last sync: 2020-Sep-30 14:32:32 UTC

Azure Policy

Windows machines should meet requirements for 'Security Options - User Account Control'

Policy DisplayName Windows machines should meet requirements for 'Security Options - User Account Control'
Policy Id 492a29ed-d143-4f03-b6a4-705ce081b463
Policy Category Guest Configuration
Policy Description Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-09-15 14:06:41 change: DisplayName previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'
2020-08-20 14:05:01 add: Policy 492a29ed-d143-4f03-b6a4-705ce081b463
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab
[Preview]: Windows machines should meet requirements for the Azure security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821
Policy Rule
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - User Account Control'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsUserAccountControl",
        "version": "1.*",
        "configurationParameter": {
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": "User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue",
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue",
          "UACDetectApplicationInstallationsAndPromptForElevation": "User Account Control: Detect application installations and prompt for elevation;ExpectedValue",
          "UACRunAllAdministratorsInAdminApprovalMode": "User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
          "displayName": "UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsUserAccountControl",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), ',', 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), ',', 'User Account Control: Detect application installations and prompt for elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACRunAllAdministratorsInAdminApprovalMode')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "492a29ed-d143-4f03-b6a4-705ce081b463"
}