Proposed Pull Request Change

|title|description|ms.date|author|ms.author|ms.topic|ms.custom|
|-|-|-|-|-|-|-|
|List of built-in packages for guest configuration|List of all built-in packages for guest configuration mapped to each policy definition and the PowerShell modules that are used by each package.|08/04/2021|michaeltlombardi|mlombardi|sample|generated|
---
title: List of built-in packages for guest configuration
description: List of all built-in packages for guest configuration mapped to each policy definition and the PowerShell modules that are used by each package.
ms.date: 08/04/2021
author: michaeltlombardi
ms.author: mlombardi
ms.topic: sample
ms.custom: generated
---

# Azure Policy built-in packages for guest configuration

This page is an index of Azure Policy built-in packages for the guest configuration feature.

## How to use Guest configuration package details

Each row represents a package used by a built-in policy definition.

- **Definition**: Links to the policy definition in the Azure portal.
- **Configuration**: Links to the `.mof` file in the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy) containing the configuration that is used to audit and/or remediate machines.
- **Required modules**: Links to the [PowerShell Desired State Configuration (DSC)](/powershell/dsc/overview?view=dsc-1.1&preserve-view=true) modules used by each configuration. The resource modules contain the script logic used to evaluate each setting in the configuration.

To understand what settings are checked in Windows or Linux, and how, find the name of the policy definition in the left column and navigate to the DSC Resource in the right column to review the PowerShell scripts.

The table doesn't include details of packages used to evaluate baseline configurations. Baselines are written in C++ rather than PowerShell Desired State Configuration.

