Guest Configuration.csv
"DisplayName";"Description";"Path"
"Windows machines should use the default NTP server";"Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json"
"Windows machines should configure Windows Defender to update protection signatures within one day";"To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json"
"Windows machines should enable Windows Defender Real-time protection";"Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json"
"Windows machines should schedule Windows Defender to perform a scheduled scan every day";"Windows machines should schedule Windows Defender to perform a scheduled scan every day to ensure that malware is quickly identified to minimize the effect this may have to the environment. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json"
"Private endpoints for Guest Configuration assignments should be enabled";"Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/Azure_PrivateLink_Deny.json"
"[Preview]: Configure Windows Server to disable local users.";"Creates a Guest Configuration assignment that disables local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by users explicitly allowed by this policy, improving overall security posture.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AADDisableLocalAuth_Deploy.json"
"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities";"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json"
"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity";"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json"
"[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines";"This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AddUserIdentity_Prerequisite.json"
"Windows machines should meet requirements for 'Administrative Templates - Control Panel'";"Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministrativeTemplatesControlPanel_AINE.json"
"Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'";"Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministrativeTemplatesMSSLegacy_AINE.json"
"Windows machines should meet requirements for 'Administrative Templates - Network'";"Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministrativeTemplatesNetwork_AINE.json"
"Windows machines should meet requirements for 'Administrative Templates - System'";"Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministrativeTemplatesSystem_AINE.json"
"Audit Windows machines that have extra accounts in the Administrators group";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json"
"Audit Windows machines that have the specified members in the Administrators group";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json"
"Audit Windows machines missing any of specified members in the Administrators group";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json"
"[Preview]: Linux machines should meet STIG compliance requirement for Azure compute";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) publishes Security Technical Implementation Guides (STIGs) for securing compute operating systems as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_ASCSTIGLinuxBaseline_AINE.json"
"[Preview]: Windows machines should meet STIG compliance requirements for Azure compute";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) publishes Security Technical Implementation Guides (STIGs) for securing compute operating systems as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_ASCSTIGWindowsBaseline_AINE.json"
"[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AzureDockerBaseline_AINE.json"
"Linux machines should meet requirements for the Azure compute security baseline";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json"
"Windows machines should meet requirements of the Azure compute security baseline";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_AzureWindowsBaseline_AINE.json"
"Audit Windows machines that contain certificates expiring within the specified number of days";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_CertificateExpiration_AINE.json"
"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs";"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json"
"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs";"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json"
"Audit Linux machines that don't have the specified applications installed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_InstalledApplicationForLinux_AINE.json"
"Audit Windows machines that don't have the specified applications installed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_InstalledApplicationForWindows_AINE.json"
"Linux machines should have Log Analytics agent installed on Azure Arc";"Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxLogAnalyticsAgentInstalled_AINE.json"
"Authentication to Linux machines should require SSH keys";"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json"
"Audit Linux machines that allow remote connections from accounts without passwords";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxPassword110_AINE.json"
"Audit Linux machines that do not have the passwd file permissions set to 0644";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the permissions of the passwd file are not set to 0644.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxPassword121_AINE.json"
"Audit Linux machines that have accounts without passwords";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxPassword232_AINE.json"
"[Preview]: Linux machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Use Azure Disk Encryption or Encryption At Host to protect your virtual machine's OS and data disks, temp disks, data caches and any data flowing between compute and storage. To learn more about different disk encryption offerings, see https://aka.ms/diskencryptioncomparison.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LinuxVMEncryption_AINE.json"
"Linux machines should only have local accounts that are allowed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LocalUsers_Linux_AINE.json"
"Windows machines should only have local accounts that are allowed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_LocalUsers_Windows_AINE.json"
"Audit Windows machines that have not restarted within the specified number of days";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_MachineLastBootUpTime_AINE.json"
"Audit Linux machines that have the specified applications installed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_NotInstalledApplicationForLinux_AINE.json"
"Audit Windows machines that have the specified applications installed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_NotInstalledApplicationForWindows_AINE.json"
