MicrosoftDocs
diff --git a/‎articles/governance/machine-configuration/how-to/assign-built-in-policies.md‎
Lines changed: 117 additions & 0 deletions b/‎articles/governance/machine-configuration/how-to/assign-built-in-policies.md‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎articles/governance/machine-configuration/how-to/assign-security-baselines/deploy-a-baseline-policy-assignment.md‎
Lines changed: 132 additions & 0 deletions b/‎articles/governance/machine-configuration/how-to/assign-security-baselines/deploy-a-baseline-policy-assignment.md‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎articles/governance/machine-configuration/how-to/assign-security-baselines/overview-page.md‎
Lines changed: 87 additions & 0 deletions b/‎articles/governance/machine-configuration/how-to/assign-security-baselines/overview-page.md‎
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,117 @@
+---
+title: Discover And Assign Built In Machine Configuration Policies
+description: Learn how to discover, configure, and assign built-in Azure Machine Configuration policies to audit and enforce compliance across Windows and Linux machines in your environment.
+ms.date: 11/07/2025
+ms.topic: conceptual
+ms.custom: references_regions
+---
+
+# Discover and Assign Built-In Machine Configuration Policies
+
+Azure Policy provides a unified framework for defining and enforcing governance rules across your Azure resources.  
+Machine Configuration extends this capability to the guest OS level, allowing you to audit and enforce configurations *inside* Windows and Linux machines—helping ensure your workloads remain secure and compliant with internal and industry standards.
+
+This section explains how to discover built-in Machine Configuration policies, understand what they do, and assign them to your environment. We'll also walk through an example—using the Audit Windows Time Zone policy—to illustrate how parameters are used to tailor configurations to your organization's needs.
+
+## Discover Built-In Machine Configuration Policies
+
+Azure Policy definitions describe *what* is being evaluated and *how* compliance is determined. Built-in definitions are maintained by Microsoft and automatically updated to align with current security and compliance standards.
+
+To view and explore these built-in policies:
+
+1.  Navigate to **Azure Portal → Policy → Definitions**.
+
+2.  In the left-hand navigation, select **Definitions** under the *Authoring* section.
+
+3.  Open the **Category** filter and select **Guest Configuration** and **Built-in** on Policy Type to display all built-in policies related to OS auditing and compliance.
+
+[![Screenshot of Azure Policy Definitions page with Guest Configuration filter applied.](../media/discover-and-assign-built-in-machine-configuration-policies/azure-policy-definitions-guest-config-filter.png)](../media/discover-and-assign-built-in-machine-configuration-policies/azure-policy-definitions-guest-config-filter.png#lightbox)
+
+4.  Browse the list to review available definitions, such as:
+
+    - *Audit Linux machines that have the specified applications installed*
+
+    - *Audit Windows machines that are not set to the specified time zone*
+
+    - *Windows machines should meet requirements for the Azure compute security baseline*
+
+5.  Click any policy name to open its details page. You can inspect:
+
+    - The JSON definition
+
+    - Available parameters and versions
+
+    - Metadata such as category, mode, and required providers
+
+[![Screenshot of policy definition details page showing JSON definition and parameters.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-definition-details-json-parameters.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-definition-details-json-parameters.png#lightbox)
+
+## Assign a Built-In Machine Configuration Policy
+
+A **policy assignment** determines *where* and *how* a policy definition is applied—whether to a management group, subscription, or resource group.  
+When you assign a Machine Configuration policy, Azure evaluates all in-scope machines and reports compliance directly in the **Azure Policy → Compliance** blade.
+
+### Example: Assigning the "Audit Windows Time Zone" Policy
+
+Let’s use one of the built-in Machine Configuration policies—**Audit Windows machines that are not set to the specified time zone**—as an example.
+
+1.  From the **Policy Definitions** page, select  
+    **Audit Windows machines that are not set to the specified time zone**.
+
+2.  Click **Assign Policy** at the top of the page.
+
+3.  In the **Basics** tab:
+
+    1.  Choose the **Scope** (subscription or management group).
+
+    2.  Confirm that **Machine Configuration prerequisites** are deployed. (A link to deploy prerequisites appears automatically if not.)
+
+    3.  Optionally specify exclusions if certain resources shouldn't be evaluated.
+
+[![Screenshot of policy assignment Basics tab showing scope selection and prerequisites.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-basics-scope-prerequisites.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-basics-scope-prerequisites.png#lightbox)
+
+4.  In the **Parameters** tab:
+
+    1.  Set **Include Arc connected servers** to true if your environment includes Arc-enabled machines.
+
+    2.  Choose the desired **Time zone** (for example, "Pacific Time (US & Canada)").
+
+[![Screenshot of policy assignment Parameters tab showing Arc servers option and time zone selection.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-parameters-arc-timezone.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-parameters-arc-timezone.png#lightbox)
+
+5.  Review your configuration under **Review + create**, then click **Create**.
+
+Once assigned, the policy will automatically begin evaluating machines within scope. Compliance results will surface in the **Policy → Compliance** view, where you can drill down to specific resources or export results.
+
+> [!NOTE]
+> The same process is applicable to other built-in Machine Configuration policies—such as those auditing Linux baselines, password settings, or required applications. Parameters vary by definition and allow you to customize the audit scope without creating new policies.
+
+## Programmatic Access and Automation
+
+While this guide focuses on portal-based workflows, you can also assign and manage Machine Configuration policies programmatically through CLI, PowerShell, or REST API.
+
+| **Interface** | **Command/Reference** | **Documentation** |
+|----|----|----|
+| **Azure CLI** | az policy definition list and az policy assignment create | [Assign policy via Azure CLI][01] |
+| **PowerShell** | Get-AzPolicyDefinition and New-AzPolicyAssignment | [Assign policy via PowerShell][02] |
+| **REST API** | Microsoft.Authorization/policyAssignments | [Azure Policy REST API Reference][03] |
+| **Guest Configuration** | az guestconfig assignment list | [Guest Configuration REST API Reference][04] |
+| **Azure Resource Graph** | Query guestconfigurationresources table for compliance results | [Query Guest Configuration with Azure Resource Graph][05] |
+
+## Next Steps
+
+After assigning your policy, you can:
+
+- [View Machine Configuration compliance reporting][06]
+- [Assign security baseline policies][07]
+- [Understand Azure Policy definitions and initiatives][08]
+- [Deploy Machine Configuration prerequisites][09]
+
+<!-- Link reference definitions -->
+[01]: ../../policy/assign-policy-azurecli.md
+[02]: /powershell/module/az.policyinsights
+[03]: /rest/api/policy
+[04]: /rest/api/guestconfiguration
+[05]: ../../policy/how-to/get-compliance-data.md
+[06]: ./view-compliance.md
+[07]: ./assign-security-baselines/overview-page.md
+[08]: ../../policy/concepts/definition-structure.md
+[09]: ../../policy/concepts/guest-configuration.md
@@ -0,0 +1,132 @@
+---
+title: Deploy A Baseline Policy Assignment
+description: Learn how to deploy a security baseline policy assignment for continuous security compliance tracking across Azure and Arc-enabled machines using Azure Policy and Machine Configuration.
+ms.date: 11/07/2025
+ms.topic: conceptual
+ms.custom: references_regions
+---
+
+# Deploy a Security Baseline Policy Assignment
+
+A security baseline policy assignment enables continuous compliance tracking, with results surfaced in the Azure portal to validate that your custom configurations are correctly applied across all target Windows and Linux machines. Policy assignments apply to Azure and non-Azure virtual machines (that are [Azure Arc-enabled servers][01]), extending security and compliance management across hybrid, multicloud, and edge environments. The following Policy definitions support customization:
+
+- *Linux machines should meet requirements for the Azure compute security baseline*
+
+- *Windows machines should meet requirements for the Azure compute security baseline*
+
+- *\[Preview\]* *Official CIS Security Benchmarks for Linux Workloads*
+
+Assignment of a security baseline policy is managed through [Machine Configuration][02], which enforces compliance by auditing machine settings against your chosen security baseline.
+
+You can assign baselines via the Azure portal, Azure CLI, or automate the process in CI/CD pipelines for consistent rollout.
+
+> [!IMPORTANT]
+> Before assigning any security baseline policy, make sure you deploy the Machine Configuration prerequisite initiative. This initiative installs the extension on virtual machines and enables secure communication with a managed identity.
+
+## Deploy via the Azure portal
+
+The portal provides the most direct path to create or test a baseline assignment.
+
+### Step 1—Open Machine Configuration Policies
+
+1.  Go to **Azure portal \> Policy \> Machine Configuration**.
