last sync: 2020-Sep-24 14:01:32 UTC

Changes on Azure Policies

Fields per entry: Category, Id, DisplayName, Description, Effect, Roles used, Details (timestamps in UTC, ymd)

Category: Guest Configuration
Id: f3b44e5d-1456-475f-9c67-c66c4618e85a
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members

Category: Guest Configuration
Id: 5bb36dda-8a78-4df9-affd-4f05a8612a8a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one

Category: Guest Configuration
Id: bde62c94-ccca-4821-a815-92c1d31a76de
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group contains any of the specified members

Category: Guest Configuration
Id: cc7cda28-f867-4311-8497-a526129a8d19
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members

Category: Guest Configuration
Id: b821191b-3a12-44bc-9c38-212138a29ff3
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members

Category: Guest Configuration
Id: bed48b13-6647-468e-aa2f-1af1d3f4dd40
DisplayName: Audit Windows machines on which Windows Defender Exploit Guard is not enabled
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled

Category: Kubernetes
Id: 0a15ec92-a229-4763-bb14-0ea34a568f8d
DisplayName: [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
Description: Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
Effect: Default: Audit, Allowed: (Audit,Disabled)
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters

Category: Guest Configuration
Id: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
DisplayName: Audit Linux machines that are not using SSH key for authentication
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed

Category: Guest Configuration
Id: 144f1397-32f9-4598-8c88-118decc3ccba
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members

Category: Guest Configuration
Id: 02a84be7-c304-421f-9bb7-5d2c26af54ad
DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one

Category: Guest Configuration
Id: 93507a81-10a4-4af0-9ee2-34cf25a96e98
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-16 13:09:49, change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members

Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace

Category: Kubernetes
Id: e1e6c427-07d9-46ab-9689-bfa85431e636
DisplayName: Kubernetes cluster pods and containers should only use allowed SELinux options
Description: This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options

Category: Kubernetes
Id: 233a2a17-77ca-4fb1-9b6b-69223d272a44
DisplayName: Ensure services listen only on allowed ports in Kubernetes cluster
Description: This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster

Category: Guest Configuration
Id: f2143251-70de-4e81-87a8-36cee5a2f29d
DisplayName: Windows machines should meet requirements for 'Security Settings - Account Policies'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'

Category: Guest Configuration
Id: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
DisplayName: Windows machines should meet requirements for 'Windows Components'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components'

Category: Guest Configuration
Id: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Control Panel'

Category: Guest Configuration
Id: 492a29ed-d143-4f03-b6a4-705ce081b463
DisplayName: Windows machines should meet requirements for 'Security Options - User Account Control'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'

Category: Guest Configuration
Id: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
DisplayName: Windows machines should meet requirements for 'Security Options - Recovery console'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Recovery console'

Category: Guest Configuration
Id: 6141c932-9384-44c6-a395-59e4c057d7c9
DisplayName: Configure time zone on Windows machines.
Description: This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Configure time zone on Windows machines.

Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed ProcMountType

Category: Guest Configuration
Id: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
DisplayName: Windows machines should meet requirements for 'Administrative Templates - System'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - System'

Category: Guest Configuration
Id: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Logon'

Category: Guest Configuration
Id: d472d2c9-d6a3-4500-9f5f-b15f123005aa
DisplayName: Windows machines should meet requirements for 'Security Options - Interactive Logon'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Interactive Logon'

Category: Guest Configuration
Id: 1221c620-d201-468c-81e7-2817e6107e84
DisplayName: Windows machines should meet requirements for 'Security Options - Network Security'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Security'

Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles

Category: Kubernetes
Id: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6
DisplayName: Enforce labels on pods in Kubernetes cluster
Description: This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Enforce labels on pods in Kubernetes cluster

Category: Guest Configuration
Id: 94d9aca8-3757-46df-aa51-f218c5f11954
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Management'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Management'

Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Object Access'

Category: Guest Configuration
Id: b4a4d1eb-0263-441b-84cb-a44073d8372d
DisplayName: Windows machines should meet requirements for 'Security Options - Shutdown'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Shutdown'

Category: Guest Configuration
Id: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Policy Change'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs

Category: Guest Configuration
Id: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: modify
Roles used: Contributor
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Category: Guest Configuration
Id: e068b215-0026-4354-b347-8fb2766f73a2
DisplayName: Windows machines should meet requirements for 'User Rights Assignment'
Description: Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'User Rights Assignment'

Category: Kubernetes
Id: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
DisplayName: Enforce internal load balancers in Kubernetes cluster
Description: This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Enforce internal load balancers in Kubernetes cluster

Category: Guest Configuration
Id: 8316fa92-d69c-4810-8124-62414f560dcf
DisplayName: Windows machines should meet requirements for 'System Audit Policies - System'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - System'

Category: Kubernetes
Id: 16697877-1118-4fb1-9b65-9898ec2509ec
DisplayName: Kubernetes cluster pods should only use allowed volume types
Description: This policy ensures pods can only use allowed volume types in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pods should only use allowed volume types

Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Ensure only allowed container images in Kubernetes cluster
Description: This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Ensure only allowed container images in Kubernetes cluster

Category: Kubernetes
Id: 56d0a13f-712f-466b-8416-56fb354fb823
DisplayName: Kubernetes cluster containers should not use forbidden sysctl interfaces
Description: This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces

Category: Kubernetes
Id: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
DisplayName: Kubernetes clusters should not allow container privilege escalation
Description: This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes clusters should not allow container privilege escalation

Category: Guest Configuration
Id: 33936777-f2ac-45aa-82ec-07958ec9ade4
DisplayName: Windows machines should meet requirements for 'Security Options - Audit'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit'

Category: Kubernetes
Id: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
DisplayName: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Description: This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Category: Guest Configuration
Id: caf2d518-f029-4f6b-833b-d7081702f253
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'

Category: Guest Configuration
Id: 58383b73-94a9-4414-b382-4146eb02611b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'

Category: Kubernetes
Id: 975ce327-682c-4f2e-aa46-b9598289b86c
DisplayName: Kubernetes cluster containers should only use allowed seccomp profiles
Description: This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles

Category: Kubernetes
Id: e345eecc-fa47-480f-9e88-67dcc122b164
DisplayName: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Description: This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny, Allowed: (audit,deny,disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster

Category: Guest Configuration
Id: ee984370-154a-4ee8-9726-19d900e56fc0
DisplayName: Windows machines should meet requirements for 'Security Options - Accounts'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Accounts'

Category: Guest Configuration
Id: d6c69680-54f0-4349-af10-94dd05f4225e
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists, Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Category: Guest Configuration
Id: 385f5831-96d4-41db-9a3c-cd3af78aaae6
DisplayName: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Description: This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details: 2020-09-15 14:06:41, change: DisplayName
previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Audit Windows machines on which Windows Defender Exploit Guard is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match the expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc Ensure containers listen only on allowed ports in Kubernetes cluster This policy enforces that containers listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system This policy ensures containers run with a read only root file system in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should run with a read only root file system
Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System objects'
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Audit Linux machines that are not using SSH key for authentication Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access'
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Enforce HTTPS ingress in Kubernetes cluster
Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'
Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities This policy ensures containers only use allowed capabilities in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed capabilities
Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System settings'
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 Enable Automanage - Azure virtual machine best practices Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. Fixed: deployIfNotExists Contributor
2020-09-15 14:06:41
add: Policy
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Kubernetes cluster pods should only use approved host network and port range
Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Do not allow privileged containers in Kubernetes cluster This policy does not allow the creation of privileged containers in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Do not allow privileged containers in Kubernetes cluster
Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network'
Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Devices'
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-09-15 14:06:41
change: DisplayName
previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
SQL b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 SQL Database should avoid using GRS backup redundancy Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. Default: Deny
Allowed: (Deny,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 144f1397-32f9-4598-8c88-118decc3ccba [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members
Security Center 5a913c68-0590-402c-a531-e57e19379da3 Operating system version should be the most current version for your cloud service roles Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration bde62c94-ccca-4821-a815-92c1d31a76de [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs in which the Administrators group contains any of the specified members
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 [Preview]: Firewall should be enabled on Key Vault The key vault firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the key vault firewall to make sure that only traffic from allowed networks can access your key vault. Default: Audit
Allowed: (Audit,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 60ffe3e2-4604-4460-8f22-0f1da058266c [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows web servers that are not using secure communication protocols
SQL a9934fd7-29f2-4e6d-ab3d-607ea38e9079 SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. Default: Deny
Allowed: (Deny,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration f0633351-c7b2-41ff-9981-508fc08553c2 [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that have the specified applications installed
Security Center a4fe33eb-e377-4efb-ab31-0784311bc499 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 630ac30f-a234-4533-ac2d-e0df77acda51 Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have the specified applications installed
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the passwd file permissions set to 0644. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration c96f3246-4382-4264-bf6b-af0b35e23c3c [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs with a pending reboot
Guest Configuration c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration 356a906e-05e5-4625-8729-90771e0ee934 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration 32b1e4d4-6cd5-47b4-a935-169da8a5c262 [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 8b0de57a-f511-4d45-a277-17cb79cb163b [Deprecated]: Show audit results from Windows VMs with a pending reboot This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs with a pending reboot
Guest Configuration f3b44e5d-1456-475f-9c67-c66c4618e85a [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
Managed Application 9db7917b-1607-4e7d-a689-bca978dd0633 Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 7227ebe5-9ff7-47ab-b823-171cd02fb90f [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status specified by the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration 315c850a-272d-4502-8935-b79010405970 [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
Guest Configuration 2d60d3b7-aa10-454c-88a8-de39d99d17c6 [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration ebb67efd-3c46-49b0-adfe-5599eb944998 Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 7e84ba44-6d03-46fd-950e-5efa5a1112fa [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Linux VMs that do not have the specified applications installed
Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration beb6ccee-b6b8-4e91-9801-a5fa4260a104 Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Security Center 6646a0bd-e110-40ca-bb97-84fcee63c414 Service principals should be used to protect your subscriptions instead of management certificates Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration cdbf72d9-ac9c-4026-8a3a-491a5ac59293 [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration 9328f27e-611e-44a7-a244-39109d7d35ab [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration c21f7060-c148-41cf-a68b-0ab3e14c764c [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
Guest Configuration c5b85cba-6e6f-4de4-95e1-f0233cd712ac Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 9f658460-46b7-43af-8565-94fc0662be38 [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that are not set to the specified time zone
Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration 5aa11bbc-5c76-4302-80e5-aba46a4282e7 [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration a030a57e-4639-4e8f-ade9-a92f33afe7ee [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration a29ee95c-0395-4515-9851-cc04ffe82a91 [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that are not joined to the specified domain
Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration 24dde96d-f0b1-425e-884f-4a1421e2dcdc [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration 4221adbc-5c0f-474f-88b7-037a99e6114c Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 02a84be7-c304-421f-9bb7-5d2c26af54ad [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration 1417908b-4bff-46ee-a2a6-4acc899320ab Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Linux VMs that have the specified applications installed
Guest Configuration f3b9ad83-000d-4dc1-bff0-6d54533dd03f [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Security Center a3a6ea0c-e018-4933-9ef0-5aaa1501449b Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Security Center d62cfe2b-3ab0-4d41-980d-76803b58ca65 Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration d7ccd0ca-8d78-42af-a43d-6b7f928accbc [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration 7a031c68-d6ab-406e-a506-697a19c634b0 [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration 106ccbe4-a791-4f33-a44a-06796944b8d5 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration 7e56b49b-5990-4159-a734-511ea19b731c [Deprecated]: Show audit results from Windows VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that have the specified applications installed
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Preview]: Private endpoint should be configured for Key Vault Private link provides a way to connect key vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Default: Audit
Allowed: (Audit,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 16390df4-2f73-4b42-af13-c801066763df [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Linux VMs that have the specified applications installed
Guest Configuration 84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration b821191b-3a12-44bc-9c38-212138a29ff3 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration 6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: Policy
Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
Guest Configuration f48b2913-1dc5-4834-8c72-ccc1dfd819bb [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 5aebc8d1-020d-4037-89a0-02043a7524ec [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration cc7cda28-f867-4311-8497-a526129a8d19 [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration 93507a81-10a4-4af0-9ee2-34cf25a96e98 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration f4b245d4-46c9-42be-9b1a-49e2b5b94194 [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration b2fc8f91-866d-4434-9089-5ebfe38d6fd8 [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Audit Windows web servers that are not using secure communication protocols Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed: auditIfNotExists none
2020-09-09 11:24:03
add: Policy
Guest Configuration 23020aa6-1135-4be2-bae2-149982b06eca [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-09-09 11:24:03
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that Register with Azure Active Directory is enabled on API app
Security Center 501541f7-f7e7-4cd6-868c-4190fdad3ac9 A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Vulnerability assessment should be enabled on virtual machines
App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that Register with Azure Active Directory is enabled on Function App
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 [Preview]: Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage certificates issued by a non-integrated CA
App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Web app
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd [Preview]: Linux machines should meet requirements for the Azure security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not meet the requirements for the Azure security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
add: Policy
App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Function app
Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f [Preview]: Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage allowed certificate key types
Key Vault cee51871-e572-4576-855c-047c820360f0 [Preview]: Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage minimum key size for RSA certificates
App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the API app
App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Function App
App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Ensure that Register with Azure Active Directory is enabled on WEB App
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 [Preview]: Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration
Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 [Preview]: Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage certificate lifetime action triggers
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 [Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage certificate validity period
Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf [Preview]: Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 [Preview]: Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: [Preview]: Manage certificates issued by an integrated CA
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-09-02 14:03:46
change: DisplayName
previous DisplayName: Cognitive Services accounts should enable data encryption with customer managed key
Synapse 84ce0900-69cd-4b5e-b676-0b5a66d027c9 [Preview]: Resource type for Azure Synapse linked service should be in allowed list You can define an allowed list of resource types for Azure Synapse linked service to restrict creation or update on a scope. With this policy in place you can have a better control over the boundary of data movement. Fixed: n/a
2020-08-31 13:45:20
remove: Policy
Network c251913d-7d24-4958-af87-478ed3b9ba41 Flow log should be configured for every network security group Audit for network security groups to verify if flow log resource is configured. Flow log allows logging of information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Fixed: audit none
2020-08-27 15:39:26
add: Policy
Guest Configuration f8036bd0-c10b-4931-86bb-94a878add855 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-27 15:39:26
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy
Guest Configuration 16f9b37c-4408-4c30-bc17-254958f2e2d6 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-27 15:39:26
change: DisplayName
previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed
Guest Configuration e0efc13a-122a-47c5-b817-2ccfe5d12615 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-27 15:39:26
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-27 15:39:26
add: Policy
Guest Configuration 90ba2ee7-4ca8-4673-84d1-c851c50d3baf [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-27 15:39:26
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab Azure Machine Learning workspaces should use private link Evaluate Azure Machine Learning workspaces that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/azureml-workspaces-privatelink. Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-27 15:39:26
add: Policy
Storage 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 [Preview]: Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default: audit
Allowed: (audit,deny,disabled)
none
2020-08-27 15:39:26
add: Policy
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures flow log for a specific network security group. It allows logging of information about IP traffic flowing through a network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Fixed: deployIfNotExists Contributor
2020-08-27 15:39:26
add: Policy
84ce0900-69cd-4b5e-b676-0b5a66d027c9 Fixed: none
2020-08-27 15:39:26
add: Policy
Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-27 15:39:26
add: Policy
Machine Learning ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK) Evaluate Azure Machine Learning workspaces that do not have encryption enabled with customer-managed keys (CMK). Customer-managed keys add an additional layer of security for workspaces. For more information, visit https://aka.ms/azureml-workspaces-cmk. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-08-27 15:39:26
add: Policy
Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 5c028d2a-1889-45f6-b821-31f42711ced8 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 7066131b-61a6-4917-a7e4-72e8983f0aa6 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration 968410dc-5ca0-4518-8a5b-7b55f0530ea9 Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuration ddb53c61-9db4-41d4-a953-2abff5b66c12 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration a9a33475-481d-4b81-9116-0bf02ffe67e8 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration ee984370-154a-4ee8-9726-19d900e56fc0 Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration c961dac9-5916-42e8-8fb1-703148323994 [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration f2143251-70de-4e81-87a8-36cee5a2f29d Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 9178b430-2295-406e-bb28-f6a7a2a2f897 [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration d6c69680-54f0-4349-af10-94dd05f4225e Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration d472d2c9-d6a3-4500-9f5f-b15f123005aa Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 58383b73-94a9-4414-b382-4146eb02611b Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 7229bd6a-693d-478a-87f0-1dc1af06f3b8 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration 94d9aca8-3757-46df-aa51-f218c5f11954 Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 33936777-f2ac-45aa-82ec-07958ec9ade4 Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 35781875-8026-4628-b19b-f6efb4d88a1d Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 30040dab-4e75-4456-8273-14b8f75d91d9 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration 225e937e-d32e-4713-ab74-13ce95b3519a [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration 8316fa92-d69c-4810-8124-62414f560dcf Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration bc87d811-4a9b-47cc-ae54-0a41abda7768 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration e068b215-0026-4354-b347-8fb2766f73a2 Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration dd4680ed-0559-4a6a-ad10-081d14cbb484 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration b872a447-cc6f-43b9-bccf-45703cd81607 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration e3a77a94-cf41-4ee8-b45c-98be28841c03 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration fcbc55c9-f25a-4e55-a6cb-33acb3be778b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration c8abcef9-fc26-482f-b8db-5fa60ee4586d [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration ba12366f-f9a6-42b8-9d98-157d0b1a837b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration 21e2995e-683e-497a-9e81-2f42ad07050a [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration 87b590fe-4a1d-4697-ae74-d4fe72ab786c [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration 620e58b5-ac75-49b4-993f-a9d4f0459636 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration a1e8dda3-9fd2-4835-aec3-0e55531fde33 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 8a39d1f1-5513-4628-b261-f469a5a3341b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration b3802d79-dd88-4bce-b81d-780218e48280 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration b4a4d1eb-0263-441b-84cb-a44073d8372d Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration 60aeaf73-a074-417a-905f-7ce9df0ff77b [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration 3aa2661b-02d7-4ba6-99bc-dc36b10489fd Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration 8537fe96-8cbe-43de-b0ef-131bc72bc22a Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration 29829ec2-489d-4925-81b7-bda06b1718e0 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration 8bbd627e-4d25-4906-9a6e-3789780af3ec [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration 492a29ed-d143-4f03-b6a4-705ce081b463 Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-08-20 14:05:01
change: DisplayName
previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: Policy
Security Center 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-19 13:49:29
change: DisplayName
previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default: Audit
Allowed: (Audit,Disabled,Deny)
none
2020-08-19 13:49:29
add: Policy
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-19 13:49:29
change: DisplayName
previous DisplayName: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 Vulnerabilities in Azure Container Registry images should be remediated Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-19 13:49:29
add: Policy
Security Center fb893a29-21bb-418c-a157-e99480ec364c Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-19 13:49:29
change: DisplayName
previous DisplayName: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Storage 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage account should use customer-managed key for encryption Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-18 14:06:57
add: Policy
Storage 6edd7eda-6dd8-40f7-810d-67160c639cd9 Storage account should use a private link connection Private links enforce secure communication by providing private connectivity to the storage account. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-18 14:06:57
add: Policy
Storage 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method to IP-based filtering. Disallowing IP-based filtering prevents public IPs from accessing your storage accounts. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-08-18 14:06:57
add: Policy
SQL aeb23562-188d-47cb-80b8-551f16ef9fff [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings
SQL 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines
SQL c8343d2f-fdc9-4a97-b76f-fc71d1163bfc [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity
App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-05 13:05:29
change: DisplayName
previous DisplayName: App Configuration should use a customer managed key
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-07-17 15:57:10
add: Policy
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-07-17 15:57:10
change: DisplayName
previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-07-17 15:57:10
add: Policy
Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-07-17 15:57:10
change: DisplayName
previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa Advanced threat protection should be enabled on Azure Storage accounts Advanced threat protection provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced threat protection should be enabled on Storage accounts
Security Center 47a6b606-51aa-4496-8bb7-64b11cf66adc Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines
Security Center 0e6763cc-5078-4e64-889d-ff4d9a839047 Advanced threat protection should be enabled on Azure Key Vault vaults Advanced threat protection provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced threat protection should be enabled on Key Vault
Security Center 2913021d-f2fd-4f3d-b958-22354e2bdbcb Advanced threat protection should be enabled on Azure App Service plans Advanced threat protection leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced threat protection should be enabled on App Service
SQL a8793640-60f7-487c-b5c3-1d37215905c4 SQL Managed Instance should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default: Audit
Allowed: (Audit,Disabled)
none
2020-07-14 15:28:17
add: Policy
SQL 32e6bbec-16b6-44c2-be37-c5b672d103cf Azure SQL Database should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default: Audit
Allowed: (Audit,Disabled)
none
2020-07-14 15:28:17
add: Policy
Security Center 6581d072-105e-4418-827f-bd446d56421b Advanced data security should be enabled on SQL servers on machines Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL database and discovering and classifying sensitive data. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines
Security Center 523b5cd1-3e23-492f-a539-13118b6d1e3a Advanced threat protection should be enabled on Azure Kubernetes Service clusters Advanced threat protection provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service
Security Center 501541f7-f7e7-4cd6-868c-4190fdad3ac9 A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines
Security Center 123a3936-f020-408a-ba0c-47873faf1534 Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated
Security Center c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 Advanced threat protection should be enabled on Azure Container Registry registries Advanced threat protection provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-14 15:28:17
change: DisplayName
previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types This policy ensures pods can only use allowed volume types in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Network 12430be1-6cc8-4527-a9a8-e3d38f250096 Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: Policy
Network 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Web Application Firewall (WAF) should be enabled for Application Gateway Requires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Network 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Web Application Firewall (WAF) should be enabled for Azure Front Door Service Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: Policy
SQL 77e8b146-0078-4fb2-b002-e112381199f0 Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. Fixed: AuditIfNotExists none
2020-07-08 14:28:08
add: Policy
Network f6b68e5a-7207-4638-a1fb-47d90404209e [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
change: DisplayName
previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Network 425bea59-a659-4cbb-8d31-34499bd030b8 Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Network be7ed5c8-2660-4136-8216-e6f3412ba909 [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
change: DisplayName
previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway
SQL 1b8ca024-1d5c-4dec-8995-b1a932b41780 Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Fixed: audit none
2020-07-08 14:28:08
change: DisplayName
previous DisplayName: Audit public network access setting for Azure SQL Database
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
SQL 7698e800-9299-47a6-b3b6-5a0fee576eed Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Fixed: audit none
2020-07-08 14:28:08
change: DisplayName
previous DisplayName: Azure SQL Databases should have private endpoint connections
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities This policy ensures containers only use allowed capabilities in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system This policy ensures containers run with a read only root file system in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: Policy
SQL 1b8ca024-1d5c-4dec-8995-b1a932b41780 Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Fixed: audit none
2020-07-01 14:50:07
add: Policy
SQL 9677b740-f641-4f3c-b9c5-466005c85278 [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts
SQL e756b945-1b1b-480b-8de8-9a0859d5f7ad [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings
SQL 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
VM Image Builder 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder templates should use private link Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may expose resources directly to the internet and increase the potential attack surface. Default: Audit
Allowed: (Audit,Disabled)
none
2020-07-01 14:50:07
add: Policy
SignalR 53503636-bcc9-4748-9663-5348217f160f Azure SignalR Service should use private links Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. Default: Audit
Allowed: (Audit,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: [Preview]: Azure SignalR Service should use private links
SQL bda18df3-5e41-4709-add9-2554ce68c966 [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings
SQL aeb23562-188d-47cb-80b8-551f16ef9fff [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
SQL 7698e800-9299-47a6-b3b6-5a0fee576eed Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Fixed: audit none
2020-07-01 14:50:07
add: Policy
SQL c8343d2f-fdc9-4a97-b76f-fc71d1163bfc [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-07-01 14:50:07
change: DisplayName
previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-30 14:58:19
change: DisplayName
previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs.
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify n/a
2020-06-29 05:46:45
remove: Policy
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify n/a
2020-06-29 05:46:45
remove: Policy
Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-29 05:46:45
change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-29 05:46:45
change: DisplayName
previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Security Center 4da35fc9-c9e7-4960-aec9-797fe7d9051d Advanced threat protection should be enabled on Virtual Machines Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Security Center 523b5cd1-3e23-492f-a539-13118b6d1e3a Advanced threat protection should be enabled on Azure Kubernetes Service clusters Advanced threat protection provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Security Center 0e6763cc-5078-4e64-889d-ff4d9a839047 Advanced threat protection should be enabled on Azure Key Vault vaults Advanced threat protection provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Kubernetes 0a15ec92-a229-4763-bb14-0ea34a568f8d [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit,Disabled)
none
2020-06-23 16:03:25
add: Policy
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa Advanced threat protection should be enabled on Azure Storage accounts Advanced threat protection provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-06-23 16:03:25
add: Policy
Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB account should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk Default: audit
Allowed: (audit,deny,disabled)
none
2020-06-23 16:03:25
add: Policy
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-23 16:03:25
add: Policy
Security Center 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Advanced data security should be enabled on Azure SQL Database servers Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat on SQL database and discovering and classifying sensitive data. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-23 16:03:25
change: DisplayName
previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-23 16:03:25
change: DisplayName
previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Security Center 2913021d-f2fd-4f3d-b958-22354e2bdbcb Advanced threat protection should be enabled on Azure App Service plans Advanced threat protection leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default: audit
Allowed: (audit,disabled)
none
2020-06-23 16:03:25
add: Policy
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-06-23 16:03:25
add: Policy
Security Center 6581d072-105e-4418-827f-bd446d56421b Advanced data security should be enabled on SQL servers on machines Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL database and discovering and classifying sensitive data. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Security Center c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 Advanced threat protection should be enabled on Azure Container Registry registries Advanced threat protection provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-23 16:03:25
add: Policy
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2020-06-23 16:03:25
add: Policy
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor
2020-06-23 16:03:25
add: Policy
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-06-23 16:03:25
add: Policy
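The records in this log share one flattened layout: category, definition id, display name and description run together, then either "Fixed: <effect> <roles>" or "Default: <effect>" followed by an "Allowed" line and a roles line, then the UTC timestamp and the change kind. The entries added on 2020-06-23 (3cf2ab00, 497dff13, 331e8ea8) and the many "[Deprecated]" prerequisite definitions all carry the effects deployIfNotExists or modify with the Contributor role, which is what a reviewer of a subscription's assignments most needs to pick out. The following parser is an added example, not part of this page or of Azure Policy; it reads the layout above from a constructed sample of four records copied from the log (descriptions shortened with "...") and reports every definition whose assignment needs a managed identity holding the listed role. The display name cannot be separated from the description because the extraction left no delimiter between them, so the two are kept as one field.

```python
"""Parse the flattened 'Changes on Azure Policies' log and report which
definitions need a managed identity and role when assigned."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the log's flattened layout: four records copied from
# the page with their descriptions shortened ("..."), embedded so the parser
# runs offline against realistic input.
SAMPLE = """\
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity ... Fixed: modify Contributor
2020-06-23 16:03:25
add: Policy
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Audit or deny resources that do not have any IP rules configured ... Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-06-23 16:03:25
add: Policy
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines ... Fixed: deployIfNotExists Log Analytics Contributor
2020-06-22 16:06:25
change: DisplayName
previous DisplayName: Deploy Dependency agent for Linux VMs
Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment ... Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
"""

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Record header: category, id, name+description (no separator between them),
# then "Fixed: <effect> <roles>" or "Default: <effect>".
HEAD_RE = re.compile(
    rf"^(?P<category>.+?) (?P<id>{GUID}) (?P<text>.+?) "
    r"(?P<kind>Fixed|Default): (?P<effect>\S+)(?: (?P<roles>.+))?$"
)
ALLOWED_RE = re.compile(r"^Allowed: \((?P<list>[^)]*)\)$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
CHANGE_RE = re.compile(r"^(?P<op>add|change): (?P<what>.+)$")

# Effects that change resources; their assignment needs a managed identity
# holding the role listed under "Roles used".
PRIVILEGED_EFFECTS = {"deployifnotexists", "modify"}


@dataclass
class PolicyChange:
    category: str
    id: str
    text: str            # DisplayName + Description as the extraction left them
    effect: str
    allowed: List[str]   # empty for a fixed effect
    roles: str           # "none" when the definition needs no role
    changed: datetime
    op: str              # "add" or "change"
    what: str            # "Policy" or the changed field name
    previous: Optional[str] = None

    @property
    def deprecated(self) -> bool:
        return self.text.startswith("[Deprecated]:")

    @property
    def needs_identity(self) -> bool:
        return self.effect.lower() in PRIVILEGED_EFFECTS


def parse_changes(text: str) -> List[PolicyChange]:
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        head = HEAD_RE.match(lines[i])
        if not head:
            raise ValueError(f"line {i + 1}: expected a record header, got {lines[i][:60]!r}")
        i += 1
        allowed, roles = [], head["roles"] or ""
        if head["kind"] == "Default":
            # Parameterised effect: an "Allowed" line, then a roles line.
            am = ALLOWED_RE.match(lines[i])
            if not am:
                raise ValueError(f"line {i + 1}: expected 'Allowed: (...)'")
            allowed = [e.strip() for e in am["list"].split(",") if e.strip()]
            roles = lines[i + 1]
            i += 2
        if not DATE_RE.match(lines[i]):
            raise ValueError(f"line {i + 1}: expected a UTC timestamp")
        changed = datetime.strptime(lines[i], "%Y-%m-%d %H:%M:%S")
        cm = CHANGE_RE.match(lines[i + 1])
        if not cm:
            raise ValueError(f"line {i + 2}: expected 'add:' or 'change:'")
        i += 2
        previous = None
        if cm["op"] == "change" and i < len(lines) and lines[i].startswith("previous "):
            previous = lines[i].split(": ", 1)[1]
            i += 1
        records.append(PolicyChange(head["category"], head["id"], head["text"],
                                    head["effect"], allowed, roles or "none",
                                    changed, cm["op"], cm["what"], previous))
    return records


def identity_report(records: List[PolicyChange]):
    """(id, effect, role, deprecated) for definitions that act on resources.
    Deprecating a definition does not remove existing assignments, so a
    deprecated entry keeps its identity and role until the assignment is deleted."""
    return [(r.id, r.effect, r.roles, r.deprecated) for r in records if r.needs_identity]


if __name__ == "__main__":
    for rid, effect, role, old in identity_report(parse_changes(SAMPLE)):
        print(f"{rid}  {effect:<18} {role:<26} {'DEPRECATED' if old else ''}")
```

Run it against the whole log (pasted into SAMPLE or read from a file) to get the list of definitions to check in a subscription: for each deprecated entry in the report, look for an assignment of that id and, once its replacement is assigned, delete the assignment so the Contributor grant on its managed identity goes with it.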
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-06-22 16:06:25
change: DisplayName
previous DisplayName: Deploy Dependency agent for Linux VMs
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy Dependency agent for Windows virtual machines Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: deployIfNotExists Log Analytics Contributor
2020-06-22 16:06:25
change: DisplayName
previous DisplayName: Deploy Dependency agent for Windows VMs
Network f6b68e5a-7207-4638-a1fb-47d90404209e [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-06-11 19:46:04
add: Policy
Network be7ed5c8-2660-4136-8216-e6f3412ba909 [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Deny
Allowed: (Audit,Deny,Disabled)
none
2020-06-11 19:46:04
add: Policy
Guest Configuration ba12366f-f9a6-42b8-9d98-157d0b1a837b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 Cognitive Services accounts should enable data encryption This policy audits any Cognitive Services account not using data encryption. Each Cognitive Services account with storage should enable data encryption with either a customer-managed or a Microsoft-managed key. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 21e2995e-683e-497a-9e81-2f42ad07050a [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration bc87d811-4a9b-47cc-ae54-0a41abda7768 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration 2d60d3b7-aa10-454c-88a8-de39d99d17c6 [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration 16390df4-2f73-4b42-af13-c801066763df [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration f48b2913-1dc5-4834-8c72-ccc1dfd819bb [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration 5aa11bbc-5c76-4302-80e5-aba46a4282e7 [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration 356a906e-05e5-4625-8729-90771e0ee934 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration ddb53c61-9db4-41d4-a953-2abff5b66c12 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration 7229bd6a-693d-478a-87f0-1dc1af06f3b8 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration 8bbd627e-4d25-4906-9a6e-3789780af3ec [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration 29829ec2-489d-4925-81b7-bda06b1718e0 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration c961dac9-5916-42e8-8fb1-703148323994 [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration 9178b430-2295-406e-bb28-f6a7a2a2f897 [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration 620e58b5-ac75-49b4-993f-a9d4f0459636 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration 30040dab-4e75-4456-8273-14b8f75d91d9 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration 24dde96d-f0b1-425e-884f-4a1421e2dcdc [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration 87b590fe-4a1d-4697-ae74-d4fe72ab786c [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage This policy audits any Cognitive Services account not using customer owned storage. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Security Center bb91dfba-c30d-4263-9add-9c2384e659a6 Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-09 16:25:53
add: Policy
Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 Cognitive Services accounts should use customer owned storage or enable data encryption. This policy audits any Cognitive Services account using neither customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration 5aebc8d1-020d-4037-89a0-02043a7524ec [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Audit Linux machines that are not using SSH key for authentication Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration fcbc55c9-f25a-4e55-a6cb-33acb3be778b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration b872a447-cc6f-43b9-bccf-45703cd81607 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration a9a33475-481d-4b81-9116-0bf02ffe67e8 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Kubernetes 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 [Preview]: Deploy GitOps to Kubernetes cluster This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. Fixed: DeployIfNotExists Contributor
2020-06-09 16:25:53
add: Policy
Guest Configuration 60aeaf73-a074-417a-905f-7ce9df0ff77b [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration e3a77a94-cf41-4ee8-b45c-98be28841c03 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration f3b9ad83-000d-4dc1-bff0-6d54533dd03f [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration 8a39d1f1-5513-4628-b261-f469a5a3341b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration b3802d79-dd88-4bce-b81d-780218e48280 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration c8abcef9-fc26-482f-b8db-5fa60ee4586d [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration 225e937e-d32e-4713-ab74-13ce95b3519a [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration a1e8dda3-9fd2-4835-aec3-0e55531fde33 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration 7066131b-61a6-4917-a7e4-72e8983f0aa6 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration 23020aa6-1135-4be2-bae2-149982b06eca [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration f4b245d4-46c9-42be-9b1a-49e2b5b94194 [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration 106ccbe4-a791-4f33-a44a-06796944b8d5 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration 5c028d2a-1889-45f6-b821-31f42711ced8 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configuration 9328f27e-611e-44a7-a244-39109d7d35ab [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration a030a57e-4639-4e8f-ade9-a92f33afe7ee [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration cdbf72d9-ac9c-4026-8a3a-491a5ac59293 [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Public network access should be disabled for Cognitive Services accounts This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration 7e84ba44-6d03-46fd-950e-5efa5a1112fa [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration dd4680ed-0559-4a6a-ad10-081d14cbb484 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration 7227ebe5-9ff7-47ab-b823-171cd02fb90f [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
SignalR 53503636-bcc9-4748-9663-5348217f160f Azure SignalR Service should use private links Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. Default: Audit
Allowed: (Audit,Disabled)
none
2020-06-09 16:25:53
add: Policy
Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration 02a84be7-c304-421f-9bb7-5d2c26af54ad [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-06-09 16:25:53
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Security Center a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: DisplayName
previous DisplayName: DDoS Protection Standard should be enabled
SQL 1b7aa243-30e4-4c9e-bca8-d0d3022b634a Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: DisplayName
previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances
SQL abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: DisplayName
previous DisplayName: Advanced data security should be enabled on your SQL managed instances
Security Center 47a6b606-51aa-4496-8bb7-64b11cf66adc Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: DisplayName
previous DisplayName: Adaptive Application Controls should be enabled on virtual machines
Kubernetes service d011d9f7-ba32-4005-b727-b3d09371ca60 [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS
Security Center b0f33259-77d7-4c9e-aac6-3aabcfae693c Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: Just-In-Time network access control should be applied on virtual machines
Kubernetes service 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 [Deprecated]: Do not allow privileged containers in AKS This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS
Kubernetes service 0f636243-1b1c-4d50-880f-310f6199f2cb [Deprecated]: Ensure containers listen only on allowed ports in AKS This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS
Kubernetes service 25dee3db-6ce0-4c02-ab5d-245887b24077 [Deprecated]: Ensure services listen only on allowed ports in AKS This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS
Kubernetes service 16c6ca72-89d2-4798-b87e-496f9de7fcb7 [Deprecated]: Enforce labels on pods in AKS This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS
Kubernetes service 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 [Deprecated]: Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS
Kubernetes service a2d3ed81-8d11-4079-80a5-1faadc0024f4 [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS
Security Center bd352bd5-2853-4985-bf0d-73806b4a5744 IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled
Kubernetes service a74d8f00-2fd9-4ce4-968e-0ee1eb821698 [Deprecated]: Enforce internal load balancers in AKS This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS
Cache 22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: Only secure connections to your Redis Cache should be enabled
Kubernetes service 5f86cb6e-c4da-441b-807c-44bd0cc14e66 [Deprecated]: Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2020-06-01 18:36:18
change: DisplayName
previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-29 15:39:09
add: Policy
Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private links Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
change: DisplayName
previous DisplayName: [Preview]: Container Registries should use private links
Cognitive Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-05-29 15:39:09
add: Policy
Event Grid 9830b652-8523-49cc-b1b3-e17dce1127ca Azure Event Grid domains should use private links Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
add: Policy
Cosmos DB 4750c32b-89c0-46af-bfcb-2e4541a818d5 Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed: append none
2020-05-29 15:39:09
add: Policy
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-29 15:39:09
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc
Event Grid 4b90e17e-8448-49db-875e-bd83fb6f804f Azure Event Grid topics should use private links Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
add: Policy
Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key (CMK) Audit container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
change: DisplayName
previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK)
API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Virtual network on API Management services of the specified SKU should be enabled. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
add: Policy
Monitoring d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-05-29 15:39:09
add: Policy
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-29 15:39:09
add: Policy
Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
change: DisplayName
previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access
Security Center ffb6f416-7bd2-4488-8828-56585fef2be9 Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor
2020-05-29 15:39:09
add: Policy
Security Center 123a3936-f020-408a-ba0c-47873faf1534 Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-05-29 15:39:09
add: Policy
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Azure Security Center recommendations Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor
2020-05-29 15:39:09
add: Policy
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Azure Security Center alerts Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor
2020-05-29 15:39:09
add: Policy
Monitoring 842c54e8-c2f9-4d79-ae8d-38d8b8019373 [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-05-29 15:39:09
add: Policy
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Azure Security Center alerts and recommendations Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor
2020-05-29 15:39:09
add: Policy
Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default: deny
Allowed: (audit,deny,disabled)
none
2020-05-29 15:39:09
add: Policy
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 [Preview]: Deploy Dependency agent to Windows Azure Arc machines This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-29 15:39:09
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc
Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 Azure Cache for Redis should reside within a virtual network Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-05-21 16:06:38
add: Policy
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-21 16:06:38
add: Policy
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-05-13 05:56:52
add: Policy
Security Center 6df2fee6-a9ed-4fef-bced-e13be1b25f1c Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2020-05-13 05:56:52
add: Policy
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-05-13 05:56:52
add: Policy
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 [Preview]: Deploy Dependency agent to Windows Azure Arc machines This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-05-13 05:56:52
add: Policy
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-05-13 05:56:52
add: Policy
Security Center 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2020-05-13 05:56:52
add: Policy
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-05-13 05:56:52
add: Policy
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting,disabled)
none
2020-05-13 05:56:52
add: Policy
Compute cccc23c7-8427-4f53-ad12-b6a63eb452b3 Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Fixed: Deny none
2020-05-09 14:57:51
change: DisplayName
previous DisplayName: Allowed virtual machine SKUs
Storage 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-05-09 14:57:51
change: DisplayName
previous DisplayName: Audit unrestricted network access to storage accounts
SQL d9844e8a-1437-4aeb-a32c-0c992f056095 Public network access should be disabled for MySQL servers This policy audits MySQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120014. Default: Audit
Allowed: (Audit,Disabled)
none
2020-04-28 14:50:57
add: Policy
SQL fdccbe47-f3e3-4213-ad5d-ea459b2fa077 Public network access should be disabled for MariaDB servers This policy audits MariaDB servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2119542. Default: Audit
Allowed: (Audit,Disabled)
none
2020-04-28 14:50:57
add: Policy
Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private links Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit,Disabled)
none
2020-04-28 14:50:57
add: Policy
SQL 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 Bring your own key data protection should be enabled for MySQL servers This policy audits MySQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/mysqlbyok. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-04-28 14:50:57
add: Policy
SQL 18adea5e-f416-4d0f-8aa8-d24321e3e274 Bring your own key data protection should be enabled for PostgreSQL servers This policy audits PostgreSQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/postgresqlbyok. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-04-28 14:50:57
add: Policy
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers This policy audits PostgreSQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120015. Default: Audit
Allowed: (Audit,Disabled)
none
2020-04-28 14:50:57
add: Policy
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Ensure services listen only on allowed ports in Kubernetes cluster This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Enforce labels on pods in Kubernetes cluster This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster
Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Do not allow privileged containers in Kubernetes cluster This policy does not allow privileged container creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc Ensure containers listen only on allowed ports in Kubernetes cluster This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Ensure only allowed container images in Kubernetes cluster This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Enforce internal load balancers in Kubernetes cluster This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2020-04-23 15:06:19
change: DisplayName
previous DisplayName: [Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster
Monitoring 053d3325-282c-4e5c-b944-24faffd30d77 Deploy Log Analytics agent for Linux VMs Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VMs
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor
Virtual Machine Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux Virtual Machine Scale Sets
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy Log Analytics agent for Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor
Virtual Machine Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows Virtual Machine Scale Sets
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Linux Virtual Machine Scale Sets
Monitoring 11ac78e3-31bc-4f0c-8434-37ab963cea07 Audit Dependency agent deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists none
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy Dependency agent for Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Windows Virtual Machine Scale Sets
Monitoring e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists none
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Audit Dependency Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy Dependency agent for Windows virtual machines Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: deployIfNotExists Log Analytics Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VMs
Monitoring f47b5582-33ec-4c5c-87c0-b010a6b2e917 Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. Fixed: audit none
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VMs
Monitoring 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists none
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy Log Analytics agent for Windows VMs Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: deployIfNotExists Log Analytics Contributor
2020-04-22 04:43:16
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VMs
Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-03-17 09:22:59
add: Policy
Guest Configuration 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-03-17 09:22:59
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled
Network fc5e4038-4584-4632-8c85-c0448d374b2c [Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-03-17 09:22:59
add: Policy
Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default: deny
Allowed: (deny,audit,disabled)
none
2020-03-17 09:22:59
add: Policy
Guest Configuration 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-03-17 09:22:59
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Audit Windows machines on which Windows Defender Exploit Guard is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-03-17 09:22:59
add: Policy
Tags 96670d01-0a4d-4649-9c89-2d3abc0a5025 Require a tag on resource groups Enforces existence of a tag on resource groups. Fixed: deny none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Require specified tag on resource groups
Tags 871b6d14-10aa-478d-b590-94f262ecfa99 Require a tag on resources Enforces existence of a tag. Does not apply to resource groups. Fixed: deny none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Require specified tag
Tags 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d Append a tag and its value from the resource group Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Append tag and its value from the resource group
Tags 2a0e14a6-b0a6-4fab-991a-187a4f81c498 Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Append tag and its default value
Tags 8ce3da23-7156-49e4-b145-24f95f9dcb46 Require a tag and its value on resource groups Enforces a required tag and its value on resource groups. Fixed: deny none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Require tag and its value on resource groups
Tags 1e30110a-5ceb-460c-a204-c1c3969c6d62 Require a tag and its value on resources Enforces a required tag and its value. Does not apply to resource groups. Fixed: deny none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Require tag and its value
Tags 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append none
2020-03-10 16:29:49
change: DisplayName
previous DisplayName: Append tag and its default value to resource groups
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy Log Analytics agent for Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor
Virtual Machine Contributor
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy Dependency agent for Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor
Virtual Machine Contributor
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)
Monitoring e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists none
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted
Monitoring 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists none
2020-02-29 21:43:10
change: DisplayName
previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted
SQL 0564d078-92f5-4f97-8398-b9f58a51f70b Private endpoint should be enabled for PostgreSQL servers This policy audits PostgreSQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/pgprivatelink. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
SQL 3c14b034-bcb6-4905-94e7-5b8e98a47b65 PostgreSQL server should use a virtual network service endpoint This policy audits PostgreSQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/postgresqlvnet. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
SQL dfbd9a64-6114-48de-a47d-90574dc2e489 MariaDB server should use a virtual network service endpoint This policy audits MariaDB servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mariadbvirtualnetwork. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
SQL 7595c971-233d-4bcf-bd18-596129188c49 Private endpoint should be enabled for MySQL servers This policy audits MySQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/mysqlprivatelink. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
SQL 3375856c-3824-4e0e-ae6a-79e011dd4c47 MySQL server should use a virtual network service endpoint This policy audits MySQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mysqlvnet. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
SQL 0a1302fb-a631-4106-9753-f3d494733990 Private endpoint should be enabled for MariaDB servers This policy audits MariaDB servers not configured to use a private endpoint. For more details, visit https://aka.ms/mariadbprivatelink. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-27 09:26:21
add: Policy
Security Center 1a833ff1-d297-4a0f-9944-888428f8e0ff [Deprecated]: Access to App Services should be restricted Azure Security Center has discovered that the networking configuration of some of your app services is overly permissive and allows inbound traffic from ranges that are too broad Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-25 11:29:35
change: DisplayName
previous DisplayName: [Preview]: Access to App Services should be restricted
Tags 40df99da-1232-49b1-a39a-6da8d878f469 Inherit a tag from the subscription if missing Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Fixed: modify Contributor
2020-02-20 08:25:18
add: Policy
Tags b27a0cbd-a167-4dfa-ae64-4337be671140 Inherit a tag from the subscription Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Fixed: modify Contributor
2020-02-20 08:25:18
add: Policy
Security Center 201ea587-7c90-41c3-910f-c280ae01cfd6 [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regard to the web application ports Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-20 08:25:18
change: DisplayName
previous DisplayName: Web ports should be restricted on Network Security Groups associated to your VM
Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit,Disabled)
none
2020-02-12 02:52:44
add: Policy
App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit,Disabled)
none
2020-02-12 02:52:44
add: Policy
Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key (CMK) Audit container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. Default: Audit
Allowed: (Audit,Disabled)
none
2020-02-12 02:52:44
add: Policy
App Configuration ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration should use a private link Private endpoint connections allow clients on a virtual network to securely access Azure App Configuration over a private link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-12 02:52:44
add: Policy
Backup c717fb0c-d118-4c43-ab3d-ece30ac81fb3 [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. Fixed: deployIfNotExists Monitoring Contributor
Log Analytics Contributor
2020-02-12 02:52:44
add: Policy
App Platform 0f2d8593-4667-4932-acca-6a9f187af109 [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Default: Audit
Allowed: (Audit,Disabled)
none
2020-02-12 02:52:44
add: Policy
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-02-08 03:50:24
change: DisplayName
previous DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Funtion app
Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists none
2020-02-08 03:50:24
change: DisplayName
previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2020-02-08 03:50:24
change: DisplayName
previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Monitoring 3b980d31-7904-4bb7-8575-5665739a8052 An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-29 21:53:30
add: Policy
Network e372f825-a257-4fb8-9175-797a8a8627d6 RDP access from the Internet should be blocked This policy audits any network security rule that allows RDP access from Internet Default: Audit
Allowed: (Audit,Disabled)
none
2020-01-29 21:53:30
add: Policy
Monitoring c5447c04-a4d7-4ba8-a263-c9ee321a6858 An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-29 21:53:30
add: Policy
Monitoring b954148f-4c11-4c38-8221-be76711e194a An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-29 21:53:30
add: Policy
Network 2c89a2e5-7285-40fe-afe0-ae8654b92fab SSH access from the Internet should be blocked This policy audits any network security rule that allows SSH access from Internet Default: Audit
Allowed: (Audit,Disabled)
none
2020-01-29 21:53:30
add: Policy
Security Center ac076320-ddcf-4066-b451-6154267e8ad2 Enable Azure Security Center on your subscription Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. Fixed: deployIfNotExists Security Admin
2020-01-29 21:53:30
add: Policy
Security Center af8051bf-258b-44e2-a2bf-165330459f9d [Deprecated]: Monitor unaudited SQL servers in Azure Security Center SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-29 05:56:46
change: DisplayName
previous DisplayName: [Deprecated] Monitor unaudited SQL servers in Azure Security Center
Security Center a8bef009-a5c9-4d0f-90d7-6018734e8a16 [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Transparent Data Encryption on SQL databases should be enabled' Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-29 05:56:46
change: DisplayName
previous DisplayName: [Deprecated] Monitor unencrypted SQL databases in Azure Security Center
Security Center 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-10 16:39:23
change: DisplayName
previous DisplayName: Network Security Group Rules for Internet facing virtual machines should be hardened
SQL a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-10 16:39:23
change: DisplayName
previous DisplayName: Auditing should be enabled on advanced data security settings on SQL Server
Security Center f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-10 16:39:23
change: DisplayName
previous DisplayName: Virtual machines should be associated with a Network Security Group
Security Center 201ea587-7c90-41c3-910f-c280ae01cfd6 [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
none
2020-01-10 16:39:23
change: DisplayName
previous DisplayName: The NSGs rules for web applications on IaaS should be hardened
Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Components'
Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor
2019-12-17 15:43:46
change: DisplayName
previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Accounts'
Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: Policy
App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Authentication should be enabled on your Function app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: Policy
Monitoring fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 Storage account containing the container with activity logs must be encrypted with BYOK This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: Policy
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed: deployIfNotExists Contributor
2019-12-11 09:18:30
change: DisplayName
previous DisplayName: Configure time zone on Windows machines.
App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc Authentication should be enabled on your web app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: Policy
App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: Policy
Monitoring 04c4380f-3fae-46e8-96c9-30193528f602 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-27 16:06:41
add: Policy
Monitoring 2f2ee1de-44aa-4762-b6bd-0893fc3f306d [Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-27 16:06:41
add: Policy
Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f [Preview]: Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should have the specified key types
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 [Preview]: Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should not expire in the specified number of days
Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 [Preview]: Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 [Preview]: Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should be issued by an approved custom Certificate Authority provider
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on VMs of a location to an existing central Vault in the same location This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images. Default: deployIfNotExists
Allowed: (deployIfNotExists,auditIfNotExists,disabled)
Virtual Machine Contributor
Backup Contributor
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: Deploy prerequisites to backup VMs of a location to an existing central Vault in the same location
Key Vault cee51871-e572-4576-855c-047c820360f0 [Preview]: Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large
Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 [Preview]: Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 [Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: DisplayName
previous DisplayName: [Preview]: Certificates should not have a lengthy validity period
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
Kubernetes service 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 [Deprecated]: Do not allow privileged containers in AKS This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Do not allow privileged containers in AKS
Kubernetes service 16c6ca72-89d2-4798-b87e-496f9de7fcb7 [Deprecated]: Enforce labels on pods in AKS This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Enforce labels on pods in AKS
App Service 7261b898-8a84-4db8-9e04-18527132abb3 Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Ensure that 'HTTP Version' is the latest, if used to run the Function app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae Ensure that 'HTTP Version' is the latest, if used to run the Web app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
Kubernetes service a74d8f00-2fd9-4ce4-968e-0ee1eb821698 [Deprecated]: Enforce internal load balancers in AKS This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Enforce internal load balancers in AKS
App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db Ensure that 'HTTP Version' is the latest, if used to run the Api app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 58d94fc1-a072-47c2-bd37-9cdb38e77453 [Deprecated]: Ensure Function app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: Ensure Function app is using the latest version of TLS encryption
App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba Ensure that 'PHP version' is the latest, if used as a part of the Api app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 6ad61431-88ce-4357-a0e1-6da43f292bd7 [Deprecated]: Ensure WEB app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: Ensure WEB app is using the latest version of TLS encryption
Kubernetes service d011d9f7-ba32-4005-b727-b3d09371ca60 [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Enforce unique ingress hostnames across namespaces in AKS
Kubernetes service 0f636243-1b1c-4d50-880f-310f6199f2cb [Deprecated]: Ensure containers listen only on allowed ports in AKS This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
Kubernetes service 25dee3db-6ce0-4c02-ab5d-245887b24077 [Deprecated]: Ensure services listen only on allowed ports in AKS This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS
App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 Ensure that 'Java version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
Kubernetes service 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 [Deprecated]: Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Enforce HTTPS ingress in AKS
Kubernetes service a2d3ed81-8d11-4079-80a5-1faadc0024f4 [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Ensure CPU and memory resource limits defined on containers in AKS
App Service e567365d-4228-430f-ac39-7d5d46e617ac Ensure API app is using the latest version of TLS encryption The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Fixed: n/a
2019-11-12 19:11:12
remove: Policy
Kubernetes service 5f86cb6e-c4da-441b-807c-44bd0cc14e66 [Deprecated]: Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: DisplayName
previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS
App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 Ensure that 'Python version' is the latest, if used as a part of the Api app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: Policy
Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf [Preview]: Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-02 10:12:34
add: Policy
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b Latest TLS version should be used in your Web App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef Managed identity should be used in your API App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring 4daddf25-4823-43d4-88eb-2419eb6dcc08 Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics account that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e Latest TLS version should be used in your API App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Lighthouse 76bed37b-484f-430f-a009-fd7592dff818 Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics job that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Enforce labels on pods in Kubernetes cluster This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring ef7b61ef-b8e4-4c91-8e78-6946c6b0023f Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Ensure services listen only on allowed ports in Kubernetes cluster This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b FTPS should be required in your Web App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Latest TLS version should be used in your Function App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
App Service 399b2637-a50f-4f95-96f8-3a145476eb15 FTPS only should be required in your Function App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc Ensure containers listen only on allowed ports in Kubernetes cluster This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
SQL 48af4db5-9b8b-401c-8e74-076be876a430 Geo-redundant backup should be enabled for Azure Database for PostgreSQL This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: Policy
Custom Provider c15c281f-ea5c-44cd-90b8-fc3c14d13f0c Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor
2019-10-29 23:04:36
add: Policy
Monitoring bef3f64c-5290-43b7-85b0-9b254eef4c47 Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2019-10-29 23:04:36
add: Policy
Monitoring b889a06c-ec72-4b03-910a-cb169ee18721 Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic App that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Monitoring 25763a0a-5783-4f14-969e-79d4933eb74b Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 account that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Managed Application 17763ad9-70c0-4794-9397-53d765932634 Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor
2019-10-29 23:04:36
add: Policy
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Do not allow privileged containers in Kubernetes cluster This policy does not allow privileged containers creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor
2019-10-29 23:04:36
add: Policy
Monitoring 6b51af03-9277-49a9-a3f8-1c69c9ff7403 Deploy Diagnostic Settings for Service Bus to Event Hub Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
SQL 82339799-d096-41ae-8538-b108becf0970 Geo-redundant backup should be enabled for Azure Database for MySQL This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
Monitoring edf3780c-3d70-40fe-b17e-ab72013dafca Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Ensure only allowed container images in Kubernetes cluster This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
SQL 0ec47710-77ff-4a3d-9181-6aa50af424d0 Geo-redundant backup should be enabled for Azure Database for MariaDB This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: Policy
Storage bf045164-79ba-4215-8f95-f8048dc1780b Geo-redundant storage should be enabled for Storage Accounts This policy audits any Storage Account with geo-redundant storage not enabled. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring db51110f-0865-4a6e-b274-e2e07a5b2cd7 Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
e567365d-4228-430f-ac39-7d5d46e617ac Fixed: none
2019-10-29 23:04:36
add: Policy
Monitoring a1dae6c7-13f3-48ea-a149-ff8442661f60 Deploy Diagnostic Settings for Logic Apps to Event Hub Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
Monitoring 3d5da587-71bd-41f5-ac95-dd3330c2d58d Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
SQL d38fc420-0735-4ef3-ac11-c806f651a570 Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring e8d096bc-85de-4c5f-8cfb-857bd1b9d62d Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: Policy
App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Managed identity should be used in your Function App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 FTPS only should be required in your API App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Monitoring 08ba64b8-738f-4918-9686-730d2ed79c7d Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: Policy
App Service 2b9ad585-36bc-4615-b300-fd4435808332 Managed identity should be used in your Web App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: Policy
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Enforce internal load balancers in Kubernetes cluster This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: Policy
SQL 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf [Deprecated]: Require SQL Server version 12.0 This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. Fixed: Deny none
2019-10-29 21:52:54
change: DisplayName
previous DisplayName: Require SQL Server version 12.0
Network c4857be7-912a-4c75-87e6-e30292bcdf78 [Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service should use a virtual network service endpoint This policy audits any App Service not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network d416745a-506c-48b6-8ab1-83cb814bcaa3 Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network ea4d6841-2173-4317-9747-ff522a45120f Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network 235359c5-7c52-4b82-9055-01c75cf9f60e Service Bus should use a virtual network service endpoint This policy audits any Service Bus not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network ae5d2f14-d830-42b6-9899-df6cfe9c71a3 SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network f1776c76-f58c-4245-a8d0-2b207198dc8b Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network d63edb4a-c612-454d-b47d-191a724fcbf0 Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Monitoring efbde977-ba53-4479-b8e9-10b957924fbf The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Monitoring a70ca396-0a34-413a-88e1-b956c1e683be The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: Policy
Network e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: Policy
General c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 [Deprecated]: Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in Asia data centers
SQL 06a78e20-9358-41c9-923c-fb736d382a12 [Deprecated]: Audit SQL DB Level Audit Setting Audit DB level audit setting for SQL databases Fixed: AuditIfNotExists none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Audit SQL DB Level Audit Setting
General e01598e8-6538-41ed-95e8-8b29746cd697 [Deprecated]: Allow resource creation only in Japan data centers Allows resource creation in the following locations only: Japan East, Japan West Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in Japan data centers
General 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 [Deprecated]: Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in India data centers
General 983211ba-f348-4758-983b-21fa29294869 [Deprecated]: Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in United States data centers
Security Center abcc6037-1fc4-47f6-aac5-89706589be24 [Deprecated]: Automatic provisioning of security monitoring agent Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. Fixed: AuditIfNotExists none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Automatic provisioning of security monitoring agent
General 94c19f19-8192-48cd-a11b-e37099d3e36b [Deprecated]: Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in European data centers
Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed: deployIfNotExists Log Analytics Contributor
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Deploy default Log Analytics Agent for Ubuntu VMs
Tags ac7e5fc0-c029-4b12-91d4-a8500ce697f9 [Deprecated]: Allow resource creation if 'environment' tag value in allowed values Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation if 'environment' tag value in allowed values
Tags cd8dc879-a2ae-43c3-8211-1877c5755064 [Deprecated]: Allow resource creation if 'department' tag set Allows resource creation only if the 'department' tag is set Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation if 'department' tag set
General 6fdb9205-3462-4cfc-87d8-16c7860b53f4 [Deprecated]: Allow resource creation only in Japan data centers Allows resource creation in the following locations only: Japan East, Japan West Fixed: Deny none
2019-10-08 15:55:12
change: DisplayName
previous DisplayName: Allow resource creation only in Japan data centers
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 Log duration should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: Policy
SQL 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: Policy
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 Disconnections should be logged for PostgreSQL database servers. This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: Policy
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 Log connections should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: Policy
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d Log checkpoints should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: Policy