AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

[Preview]: Azure Stack HCI servers should have consistently enforced application control policies

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Preview]: Azure Stack HCI servers should have consistently enforced application control policies

dad3a6b9-4451-492f-a95c-69efc6f3fada

Version

1.0.0-preview
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]

Category

Stack HCI
Microsoft Learn

Description

At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Assessment(s)

Assessments count: 1
Assessment Id: ce488796-a2d4-401f-a688-b3f4a1137921
DisplayName: Azure Local machines should have consistently enforced application control policies
Description: At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Local machines. Applied Windows Defender Application Control (WDAC) policies must be consistent across machines in the same system.
Remediation description: To enforce WDAC policies:
1. From the Azure Local instance page, go to Windows Admin Center and select Connect.
2. Go to the Security extension and select Windows Defender Application Control.
3. Select one or more policy and click Set to Enforced.
Categories: Compute
Severity: High
User impact: High
Threats: ElevationOfPrivilege
preview: True

Mode

Indexed

Type

BuiltIn

Preview

True

Deprecated

False

Effect

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion	Microsoft.AzureStackHCI	clusters	properties.reportedProperties.clusterVersion	True		False

THEN-ExistenceCondition (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.wdacCompliance	Microsoft.AzureStackHCI	clusters/securitySettings	properties.securityComplianceStatus.wdacCompliance	True		False

Rule resource types

IF (1)

Microsoft.AzureStackHCI/clusters

Compliance

The following 2 compliance controls are associated with this Policy definition '[Preview]: Azure Stack HCI servers should have consistently enforced application control policies' (dad3a6b9-4451-492f-a95c-69efc6f3fada)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
Azure_Security_Benchmark_v3.0	PV-4	Azure_Security_Benchmark_v3.0_PV-4	Microsoft cloud security benchmark PV-4	Posture and Vulnerability Management	Audit and enforce secure configurations for compute resources	Shared	Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration in compute resources. Azure Guidance: Use Microsoft Defender for Cloud and Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. Implementation and additional context: How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security	n/a	link	13
	C.04.7 - Evaluated	C.04.7 - Evaluated	404 not found				n/a	n/a		55

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov
Microsoft cloud security benchmark	1f3afdf9-d0c9-4c3d-847f-89da613e70a8	Security Center	GA	BuiltIn	true
NL BIO Cloud Theme V2	d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee	Regulatory Compliance	GA	BuiltIn	unknown

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2024-03-01 17:50:27	add	dad3a6b9-4451-492f-a95c-69efc6f3fada

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC