
Commit c40942d

Ignite features
to be published during Ignite, after keynote
1 parent e645210 commit c40942d

File tree

1 file changed

+41
-1
lines changed


articles/governance/policy/concepts/guest-configuration.md

Lines changed: 41 additions & 1 deletion
@@ -168,6 +168,46 @@ inside Linux and Windows machines* contains 18 policies. There are six **DeployI
168168
**AuditIfNotExists** pairs for Windows and three pairs for Linux. The [policy definition](definition-structure.md#policy-rule)
169169
logic validates that only the target operating system is evaluated.
170170

171+
#### Auditing operating system settings following industry baselines
172+
173+
One of the initiatives available in Azure Policy provides the ability to audit operating system settings
174+
inside virtual machines following a "baseline" from Microsoft. The definition,
175+
*[Preview]: Audit Windows VMs that do not match Azure security baseline settings*
176+
includes a complete set of audit rules based on settings from Active Directory Group Policy.
177+
178+
Most of the settings are available as parameters. This functionality allows you to customize
179+
what will be audited to align the policy with your organizational requirements,
180+
or to map the policy to 3rd party information such as industry regulatory standards.
181+
182+
Some parameters support an integer value range. For example, the Maximum Password Age
183+
parameter can be set using a range operator to give flexibility to machine
184+
owners. You could audit that the effective Group Policy setting
185+
requiring user to change their passwords should be no more than 70 days,
186+
but shouldn't be less than 1 day. As described in the info-bubble for the parameter,
187+
to make this the effective audit value, set the value to "1,70".
188+
189+
If you assign the policy using an Azure Resource Manager dployment template,
190+
you can use a parameters file to manage these settings from source control.
191+
Using a tool such as Git to manage changes to Audit policies with comments
192+
at each check-in, will document evidence as to why an assignment
193+
should be in exception to the expected value.
194+
195+
#### Applying configurations using Guest Configuration
196+
197+
The latest feature of Azure Policy configures settings inside machines.
198+
The definition *Configure the time zone on Windows machines* will
199+
make changes to the machine by configuring the time zone.
200+
201+
When assigning definitions that begin with *Configure*, you must also assign
202+
the definition *Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.*
203+
You can combine these definitions in an initiative if you choose.
204+
205+
#### Assigning policies to machines outside of Azure
206+
207+
The Audit policies available for Guest Configuration include the **Microsoft.HybridCompute/machines**
208+
resource type. Any machines onboarded to Azure Arc that are in the scope of the assignment
209+
will automatically be included.
210+
171211
### Multiple assignments
172212

173213
Guest Configuration policies currently only support assigning the same Guest Assignment once per
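Review bot: Typo at line 189 of the hunk: "Azure Resource Manager dployment template" should read "deployment template". Two smaller wording points in the same hunk: line 185, "requiring user to change their passwords" should be "requiring users to change their passwords", and line 180, "3rd party information" reads better as "third-party information". The range example at line 187 would also be clearer if the literal value were set in code formatting, e.g. `1,70`, so readers do not mistake the quotation marks for part of the value. Finally, "The latest feature of Azure Policy" at line 197 will go stale quickly; naming the capability directly ("Guest Configuration can also configure settings inside machines") keeps the sentence accurate after the next release.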
@@ -238,4 +278,4 @@ Samples for Policy Guest Configuration are available in the following locations:
238278
- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
239279
- Learn how to [get compliance data](../how-to/getting-compliance-data.md).
240280
- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
241-
- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).
281+
- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).
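Review bot: The removed line 241 and the added line 281 are identical, so the only visible difference in this hunk is the line ending (most likely a newline added at end of file). Worth confirming that is intentional; if so, it is harmless, but whitespace-only changes are easier to track when kept out of content commits.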
