{"id":17779,"date":"2019-06-07T02:32:43","date_gmt":"2019-06-07T10:32:43","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/powershell\/?p=17779"},"modified":"2019-06-07T02:54:16","modified_gmt":"2019-06-07T10:54:16","slug":"azure-policy-guest-configuration-service","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/azure-policy-guest-configuration-service\/","title":{"rendered":"Azure Policy Guest Configuration – Service"},"content":{"rendered":"

This post builds upon the introduction published earlier\u00a0<\/span>to the PowerShell blog<\/a>. In this post we are going to explore the Azure Policy Guest Configuration service.<\/span>\u00a0<\/span><\/p>\n

The full documentation for this service is available at the following short\u00a0url.<\/span>\u00a0<\/span><\/p>\n

https:\/\/aka.ms\/gcpol<\/a><\/p>\n

Resource provider<\/span><\/b>\u00a0<\/span><\/h3>\n

At a fundamental level, this solution includes a new resource provider in Azure named \u201cMicrosoft.GuestConfiguration\u201d and new virtual machine extensions named \u201cMicrosoft.GuestConfiguration.GuestConfigurationforLinux\u201d and \u201cMicrosoft.GuestConfiguration.GuestConfigurationforWindows\u201d.<\/span>\u00a0<\/span><\/p>\n

The new engine is delivered\u00a0<\/span>to the virtual machine\u00a0<\/span>by the extension. When the service\/daemon starts, it queries\u00a0<\/span>the\u00a0<\/span>service<\/span>\u00a0to see if there are any jobs for the virtual machine. If so, it downloads the content (DSC\u00a0<\/span>mof<\/span>\/modules, packaged in the same way as DSC extension), performs the work, and reports status<\/span>. Behind the scenes, microservices and big data platforms ensure data remains geographically local.<\/span>\u00a0<\/span><\/p>\n

The following diagram demonstrates the flow of requests as a Guest Assignment is published, the list of assignments\u00a0are\u00a0requested from the VM, the VM downloads and runs the configuration, status is returned to a regional location, and summary information is presented to Azure Policy.<\/span>\u00a0<\/span><\/p>\n

D<\/span>iagram<\/span>:<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span>\"\"<\/p>\n

You can think of the resource provider as surfacing VM scenarios in to Azure Resource Manager API. If you require that only one group of users should have administrative\u00a0<\/span>privilege<\/span>\u00a0inside a server, you can express that requirement as a Guest Assignment in Azure Resource Manager. This is just a reference to a configuration that checks (\u201cTest\u201d) whether only that group has the intended access and return who currently has access (\u201cGet\u201d). The scenario is given as a property of the virtual machine through a provider resource \u201cMicrosoft.GuestConfiguration\u201d.<\/span>\u00a0<\/span><\/p>\n

Here is an example of that in code:<\/span>\u00a0<\/span><\/p>\n

{<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"apiVersion\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"2018-11-20\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"type\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"Microsoft.Compute\/virtualMachines\/providers\/guestConfigurationAssignments\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"name\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"[concat(parameters('vmName'), '\/Microsoft.GuestConfiguration\/', parameters('configurationName'))]\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"location\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"[parameters('location')]\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"properties\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>{<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"guestConfiguration\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>{<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"name\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"[parameters('configurationName')]\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"version\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"1.*\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"configurationParameter\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>[<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>{<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"name\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"[LocalGroup]AdministratorsGroup;Members\"<\/span><\/i>,<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>\"value\"<\/span><\/i>:<\/span><\/i>\u00a0<\/span><\/i>\"[parameters('Members')]\"<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>}<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>]<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>}<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>}<\/span><\/i><\/code>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/i>}<\/span><\/i>,<\/span><\/i><\/b>\u00a0<\/span><\/code><\/p>\n

Using built-in policies<\/span><\/b>\u00a0<\/span><\/h3>\n

One of our learnings from DSC has been to reduce complexity. We are aiming for a solution that you can just enable and immediately see value. A good example of this approach was Active Directory Group Policy. While Group Policy presented challenges for developers looking to rapidly iterate between builds, the concept of just picking the settings you need and turning them on has been popular with large enterprises.<\/span>\u00a0<\/span><\/p>\n

