(Editorial) Updates from review

michaeltlombardi · michaeltlombardi · commit cada2d07c1f1 · 2024-10-07T12:20:48.000-05:00
diff --git a/articles/governance/machine-configuration/how-to/create-policy-definition.md b/articles/governance/machine-configuration/how-to/create-policy-definition.md
@@ -4,6 +4,7 @@ description: Learn how to create a machine configuration policy.
 ms.date: 02/01/2024
 ms.topic: how-to
 ---
+
 # How to create custom machine configuration policy definitions
 
 Before you begin, it's a good idea to read the overview page for [machine configuration][01], and
@@ -105,20 +106,31 @@ Parameters of the `New-GuestConfigurationPolicy` cmdlet:
 - **Description**: Policy description.
 - **Parameter**: Policy parameters provided in a hash table.
 - **PolicyVersion**: Policy version.
-- **Path**: Destination path where policy definitions are created. This is NOT a path a local copy of the package.
+- **Path**: Destination path where policy definitions are created. Don't specify this parameter as
+  the path to a local copy of the package.
 - **Platform**: Target platform (Windows/Linux) for machine configuration policy and content
   package.
-- **Mode**: (case sensitive: `ApplyAndMonitor`, `ApplyAndAutoCorrect`, `Audit`) choose if the policy should audit
-  or deploy the configuration. The default is `Audit`.
-- **Tag** adds one or more tag filters to the policy definition
-- **Category** sets the category metadata field in the policy definition
-- **LocalContentPath** (Optional) - The path to the local copy of the `.zip` Machine Configuration package file (Required if you are using a User Assigned Managed Identity to provide access to an Azure Storge blob)
-- **ManagedIdentityResourceId** (Optional) - The resourceId of the User Assigned Managed Identity with read access to the Azure Storage blob containing the `.zip` Machine Configuration package file (Required if you are using a User Assigned Managed Identity to provide access to an Azure Storge blob)
-- **`-ExcludeArcMachines`** (Optional) - A flag to exclude Arc machines from the generated Policy definition (Required if you are using a User Assigned Managed Identity to provide access to an Azure Storge blob)
+- **Mode**: (case sensitive: `ApplyAndMonitor`, `ApplyAndAutoCorrect`, `Audit`) choose if the
+  policy should audit or deploy the configuration. The default is `Audit`.
+- **Tag**: Adds one or more tag filters to the policy definition.
+- **Category**: Sets the category metadata field in the policy definition.
+- **LocalContentPath**: The path to the local copy of the `.zip` Machine Configuration package
+  file. This parameter is required if you're using a User Assigned Managed Identity to provide
+  access to an Azure Storge blob.
+- **ManagedIdentityResourceId**: The `resourceId` of the User Assigned Managed Identity that has
+  read access to the Azure Storage blob containing the `.zip` Machine Configuration package file.
+  This parameter is required if you're using a User Assigned Managed Identity to provide access to
+  an Azure Storge blob.
+- **ExcludeArcMachines**: Specifies that the Policy definition should exclude Arc machines. This
+  parameter is required if you are using a User Assigned Managed Identity to provide access to an
+  Azure Storge blob.
 
 > [!IMPORTANT]
-> - Please note that, unlike Azure VMs, Arc-connected machines currently do not support User Assigned Managed Identities. As a result, the `-ExcludeArcMachines` flag is required to ensure the exclusion of those machines from the policy definition.
-> - Additionally, for the Azure VM to download the assigned package and apply the policy, the Guest Configuration Windows Agent Version 1.29.82.0 OR Linux Agent Version 1.26.76.0 is required
+> Unlike Azure VMs, Arc-connected machines currently do not support User Assigned Managed
+> Identities. As a result, the `-ExcludeArcMachines` flag is required to ensure the exclusion of
+> those machines from the policy definition. For the Azure VM to download the assigned package and
+> apply the policy, the Guest Configuration Agent must be version `1.29.82.0` or higher for Windows
+> and version `1.26.76.0` or higher for Linux.
 
