Merge pull request #300572 from ameyaiam3/patch-5

prmerger-automator[bot] · web-flow · commit 2343df81da9d · 2025-07-24T23:50:29.000Z
Update create-policy-definition.md
diff --git a/articles/governance/machine-configuration/how-to/create-policy-definition.md b/articles/governance/machine-configuration/how-to/create-policy-definition.md
@@ -124,13 +124,24 @@ Parameters of the `New-GuestConfigurationPolicy` cmdlet:
 - **ExcludeArcMachines**: Specifies that the Policy definition should exclude Arc machines. This
   parameter is required if you are using a User Assigned Managed Identity to provide access to an
   Azure Storage blob.
+- **UseSystemAssignedIdentity**: This is the option to use the system assigned identity for
+  downloading package from storage account container instead of using SaS URL.
+  
+  You can't use this option with the **ManagedIdentityResourceId**. The options are mutually
+  exclusive.
+  
+  You can use this parameter without **ExcludeArcMachines** option as the system assigned
+  identity is available for Arc machines.
 
 > [!IMPORTANT]
 > Unlike Azure VMs, Arc-connected machines currently do not support User Assigned Managed
 > Identities. As a result, the `-ExcludeArcMachines` flag is required to ensure the exclusion of
 > those machines from the policy definition. For the Azure VM to download the assigned package and
 > apply the policy, the Guest Configuration Agent must be version `1.29.82.0` or higher for Windows
 > and version `1.26.76.0` or higher for Linux.
+>
+> For Arc-connected machines, you can also use System Assigned Managed Identities to download
+> packages.
 
 For more information about the **Mode** parameter, see the page
 [How to configure remediation options for machine configuration][02].
@@ -191,6 +202,27 @@ New-GuestConfigurationPolicy @PolicyConfig3 -ExcludeArcMachines
 For this scenario, you need to disable the **Allow Blob anonymous access** setting and assign the
 role **Storage Blob Data Reader** on the storage account to the identity.
 
+Create a policy definition that _enforces_ a custom configuration package using a System-Assigned
+Managed Identity:
+
+```powershell
+$PolicyConfig4      = @{
+  PolicyId                  = '_My GUID_'
+  ContentUri                = $contentUri
+  DisplayName               = 'My deployment policy'
+  Description               = 'My deployment policy'
+  Path                      = './policies/deployIfNotExists.json'
+  Platform                  = 'Windows'
+  PolicyVersion             = 1.0.0
+  Mode                      = 'ApplyAndAutoCorrect'
+  LocalContentPath          = "C:\Local\Path\To\Package"      # Required parameter for managed identity
+}
+New-GuestConfigurationPolicy @PolicyConfig4 -UseSystemAssignedIdentity
+```
+
+For this scenario, you need to disable the **Allow Blob anonymous access** setting and assign the
+role **Storage Blob Data Reader** on the storage account to the system identity.
+
 > [!NOTE]
 > You can retrieve the resourceId of a managed identity using the `Get-AzUserAssignedIdentity`
 > PowerShell cmdlet.