"Windows web servers should be configured to use secure communication protocols";"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using certificates to authenticate the server and negotiating an encrypted connection between machines.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecureWebProtocol_AINE.json"
"Windows machines should meet requirements for 'Security Options - Accounts'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsAccounts_AINE.json"
"Windows machines should meet requirements for 'Security Options - Devices'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsDevices_AINE.json"
"Windows machines should meet requirements for 'Security Options - Interactive Logon'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsInteractiveLogon_AINE.json"
"Windows machines should meet requirements for 'Security Options - Microsoft Network Client'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkClient_AINE.json"
"Windows machines should meet requirements for 'Security Options - Microsoft Network Server'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json"
"Windows machines should meet requirements for 'Security Options - Network Access'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json"
"Windows machines should meet requirements for 'Security Options - Network Security'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json"
"Windows machines should meet requirements for 'Security Options - Recovery console'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsRecoveryconsole_AINE.json"
"Windows machines should meet requirements for 'Security Options - Shutdown'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsShutdown_AINE.json"
"Windows machines should meet requirements for 'Security Options - System objects'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsSystemobjects_AINE.json"
"Windows machines should meet requirements for 'Security Options - System settings'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsSystemsettings_AINE.json"
"Windows machines should meet requirements for 'Security Options - User Account Control'";"Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecurityOptionsUserAccountControl_AINE.json"
"Windows machines should meet requirements for 'Security Settings - Account Policies'";"Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json"
"Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows servers";"Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows servers.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SetSecureProtocol_Deploy.json"
"Configure time zone on Windows machines.";"This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_SetWindowsTimeZone_Deploy.json"
"Windows machines should meet requirements for 'User Rights Assignment'";"Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_UserRightsAssignment_AINE.json"
"Audit Windows machines that do not contain the specified certificates in Trusted Root";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json"
"Windows machines should meet requirements for 'Windows Components'";"Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsComponents_AINE.json"
"Windows Defender Exploit Guard should be enabled on your machines";"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json"
"Audit Windows machines that are not joined to the specified domain";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsDomainMembership_AINE.json"
"Audit Windows machines on which the DSC configuration is not compliant";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsDscConfiguration_AINE.json"
"Windows machines should meet requirements for 'Windows Firewall Properties'";"Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsFirewallProperties_AINE.json"
"Audit Windows machines on which the Log Analytics agent is not connected as expected";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json"
"Windows machines should have Log Analytics agent installed on Azure Arc";"Machines are non-compliant if the Log Analytics agent is not installed on an Azure Arc-enabled Windows server.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsLogAnalyticsAgentInstalled_AINE.json"
"Audit Windows machines that do not have a maximum password age of 70 days";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json"
"Audit Windows machines that do not have a minimum password age of 1 day";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json"
"Audit Windows machines that do not have the password complexity setting enabled";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json"
"Audit Windows machines that do not store passwords using reversible encryption";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json"
"Audit Windows machines that allow re-use of the previous 24 passwords";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json"
"Audit Windows machines that do not restrict the minimum password length to 14 characters";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json"
"Audit Windows VMs with a pending reboot";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPendingReboot_AINE.json"
"Audit Windows machines that do not have the specified Windows PowerShell execution policy";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPowerShellExecutionPolicy_AINE.json"
"Audit Windows machines that do not have the specified Windows PowerShell modules installed";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsPowerShellModules_AINE.json"
"Audit Windows machines network connectivity";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsRemoteConnection_AINE.json"
"Audit Windows machines on which Windows Serial Console is not enabled";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsSerialConsole_AINE.json"
"Audit Windows machines on which the specified services are not installed and 'Running'";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status specified by the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsServiceStatus_AINE.json"
"Audit Windows machines that are not set to the specified time zone";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsTimeZone_AINE.json"
"[Preview]: Windows machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.";"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Use Azure Disk Encryption or Encryption At Host to protect your virtual machine's OS and data disks, temp disks, data caches and any data flowing between compute and storage. To learn more about different disk encryption offerings, see https://aka.ms/diskencryptioncomparison.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Guest Configuration/GuestConfiguration_WindowsVMEncryption_AINE.json"