 For more information about the **Mode** parameter, see the page
 [How to configure remediation options for machine configuration][02].
@@ -156,26 +168,29 @@ $PolicyConfig2      = @{
 New-GuestConfigurationPolicy @PolicyConfig2
 ```
 
-Create a policy definition that **enforces** a custom configuration package using a User-Assigned Managed Identity:
+Create a policy definition that **enforces** a custom configuration package using a User-Assigned
+Managed Identity:
 
 ```powershell
 $PolicyConfig3      = @{
-  PolicyId      = '_My GUID_'
-  ContentUri    = $contentUri
-  DisplayName   = 'My deployment policy'
-  Description   = 'My deployment policy'
-  Path          = './policies/deployIfNotExists.json'
-  Platform      = 'Windows'
-  PolicyVersion = 1.0.0
-  Mode          = 'ApplyAndAutoCorrect'
-  contentLocalPath = "C:\Local\Path\To\Package" # Required parameter for managed identity
-  managedIdentityResourceId = "YourManagedIdentityResourceId" # Required parameter for managed identity
+  PolicyId                  = '_My GUID_'
+  ContentUri                = $contentUri
+  DisplayName               = 'My deployment policy'
+  Description               = 'My deployment policy'
+  Path                      = './policies/deployIfNotExists.json'
+  Platform                  = 'Windows'
+  PolicyVersion             = 1.0.0
+  Mode                      = 'ApplyAndAutoCorrect'
+  ContentLocalPath          = "C:\Local\Path\To\Package"      # Required parameter for managed identity
+  ManagedIdentityResourceId = "YourManagedIdentityResourceId" # Required parameter for managed identity
 }
 
 New-GuestConfigurationPolicy @PolicyConfig3 -ExcludeArcMachines
 ```
+
 > [!NOTE]
-> You can retrieve the resorceId of a nmanaged identity using the `Get-AzUserAssignedIdentity` Powershell cmdlet.
+> You can retrieve the resorceId of a nmanaged identity using the `Get-AzUserAssignedIdentity`
+> PowerShell cmdlet.
 
 The cmdlet output returns an object containing the definition display name and path of the policy
 files. Definition JSON files that create audit policy definitions have the name
diff --git a/articles/governance/machine-configuration/how-to/develop-custom-package/4-publish-package.md b/articles/governance/machine-configuration/how-to/develop-custom-package/4-publish-package.md
@@ -110,7 +110,8 @@ $contentUri = New-AzStorageBlobSASToken @tokenParams
 ## Next step
 
 > [!div class="nextstepaction"]
-> [Sign a custom machine configuration package](./6-sign-package.md)
+> [Provide secure access to a custom machine configuration package](./5-access-package.md)
+
 
 <!-- Reference link definitions -->
 [01]: ../../overview.md
diff --git a/articles/governance/machine-configuration/how-to/develop-custom-package/5-access-package.md b/articles/governance/machine-configuration/how-to/develop-custom-package/5-access-package.md
@@ -7,22 +7,43 @@ ms.custom: devx-track-azurepowershell
 ---
 
 # How to provide secure access to custom machine configuration packages
-This page provides a guide on how to provide access to Machine Configuration packages stored in Azure storage by using the resource ID of a user-assigned managed identity or a Shared Access Signature (SAS) token. 
+
+This page provides a guide on how to provide access to Machine Configuration packages stored in
+Azure storage by using the resource ID of a user-assigned managed identity or a Shared Access
+Signature (SAS) token.
 
 ## Prerequisites
+
 - Azure subscription
 - Azure Storage account with the Machine Configuration package
-  
+
 ## Steps to provide access to the package
+
+The following steps prepare your resources for more secure operations. TThe code snippets for the
+steps include values in angle brackets, like `<storage-account-container-name>`, which you must
+replace with a valid value when following the steps. If you just copy and paste the code, the
+commands may raise errors due to invalid values.
+
 ### Using a User Assigned Identity 
 
 > [!IMPORTANT]
-> Please note that, unlike Azure VMs, Arc-connected machines currently do not support User-Assigned Managed Identities.
+> Please note that, unlike Azure VMs, Arc-connected machines currently do not support User-Assigned
+> Managed Identities.
 
-You can grant private access to a machine configuration package in an Azure Storage blob by assigning a [User-Assigned Identity][01] to a scope of Azure VMs.  For this to work, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the “Storage Blob Data Reader” role to the identity at the scope of the blob container. This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity. You can assign a User Assigned Identity at scale in your server fleet using Azure Policy, learn more [here][02].
+You can grant private access to a machine configuration package in an Azure Storage blob by
+assigning a [User-Assigned Identity][01] to a scope of Azure VMs. For this to work, you need to
+grant the managed identity read access to the Azure storage blob. This involves assigning the
+"Storage Blob Data Reader" role to the identity at the scope of the blob container. This setup
+ensures that your Azure VMs can securely read from the specified blob container using the
+user-assigned managed identity. To learn how you can assign a User Assigned Identity at scale, see
+[Use Azure Policy to assign managed identities][02].
 
-### Using a SAS Token 
-Optionally, you can add a shared access signature (SAS) token in the URL to ensure secure access to the package. The below example generates a blob SAS token with read access and returns the full blob URI with the shared access signature token. In this example, the token has a time limit of three years.
+### Using a SAS Token
+
+Optionally, you can add a shared access signature (SAS) token in the URL to ensure secure access to
+the package. The below example generates a blob SAS token with read access and returns the full
+blob URI with the shared access signature token. In this example, the token has a time limit of
+three years.
 
