AzPolicyAdvertizer

last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot

Name [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot
Azure Portal

Id 7cb1b219-61c6-47e0-b80c-4472cadeeb5f

Version 1.0.0-preview
details on versioning

Category Security Center
Microsoft docs

Description Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.

Mode Indexed

Type BuiltIn

Preview True

Deprecated FALSE

Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)

Used RBAC Role

Role Name	Role Id
Virtual Machine Contributor	9980e02c-c2be-4d73-94e8-173b1dc7cf3c

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-06-08 15:17:13	add	7cb1b219-61c6-47e0-b80c-4472cadeeb5f

Used in Initiatives none

JSON

{
  "properties": {
  "displayName": "[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
        "name": "[field('fullName')]",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                "value": "[field('name')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                  "name": "[parameters('vmName')]",
                  "location": "[parameters('location')]",
                    "type": "Microsoft.Compute/virtualMachines",
                    "apiVersion": "2020-12-01",
                    "properties": {
                      "securityProfile": {
                        "uefiSettings": {
                          "secureBootEnabled": "true"
                        },
                        "securityType": "TrustedLaunch"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7cb1b219-61c6-47e0-b80c-4472cadeeb5f",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7cb1b219-61c6-47e0-b80c-4472cadeeb5f"
}