|Policy definition|Configuration|Required DSC modules|
|-|-|-|
|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2)|[AdministratorsGroupMembers](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AdministratorsGroupMembers/AdministratorsGroupMembers.mof)|[LocalGroup](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LocalGroup)|
|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f)|[AdministratorsGroupMembersToExclude](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AdministratorsGroupMembersToExclude/AdministratorsGroupMembersToExclude.mof)|[LocalGroup](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LocalGroup)|
|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7)|[AdministratorsGroupMembersToInclude](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AdministratorsGroupMembersToInclude/AdministratorsGroupMembersToInclude.mof)|[LocalGroup](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LocalGroup)|
|[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112)|[AuditSecureProtocol](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AuditSecureProtocol/AuditSecureProtocol.mof)|[SecureProtocolWebServer](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/SecureProtocolWebServer)|
|[\[Preview\]: Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd)|[AzureLinuxBaseline](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AzureLinuxBaseline/AzureLinuxBaseline.mof)||
|[\[Preview\]: Windows machines should meet requirements of the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72650e9f-97bc-4b2a-ab5f-9781a9fcecbc)|[AzureWindowsBaseline](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/AzureWindowsBaseline/AzureWindowsBaseline.mof)||
|[Audit Windows machines that contain certificates expiring within the specified number of days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1417908b-4bff-46ee-a2a6-4acc899320ab)|[CertificateExpiration](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/CertificateExpiration/CertificateExpiration.mof)|[CertificateManagement](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/CertificateManagement)|
|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b)|[EnforcePasswordHistory](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/EnforcePasswordHistory/EnforcePasswordHistory.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Linux machines should only have local accounts that are allowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73db37c4-f180-4b0f-ab2c-8ee96467686b)|[LocalUsers_Linux](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/LocalUsers_Linux/LocalUsers_Linux.mof)|[LocalUser](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LocalUser)|
|[Windows machines should only have local accounts that are allowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff79fef0d-0050-4c18-a303-5babb9c14ac7)|[LocalUsers_Windows](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/LocalUsers_Windows/LocalUsers_Windows.mof)|[LocalUser](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LocalUser)|
|[Audit Windows machines that have not restarted within the specified number of days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbeb6ccee-b6b8-4e91-9801-a5fa4260a104)|[MachineLastBootUpTime](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/MachineLastBootUpTime/MachineLastBootUpTime.mof)|[MachineUpTime](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/MachineUpTime)|
|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738)|[MaximumPasswordAge](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/MaximumPasswordAge/MaximumPasswordAge.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Audit Windows machines that do not have a minimum password age of 1 day](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F237b38db-ca4d-4259-9e47-7882441ca2c0)|[MinimumPasswordAge](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/MinimumPasswordAge/MinimumPasswordAge.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2)|[MinimumPasswordLength](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/MinimumPasswordLength/MinimumPasswordLength.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Audit Windows machines that do not have the password complexity setting enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbf16e0bb-31e1-4646-8202-60a235cc7e74)|[PasswordMustMeetComplexityRequirements](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/PasswordMustMeetComplexityRequirements/PasswordMustMeetComplexityRequirements.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Configure time zone on Windows machines.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6141c932-9384-44c6-a395-59e4c057d7c9)|[SetWindowsTimeZone](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/SetWindowsTimeZone/SetWindowsTimeZone.mof)|[WindowsTimeZone](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsTimeZone)|
|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661)|[StorePasswordsUsingReversibleEncryption](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/StorePasswordsUsingReversibleEncryption/StorePasswordsUsingReversibleEncryption.mof)|[SecurityPolicyDsc](https://www.powershellgallery.com/packages/SecurityPolicyDsc/)|
|[Audit Windows machines that don't have the specified applications installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb67efd-3c46-49b0-adfe-5599eb944998)|[WhitelistedApplication](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WhitelistedApplication/WhitelistedApplication.mof)|[UserApplication](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/UserApplication)|
|[Audit Windows machines that do not contain the specified certificates in Trusted Root](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F934345e1-4dfb-4c70-90d7-41990dc9608b)|[WindowsCertificateInTrustedRoot](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsCertificateInTrustedRoot/WindowsCertificateInTrustedRoot.mof)|[CertificateManagement](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/CertificateManagement)|
|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40)|[WindowsDefenderExploitGuard](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsDefenderExploitGuard/WindowsDefenderExploitGuard.mof)|[WindowsDefender](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsDefender)|
|[Audit Windows machines that are not joined to the specified domain](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F84662df4-0e37-44a6-9ce1-c9d2150db18c)|[WindowsDomainMembership](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsDomainMembership/WindowsDomainMembership.mof)|[DomainMembership](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/DomainMembership)|
|[Audit Windows machines on which the DSC configuration is not compliant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd)|[WindowsDscConfiguration](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsDscConfiguration/WindowsDscConfiguration.mof)|[WindowsDscConfiguration](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsDscConfiguration)|
|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465)|[WindowsLogAnalyticsAgentConnection](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsLogAnalyticsAgentConnection/WindowsLogAnalyticsAgentConnection.mof)|[LogAnalyticsAgent](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/LogAnalyticsAgent)|
|[Audit Windows VMs with a pending reboot](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4221adbc-5c0f-474f-88b7-037a99e6114c)|[WindowsPendingReboot](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsPendingReboot/WindowsPendingReboot.mof)|[WindowsPendingReboot](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsPendingReboot)|
|[Audit Windows machines that do not have the specified Windows PowerShell execution policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc648fbbb-591c-4acd-b465-ce9b176ca173)|[WindowsPowerShellExecutionPolicy](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsPowerShellExecutionPolicy/WindowsPowerShellExecutionPolicy.mof)|[PowerShellExecutionPolicy](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/PowerShellExecutionPolicy)|
|[Audit Windows machines that do not have the specified Windows PowerShell modules installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3e4e2bd5-15a2-4628-b3e1-58977e9793f3)|[WindowsPowerShellModules](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsPowerShellModules/WindowsPowerShellModules.mof)|[PowerShellModules](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/PowerShellModules)|
|[Audit Windows machines network connectivity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630ac30f-a234-4533-ac2d-e0df77acda51)|[WindowsRemoteConnection](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsRemoteConnection/WindowsRemoteConnection.mof)|[WindowsRemoteConnection](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsRemoteConnection)|
|[Audit Windows machines on which Windows Serial Console is not enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58c460e9-7573-4bb2-9676-339c2f2486bb)|[WindowsSerialConsole](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsSerialConsole/WindowsSerialConsole.mof)|[WindowsSerialConsole](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsSerialConsole)|
|[Audit Windows machines on which the specified services are not installed and 'Running'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6ebf138-3d71-4935-a13b-9c7fdddd94df)|[WindowsServiceStatus](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsServiceStatus/WindowsServiceStatus.mof)|[WindowsServiceStatus](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsServiceStatus)|
|[Audit Windows machines that are not set to the specified time zone](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc633f6a2-7f8b-4d9e-9456-02f0f04f5505)|[WindowsTimeZone](https://github.com/Azure/azure-policy/blob/master/samples/GuestConfiguration/package-samples/configurations/WindowsTimeZone/WindowsTimeZone.mof)|[WindowsTimeZone](https://github.com/Azure/azure-policy/tree/master/samples/GuestConfiguration/package-samples/resource-modules/WindowsTimeZone)|

## Next steps

- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
- Review the [Azure Policy definition structure](../concepts/definition-structure.md).
- Review [Understanding policy effects](../concepts/effects.md).