+
+2.  Under **Definitions**, choose your desired baseline—for example:
+
+    - *\[Preview\]* Official CIS Security Benchmarks for Linux Workloads
+
+    - *Azure Security Baseline for Windows*
+
+    - *Azure Security Baseline for Linux*
+
+### Step 2—Select and Customize
+
+1.  Choose **Modify settings** to tailor which benchmarks and versions you want to include.
+
+2.  Review and optionally edit parameters for individual rules.
+
+3.  When satisfied, click **Review + download** to generate your customized settings JSON.
+
+4.  Press **Download All Baselines** to save the file.
+
+Each JSON file encapsulates all selected parameters and metadata.  
+Use this file later when creating the assignment.
+
+### Step 3—Create the Assignment
+
+1.  Select **Create audit Policy Assignment**.
+
+2.  In the page, define:
+
+    - **Scope** (subscription or management group)
+
+    - **Assignment name** and optional description
+
+3.  Under the **Parameters** tab, locate **Baseline Settings**. You may need to uncheck *"Only show parameters that need input or review"*
+
+[![Screenshot of Baseline Settings parameter configuration.](../../media/deploy-a-baseline-policy-assignment/baseline-settings-parameter-configuration.png)](../../media/deploy-a-baseline-policy-assignment/baseline-settings-parameter-configuration.png#lightbox)
+
+4.  Click **Browse** → Upload the JSON file you downloaded earlier.
+
+5.  Confirm **Effect** = AuditIfNotExists for compliance tracking.
+
+6.  Review and create.
+
+This upload step passes your custom configuration to the BaselineSettings parameter within the relevant built-in policies.
+
+For full assignment options (scope, remediation, noncompliance messages, managed identities), refer to [Assign a policy definition in the Azure portal][03].
+
+## Deploy via Azure CLI or CI/CD Pipeline
+
+For automated policy deployment, you can create the same assignment programmatically using the [Policy-as-code][07] SDK.
+
+### Step 1—Prepare your JSON file
+
+Ensure you download the baseline settings JSON generated from the portal. Example path:
+
+```bash
+baselineFile="./CustomizedBaselineSettings.json"
+```
+
+### Step 2—Assign the Policy
+
+Use the Azure CLI to deploy the assignment:
+
+```azurecli
+az policy assignment create \
+--name "CIS-Linux-Baseline-Custom" \
+--display-name "CIS Linux Baseline (Customized)" \
+--policy "/providers/Microsoft.Authorization/policyDefinitions/cis-linux-baseline" \
+--params @"$baselineFile" \
+--scope "/subscriptions/<subscription-id>" \
+--identity
+```
+
+You can find other examples in [Assign policy with Azure CLI][04].
+
+### View Existing Security Baseline Assignments
+
+After deploying your customized baseline, you can verify its status and scope in the **Assignments** tab under **Policy → Machine Configuration** in the Azure portal.
+
+[![Screenshot of policy assignments view showing deployed baseline policies.](../../media/deploy-a-baseline-policy-assignment/policy-assignments-view-deployed-baselines.png)](../../media/deploy-a-baseline-policy-assignment/policy-assignments-view-deployed-baselines.png#lightbox)
+
+This view lists all baseline policy assignments, including their policy definition, management group or subscription, and resource group. You can use filters (for example, by policy name, subscription, or scope) to quickly locate your assignment. Selecting a specific assignment opens its details, where you can review parameter input (such as your imported JSON file), scope, and compliance status once evaluations complete.
+
+> [!NOTE]
+> The compliance results in this view correspond to the same audit configuration surfaced in Azure Policy Compliance, ARG, and Guest Assignments—helping you validate that your custom baselines are applied correctly across all target machines.
+
+
+## Next steps
+
+- [View Machine Configuration compliance reporting][05]
+- [Discover and assign built-in Machine Configuration policies][06]
+- [Policy as Code with Azure Policy][07]
+
+<!-- Link reference definitions -->
+[01]: /azure/azure-arc/servers/overview
+[02]: ../../overview.md
+[03]: ../../../policy/assign-policy-portal.md
+[04]: ../../../policy/assign-policy-azurecli.md
+[05]: ../view-compliance.md
+[06]: ../assign-built-in-policies.md
+[07]: ../../../policy/concepts/policy-as-code.md
@@ -0,0 +1,87 @@
+---
+title: Overview Page
+description: Learn how to configure and deploy customizable security baselines for continuous compliance monitoring across Azure and Arc-enabled machines using Azure Policy and Machine Configuration.