Our current list of built-in content\u00a0<\/span>is below.\u00a0 This is growing nearly every week.\u00a0 You can view this list in the Azure Portal by opening Policy and clicking Definitions, then changing the \u2018Type\u2019 filter to \u2018Initiative\u2019 and the \u2018Category\u2019 filter to \u2018Guest Configuration\u2019.<\/span>\u00a0<\/span>\u00a0You can also run the following command to g<\/span>et a current list using PowerShell with the Az cmdlet.<\/span>\u00a0<\/span><\/p>\n

Get-AzPolicySetDefinition\u00a0-Builtin\u00a0| ?\u00a0{$_.Properties.Metadata.Category\u00a0-eq \"Guest Configuration\"} | % {$_.Properties.DisplayName}<\/span>\u00a0<\/span><\/code><\/p>\n

NOTE: it is important when assigning these policies to use the Initiative.\u00a0 The\u00a0<\/span>DeployIfNotExists<\/span>\u00a0policy loads the VM extension, which is a requirement for Audit\/<\/span>AuditIfNotExists<\/span>\u00a0policies in Guest Configuration to work\u00a0<\/span>properly<\/span>.<\/span>\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Policy initiative\u00a0display\u00a0name\u00a0<\/strong><\/td>\n<\/tr>\n
Audit Windows VMs in which the Administrators group does not contain only the specified members<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs in which the Administrators group does not contain\u00a0<\/span>all of<\/span>\u00a0the specified members<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs that do not have the specified applications installed<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit VMs with insecure password security settings<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs that are not set to the specified time zone<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs that are not joined to the specified domain<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows web servers that are not using secure communication protocols<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows Server VMs on which Windows Serial Console is not enabled<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs in which the Administrators group contains any of the specified members<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs that contain certificates expiring within the specified number of days<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs that have not restarted within the specified number of days<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs on which the DSC configuration is not compliant<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Linux VMs that do not have the specified applications installed<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs with a pending reboot<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs that do not have the specified Windows PowerShell modules installed<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
[Preview]: Audit Windows VMs that do not contain the specified certificates in Trusted Root<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Windows VMs that have the specified applications installed<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Audit Linux VMs that have the specified applications installed<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Viewing results<\/span><\/b>\u00a0<\/span><\/h3>\n

You can view the results of the policy in Azure Portal (as described\u00a0<\/span>here<\/span><\/i><\/a>)\u00a0<\/span>and<\/span>\u00a0you also can get results using the cmdlets provided by a new module named\u00a0<\/span>Az.GuestConfiguration<\/span><\/i>. A step by step\u00a0<\/span>gudie<\/span>\u00a0for using these cmdlets is available\u00a0<\/span>here<\/span><\/i><\/a>.<\/span>\u00a0<\/span><\/p>\n

The key scenario for the cmdlets is to use the\u00a0<\/span>Get-AzVmGuestPolicyStatusHistory<\/span><\/b>\u00a0cmdlet with the -ShowOnlyChange\u00a0parameter. This will tell you every time a VM was out of compliance over the reporting period and why.<\/span>\u00a0<\/span><\/p>\n

The Az Guest Configuration cmdlets are documented\u00a0<\/span>here<\/span><\/i><\/a>.<\/span>\u00a0<\/span><\/p>\n

You can also directly query the Azure Policy Guest Configuration REST API to see the results of your audits. This includes the \u201cCompliance Reasons\u201d data the returns the raw information from the tool used to perform the audit. For Windows this data includes the name of the DSC resource used to run Test and Get, and the data returned. For Linux this includes the fully formatted output from InSpec. For both platforms, we intend to be open and extensible going forward.<\/span>\u00a0<\/span><\/p>\n

The API for getting compliance details is documented\u00a0<\/span>here<\/span><\/i><\/a>.<\/span>\u00a0<\/span><\/p>\n

Thank you!<\/span>\nMichael Greene<\/span>\nPrincipal Program Manger<\/span>\nMicrosoft Azure<\/span>\n@migreene<\/span><\/i><\/a>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

This post builds upon the introduction published yesterday\u00a0to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration service.\u00a0<\/p>\n","protected":false},"author":658,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[142],"class_list":["post-17779","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-desired-state-configuration"],"acf":[],"blog_post_summary":"

This post builds upon the introduction published yesterday\u00a0to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration service.\u00a0<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/17779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/658"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=17779"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/17779\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=17779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=17779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=17779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}