Merge pull request #104111 from MicrosoftDocs/release-policy-samples

Release policy samples

Author: ttorble

.openpublishing.redirection.json

@@ -204,19 +204,7 @@ Azure Policy is targeted at the subscription level. The service provides a centr
 - Enforce compliance
 - Manage exceptions
 
-Along with many built-in definitions, administrators can define their own custom definitions by using simple JSON templates. Microsoft recommends the prioritization of auditing over enforcement, where possible.
-
-The following sample policies can be used for TIC compliance scenarios:
-
-|Policy  |Sample scenario  |Template  |
-|---------|---------|---------|
-|Enforce user-defined route table. | Ensure that the default route on all virtual networks points to an approved virtual network gateway for routing to on-premises.	| Get started with this [template](../../governance/policy/samples/no-user-defined-route-table.md). |
-|Audit if Network Watcher isn't enabled for a region.  | Ensure that Network Watcher is enabled for all used regions.  | Get started with this [template](../../governance/policy/samples/network-watcher-not-enabled.md). |
-|NSG x on every subnet.  | Ensure that an NSG (or a set of approved NSGs) with internet traffic blocked is applied to all subnets in every virtual network. | Get started with this [template](../../governance/policy/samples/nsg-on-subnet.md). |
-|NSG x on every NIC. | Ensure that an NSG with internet traffic blocked is applied to all NICs on all virtual machines. | Get started with this [template](../../governance/policy/samples/nsg-on-nic.md). |
-|Use an approved virtual network for virtual machine network interfaces.  | Ensure that all NICs are on an approved virtual network. | Get started with this [template](../../governance/policy/samples/use-approved-vnet-vm-nics.md). |
-|Allowed locations. | Ensure that all resources are deployed to regions with compliant virtual networks and Network Watcher configuration.  | Get started with this [template](../../governance/policy/samples/allowed-locations.md). |
-|Not allowed resource types, such as **PublicIPs**. | Prohibit the deployment of resource types that don't have a compliance plan. Use this policy to prohibit the deployment of public IP address resources. While NSG rules can be used to effectively block inbound internet traffic, preventing the use of public IPs further reduces the attack surface.	| Get started with this [template](../../governance/policy/samples/not-allowed-resource-types.md).  |
+Along with many [built-in policy definitions](../../governance/policy/samples/built-in-policies.md), administrators can define their own custom definitions by using simple JSON templates. Microsoft recommends the prioritization of auditing over enforcement, where possible.
 
 ### Network Watcher traffic analytics
 

articles/azure-government/compliance/compliance-tic.md

@@ -37,7 +37,7 @@ To apply tags to resources, the user must have write access to that resource typ
 
 You can use [Azure Policy](../../governance/policy/overview.md) to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to your subscription that don't comply with the expected tags for your organization. Instead of manually applying tags or searching for resources that aren't compliant, you can create a policy that automatically applies the needed tags during deployment. Tags can also now be applied to existing resources with the new [Modify](../../governance/policy/concepts/effects.md#modify) effect and a [remediation task](../../governance/policy/how-to/remediate-resources.md). The following section shows example policies for tags.
 
-[!INCLUDE [Tag policies](../../../includes/azure-policy-samples-general-tags.md)]
+[!INCLUDE [Tag policies](../../../includes/azure-policy-samples-policies-tags.md)]
 
 ## PowerShell
 

articles/azure-resource-manager/management/tag-resources.md

@@ -315,8 +315,7 @@ When using the **match** and **notMatch** conditions, provide `#` to match a dig
 letter, `.` to match any character, and any other character to match that actual character. While,
 **match** and **notMatch** are case-sensitive, all other conditions that evaluate a _stringValue_
 are case-insensitive. Case-insensitive alternatives are available in **matchInsensitively** and
-**notMatchInsensitively**. For examples, see
-[Allow several name patterns](../samples/allow-multiple-name-patterns.md).
+**notMatchInsensitively**.
 
 In an **\[\*\] alias** array field value, each element in the array is evaluated individually with
 logical **and** between elements. For more information, see [Evaluating the \[\*\]
@@ -336,7 +335,7 @@ The following fields are supported:
 - `kind`
 - `type`
 - `location`
-  - Use **global** for resources that are location agnostic. For an example, see [Samples - Allowed locations](../samples/allowed-locations.md).
+  - Use **global** for resources that are location agnostic.
 - `identity.type`
   - Returns the type of [managed identity](../../../active-directory/managed-identities-azure-resources/overview.md)
     enabled on the resource.

articles/governance/policy/concepts/definition-structure.md

@@ -250,10 +250,11 @@ egrep -B $linesToIncludeBeforeMatch -A $linesToIncludeAfterMatch 'DSCEngine|DSCM
 
 ## Guest Configuration samples
 
-Samples for Policy Guest Configuration are available in the following locations:
+Source for the Policy Guest Configuration built-in initiatives are available in the following
+locations:
 
-- [Samples index - Guest Configuration](../samples/index.md#guest-configuration)
-- [Azure Policy samples GitHub repo](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration)
+- [Built-in initiatives - Guest Configuration](../samples/built-in-initiatives.md#guest-configuration)
+- [Azure Policy samples GitHub repo](https://github.com/Azure/azure-policy/tree/master/built-in-policies/policySetDefinitions/Guest Configuration)
 
 ## Next steps
 

articles/governance/policy/concepts/guest-configuration.md

@@ -496,9 +496,9 @@ A good reference for creating GPG keys to use with Linux machines is provided by
 GitHub, [Generating a new GPG key](https://help.github.com/en/articles/generating-a-new-gpg-key).
 
 After your content is published, append a tag with name `GuestConfigPolicyCertificateValidation` and
-value `enabled` to all virtual machines where code signing should be required. This tag can be
-delivered at scale using Azure Policy. See the [Apply tag and its default value](../samples/apply-tag-default-value.md)
-sample. Once this tag is in place, the policy definition generated using the
+value `enabled` to all virtual machines where code signing should be required. See the
+[Tag samples](../samples/built-in-policies.md#tags) for how tags can be delivered at scale using
+Azure Policy. Once this tag is in place, the policy definition generated using the
 `New-GuestConfigurationPolicy` cmdlet enables the requirement through the Guest Configuration
 extension.