 ```powershell
 $startTime = Get-Date
@@ -31,23 +52,32 @@ $endTime   = $startTime.AddYears(3)
 $tokenParams = @{
     StartTime  = $startTime
     ExpiryTime = $endTime
-    Container  = 'machine-configuration'
-    Blob       = 'MyConfig.zip'
+    Container  = '<storage-account-container-name>'
+    Blob       = '<configuration-blob-name>'
     Permission = 'r'
-    Context    = $context
+    Context    = '<storage-account-context>'
     FullUri    = $true
 }
+
 $contentUri = New-AzStorageBlobSASToken @tokenParams
 ```
 
 ## Summary
-By using the resource ID of a user-assigned managed identity or SAS token, you can securely provide access to Machine Configuration packages stored in Azure storage. The additional parameters and flags ensure that the package is retrieved using the managed identity and that Azure Arc machines are not included in the policy scope.
+
+By using the resource ID of a user-assigned managed identity or SAS token, you can securely provide
+access to Machine Configuration packages stored in Azure storage. The additional parameters ensure
+that the package is retrieved using the managed identity and that Azure Arc machines aren't
+included in the policy scope.
 
 ## Next Steps
-- After creating the policy definition, you can assign it to the appropriate scope (e.g., management group, subscription, resource group) within your Azure environment.
-- Remember to monitor the policy compliance status and make any necessary adjustments to your Machine Configuration package or policy assignment to meet your organizational requirements.
+- After creating the policy definition, you can assign it to the appropriate scope, like management
+  group, subscription, or resource group, within your Azure environment.
+- Remember to monitor the policy compliance status and make any necessary adjustments to your
+  Machine Configuration package or policy assignment to meet your organizational requirements.
 
-<!-- Reference link definitions -->
-[01]: https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#using-user-assigned-identities-to-reduce-administration
-[02]: https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy
+> [!div class="nextstepaction"]
+> [Sign a custom machine configuration package](./6-sign-package.md)
 
+<!-- Reference link definitions -->
+[01]: /entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#using-user-assigned-identities-to-reduce-administration
+[02]: /entra/identity/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy
diff --git a/articles/governance/machine-configuration/how-to/develop-custom-package/6-sign-package.md b/articles/governance/machine-configuration/how-to/develop-custom-package/6-sign-package.md
@@ -8,12 +8,14 @@ ms.custom: linux-related-content
 
 # How to sign machine configuration packages
 
-Machine configuration custom policies use SHA256 hash to validate the policy package hasn't
+Machine configuration custom policies use a SHA256 hash to validate that the policy package hasn't
 changed. Optionally, customers may also use a certificate to sign packages and force the machine
 configuration extension to only allow signed content.
 
-To enable this scenario, there are two steps you need to complete. Run the cmdlet to sign the
-content package, and append a tag to the machines that should require code to be signed.
