last sync: 2020-Nov-30 15:25:09 UTC

Azure Policy Initiative

[Preview]: Windows machines should meet requirements for the Azure security baseline

Name: [Preview]: Windows machines should meet requirements for the Azure security baseline
Id: be7a78aa-3e10-4153-a5fd-8c6506dbc821
Version: 2.0.0-preview
Category: Guest Configuration
Description: This initiative audits Windows machines with settings that do not meet the Azure security baseline. For details, please visit https://aka.ms/gcpol
Type: BuiltIn
Deprecated: False
Preview: True
History (Date/Time in UTC, ymd):
2020-08-21 13:50:30  add Initiative be7a78aa-3e10-4153-a5fd-8c6506dbc821

Policy count: 29 total (29 built-in, 0 static)
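Assigning this initiative from PowerShell, as an added example that is not code from this page or from Microsoft: it looks the built-in definition up by the Id above, overrides a few of the String-typed parameters, forces an evaluation and lists the non-compliant results per member policy. It assumes the Az.Resources module (parameter names as in the 6.x releases; newer releases accept the initiative through -PolicyDefinition instead of -PolicySetDefinition) and Az.PolicyInsights, plus a signed-in session; the subscription id, resource group and assignment name are placeholders.

```powershell
# Added example, not code from the page or from Microsoft. Assumes Az.Resources
# (parameter names as in the 6.x releases; newer releases accept the initiative
# via -PolicyDefinition instead of -PolicySetDefinition) and Az.PolicyInsights,
# plus an existing Connect-AzAccount session. Ids and names below are placeholders.
#Requires -Modules Az.Resources, Az.PolicyInsights

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-windows-prod'                          # placeholder
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Built-in definitions are addressed by their GUID name; this is the initiative Id shown above.
$initiative = Get-AzPolicySetDefinition -Name 'be7a78aa-3e10-4153-a5fd-8c6506dbc821'

# Override only what should differ from the page defaults. Every parameter of this
# initiative is typed String, so numbers, ranges and audit settings are passed as strings.
$parameters = @{
    IncludeArcMachines      = 'false'     # 'true' adds Arc-connected servers and is billed per machine
    MaximumPasswordAge      = '1,60'      # inclusive range, tighter than the page default '1,70'
    AuditProcessTermination = 'Success'   # page default is 'No Auditing'; process-exit events help IR timelines
}

$assignment = New-AzPolicyAssignment `
    -Name 'win-azure-security-baseline' `
    -DisplayName 'Windows machines: Azure security baseline (audit only)' `
    -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject $parameters

# Every member policy uses AuditIfNotExists: findings are reported, nothing on the
# machine is changed. Guest Configuration evaluation also needs the Guest Configuration
# extension and a system-assigned managed identity on each VM (the prerequisites
# initiative linked from https://aka.ms/gcpol); without them a machine cannot be evaluated.

# Evaluation runs on a schedule; force one now for the scope, then pull per-resource results.
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroup

# PolicyDefinitionReferenceId identifies the member policy (for example the
# 'Security Options - Network Security' one) that produced the finding.
Get-AzPolicyState -ResourceGroupName $resourceGroup `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object Timestamp, ResourceId, PolicyDefinitionReferenceId, ComplianceState |
    Format-Table -AutoSize
```

Because the effect is audit-only, a non-compliant row here is a finding to remediate through your configuration management (Group Policy, DSC, image build), not something the assignment will fix for you.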
Policies used

All 29 member policies share the same Category (Guest Configuration), Effect (Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled) and State (GA).

Policy DisplayName | Policy Id
Windows machines should meet requirements for 'Administrative Templates - Control Panel' | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | e0a7e899-2ce2-4253-8a13-d808fdeb75af
Windows machines should meet requirements for 'Administrative Templates - Network' | 67e010c1-640d-438e-a3a5-feaccb533a98
Windows machines should meet requirements for 'Administrative Templates - System' | 968410dc-5ca0-4518-8a5b-7b55f0530ea9
Windows machines should meet requirements for 'Security Options - Accounts' | ee984370-154a-4ee8-9726-19d900e56fc0
Windows machines should meet requirements for 'Security Options - Audit' | 33936777-f2ac-45aa-82ec-07958ec9ade4
Windows machines should meet requirements for 'Security Options - Devices' | 8794ff4f-1a35-4e18-938f-0b22055067cd
Windows machines should meet requirements for 'Security Options - Interactive Logon' | d472d2c9-d6a3-4500-9f5f-b15f123005aa
Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | d6c69680-54f0-4349-af10-94dd05f4225e
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | caf2d518-f029-4f6b-833b-d7081702f253
Windows machines should meet requirements for 'Security Options - Network Access' | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Windows machines should meet requirements for 'Security Options - Network Security' | 1221c620-d201-468c-81e7-2817e6107e84
Windows machines should meet requirements for 'Security Options - Recovery console' | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
Windows machines should meet requirements for 'Security Options - Shutdown' | b4a4d1eb-0263-441b-84cb-a44073d8372d
Windows machines should meet requirements for 'Security Options - System objects' | 2f262ace-812a-4fd0-b731-b38ba9e9708d
Windows machines should meet requirements for 'Security Options - System settings' | 12017595-5a75-4bb1-9d97-4c2c939ea3c3
Windows machines should meet requirements for 'Security Options - User Account Control' | 492a29ed-d143-4f03-b6a4-705ce081b463
Windows machines should meet requirements for 'Security Settings - Account Policies' | f2143251-70de-4e81-87a8-36cee5a2f29d
Windows machines should meet requirements for 'System Audit Policies - Account Logon' | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
Windows machines should meet requirements for 'System Audit Policies - Account Management' | 94d9aca8-3757-46df-aa51-f218c5f11954
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 58383b73-94a9-4414-b382-4146eb02611b
Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | 19be9779-c776-4dfa-8a15-a2fd5dc843d6
Windows machines should meet requirements for 'System Audit Policies - Object Access' | 35781875-8026-4628-b19b-f6efb4d88a1d
Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 87845465-c458-45f3-af66-dcd62176f397
Windows machines should meet requirements for 'System Audit Policies - System' | 8316fa92-d69c-4810-8124-62414f560dcf
Windows machines should meet requirements for 'User Rights Assignment' | e068b215-0026-4354-b347-8fb2766f73a2
Windows machines should meet requirements for 'Windows Components' | 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Windows machines should meet requirements for 'Windows Firewall Properties' | 35d9882c-993d-44e6-87d2-db66ce21b636
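A local pre-flight check, added here as an example and not part of this page or of the policy's own evaluation: run as Administrator on a Windows host, it compares the live configuration with the defaults in the parameters section of the JSON definition that follows (registry-backed settings, the account-policy ranges such as '1,70', the '|#|'-delimited registry path list, and the audit subcategories). The registry locations, secedit keys and auditpol subcategories used are the standard ones for the Group Policy settings with the same names as the initiative parameters; that mapping is this script's assumption, and the Guest Configuration agent, not this script, is what the policy actually evaluates.

```powershell
# Added example, not part of the page or of the policy's own evaluation. Run as
# Administrator on a Windows host. The registry locations, secedit keys and auditpol
# subcategories are the standard ones for the Group Policy settings with the same
# names as the initiative parameters; that mapping is this script's assumption.
#Requires -RunAsAdministrator

# Initiative parameter -> registry value and the data expected at the page default.
# TurnOffMulticastNameResolution = '1' corresponds to EnableMulticast = 0, hence explicit Expected values.
$registryChecks = @(
    @{ Parameter = 'EnableInsecureGuestLogons';           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';           Name = 'AllowInsecureGuestAuth';   Expected = 0 }
    @{ Parameter = 'TurnOffMulticastNameResolution';      Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                Name = 'EnableMulticast';          Expected = 0 }
    @{ Parameter = 'BootStartDriverInitializationPolicy'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EarlyLaunch';                 Name = 'DriverLoadPolicy';         Expected = 3 }
    @{ Parameter = 'MicrosoftNetworkClientDigitallySignCommunicationsAlways';              Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Parameter = 'MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';  Expected = 0 }
    @{ Parameter = 'MicrosoftNetworkServerDigitallySignCommunicationsAlways';              Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Parameter = 'NetworkSecurityLANManagerAuthenticationLevel';                         Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';     Expected = 5 }
    @{ Parameter = 'NetworkSecurityLDAPClientSigningRequirements';                         Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Name = 'LDAPClientIntegrity';      Expected = 1 }
    @{ Parameter = 'NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinClientSec'; Expected = 537395200 }  # 0x20080000: NTLMv2 session security + 128-bit
    @{ Parameter = 'NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinServerSec'; Expected = 537395200 }
    @{ Parameter = 'NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'; Name = 'SupportedEncryptionTypes'; Expected = 2147483644 }  # 0x7FFFFFFC: DES_CBC_CRC and DES_CBC_MD5 bits cleared
    @{ Parameter = 'UACAdminApprovalModeForTheBuiltinAdministratorAccount';               Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'FilterAdministratorToken'; Expected = 1 }
    @{ Parameter = 'UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
    @{ Parameter = 'UACRunAllAdministratorsInAdminApprovalMode';                          Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'EnableLUA';                Expected = 1 }
)

$results = @(foreach ($c in $registryChecks) {
    # A missing value means "not configured": Windows then applies its own default, which may not match the baseline.
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Parameter = $c.Parameter; Expected = $c.Expected; Actual = $actual; Compliant = ($actual -eq $c.Expected) }
})

# Remotely accessible registry paths: the page joins entries with '|#|'; the live value is a REG_MULTI_SZ.
# Registry paths are case-insensitive, so compare as lower-cased sets.
function Test-SameSet([string[]]$Expected, [string[]]$Actual) {
    $e = @($Expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $a = @($Actual | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    return ($e -join "`n") -eq ($a -join "`n")
}
$expectedExact = 'System\CurrentControlSet\Control\ProductOptions|#|System\CurrentControlSet\Control\Server Applications|#|Software\Microsoft\Windows NT\CurrentVersion' -split '\|#\|'
$actualExact   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' -Name Machine -ErrorAction SilentlyContinue).Machine
$results += [pscustomobject]@{ Parameter = 'NetworkAccessRemotelyAccessibleRegistryPaths'; Expected = ($expectedExact -join '; '); Actual = (@($actualExact) -join '; '); Compliant = (Test-SameSet $expectedExact $actualExact) }

# Account policy lives in the [System Access] section of a secedit export (a UTF-16 .inf).
$inf = Join-Path $env:TEMP 'baseline-check.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null
$sysAccess = @{}; $section = ''
switch -Regex -File $inf {
    '^\[(.+)\]\s*$'             { $section = $matches[1] }
    '^\s*(\S+)\s*=\s*(.*?)\s*$' { if ($section -eq 'System Access') { $sysAccess[$matches[1]] = $matches[2] } }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Values written as 'lo,hi' on the page denote an inclusive range; secedit reports -1 for "never expires", which fails the check.
function Test-InRange([string]$Range, [int]$Value) {
    $lo, $hi = ($Range -split ',') | ForEach-Object { [int]$_ }
    return ($Value -ge $lo -and $Value -le $hi)
}
$results += [pscustomobject]@{ Parameter = 'MaximumPasswordAge';    Expected = '1,70'; Actual = $sysAccess['MaximumPasswordAge'];    Compliant = (Test-InRange '1,70' ([int]$sysAccess['MaximumPasswordAge'])) }
$results += [pscustomobject]@{ Parameter = 'MinimumPasswordLength'; Expected = 14;     Actual = $sysAccess['MinimumPasswordLength']; Compliant = ([int]$sysAccess['MinimumPasswordLength'] -ge 14) }  # treated as a floor (assumption)
$results += [pscustomobject]@{ Parameter = 'PasswordMustMeetComplexityRequirements'; Expected = 1; Actual = $sysAccess['PasswordComplexity']; Compliant = ([int]$sysAccess['PasswordComplexity'] -eq 1) }

# auditpol /r emits CSV whose 'Inclusion Setting' column uses the page's exact wording
# ('No Auditing', 'Success', 'Failure', 'Success and Failure').
$auditChecks = @{ 'Credential Validation' = 'Success and Failure'; 'Group Membership' = 'Success'; 'Authentication Policy Change' = 'Success' }
foreach ($sub in $auditChecks.Keys) {
    $row = auditpol.exe /get /subcategory:"$sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $results += [pscustomobject]@{ Parameter = "Audit $sub"; Expected = $auditChecks[$sub]; Actual = $row.'Inclusion Setting'; Compliant = ($row.'Inclusion Setting' -eq $auditChecks[$sub]) }
}

$results | Format-Table Parameter, Expected, Actual, Compliant -AutoSize
# Non-zero exit lets this gate an image build or a pilot before the initiative is assigned.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

The check deliberately treats an absent registry value as a failure rather than as "whatever Windows defaults to": the baseline audits the effective setting, and a value that is merely not configured can be flipped by any later GPO or installer without anything in the image having changed.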
Json
{
  "properties": {
  "displayName": "[Preview]: Windows machines should meet requirements for the Azure security baseline",
    "policyType": "BuiltIn",
    "description": "This initiative audits Windows machines with settings that do not meet the Azure security baseline. For details, please visit https://aka.ms/gcpol",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Guest Configuration",
      "preview": true
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnableInsecureGuestLogons": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Enable insecure guest logons",
          "description": "Specifies whether the SMB client will allow insecure guest logons to an SMB server."
        },
        "defaultValue": "0"
      },
      "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Allow simultaneous connections to the Internet or a Windows Domain",
          "description": "Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them."
        },
        "defaultValue": "1"
      },
      "TurnOffMulticastNameResolution": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Turn off multicast name resolution",
          "description": "Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled."
        },
        "defaultValue": "1"
      },
      "AlwaysUseClassicLogon": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Always use classic logon",
          "description": "Specifies whether to force the user to log on to the computer using the classic logon screen. This setting only works when the computer is not on a domain."
        },
        "defaultValue": "0"
      },
      "BootStartDriverInitializationPolicy": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Boot-Start Driver Initialization Policy",
          "description": "Specifies which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver."
        },
        "defaultValue": "3"
      },
      "EnableWindowsNTPClient": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Enable Windows NTP Client",
          "description": "Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers."
        },
        "defaultValue": "1"
      },
      "TurnOnConveniencePINSignin": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Turn on convenience PIN sign-in",
          "description": "Specifies whether a domain user can sign in using a convenience PIN."
        },
        "defaultValue": "0"
      },
      "AccountsGuestAccountStatus": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Accounts: Guest account status",
          "description": "Specifies whether the local Guest account is disabled."
        },
        "defaultValue": "0"
      },
      "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit: Shut down system immediately if unable to log security audits",
          "description": "Audits if the system will shut down when unable to log Security events."
        },
        "defaultValue": "0"
      },
      "DevicesAllowedToFormatAndEjectRemovableMedia": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Devices: Allowed to format and eject removable media",
          "description": "Specifies who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "NetworkAccessRemotelyAccessibleRegistryPaths": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network access: Remotely accessible registry paths",
          "description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
      },
      "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network access: Remotely accessible registry paths and sub-paths",
          "description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
        },
        "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
      },
      "NetworkAccessSharesThatCanBeAccessedAnonymously": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network access: Shares that can be accessed anonymously",
          "description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
        },
        "defaultValue": "0"
      },
      "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network Security: Configure encryption types allowed for Kerberos",
          "description": "Specifies the encryption types that Kerberos is allowed to use."
        },
        "defaultValue": "2147483644"
      },
      "NetworkSecurityLANManagerAuthenticationLevel": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network security: LAN Manager authentication level",
          "description": "Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers."
        },
        "defaultValue": "5"
      },
      "NetworkSecurityLDAPClientSigningRequirements": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network security: LDAP client signing requirements",
          "description": "Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests."
        },
        "defaultValue": "1"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",
          "description": "Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers for more information."
        },
        "defaultValue": "537395200"
      },
      "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",
          "description": "Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services."
        },
        "defaultValue": "537395200"
      },
      "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Recovery console: Allow floppy copy and access to all drives and all folders",
          "description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
        },
        "defaultValue": "0"
      },
      "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Shutdown: Allow system to be shut down without having to log on",
          "description": "Specifies whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen."
        },
        "defaultValue": "0"
      },
      "ShutdownClearVirtualMemoryPagefile": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Shutdown: Clear virtual memory pagefile",
          "description": "Specifies whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. For systems with large amounts of RAM, this could result in substantial time needed to complete the shutdown."
        },
        "defaultValue": "0"
      },
      "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
          "description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
        },
        "defaultValue": "1"
      },
      "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: UAC: Admin Approval Mode for the Built-in Administrator account",
          "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
        },
        "defaultValue": "1"
      },
      "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
          "description": "Specifies the behavior of the elevation prompt for administrators."
        },
        "defaultValue": "2"
      },
      "UACDetectApplicationInstallationsAndPromptForElevation": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: UAC: Detect application installations and prompt for elevation",
          "description": "Specifies the behavior of application installation detection for the computer."
        },
        "defaultValue": "1"
      },
      "UACRunAllAdministratorsInAdminApprovalMode": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: UAC: Run all administrators in Admin Approval Mode",
          "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
        },
        "defaultValue": "1"
      },
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of  user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      },
      "AuditCredentialValidation": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Credential Validation",
          "description": "Specifies whether audit events are generated when credentials are submitted for a user account logon request.  This setting is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success and Failure"
      },
      "AuditProcessTermination": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Process Termination",
          "description": "Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditGroupMembership": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Group Membership",
          "description": "Specifies whether audit events are generated when group memberships are enumerated on the client computer."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditDetailedFileShare": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Detailed File Share",
          "description": "If this policy setting is enabled, access to all shared files and folders on the system is audited. Auditing for Success can lead to very high volumes of events."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileShare": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit File Share",
          "description": "Specifies whether to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. Event volumes can be high on DCs and File Servers."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditFileSystem": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit File System",
          "description": "Specifies whether audit events are generated when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs)."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditAuthenticationPolicyChange": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Authentication Policy Change",
          "description": "Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "Success"
      },
      "AuditAuthorizationPolicyChange": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Authorization Policy Change",
          "description": "Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "AuditOtherSystemEvents": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Audit Other System Events",
          "description": "Specifies whether audit events are generated for Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures."
        },
        "allowedValues": [
          "No Auditing",
          "Success",
          "Failure",
          "Success and Failure"
        ],
        "defaultValue": "No Auditing"
      },
      "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may access this computer from the network",
          "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
        },
        "defaultValue": "Administrators, Authenticated Users"
      },
      "UsersOrGroupsThatMayLogOnLocally": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may log on locally",
          "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may log on through Remote Desktop Services",
          "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
        },
        "defaultValue": "Administrators, Remote Desktop Users"
      },
      "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that are denied access to this computer from the network",
          "description": "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network."
        },
        "defaultValue": "Guests"
      },
      "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may manage auditing and security log",
          "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may back up files and directories",
          "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersOrGroupsThatMayChangeTheSystemTime": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may change the system time",
          "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayChangeTheTimeZone": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may change the time zone",
          "description": "Specifies which users and groups are permitted to change the time zone of the computer."
        },
        "defaultValue": "Administrators, LOCAL SERVICE"
      },
      "UsersOrGroupsThatMayCreateATokenObject": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may create a token object",
          "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
        },
        "defaultValue": "No One"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that are denied logging on as a batch job",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that are denied logging on as a service",
          "description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLocalLogon": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that are denied local logon",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
        },
        "defaultValue": "Guests"
      },
      "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that are denied log on through Remote Desktop Services",
          "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
        },
        "defaultValue": "Guests"
      },
      "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: User and groups that may force shutdown from a remote system",
          "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
        },
        "defaultValue": "Administrators"
      },
      "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that may restore files and directories",
          "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
        },
        "defaultValue": "Administrators, Backup Operators"
      },
      "UsersAndGroupsThatMayShutDownTheSystem": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users and groups that may shut down the system",
          "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
        },
        "defaultValue": "Administrators"
      },
      "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Users or groups that may take ownership of files or other objects",
          "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
        },
        "defaultValue": "Administrators"
      },
      "SendFileSamplesWhenFurtherAnalysisIsRequired": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Send file samples when further analysis is required",
          "description": "Specifies whether and how Windows Defender will submit samples of suspected malware to Microsoft for further analysis when opt-in for MAPS telemetry is set."
        },
        "defaultValue": "1"
      },
      "AllowIndexingOfEncryptedFiles": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Allow indexing of encrypted files",
          "description": "Specifies whether encrypted items are allowed to be indexed."
        },
        "defaultValue": "0"
      },
      "AllowTelemetry": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Allow Telemetry",
          "description": "Specifies configuration of the amount of diagnostic and usage data reported to Microsoft. The data is transmitted securely and sensitive data is not sent."
        },
        "defaultValue": "2"
      },
      "AllowUnencryptedTraffic": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Allow unencrypted traffic",
          "description": "Specifies whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
        },
        "defaultValue": "0"
      },
      "AlwaysInstallWithElevatedPrivileges": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Always install with elevated privileges",
          "description": "Specifies whether Windows Installer should use system permissions when it installs any program on the system."
        },
        "defaultValue": "0"
      },
      "AlwaysPromptForPasswordUponConnection": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Always prompt for password upon connection",
          "description": "Specifies whether Terminal Services/Remote Desktop Connection always prompts the client computer for a password upon connection."
        },
        "defaultValue": "1"
      },
      "ApplicationSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Application: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Application event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Automatically send memory dumps for OS-generated error reports",
          "description": "Specifies if memory dumps in support of OS-generated error reports can be sent to Microsoft automatically."
        },
        "defaultValue": "1"
      },
      "ConfigureDefaultConsent": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Configure Default consent",
          "description": "Specifies setting of the default consent handling for error reports sent to Microsoft."
        },
        "defaultValue": "4"
      },
      "ConfigureWindowsSmartScreen": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Configure Windows SmartScreen",
          "description": "Specifies how to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
        },
        "defaultValue": "1"
      },
      "DisallowDigestAuthentication": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Disallow Digest authentication",
          "description": "Specifies whether the Windows Remote Management (WinRM) client will not use Digest authentication."
        },
        "defaultValue": "0"
      },
      "DisallowWinRMFromStoringRunAsCredentials": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Disallow WinRM from storing RunAs credentials",
          "description": "Specifies whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins."
        },
        "defaultValue": "1"
      },
      "DoNotAllowPasswordsToBeSaved": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Do not allow passwords to be saved",
          "description": "Specifies whether to prevent Remote Desktop Services - Terminal Services clients from saving passwords on a computer."
        },
        "defaultValue": "1"
      },
      "SecuritySpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Security: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Security event log in kilobytes."
        },
        "defaultValue": "196608"
      },
      "SetClientConnectionEncryptionLevel": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Set client connection encryption level",
          "description": "Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption."
        },
        "defaultValue": "3"
      },
      "SetTheDefaultBehaviorForAutoRun": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Set the default behavior for AutoRun",
          "description": "Specifies the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines."
        },
        "defaultValue": "1"
      },
      "SetupSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Setup: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the Setup event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "SystemSpecifyTheMaximumLogFileSizeKB": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: System: Specify the maximum log file size (KB)",
          "description": "Specifies the maximum size for the System event log in kilobytes."
        },
        "defaultValue": "32768"
      },
      "TurnOffDataExecutionPreventionForExplorer": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Turn off Data Execution Prevention for Explorer",
          "description": "Specifies whether to turn off Data Execution Prevention for Windows File Explorer. Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer."
        },
        "defaultValue": "0"
      },
      "SpecifyTheIntervalToCheckForDefinitionUpdates": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Specify the interval to check for definition updates",
          "description": "Specifies an interval at which to check for Windows Defender definition updates. The time value is represented as the number of hours between update checks."
        },
        "defaultValue": "8"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesControlPanel",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa2661b-02d7-4ba6-99bc-dc36b10489fd",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "EnableInsecureGuestLogons": {
          "value": "[parameters('EnableInsecureGuestLogons')]"
          },
          "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": {
          "value": "[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]"
          },
          "TurnOffMulticastNameResolution": {
          "value": "[parameters('TurnOffMulticastNameResolution')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdministrativeTemplatesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/968410dc-5ca0-4518-8a5b-7b55f0530ea9",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AlwaysUseClassicLogon": {
          "value": "[parameters('AlwaysUseClassicLogon')]"
          },
          "BootStartDriverInitializationPolicy": {
          "value": "[parameters('BootStartDriverInitializationPolicy')]"
          },
          "EnableWindowsNTPClient": {
          "value": "[parameters('EnableWindowsNTPClient')]"
          },
          "TurnOnConveniencePINSignin": {
          "value": "[parameters('TurnOnConveniencePINSignin')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_AdminstrativeTemplatesMSSLegacy",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e0a7e899-2ce2-4253-8a13-d808fdeb75af",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsAccounts",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee984370-154a-4ee8-9726-19d900e56fc0",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AccountsGuestAccountStatus": {
          "value": "[parameters('AccountsGuestAccountStatus')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsAudit",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/33936777-f2ac-45aa-82ec-07958ec9ade4",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": {
          "value": "[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsDevices",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8794ff4f-1a35-4e18-938f-0b22055067cd",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "DevicesAllowedToFormatAndEjectRemovableMedia": {
          "value": "[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsInteractiveLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d472d2c9-d6a3-4500-9f5f-b15f123005aa",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
          "value": "[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
          "value": "[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]"
          },
          "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
          "value": "[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]"
          },
          "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
          "value": "[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]"
          },
          "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
          "value": "[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsMicrosoftNetworkServer",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsNetworkAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPaths": {
          "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]"
          },
          "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
          "value": "[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]"
          },
          "NetworkAccessSharesThatCanBeAccessedAnonymously": {
          "value": "[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsNetworkSecurity",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "NetworkSecurityConfigureEncryptionTypesAllowedForKerberos": {
          "value": "[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]"
          },
          "NetworkSecurityLANManagerAuthenticationLevel": {
          "value": "[parameters('NetworkSecurityLANManagerAuthenticationLevel')]"
          },
          "NetworkSecurityLDAPClientSigningRequirements": {
          "value": "[parameters('NetworkSecurityLDAPClientSigningRequirements')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients": {
          "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]"
          },
          "NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers": {
          "value": "[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsRecoveryconsole",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f71be03e-e25b-4d0f-b8bc-9b3e309b66c0",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
          "value": "[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsShutdown",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a4d1eb-0263-441b-84cb-a44073d8372d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn": {
          "value": "[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]"
          },
          "ShutdownClearVirtualMemoryPagefile": {
          "value": "[parameters('ShutdownClearVirtualMemoryPagefile')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsSystemobjects",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f262ace-812a-4fd0-b731-b38ba9e9708d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsSystemsettings",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12017595-5a75-4bb1-9d97-4c2c939ea3c3",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
          "value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecurityOptionsUserAccountControl",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/492a29ed-d143-4f03-b6a4-705ce081b463",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
          "value": "[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]"
          },
          "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
          "value": "[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]"
          },
          "UACDetectApplicationInstallationsAndPromptForElevation": {
          "value": "[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]"
          },
          "UACRunAllAdministratorsInAdminApprovalMode": {
          "value": "[parameters('UACRunAllAdministratorsInAdminApprovalMode')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SecuritySettingsAccountPolicies",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "EnforcePasswordHistory": {
          "value": "[parameters('EnforcePasswordHistory')]"
          },
          "MaximumPasswordAge": {
          "value": "[parameters('MaximumPasswordAge')]"
          },
          "MinimumPasswordAge": {
          "value": "[parameters('MinimumPasswordAge')]"
          },
          "MinimumPasswordLength": {
          "value": "[parameters('MinimumPasswordLength')]"
          },
          "PasswordMustMeetComplexityRequirements": {
          "value": "[parameters('PasswordMustMeetComplexityRequirements')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesAccountLogon",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bb60fe-1d7e-4b82-9e93-496bfc99e7d5",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditCredentialValidation": {
          "value": "[parameters('AuditCredentialValidation')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesAccountManagement",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94d9aca8-3757-46df-aa51-f218c5f11954",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesDetailedTracking",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58383b73-94a9-4414-b382-4146eb02611b",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditProcessTermination": {
          "value": "[parameters('AuditProcessTermination')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesLogonLogoff",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19be9779-c776-4dfa-8a15-a2fd5dc843d6",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditGroupMembership": {
          "value": "[parameters('AuditGroupMembership')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesObjectAccess",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35781875-8026-4628-b19b-f6efb4d88a1d",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditDetailedFileShare": {
          "value": "[parameters('AuditDetailedFileShare')]"
          },
          "AuditFileShare": {
          "value": "[parameters('AuditFileShare')]"
          },
          "AuditFileSystem": {
          "value": "[parameters('AuditFileSystem')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesPolicyChange",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a7a701e-dff3-4da9-9ec5-42cb98594c0b",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditAuthenticationPolicyChange": {
          "value": "[parameters('AuditAuthenticationPolicyChange')]"
          },
          "AuditAuthorizationPolicyChange": {
          "value": "[parameters('AuditAuthorizationPolicyChange')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesPrivilegeUse",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87845465-c458-45f3-af66-dcd62176f397",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_SystemAuditPoliciesSystem",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8316fa92-d69c-4810-8124-62414f560dcf",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "AuditOtherSystemEvents": {
          "value": "[parameters('AuditOtherSystemEvents')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_UserRightsAssignment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "UsersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
          "value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayLogOnLocally": {
          "value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
          },
          "UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
          "value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
          },
          "UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
          "value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
          },
          "UsersOrGroupsThatMayManageAuditingAndSecurityLog": {
          "value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
          },
          "UsersOrGroupsThatMayBackUpFilesAndDirectories": {
          "value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
          },
          "UsersOrGroupsThatMayChangeTheSystemTime": {
          "value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
          },
          "UsersOrGroupsThatMayChangeTheTimeZone": {
          "value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
          },
          "UsersOrGroupsThatMayCreateATokenObject": {
          "value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
          "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
          },
          "UsersAndGroupsThatAreDeniedLoggingOnAsAService": {
          "value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
          },
          "UsersAndGroupsThatAreDeniedLocalLogon": {
          "value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
          },
          "UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
          "value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
          },
          "UserAndGroupsThatMayForceShutdownFromARemoteSystem": {
          "value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
          },
          "UsersAndGroupsThatMayRestoreFilesAndDirectories": {
          "value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
          },
          "UsersAndGroupsThatMayShutDownTheSystem": {
          "value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
          },
          "UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
          "value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_WindowsComponents",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8537fe96-8cbe-43de-b0ef-131bc72bc22a",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "SendFileSamplesWhenFurtherAnalysisIsRequired": {
          "value": "[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]"
          },
          "AllowIndexingOfEncryptedFiles": {
          "value": "[parameters('AllowIndexingOfEncryptedFiles')]"
          },
          "AllowTelemetry": {
          "value": "[parameters('AllowTelemetry')]"
          },
          "AllowUnencryptedTraffic": {
          "value": "[parameters('AllowUnencryptedTraffic')]"
          },
          "AlwaysInstallWithElevatedPrivileges": {
          "value": "[parameters('AlwaysInstallWithElevatedPrivileges')]"
          },
          "AlwaysPromptForPasswordUponConnection": {
          "value": "[parameters('AlwaysPromptForPasswordUponConnection')]"
          },
          "ApplicationSpecifyTheMaximumLogFileSizeKB": {
          "value": "[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]"
          },
          "AutomaticallySendMemoryDumpsForOSgeneratedErrorReports": {
          "value": "[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]"
          },
          "ConfigureDefaultConsent": {
          "value": "[parameters('ConfigureDefaultConsent')]"
          },
          "ConfigureWindowsSmartScreen": {
          "value": "[parameters('ConfigureWindowsSmartScreen')]"
          },
          "DisallowDigestAuthentication": {
          "value": "[parameters('DisallowDigestAuthentication')]"
          },
          "DisallowWinRMFromStoringRunAsCredentials": {
          "value": "[parameters('DisallowWinRMFromStoringRunAsCredentials')]"
          },
          "DoNotAllowPasswordsToBeSaved": {
          "value": "[parameters('DoNotAllowPasswordsToBeSaved')]"
          },
          "SecuritySpecifyTheMaximumLogFileSizeKB": {
          "value": "[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]"
          },
          "SetClientConnectionEncryptionLevel": {
          "value": "[parameters('SetClientConnectionEncryptionLevel')]"
          },
          "SetTheDefaultBehaviorForAutoRun": {
          "value": "[parameters('SetTheDefaultBehaviorForAutoRun')]"
          },
          "SetupSpecifyTheMaximumLogFileSizeKB": {
          "value": "[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]"
          },
          "SystemSpecifyTheMaximumLogFileSizeKB": {
          "value": "[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]"
          },
          "TurnOffDataExecutionPreventionForExplorer": {
          "value": "[parameters('TurnOffDataExecutionPreventionForExplorer')]"
          },
          "SpecifyTheIntervalToCheckForDefinitionUpdates": {
          "value": "[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AINE_AzureBaseline_WindowsFirewallProperties",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
        "parameters": {
          "IncludeArcMachines": {
          "value": "[parameters('IncludeArcMachines')]"
          },
          "WindowsFirewallDomainUseProfileSettings": {
          "value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
          },
          "WindowsFirewallDomainBehaviorForOutboundConnections": {
          "value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
          "value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallDomainApplyLocalFirewallRules": {
          "value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
          },
          "WindowsFirewallDomainDisplayNotifications": {
          "value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
          },
          "WindowsFirewallPrivateUseProfileSettings": {
          "value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
          },
          "WindowsFirewallPrivateBehaviorForOutboundConnections": {
          "value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
          "value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPrivateApplyLocalFirewallRules": {
          "value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPrivateDisplayNotifications": {
          "value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
          },
          "WindowsFirewallPublicUseProfileSettings": {
          "value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
          },
          "WindowsFirewallPublicBehaviorForOutboundConnections": {
          "value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
          },
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
          "value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
          },
          "WindowsFirewallPublicApplyLocalFirewallRules": {
          "value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
          },
          "WindowsFirewallPublicDisplayNotifications": {
          "value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
          },
          "WindowsFirewallDomainAllowUnicastResponse": {
          "value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
          },
          "WindowsFirewallPrivateAllowUnicastResponse": {
          "value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
          },
          "WindowsFirewallPublicAllowUnicastResponse": {
          "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/be7a78aa-3e10-4153-a5fd-8c6506dbc821",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "be7a78aa-3e10-4153-a5fd-8c6506dbc821"
}