Azure Policy built-in initiative definitions

This page is an index of Azure Policy built-in initiative definitions.

The name on each built-in links to the initiative definition source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata.

Guest Configuration

| Name | Description | Policies | Version |
|---|---|---|---|
| Audit Linux VMs that do not have the specified applications installed | This initiative deploys the policy requirements and audits Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.1.0 |
| Audit Linux VMs that have the specified applications installed | This initiative deploys the policy requirements and audits Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.1.0 |
| Audit VMs with insecure password security settings | This initiative deploys the policy requirements and audits virtual machines with insecure password security settings. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 18 | 1.1.0-preview |
| Audit Windows Server VMs on which Windows Serial Console is not enabled | This initiative deploys the policy requirements and audits Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs in which the Administrators group contains any of the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs in which the Administrators group does not contain all of the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs in which the Administrators group does not contain only the specified members | This initiative deploys the policy requirements and audits Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs on which the DSC configuration is not compliant | This initiative deploys the policy requirements and audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs on which the Log Analytics agent is not connected as expected | This initiative deploys the policy requirements and audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs on which the remote host connection status does not match the specified one | This initiative deploys the policy requirements and audits Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs on which the specified services are not installed and 'Running' | This initiative deploys the policy requirements and audits Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This initiative deploys the policy requirements and audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs that are not joined to the specified domain | This initiative deploys the policy requirements and audits Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs that are not set to the specified time zone | This initiative deploys the policy requirements and audits Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs that contain certificates expiring within the specified number of days | This initiative deploys the policy requirements and audits Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs that do not contain the specified certificates in Trusted Root | This initiative deploys the policy requirements and audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs that do not have the specified applications installed | This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs that do not have the specified Windows PowerShell execution policy | This initiative deploys the policy requirements and audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs that do not have the specified Windows PowerShell modules installed | This initiative deploys the policy requirements and audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs that do not match Azure security baseline settings | This initiative deploys the policy requirements and audits Windows virtual machines with non-compliant Azure security baseline configurations. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 58 | 1.0.0-preview |
| Audit Windows VMs that have not restarted within the specified number of days | This initiative deploys the policy requirements and audits Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0-preview |
| Audit Windows VMs that have the specified applications installed | This initiative deploys the policy requirements and audits Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows VMs with a pending reboot | This initiative deploys the policy requirements and audits Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |
| Audit Windows web servers that are not using secure communication protocols | This initiative deploys the policy requirements and audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | 2 | 1.0.0 |

Monitoring

| Name | Description | Policies | Version |
|---|---|---|---|
| Enable Azure Monitor for Virtual Machine Scale Sets | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | 6 | 1.0.1 |
| Enable Azure Monitor for VMs | Enable Azure Monitor for the Virtual Machines (VMs) in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. | 6 | 1.0.1 |

Regulatory Compliance

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/canadafederalPBMM-blueprint | 67 | 2.0.0-preview |
| [Preview]: Audit CIS Microsoft Azure Foundations Benchmark 1.1.0 recommendations and deploy specific supporting VM Extensions | This initiative includes audit and VM Extension deployment policies that address a subset of CIS Microsoft Azure Foundations Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/cisazure-blueprint. | 83 | 2.0.0-preview |
| [Preview]: Audit FedRAMP Moderate controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP M controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/fedrampm-blueprint. | 70 | 2.0.0-preview |
| [Preview]: Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/irs1075-blueprint. | 70 | 2.0.0-preview |
| [Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/iso27001-blueprint. | 58 | 2.0.0-preview |
| [Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/nist80053-blueprint. | 798 | 2.0.0-preview |
| [Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/pciv321-init. | 39 | 1.0.0-preview |
| [Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/SWIFT-blueprint. | 71 | 1.0.0-preview |
| [Preview]: Audit UK OFFICIAL and UK NHS controls and deploy specific VM Extensions to support audit requirements | This initiative includes policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/ukofficial-blueprint and https://aka.ms/uknhs-blueprint | 66 | 2.0.0-preview |
| Audit Azure Security Benchmark recommendations and deploy specific supporting VM Extensions | This initiative includes audit and VM Extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/azsecbm. | 148 | 2.0.0-preview |
| Audit DoD Impact Level 4 controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of DoD Impact Level 4 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/DoDIL4-blueprint. | 108 | 3.0.0-preview |
| Audit FedRAMP High controls and deploy specific VM Extensions to support audit requirements | This initiative includes audit and VM Extension deployment policies that address a subset of FedRAMP H controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/fedramph-blueprint. | 80 | 2.0.0-preview |
| Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements | This initiative includes policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. https://aka.ms/hipaa-blueprint | 57 | 1.0.0 |
| Audit Motion Picture Association of America (MPAA) controls and deploy specific VM Extensions to support audit requirements | This initiative includes policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint | 45 | 1.0.0-preview |

Security Center

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Enable Data Protection Suite | Enable data protection for SQL servers. This initiative is assigned automatically by Azure Security Center Standard Tier. | 1 | 1.0.0-preview |
| Enable Monitoring in Azure Security Center | Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center. | 96 | 2.0.1 |
