You may already know Azure Policy, introduced during Ignite 2018.

If not, Azure Policy can apply audit settings to virtual machines (VMs) running on Azure. The first policies can audit password security settings on both Windows and Linux VMs, or the encryption protocol used by IIS (TLS; in this case the VM is compliant if TLS 1.1 or 1.2 is enabled and other protocols are disabled).

A new policy (prefixed with Preview) has been introduced to audit applications installed on Windows.

Enable the audit policy

Using the portal

    • Access the Subscriptions blade (if you have multiple subscriptions you have to repeat the next step for each)


    • Reach the Resource providers configuration blade and search for Microsoft.GuestConfiguration to enable it

The registration process may take a few minutes

Using PowerShell

    • You must have the Azure PowerShell module installed
    • Connect to your Azure tenant

Connect-AzureRmAccount


    • Execute the following command (keep in mind it will register the provider for the default/current subscription you are connected to; if you have multiple subscriptions you will have to repeat it)

Register-AzureRmResourceProvider -ProviderNamespace 'Microsoft.GuestConfiguration'

Once executed, the command returns the RegistrationState as Registering


You can check that the registration process has completed using the following command; it must then return Registered for the RegistrationState

Get-AzureRmResourceProvider -ProviderNamespace 'Microsoft.GuestConfiguration'
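Because the registration has to be repeated for each subscription, the two commands above can be wrapped in a loop. The script below is an added example, not part of the original post; it assumes you are already connected with Connect-AzureRmAccount, and the timeout and polling values are arbitrary choices.

```powershell
# Added example (not from the original post): register Microsoft.GuestConfiguration
# in every subscription the signed-in account can see, then wait for completion.
# Assumes Connect-AzureRmAccount has already been run in this session.
$namespace      = 'Microsoft.GuestConfiguration'
$timeoutSeconds = 600   # assumed upper bound for one subscription
$pollSeconds    = 15    # assumed polling interval

$results = foreach ($sub in Get-AzureRmSubscription) {
    # Switch the session context so the cmdlets below target this subscription.
    Set-AzureRmContext -SubscriptionId $sub.Id | Out-Null

    # The cmdlet can return several entries for one namespace; keep the distinct states.
    $states = @(Get-AzureRmResourceProvider -ProviderNamespace $namespace |
        Select-Object -ExpandProperty RegistrationState -Unique)

    if ($states.Count -ne 1 -or $states[0] -ne 'Registered') {
        Register-AzureRmResourceProvider -ProviderNamespace $namespace | Out-Null

        # Poll until the state is Registered or the timeout expires.
        $deadline = (Get-Date).AddSeconds($timeoutSeconds)
        do {
            Start-Sleep -Seconds $pollSeconds
            $states = @(Get-AzureRmResourceProvider -ProviderNamespace $namespace |
                Select-Object -ExpandProperty RegistrationState -Unique)
            $done = ($states.Count -eq 1 -and $states[0] -eq 'Registered')
        } until ($done -or (Get-Date) -gt $deadline)
    }

    # One summary row per subscription.
    [pscustomobject]@{
        Subscription      = $sub.Name
        SubscriptionId    = $sub.Id
        RegistrationState = $states -join ','
    }
}

# Any row that is not 'Registered' needs another look before assigning the policies.
$results | Format-Table -AutoSize
```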


Apply the policy

  • You can apply a policy using either Desired State Configuration for Windows machines or Chef InSpec for Linux machines

The policies are available through the Policy blade on the Azure portal


When you go to the Definitions blade and filter on the Guest Configuration category, you will see all the policies applied, including the new ones prefixed with Preview


You can then assign the policy or policies you want using Policy Assignment\Assign policy and adding the policy you want to apply


Compliance

The compliance results are available through the Compliance blade
