last sync: 2021-May-10 15:04:35 UTC

Azure Policy definition

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines

Name [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines
Azure Portal
Id 1cb4d9c2-f88f-4069-bee0-dba239a57b09
Version 1.0.0-preview
details on versioning
Category Security Center
Microsoft docs
Description Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-05-04 14:34:06 add 1cb4d9c2-f88f-4069-bee0-dba239a57b09
Used in Initiatives none
JSON
{
  "properties": {
  "displayName": "[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Security.WindowsAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1cb4d9c2-f88f-4069-bee0-dba239a57b09"
}