last sync: 2021-Jul-23 16:37:57 UTC

Azure Policy definition

[Preview]: Secure Boot should be enabled on supported Windows virtual machines

Name [Preview]: Secure Boot should be enabled on supported Windows virtual machines
Id 97566dd7-78ae-4997-8b36-1c7bfe0d8121
Version 1.0.0-preview
Category Security Center
Description Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Disabled)
Used RBAC Role none
History
Date/Time (UTC, ymd) Change type Change detail
2021-05-04 14:34:06 add 97566dd7-78ae-4997-8b36-1c7bfe0d8121
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
Azure Security Benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA
JSON
{
  "properties": {
    "displayName": "[Preview]: Secure Boot should be enabled on supported Windows virtual machines",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer",
            "like": "windows*"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled",
            "notequals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "97566dd7-78ae-4997-8b36-1c7bfe0d8121"
}
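The policyRule above is worth reading closely: it only fires when all four conditions hold, so a Windows VM without a securityProfile.uefiSettings block (that is, a VM not deployed with Trusted Launch) is never evaluated for Secure Boot at all, a Linux VM with Secure Boot off is out of scope because of the "windows*" offer filter, and scale sets are out of scope because of the type check. Since the effect can only be Audit or Disabled, a non-compliant VM is reported, not blocked or changed. The following evaluator is an added example written for this page, not Azure's policy engine or Microsoft code. It reimplements the four operators the rule uses (equals, like, exists, notEquals) and runs them over constructed VM resources so you can see which VMs the Audit effect would flag. It assumes that the Microsoft.Compute aliases map to the same path under the resource's "properties", that comparisons are case-insensitive as in Azure Policy (which is why the real offer "WindowsServer" matches "windows*"), and that a present uefiSettings block with no secureBootEnabled key counts as not "true" and is flagged.

```python
"""Offline evaluator for the Secure Boot audit rule above (added example, not Azure's engine).

Assumptions (see lead-in): aliases resolve under "properties"; string comparisons
are case-insensitive; an absent secureBootEnabled satisfies notEquals "true".
"""

MISSING = object()  # sentinel for a field that is absent from the resource

# Rule aliases -> JSON path in an ARM VM resource (assumed mapping).
ALIASES = {
    "type": ("type",),
    "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer":
        ("properties", "storageProfile", "imageReference", "offer"),
    "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings":
        ("properties", "securityProfile", "uefiSettings"),
    "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled":
        ("properties", "securityProfile", "uefiSettings", "secureBootEnabled"),
}

# The "if" block of the definition above, copied as-is.
POLICY_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer", "like": "windows*"},
    {"field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings", "exists": "true"},
    {"field": "Microsoft.Compute/virtualMachines/securityProfile.uefiSettings.secureBootEnabled", "notequals": "true"},
]}


def get_field(resource, alias):
    """Walk the alias path; return MISSING if any key along the way is absent."""
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def _norm(value):
    # Scalars compare as lower-case strings; True/False become "true"/"false".
    return str(value).lower()


def _like(value, pattern):
    # Azure Policy 'like' allows a single '*' wildcard.
    if pattern.count("*") > 1:
        raise ValueError("like supports at most one '*'")
    if "*" not in pattern:
        return value == pattern
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def condition_holds(resource, cond):
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == (_norm(cond["exists"]) == "true")
    if value is MISSING:
        # Assumption: an absent field satisfies only the negated operator.
        return "notequals" in cond
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notequals" in cond:
        return _norm(value) != _norm(cond["notequals"])
    if "like" in cond:
        return _like(_norm(value), _norm(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")


def flagged(resource):
    """True when every allOf condition holds, i.e. Audit marks the VM non-compliant."""
    return all(condition_holds(resource, c) for c in POLICY_IF["allOf"])


def first_unmet(resource):
    """Field of the first failing condition (why the VM is out of scope), or None if flagged."""
    for c in POLICY_IF["allOf"]:
        if not condition_holds(resource, c):
            return c["field"]
    return None


def make_vm(offer, uefi=None, rtype="Microsoft.Compute/virtualMachines"):
    """Constructed sample resource carrying only the fields the rule reads."""
    props = {"storageProfile": {"imageReference": {"offer": offer}}, "securityProfile": {}}
    if uefi is not None:  # uefiSettings is only populated on Trusted Launch VMs
        props["securityProfile"]["uefiSettings"] = uefi
    return {"type": rtype, "properties": props}


# Constructed inputs, not real subscription data.
SAMPLES = {
    "tl_windows_secureboot_on": make_vm("WindowsServer", {"secureBootEnabled": True, "vTpmEnabled": True}),
    "tl_windows_secureboot_off": make_vm("WindowsServer", {"secureBootEnabled": False, "vTpmEnabled": True}),
    "tl_windows_secureboot_unset": make_vm("Windows-10", {"vTpmEnabled": True}),
    "standard_windows_no_uefi": make_vm("WindowsServer"),
    "tl_linux_secureboot_off": make_vm("UbuntuServer", {"secureBootEnabled": False}),
    "windows_scale_set": make_vm("WindowsServer", {"secureBootEnabled": False},
                                 rtype="Microsoft.Compute/virtualMachineScaleSets"),
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name:28} flagged={flagged(res)!s:5} first_unmet={first_unmet(res)}")
```

Running it shows the two Trusted Launch Windows VMs with Secure Boot off or unset as flagged, while the standard Windows VM, the Linux VM and the scale set each stop at a different condition. Because the effect is Audit only, fixing a flagged VM is a separate step; with the Azure CLI that is `az vm update --resource-group <rg> --name <vm> --enable-secure-boot true`, which applies only to VMs already created with Trusted Launch.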