Commit 04b2611

update guest config samples
1 parent dd4d6ed commit 04b2611

2 files changed

+3
-4
lines changed

articles/governance/policy/samples/guest-configuration-baseline-linux.md

Lines changed: 1 addition & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Reference - Azure Policy guest configuration baseline for Linux
33
description: Details of the Linux baseline on Azure implemented through Azure Policy guest configuration.
4-
ms.date: 03/08/2022
4+
ms.date: 05/12/2022
55
ms.topic: reference
66
ms.custom: generated
77
---
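
Review bot: The front matter here marks the file `ms.custom: generated`, so the `ms.date` bump from 03/08/2022 to 05/12/2022 (and the row removal further down in this file) should come from regenerating the file, not from editing the output directly. Please confirm the change was made in the generator's input; otherwise the next regeneration can revert it without anyone noticing. The commit message "update guest config samples" would also help reviewers more if it named what changed in the baseline.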
@@ -188,7 +188,6 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
188188
|Ensure system accounts are non-login<br /><sub>(157.15)</sub> |Description: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to `/usr/sbin/nologin`. This prevents the account from potentially being used to run any commands. |Set the shell for any accounts returned by the audit script to `/sbin/nologin` |
189189
|Ensure default group for the root account is GID 0<br /><sub>(157.16)</sub> |Description: Using GID 0 for the `_root_ `account helps prevent `_root_`-owned files from accidentally becoming accessible to non-privileged users. |Run the following command to set the `root` user default group to GID `0` : ``` # usermod -g 0 root ``` |
190190
|Ensure root is the only UID 0 account<br /><sub>(157.18)</sub> |Description: This access must be limited to only the default `root `account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism. |Remove any users other than `root` with UID `0` or assign them a new UID if appropriate. |
191-
|Remove unnecessary packages<br /><sub>(158)</sub> |Description: |Run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-landscape-common |
192191
|Remove unnecessary accounts<br /><sub>(159)</sub> |Description: For compliance |Remove the unnecessary accounts |
193192
|Ensure auditd service is enabled<br /><sub>(162)</sub> |Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. |Install audit package (systemctl enable auditd) |
194193
|Run AuditD service<br /><sub>(163)</sub> |Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. |Run AuditD service (systemctl start auditd) |
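
Review bot: The removed row for rule 158 ("Remove unnecessary packages") leaves the table jumping from 157.18 to 159, and neither the diff nor the commit message says whether the check was retired from the baseline or only dropped from the documentation. Please state which, because anyone auditing hosts against this table will read the absence as "no longer required". While this area is open, the context row for 157.15 recommends `/usr/sbin/nologin` in its description but `/sbin/nologin` in its remediation column; the two should name the same path. The 157.16 row also carries stray markup in `_root_ `account.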

articles/governance/policy/samples/guest-configuration-baseline-windows.md

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Reference - Azure Policy guest configuration baseline for Windows
33
description: Details of the Windows baseline on Azure implemented through Azure Policy guest configuration.
4-
ms.date: 03/08/2022
4+
ms.date: 05/12/2022
55
ms.topic: reference
66
ms.custom: generated
77
---
@@ -199,7 +199,7 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
199199
|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |
200200
|---|---|---|---|
201201
|Audit PNP Activity<br /><sub>(AZ-WIN-00182)</sub> |**Description**: This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is: `Success`. **Note:** A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.<br />**Key Path**: {0CCE9248-69AE-11D9-BED3-505054503030}<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br /><sub>(Audit)</sub> |Critical |
202-
|Audit Process Creation<br /><sub>(CCE-36059-4)</sub> |**Description**: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. For more information please see: [Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349791(v=ws.10)?redirectedfrom=MSDN) for the most recent information about this setting. The recommended state for this setting is: `Success`.<br />**Key Path**: {0CCE922B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br /><sub>(Audit)</sub> |Critical |
202+
|Audit Process Creation<br /><sub>(CCE-36059-4)</sub> |**Description**: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226) for the most recent information about this setting. The recommended state for this setting is: `Success`.<br />**Key Path**: {0CCE922B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br /><sub>(Audit)</sub> |Critical |
203203

204204
## System Audit Policies - Logon-Logoff
205205
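
Review bot: In the `+` line for CCE-36059-4, the new reference is a KB article titled "Description of security events in Windows Vista and in Windows Server 2008", yet the sentence still promises "the most recent information about this setting" and the row's OS list runs through WS2022. Either reword the sentence or link a reference that covers the listed versions. The new URL is also absolute with a hard-coded `/en-us/` locale, where the removed line used a site-relative path; dropping the locale segment lets readers land on their own language. The event list (`- 4688: ... - 4696: ...`) is still run inline inside the table cell and would read more clearly separated with `<br />`, as the rest of the cell already is.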