+To enable this scenario, there are two steps you need to complete:
+
+1. Run the cmdlet to sign the content package.
+1. Append a tag to the machines that should require code to be signed.
 
 ## Signature validation using a code signing certificate
 
@@ -24,7 +26,7 @@ testing purposes to follow along with the example.
 
 ## Windows signature validation
 
-```azurepowershell-interactive
+```powershell
 # How to create a self sign cert and use it to sign Machine Configuration
 # custom policy package
 
@@ -34,26 +36,35 @@ $codeSigningParams = @{
     DnsName       = 'GCEncryptionCertificate'
     HashAlgorithm = 'SHA256'
 }
-$mycert = New-SelfSignedCertificate @codeSigningParams
+$certificate = New-SelfSignedCertificate @codeSigningParams
 
 # Export the certificates
-$mypwd = ConvertTo-SecureString -String "Password1234" -Force -AsPlainText
-$mycert | Export-PfxCertificate -FilePath C:\demo\GCPrivateKey.pfx -Password $mypwd
-$mycert | Export-Certificate -FilePath "C:\demo\GCPublicKey.cer" -Force
+$privateKey = @{
+    Cert     = $certificate
+    Password = Read-Host "Enter password for private key" -AsSecureString
+    FilePath = '<full-path-to-export-private-key-pfx-file>'
+}
+$publicKey = @{
+    Cert     = $certificate
+    FilePath = '<full-path-to-export-public-key-cer-file>'
+    Force    = $true
+}
+Export-PfxCertificate @privateKey
+Export-Certificate    @publicKey
 
 # Import the certificate
 $importParams = @{
-    FilePath          = 'C:\demo\GCPrivateKey.pfx'
-    Password          = $mypwd
+    FilePath          = $privateKey.FilePath
+    Password          = $privateKey.Password
     CertStoreLocation = 'Cert:\LocalMachine\My'
 }
 Import-PfxCertificate @importParams
 
 # Sign the policy package
-$certToSignThePackage = Get-ChildItem -Path cert:\LocalMachine\My |
-    Where-Object { $_.Subject-eq "CN=GCEncryptionCertificate" }
+$certToSignThePackage = Get-ChildItem -Path Cert:\LocalMachine\My |
+    Where-Object { $_.Subject -eq "CN=GCEncryptionCertificate" }
 $protectParams = @{
-    Path        = 'C:\demo\AuditWindowsService.zip'
+    Path        = '<path-to-package-to-sign>'
     Certificate = $certToSignThePackage
     Verbose     = $true
 }
@@ -62,51 +73,64 @@ Protect-GuestConfigurationPackage @protectParams
 
 ## Linux signature validation
 
-```azurepowershell-interactive
+```powershell
 # generate gpg key
 gpg --gen-key
 
+$emailAddress      = '<email-id-used-to-generate-gpg-key>'
+$publicGpgKeyPath  = '<full-path-to-export-public-key-gpg-file>'
+$privateGpgKeyPath = '<full-path-to-export-private-key-gpg-file>'
+
 # export public key
-gpg --output public.gpg --export <email-id-used-to-generate-gpg-key>
+gpg --output $publicGpgKeyPath --export $emailAddress
 
 # export private key
-gpg --output private.gpg --export-secret-key <email-id-used-to-generate-gpg-key>
+gpg --output $privateGpgKeyPath --export-secret-key $emailAddress
 
 # Sign linux policy package
 Import-Module GuestConfiguration
 $protectParams = @{
-    Path              = './not_installed_application_linux.zip'
-    PrivateGpgKeyPath = './private.gpg'
-    PublicGpgKeyPath  = './public.gpg'
+    Path              = '<path-to-package-to-sign>'
+    PrivateGpgKeyPath = $privateGpgKeyPath
+    PublicGpgKeyPath  = $publicGpgKeyPath
     Verbose           = $true
 }
 Protect-GuestConfigurationPackage
 ```
 
