Azure Policy built-in definitions for Azure Virtual Machines
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
This page is an index of Azure Policy built-in policy definitions for Azure Virtual Machines. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Microsoft.Compute
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: A managed identity should be enabled on your machines | Resources managed by Automanage should have a managed identity. | Audit, Disabled | 1.0.0-preview |
[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines | This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, DeployIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Automanage Configuration Profile Assignment should be Conformant | Resources managed by Automanage should have a status of Conformant or ConformantCorrected. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Backup should be enabled for Managed Disks | Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Azure Security agent should be installed on your Linux virtual machine scale sets | Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Azure Security agent should be installed on your Linux virtual machines | Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets | Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Azure Security agent should be installed on your Windows virtual machines | Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can be seen and managed in Azure Security Center. | AuditIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Boot Diagnostics should be enabled on virtual machines | Azure virtual machines should have boot diagnostics enabled. | Audit, Disabled | 1.0.0-preview |
[Preview]: ChangeTracking extension should be installed on your Linux virtual machine | Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets | Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: ChangeTracking extension should be installed on your Windows virtual machine | Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets | Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. | AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure Azure Defender for SQL agent on virtual machine | Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets | Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets | Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.5.0-preview |
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.4.0-preview |
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent | Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 6.1.0-preview |
[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot | Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | DeployIfNotExists, Disabled | 5.0.0-preview |
[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | DeployIfNotExists, Disabled | 7.0.0-preview |
[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 7.1.0-preview |
[Preview]: Configure supported virtual machines to automatically enable vTPM | Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | DeployIfNotExists, Disabled | 5.1.0-preview |
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent | Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. | DeployIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 4.1.0-preview |
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot | Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. | DeployIfNotExists, Disabled | 3.0.0-preview |
[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 5.1.0-preview |
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Modify, Disabled | 6.0.0-preview |
[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension | Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | DeployIfNotExists, Disabled | 2.1.0-preview |
[Preview]: Configure Windows Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. | DeployIfNotExists, Disabled | 1.2.0-preview |
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines | Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. | DeployIfNotExists, AuditIfNotExists, Disabled | 3.0.0-preview |
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines | Deploys Microsoft Defender for Endpoint on applicable Windows VM images. | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.1-preview |
[Preview]: Enable system-assigned identity to SQL VM | Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assigning it at resource group level will not work as expected. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. | AuditIfNotExists, Disabled | 6.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. | AuditIfNotExists, Disabled | 5.1.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | AuditIfNotExists, Disabled | 4.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machine scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. | AuditIfNotExists, Disabled | 3.1.0-preview |
[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. | AuditIfNotExists, Disabled | 1.2.0-preview |
[Preview]: Linux machines should meet STIG compliance requirement for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides Security Technical Implementation Guides (STIGs) to secure the compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/. | AuditIfNotExists, Disabled | 1.2.0-preview |
[Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. | AuditIfNotExists, Disabled | 1.2.0-preview |
[Preview]: Linux virtual machines should use only signed and trusted boot components | All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Linux virtual machines should use Secure Boot | To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
[Preview]: Machines should have ports closed that might expose attack vectors | Azure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Managed Disks should be Zone Resilient | Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
[Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Audit, Disabled | 4.0.0-preview |
[Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. | This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and set 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites | DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Virtual Machine Scale Sets should be Zone Resilient | Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Virtual machines guest attestation status should be healthy | Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Virtual Machines should be Zone Aligned | Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Audit, Disabled | 2.0.0-preview |
[Preview]: Windows machines should meet STIG compliance requirements for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides Security Technical Implementation Guides (STIGs) to secure the compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/. | AuditIfNotExists, Disabled | 1.0.0-preview |
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Modify | 4.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Deny | 1.0.1 |
Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | AuditIfNotExists, Disabled | 4.2.0 |
Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | AuditIfNotExists, Disabled | 4.2.0 |
Audit SSH security posture for Linux (powered by OSConfig) | This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including prerequisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview. | AuditIfNotExists, Disabled | 1.0.1 |
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | auditIfNotExists | 3.0.0 |
Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status as specified by the policy parameter. | auditIfNotExists | 3.0.0 |
Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | auditIfNotExists | 3.0.0 |
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. The default value for unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | auditIfNotExists | 3.0.0 |
Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as a parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | auditIfNotExists | 2.0.0 |
Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | auditIfNotExists | 3.0.0 |
Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the maximum password age is not set to the specified number of days. The default value for maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the minimum password age is not set to the specified number of days. The default value for minimum password age is 1 day. | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the password complexity setting is not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the minimum password length is not restricted to the specified number of characters. The default value for minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 2.0.0 |
Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | auditIfNotExists | 2.0.0 |
Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | auditIfNotExists | 2.0.0 |
Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | auditIfNotExists | 2.0.0 |
Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Cloud Services (extended support) role instances should be configured securely | Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not exposed to any OS vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 |
Cloud Services (extended support) role instances should have an endpoint protection solution installed | Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. | AuditIfNotExists, Disabled | 1.0.0 |
Cloud Services (extended support) role instances should have system updates installed | Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Servers to be disabled for all resources (resource level) | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) in the selected scope (subscription or resource group). | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s). | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s). | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) | Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group). | DeployIfNotExists, Disabled | 1.0.0 |
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy enables replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | DeployIfNotExists, Disabled | 2.1.0 |
Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 6.5.1 |
Configure Linux Server to disable local users. | Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. | DeployIfNotExists, Disabled | 1.3.0-preview |
Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.4.1 |
Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.6.0 |
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.8.0 |
Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.4.1 |
Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.6.0 |
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.8.0 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Modify, Disabled | 2.0.0 |
Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | modify | 4.8.0 |
Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines | Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows machines. | DeployIfNotExists, Disabled | 1.0.1 |
Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.5.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | DeployIfNotExists, Disabled | 1.5.0 |
Configure SSH security posture for Linux (powered by OSConfig) | This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including prerequisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview. | DeployIfNotExists, Disabled | 1.0.1 |
Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. | deployIfNotExists | 2.1.0 |
Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | AuditIfNotExists, DeployIfNotExists, Disabled | 2.4.0 |
Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.4.0 |
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 4.5.1 |
Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.1 |
Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.4.0 |
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.6.0 |
Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.1 |
Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 4.4.0 |
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.6.0 |
Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.7.0 |
Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.1.0 |
Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 5.1.0 |
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 5.1.0 |
Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.2.0 |
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 1.3.0 |
Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 1.3.0 |
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | deployIfNotExists | 3.0.0 |
Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | deployIfNotExists | 3.0.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
Disks and OS image should support TrustedLaunch | TrustedLaunch improves the security of a virtual machine; it requires the OS disk and OS image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch. | Audit, Disabled | 1.0.0 |
Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | AuditIfNotExists, Disabled | 1.0.0 |
Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | AuditIfNotExists, Disabled | 1.0.0 |
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
Hotpatch should be enabled for Windows Server Azure Edition VMs | Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch. | Audit, Deny, Disabled | 1.0.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.2.0 |
Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | AuditIfNotExists, Disabled | 2.2.0 |
Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.3.0 |
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted at rest by default using platform-managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.2.1 |
Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.3.0 |
Local authentication methods should be disabled on Linux machines | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. | AuditIfNotExists, Disabled | 1.2.0-preview |
Local authentication methods should be disabled on Windows Servers | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. | AuditIfNotExists, Disabled | 1.0.0-preview |
Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 2.0.0 |
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Audit, Deny, Disabled | 3.7.0 |
Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | AuditIfNotExists, Disabled | 1.0.2 |
Managed disks should be double encrypted with both platform-managed and customer-managed keys | Highly security-sensitive customers who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Audit, Deny, Disabled | 1.0.0 |
Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Audit, Disabled | 2.0.0 |
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You are able to select the allowed disk encryption sets, and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Audit, Deny, Disabled | 2.0.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | AuditIfNotExists, Disabled | 1.1.0 |
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 |
OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Audit, Deny, Disabled | 3.0.0 |
Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Audit, Deny, Disabled | 1.1.0 |
Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. | When an export/upload URL is used, the system checks that the user has an identity in Azure Active Directory and has the necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. | Modify, Disabled | 1.0.0 |
Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. | deny | 1.0.0 |
Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode of the Azure virtual machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching. | DeployIfNotExists, Disabled | 3.12.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
System updates should be installed on your machines (powered by Update Center) | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | AuditIfNotExists, Disabled | 1.0.1 |
The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on Linux virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The legacy Log Analytics extension should not be installed on virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Virtual Machine should have TrustedLaunch enabled | Enable TrustedLaunch on the virtual machine for enhanced security; use a VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch. | Audit, Disabled | 1.0.0 |
Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either a customer-managed or a platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should be connected to a specified workspace | Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | AuditIfNotExists, Disabled | 1.1.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerabilities in security configuration on your machines should be remediated | Servers that do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.1.0 |
Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
Windows machines should configure Windows Defender to update protection signatures within one day | To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly. This policy is not applied to Arc connected servers, and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
Windows machines should enable Windows Defender Real-time protection | Windows machines should enable Real-time protection in Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to Arc connected servers, and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. A machine is non-compliant if it is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 2.0.0 |
Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | AuditIfNotExists, Disabled | 2.0.0 |
Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted at rest by default using platform-managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.1.1 |
Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
Microsoft.VirtualMachineImages
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
Microsoft.ClassicCompute
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | AuditIfNotExists, Disabled | 1.0.0 |
Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | AuditIfNotExists, Disabled | 1.0.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSGs). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
Machines should have secret findings resolved | Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. | AuditIfNotExists, Disabled | 1.0.2 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be surfaced by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access to them with network security groups (NSGs). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be surfaced by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.1.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.