AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot

7cb1b219-61c6-47e0-b80c-4472cadeeb5f

Version

3.0.0-preview
Details on versioning

Category

Security Center
Microsoft Learn

Description

Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.

Mode

Indexed

Type

BuiltIn

Preview

True

Deprecated

False

Effect

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

RBAC role(s)

Role Name	Role Id
Virtual Machine Contributor	9980e02c-c2be-4d73-94e8-173b1dc7cf3c

Rule aliases

IF (5)

Alias	Namespace	ResourceType	Path	PathIsDefault	Modifiable
Microsoft.Compute/virtualMachines/securityProfile.securityType	Microsoft.Compute	virtualMachines	properties.securityProfile.securityType	True	False
Microsoft.Compute/virtualMachines/securityProfile.uefiSettings	Microsoft.Compute	virtualMachines	properties.securityProfile.uefiSettings	True	False
Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled	Microsoft.Compute	virtualMachines	properties.securityProfile.uefiSettings.secureBootEnabled	True	False
Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer	Microsoft.Compute	virtualMachines	properties.storageProfile.imageReference.offer	True	True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType	Microsoft.Compute	virtualMachines	properties.storageProfile.osDisk.osType	True	True

THEN-ExistenceCondition (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled	Microsoft.Compute	virtualMachines	properties.securityProfile.uefiSettings.secureBootEnabled	True		False

Rule resource types

IF (1)
Microsoft.Compute/virtualMachines
THEN-Deployment (1)
Microsoft.Compute/virtualMachines

Compliance

Not a Compliance control

Initiatives usage

none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-11-12 16:23:07	change	Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)
2021-06-08 15:17:13	add	7cb1b219-61c6-47e0-b80c-4472cadeeb5f

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC