Update create-policy-definition.md

ameyaiam3 · web-flow · commit a99337b0978f · 2025-05-29T10:35:50.000-07:00
Added support for system-assigned identity to download custom policy packages.
diff --git a/articles/governance/machine-configuration/how-to/create-policy-definition.md b/articles/governance/machine-configuration/how-to/create-policy-definition.md
@@ -124,13 +124,15 @@ Parameters of the `New-GuestConfigurationPolicy` cmdlet:
 - **ExcludeArcMachines**: Specifies that the Policy definition should exclude Arc machines. This
   parameter is required if you are using a User Assigned Managed Identity to provide access to an
   Azure Storage blob.
+- **UseSystemAssignedIdentity**: This is the option to use the system assigned identity for downloading   package from storage account container instead of using SaS url. When this option is enabled you        cannot use the ManagedIdentityResourceId. Only one of the options should be used at a time. You can     use this parameter without ExcludeArcMachines option as the system assigned identity is available for   Arc machines.
 
 > [!IMPORTANT]
 > Unlike Azure VMs, Arc-connected machines currently do not support User Assigned Managed
 > Identities. As a result, the `-ExcludeArcMachines` flag is required to ensure the exclusion of
 > those machines from the policy definition. For the Azure VM to download the assigned package and
 > apply the policy, the Guest Configuration Agent must be version `1.29.82.0` or higher for Windows
 > and version `1.26.76.0` or higher for Linux.
+> As an alternative System Assigned Managed Identities can be used to download packages for Arc-connected machines, and similar support has been provided for Azure options.
 
 For more information about the **Mode** parameter, see the page
 [How to configure remediation options for machine configuration][02].
@@ -191,6 +193,26 @@ New-GuestConfigurationPolicy @PolicyConfig3 -ExcludeArcMachines
 For this scenario, you need to disable the **Allow Blob anonymous access** setting and assign the
 role **Storage Blob Data Reader** on the storage account to the identity.
 
+Create a policy definition that **enforces** a custom configuration package using a System-Assigned
+Managed Identity:
+
+```powershell
+$PolicyConfig4      = @{
+  PolicyId                  = '_My GUID_'
+  ContentUri                = $contentUri
+  DisplayName               = 'My deployment policy'
+  Description               = 'My deployment policy'
+  Path                      = './policies/deployIfNotExists.json'
+  Platform                  = 'Windows'
+  PolicyVersion             = 1.0.0
+  Mode                      = 'ApplyAndAutoCorrect'
+  LocalContentPath          = "C:\Local\Path\To\Package"      # Required parameter for managed identity
+}
+New-GuestConfigurationPolicy @PolicyConfig4 -UseSystemAssignedIdentity
+```
+For this scenario, you need to disable the **Allow Blob anonymous access** setting and assign the
+role **Storage Blob Data Reader** on the storage account to the system identity.
+
 > [!NOTE]
 > You can retrieve the resourceId of a managed identity using the `Get-AzUserAssignedIdentity`
 > PowerShell cmdlet.
