Loading...

Apply CIS compliant Azure Security baselines through Azure Automanage!

Apply CIS compliant Azure Security baselines through Azure Automanage!

We are thrilled to announce that Azure Automanage Machine Best Practices now enables you to apply CIS aligned Azure security baselines through Automanage Machine Configuration.

 

Azure Automanage Machine Best Practices is a consolidated management solution that simplifies daily server management through effortless automation by handling the initial setup and configuration of Azure best practice services. Automanage continuously monitors machines across their entire lifecycle, automatically bringing them back into conformance should they drift from the desired state. And the best part - Automanage machine best practices is generally available and free to use! You only pay for the services you enable, just as you would if you were doing it all manually, without any additional cost.

 

Azure has released a new Windows server security benchmark that is fully compliant with the newly released CIS Azure Compute Microsoft Windows Server 2019 Benchmark. Working in partnership with CIS, this new compute benchmark includes cloud-specific security controls and removes non-applicable controls that have no significant risk impact in cloud environment.

 

 

What’s new for Azure Automanage machine best practices and server security baselines

 

Using Automanage Machine Best Practices, you can now apply the CIS compliant Windows baselines by leveraging the Automanage Machine Configuration offering.  Machine Configuration is a key service that you can enable on your Azure Virtual Machines and Arc-enabled servers through an Automanage configuration profile. Just as Machine Best Practices lets customers describe desired state for management services, Machine Configuration provides the same functionality within the actual resources, by auditing or configuring operating system settings as code. When you select Machine Configuration in your configuration profile, Machine Configuration will automatically apply Azure Windows security baseline settings*.

 

Machine Configuration can deliver changes within a machine in three different ways. This can be done by assigning the following modes as a parameter of machine configuration definitions that support the policy effect DeployIfNotExists (DINE) -

 

  • Audit - This mode reports the current state of the machine but does not implement any change.
  • Apply and monitor - This mode applies the recommended change to the machine once and then monitors it for deflections. If the configuration becomes non-compliant at any time, a manual remediation needs to be triggered to make any change. 
  • Apply and autocorrect - This mode applies the changes to the machine. If there is a deflection, the local service within the machine corrects it at the next evaluation.

 

These modes can be assigned through the Automanage Portal experience here (details in the Get started section below) or through an ARM template.

 

JuliaMWang_0-1679513894541.png

 

 

Get started

 

Let’s dive deeper and show you how to get started:

 

- To enable Azure Automanage for servers in Azure and Arc-enabled servers, start by browsing to the Automanage portal and click “Enable on existing machine”.

 

JuliaMWang_1-1679513894547.png


- Then create a custom configuration profile in the Configuration profile selection option.

JuliaMWang_2-1679513894555.png

 

- Enable the Machine Configuration service in the custom configuration profile and select the Assignment type/mode of your choice.

JuliaMWang_3-1679513894561.png

 

- After you choose/create your profile, select the Azure virtual machines and/or Arc-enabled servers that you want your custom profile applied to.

JuliaMWang_4-1679513894564.png

 

- Once you have selected the machines, you can click on “Review + Create”. This will initiate the Configuration profile assignment process. Automanage has now configured your machines with the best practices services. You can click on the status column to get the latest Automanage status report for your machines.

JuliaMWang_5-1679513894567.png

 

- You can query the compliance status for your entire environment using the Guest Assignments page in the Azure Portal, and through the Machine Configuration menu item within the Arc-enabled servers table of contents.

 

Through Guest Assignments:

 

Through the Guest Assignments view for Azure VMs and Arc-enabled servers, you can see all the configuration details for the selected subscriptions. At a high level, you are able to glance at the compliance across your environment.

JuliaMWang_6-1679513894572.png

 

Through clicking into an individual Guest Assignment, you can see a breakdown of this compliance on a per-rule basis as well as some additional context for the reasons for non-compliance.

JuliaMWang_7-1679513894579.png

 

Through Arc-enabled servers Table of Contents:

 

This view is only for non-Azure machines – here you can see all the compliance across your Arc-enabled servers.

JuliaMWang_8-1679513894583.png

 

Clicking into an individual entry links to a Guest Assignment, showing you the breakdown of this compliance on a per-rule basis and reasons for non-compliance.

JuliaMWang_9-1679513894589.png

 

Voila! With Azure Automanage, now you can just point and click to apply CIS compliant Azure Security baselines to your environment and view its compliance.

 

 

*Note: The Windows and Linux security baselines can be applied independently of Azure Automanage. The Linux security baseline is in private preview right now.

 

 

Related Resources

 

To keep learning about the exciting new capabilities of Azure Automanage:

 

Published on:

Learn more
Azure Governance and Management Blog articles
Azure Governance and Management Blog articles

Azure Governance and Management Blog articles

Share post:

Related posts

How to Integrate Azure Service Bus with Microsoft Dynamics 365 CRM Step by Step with Example?

Keeping data flowing between applications is critical in today’s connected business world. Organizations using Microsoft Dynamics 365 CR...

1 day ago

Enhancing Secure Sign-Ins with Temporary Access Pass in Azure Active Directory

Introduction While working on improving user account recovery scenarios, a common challenge often arises: how to securely allow a user to sign...

2 days ago

Azure SDK Release (September 2025)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (September 202...

3 days ago

Batch Processing Triggered Pipeline Runs in Azure Synapse

This post describes a pattern for batch processing triggered pipeline runs in Azure Synapse

3 days ago

Reliably refreshing a Semantic Model from Azure Data Factory or Synapse Pipelines

This post describes a pattern for reliably refreshing Power BI semantic models from Azure Data Factory or Azure Synapse Pipelines.

3 days ago

Power Pages Fundamentals #24: Boosting Portal Security with Azure Single Sign-On: Quick Read Series

Contoso Motors is a large automotive service company.They have built a Power Pages customer portal for their external partners and customers t...

5 days ago

Building Azure functions that never store secrets — ever

What if your function could hit Microsoft Graph with no client secrets, no certs, and no Key Vault entries? That is exactly what a Managed id...

10 days ago

Azure Functions missing after zip deploy from GitHub Actions

Learn how to troubleshoot Azure Functions that don't appear after zip deployment from GitHub Actions, including platform architecture configur...

10 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy