last sync: 2020-Sep-30 14:32:32 UTC

Azure Policy

Windows machines should meet requirements for 'Windows Components'

Policy DisplayName Windows machines should meet requirements for 'Windows Components'
Policy Id 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Policy Category Guest Configuration
Policy Description Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC, ymd) | Change | Change detail
2020-09-15 14:06:41 change: DisplayName previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components'
2020-08-20 14:05:01 add: Policy 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
[Preview]: Windows machines should meet requirements for the Azure security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821
Policy Rule
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Windows Components'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_WindowsComponents",
        "version": "1.*",
        "configurationParameter": {
          "SendFileSamplesWhenFurtherAnalysisIsRequired": "Send file samples when further analysis is required;ExpectedValue",
          "AllowIndexingOfEncryptedFiles": "Allow indexing of encrypted files;ExpectedValue",
          "AllowTelemetry": "Allow Telemetry;ExpectedValue",
          "AllowUnencryptedTraffic": "Allow unencrypted traffic;ExpectedValue",
          "AlwaysInstallWithElevatedPrivileges": "Always install with elevated privileges;ExpectedValue",
          "AlwaysPromptForPasswordUponConnection": "Always prompt for password upon connection;ExpectedValue",
          "ApplicationSpecifyTheMaximumLogFileSizeKB": "Application: Specify the maximum log file size (KB);ExpectedValue",
          "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": "Automatically send memory dumps for OS-generated error reports;ExpectedValue",
          "ConfigureDefaultConsent": "Configure Default consent;ExpectedValue",
          "ConfigureWindowsSmartScreen": "Configure Windows SmartScreen;ExpectedValue",
          "DisallowDigestAuthentication": "Disallow Digest authentication;ExpectedValue",
          "DisallowWinRMFromStoringRunAsCredentials": "Disallow WinRM from storing RunAs credentials;ExpectedValue",
          "DoNotAllowPasswordsToBeSaved": "Do not allow passwords to be saved;ExpectedValue",
          "SecuritySpecifyTheMaximumLogFileSizeKB": "Security: Specify the maximum log file size (KB);ExpectedValue",
          "SetClientConnectionEncryptionLevel": "Set client connection encryption level;ExpectedValue",
          "SetTheDefaultBehaviorForAutoRun": "Set the default behavior for AutoRun;ExpectedValue",
          "SetupSpecifyTheMaximumLogFileSizeKB": "Setup: Specify the maximum log file size (KB);ExpectedValue",
          "SystemSpecifyTheMaximumLogFileSizeKB": "System: Specify the maximum log file size (KB);ExpectedValue",
          "TurnOffDataExecutionPreventionForExplorer": "Turn off Data Execution Prevention for Explorer;ExpectedValue",
          "SpecifyTheIntervalToCheckForDefinitionUpdates": "Specify the interval to check for definition updates;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
          "displayName": "Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
          "displayName": "Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
          "displayName": "Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
          "displayName": "Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
          "displayName": "Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
          "displayName": "Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
          "displayName": "Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
          "displayName": "Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
          "displayName": "Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
          "displayName": "Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
          "displayName": "Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
          "displayName": "Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
          "displayName": "System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
          "displayName": "Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
          "displayName": "Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsComponents",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Send file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), ',', 'Configure Windows SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), ',', 'Specify the interval to check for definition updates;ExpectedValue', '=', parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/8537fe96-8cbe-43de-b0ef-131bc72bc22a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "8537fe96-8cbe-43de-b0ef-131bc72bc22a"
}