I am currently investigating the guest configuration preview within our environment. Scoped to only security baseline monitoring and remediation. My goal is to try to use as much default policies as possible and prevent creating of custom packages. From what I can find current guest configuration policies are only meant for auditing. Which means I would require custom packages..
Creating a custom package of our baseline would end up in a package per OS and requiring policy filtering on different OS images to apply the correct policy. Not really manageable in my opinion.
Doing some digging. I found a script on git : link. With the following line :
Start-GuestConfigurationPackageRemediation -Path 'https://oaasguestconfigwcuss1.blob.core.windows.net/builtinconfig/AzureWindowsBaseline/AzureWindowsBaseline_18.104.22.168.zip'
This package contains a AzureWindowBaseline resource with compiled mof. I think it is also used by a preview policy definition. “[Preview]: Windows machines should meet requirements of the Azure compute security baseline”. The policy seems only limited to auditing. But the big plus I see in the mof is the ability to filter each settings to one of more operating systems and or role types. With that I would only have a single policy to apply to all vm’s.
Is/Will AzureWindowsBaseline (AzureOSBaseline) Dsc resource be publicly available. So additional settings could be set in a similar way. If not maybe propose additional attributes to AuditPolicyDSC, SecuretyPolicyDsc. Not sure what to do with registry settings..
Will overriding settings be a capability for the default policies. (Is yes, what is the ETA?) Needed to accommodate exceptions via alternate assignment and overriding defaults