June 10, 2025
Machine configuration provides a platform to extend Azure Policy into the VM operating system, so you can audit and configure OS settings at scale. Many machine configuration policies are assigned through Microsoft Defender for Cloud and are key components of other regulatory compliance initiatives. These policies govern key scenarios including Microsoft security baselines, managing your TLS and SSH settings at scale, managing installed software, and more. To use machine configuration, the Guest Configuration extension (together with a managed identity for the VM) must be installed on every targeted VM.
If the extension isn't installed, Azure Policy will not return a compliance state for those policies, so a VM that was never evaluated looks no different from one that was, and you could see unexpected behavior and miss important security signals.
Here is a step-by-step guide on how to ensure your Azure Virtual Machines have the Machine Configuration prerequisites correctly enabled.
1. Identify subscriptions missing prerequisites
There are a couple of ways to identify whether a subscription is in a state where policies are assigned but the extension is not installed. The first is to open a policy under the category "Guest Configuration" and check whether its non-compliance message indicates that the extension is missing; the compliance reason code will be "GCExtensionMissing".
To examine the state of your VMs at scale, we recommend an Azure Resource Graph (ARG) query for a missing extension or a missing managed identity. Run the query below to find any subscriptions that are in this error state:
policyresources
| where type =~ 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend complianceReasonCode = properties.complianceReasonCode
| where complianceReasonCode == 'GCExtensionMissing' or complianceReasonCode == 'GCExtensionManagedIdentityMissing' or complianceReasonCode == 'GCExtensionIdentityMissing' or complianceReasonCode == 'UserIdentityMissing' or complianceReasonCode == 'GCExtensionUserIdentityMissing'
| distinct subscriptionId
2. Install Extension on Identified Subscriptions
To deploy the extension at scale, we recommend assigning our Azure Policy prerequisite initiative. It deploys both the required extension and the managed identity, and ensures that as new VMs are created within the subscription, the extension is installed by default. Because the initiative deploys resources, the assignment itself needs a managed identity with rights to install the extension; without it, the policies will report non-compliance but nothing will be remediated.
After the policy has been assigned, trigger a remediation task on the initiative so that all existing VMs within the subscription are brought into compliance; the assignment alone only covers VMs created after it.
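The two steps above as one Azure CLI script, added here as an example and not part of the original post. It assumes the Azure CLI with the resource-graph extension, rights to assign policy at subscription scope, and the built-in initiative "Deploy prerequisites to enable Guest Configuration policies on virtual machines" (resolved by display name rather than a hard-coded GUID); the assignment and remediation names, the RUN_LIVE and AZ_LOCATION variables and the Contributor role are choices made for the example. The query goes beyond the one in the post: it keeps the reason code and an affected-resource count per subscription, so you can see whether the gap is the extension or the identity it needs.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Azure CLI flow for finding
# subscriptions missing the Machine Configuration prerequisites and fixing them.
set -euo pipefail

# Compliance reason codes that mean the Guest Configuration extension and/or
# the managed identity it needs are missing.
REASON_CODES="GCExtensionMissing GCExtensionManagedIdentityMissing GCExtensionIdentityMissing UserIdentityMissing GCExtensionUserIdentityMissing"

# Build the Resource Graph query. Per subscription and reason code it counts
# distinct non-compliant resources, which tells you what is actually missing.
prereq_query() {
  local codes="" c
  for c in $REASON_CODES; do
    codes="${codes:+$codes, }'$c'"
  done
  cat <<EOF
policyresources
| where type =~ 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend complianceReasonCode = tostring(properties.complianceReasonCode)
| where complianceReasonCode in ($codes)
| summarize affectedResources = dcount(tostring(properties.resourceId)) by subscriptionId, complianceReasonCode
| order by subscriptionId asc
EOF
}

# Step 1: subscriptions in an error state, as "subscriptionId reasonCode count".
# Requires: az extension add --name resource-graph
list_affected_subscriptions() {
  az graph query -q "$(prereq_query)" --first 1000 \
    --query "data[].[subscriptionId, complianceReasonCode, affectedResources]" -o tsv
}

# Resolve the built-in initiative by display name instead of hard-coding its GUID.
prereq_initiative_id() {
  az policy set-definition list --query \
    "[?displayName=='Deploy prerequisites to enable Guest Configuration policies on virtual machines'].name" \
    -o tsv
}

# Step 2: assign the initiative at subscription scope with a system-assigned
# identity (its deploy/modify effects need one), granting it Contributor on the
# subscription, then create a remediation per policy in the set so existing
# VMs are fixed, not only VMs created after the assignment.
assign_and_remediate() {
  local sub="$1" location="$2"
  local scope="/subscriptions/$sub" set_id assignment_id ref safe_ref
  set_id="$(prereq_initiative_id)"

  assignment_id="$(az policy assignment create \
    --name "gc-prereqs" \
    --display-name "Deploy Machine Configuration prerequisites" \
    --scope "$scope" \
    --policy-set-definition "$set_id" \
    --location "$location" \
    --mi-system-assigned \
    --identity-scope "$scope" \
    --role Contributor \
    --query id -o tsv)"

  # Initiative remediations are created per policy definition reference.
  for ref in $(az policy set-definition show --name "$set_id" \
      --query "policyDefinitions[].policyDefinitionReferenceId" -o tsv); do
    safe_ref="$(printf '%s' "$ref" | tr -c 'A-Za-z0-9' '-')"
    az policy remediation create \
      --name "gc-prereqs-$safe_ref" \
      --policy-assignment "$assignment_id" \
      --definition-reference-id "$ref" \
      --resource-discovery-mode ReEvaluateCompliance \
      --output none
  done
}

# Live calls run only when explicitly requested (RUN_LIVE=1), so the file can
# be sourced or inspected without touching Azure.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  echo "Subscriptions missing prerequisites (subscription, reason, resources):"
  list_affected_subscriptions
  for sub in $(list_affected_subscriptions | cut -f1 | sort -u); do
    assign_and_remediate "$sub" "${AZ_LOCATION:-eastus}"
  done
fi
```

Run `RUN_LIVE=1 AZ_LOCATION=westeurope ./gc-prereqs.sh` after `az login`. Re-run the query a few hours later: the remediation is asynchronous, and a subscription still reporting GCExtensionManagedIdentityMissing after the extension rows have cleared usually means a VM that already has a user-assigned identity and needs the identity-related policies in the initiative to complete first.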