 Parameters of the `Protect-GuestConfigurationPackage` cmdlet:
 
-- **Path**: Full path of the machine configuration package.
+- **Path**: Full path to the machine configuration package.
 - **Certificate**: Code signing certificate to sign the package. This parameter is only supported
   when signing content for Windows.
+- **PrivateGpgKeyPath**: Full path to the private key `.gpg` file. This parameter is only supported
+  when signing content for Linux.
+- **PublicGpgKeyPath**: Full path to the public key `.gpg` file. This parameter is only supported
+  when signing content for Linux.
+
 
 ## Certificate requirements
 
-The machine configuration agent expects the certificate public key to be present in "Trusted Publishers" on Windows machines and in the path `/usr/local/share/ca-certificates/gc`
-on Linux machines. For the node to verify signed content, install the certificate public key on the
-machine before applying the custom policy. This process can be done using any technique inside the
-VM or by using Azure Policy. An example template is available
-[to deploy a machine with a certificate][01]. The Key Vault access policy must allow the Compute
-resource provider to access certificates during deployments. For detailed steps, see
+The machine configuration agent expects the certificate public key to be present in "Trusted
+Publishers" on Windows machines and in the path `/usr/local/share/ca-certificates/gc` on Linux
+machines. For the node to verify signed content, install the certificate public key on the machine
+before applying the custom policy.
+
+You can install the certificate public key using normal tools inside the VM or by using Azure
+Policy. An [example template using Azure Policy][01] shows how you can deploy a machine with a
+certificate. The Key Vault access policy must allow the Compute resource provider to access
+certificates during deployments. For detailed steps, see
 [Set up Key Vault for virtual machines in Azure Resource Manager][02].
 
 Following is an example to export the public key from a signing certificate, to import to the
 machine.
 
 ```azurepowershell-interactive
-$Cert = Get-ChildItem -Path cert:\LocalMachine\My |
-    Where-Object { $_.Subject-eq "CN=mycert3" } |
+$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
+    Where-Object { $_.Subject-eq 'CN=<CN-of-your-signing-certificate>' } |
     Select-Object -First 1
-$Cert | Export-Certificate -FilePath "$env:temp\DscPublicKey.cer" -Force
+
+$Cert | Export-Certificate -FilePath '<path-to-export-public-key-cer-file>' -Force
 ```
 
 ## Tag requirements
diff --git a/redirects/.openpublishing.redirection.machine-configuration.json b/redirects/.openpublishing.redirection.machine-configuration.json
@@ -125,10 +125,15 @@
             "source_path_from_root": "/articles/governance/policy/how-to/guest-configuration-create-publish.md",
             "redirect_document_id": false
         },
+        {
+            "redirect_url": "/azure/governance/machine-configuration/how-to/develop-custom-package/6-sign-package",
+            "source_path_from_root": "/articles/governance/machine-configuration/how-to/develop-custom-package/5-sign-package.md",
+            "redirect_document_id": true
+        },
         {
             "redirect_url": "/azure/governance/machine-configuration/how-to/develop-custom-package/5-sign-package",
             "source_path_from_root": "/articles/governance/machine-configuration/how-to-sign-package.md",
-            "redirect_document_id": true
+            "redirect_document_id": false
         },
         {
             "redirect_url": "/azure/governance/machine-configuration/how-to/develop-custom-package/5-sign-package",