+ms.date: 11/07/2025
+ms.topic: conceptual
+---
+
+# Security Baselines Overview
+
+Customizable security baselines built on Azure Policy and Machine Configuration enable organizations to assess, monitor, and continuously improve server compliance against trusted industry benchmarks.
+
+This capability introduces *audit* baselines for both Windows and Linux, empowering customers to align security posture with internal compliance frameworks and regulatory standards. By passing custom baseline parameter input directly into Azure Policy, you can now represent organization-specific controls at scale.
+
+These baselines deliver a cloud-native governance experience for both Azure machines and non-Azure machines connected through [Azure Arc][01]. This includes machines that run on-premises, in other public clouds, or at the edge. Together, Policy and Machine Configuration establish a unified control plane for compliance visibility. This approach enables you to assess, monitor, and enforce consistent security standards across your entire estate, regardless of location or platform. This approach reflects Microsoft's Secure by Design and Secure by Default principles. It helps ensure robust security and compliance everywhere your workloads run.
+
+## Key Scenarios
+
+### Baseline Customization
+Create tailored baselines using the *Modify Settings* wizard under **Policy \> Machine Configuration**. Administrators can enable, exclude, or adjust rules from industry benchmarks (such as CIS Benchmarks or Microsoft baselines) to match internal standards. Each customization builds a downloadable JSON file that captures configuration intent—a reusable artifact compatible for policy-as-code workflows.
+
+### Assign Audit Policies
+
+Azure Policy deploys your customized baseline parameters across Azure and Arc-connected machines. When you assign an audit policy, Azure Policy:
+- Evaluates configuration states against selected benchmarks
+- Reports compliance in real time
+- Surfaces findings across Azure Policy, Azure Resource Graph (ARG), and the Guest Assignments view
+
+### Integration and Automation  
+Integrate baselines into CI/CD pipelines or configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be version-controlled and deployed using CLI, ARM, or Bicep templates—ensuring reproducible compliance configurations across environments.
+
+## Supported Standards
+
+| **Standard** | **Description** |
+|----|----|
+| **Center for Internet Security (CIS) Linux Benchmarks** | Official CIS Benchmarks for all [Azure endorsed Linux distributions][02] in parity with what is published on the [CIS website][03]. |
+| **Azure Compute Security Baseline for Windows** | Applies customized values for Windows Server 2022 and Windows Server 2025. |
+| **Azure Compute Security Baseline for Linux** | Enforces consistent security controls aligned with Azure Compute guidance. |
+
+
+## Availability
+
+All public Azure regions are supported.
+
+> [!NOTE]
+> Support for Azure Government and Sovereign Clouds is not supported for Public Preview.
+
+## Getting Started
+
+### Process Overview
+
+The end-to-end experience for configuring Customizable Security Baselines follows these high-level steps:
+
+1.  **Select a baseline** from the *Machine Configuration* blade under Azure Policy.
+
+2.  **Modify settings**—enable, exclude, or parameterize rules to match your internal requirements.
+
+3.  **Download the JSON file** representing your configured baseline.
+
+4.  **Assign the baseline policy** using the Azure portal, CLI, or CI/CD integration.
+
+5.  **Review compliance results** through Azure Policy, Azure Resource Graph, or the Guest Assignments page.
+
+### Prerequisites
+
+- Azure Machine Configuration prerequisite policy initiative must be deployed. The capability enables Guest Configuration policies and installs the required extension on virtual machines (VMs).
+
+- An Azure subscription or management group containing supported Windows and Linux VMs.
+
+- Sufficient permissions to create and assign custom policy definitions (Owner or Resource Policy Contributor roles).
+
+## Next Steps
+
+- [Deploy a baseline policy assignment][04]
+- [Specify custom parameters for baseline policy][05]
+- [Understand the baseline JSON format][06]
+- [View Machine Configuration compliance reporting][07]
+- [Discover and assign built-in Machine Configuration policies][08]
+
+<!-- Link reference definitions -->
+[01]: /azure/azure-arc/servers/overview
+[02]: /azure/virtual-machines/linux/endorsed-distros
+[03]: https://www.cisecurity.org/
+[04]: ./deploy-a-baseline-policy-assignment.md
+[05]: ./specify-custom-parameters-for-baseline-policy.md
+[06]: ./understand-baseline-settings-parameter.md
+[07]: ../view-compliance.md
+[08]: ../assign-built-in-policies.md