AzPolicyAdvertizer

last sync: 2021-Jul-23 16:37:57 UTC

Azure Policy definition

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines

Name [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines
Azure Portal

Id 1cb4d9c2-f88f-4069-bee0-dba239a57b09

Version 1.0.0-preview
details on versioning

Category Security Center
Microsoft docs

Description Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.

Mode Indexed

Type BuiltIn

Preview True

Deprecated FALSE

Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-05-04 14:34:06	add	1cb4d9c2-f88f-4069-bee0-dba239a57b09

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
Azure Security Benchmark	1f3afdf9-d0c9-4c3d-847f-89da613e70a8	Security Center	GA

JSON

{
  "properties": {
  "displayName": "[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1cb4d9c2-f88f-4069-bee0-dba239a57b09"
}