Hi.
I have an Azure Policy definition (embedded in an ARM template, hence the `[[` escaping) that deploys the Microsoft Antimalware extension on Windows VMs. Target VMs are selected by a tag name/value pair passed as policy parameters.
{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "[variables('policyName')]",
"apiVersion": "2019-09-01",
"properties": {
"displayName": "[variables('policyDisplayName')]",
"policyType": "Custom",
"mode": "Indexed",
"description": "[variables('policyDescription')]",
"metadata": {
"version": "1.0.0",
"category": "Compute"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "[[concat('tags[', parameters('tagName'), ']')]",
"Equals": "[[parameters('tagValue')]"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"equals": "Windows"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "IaaSAntimalware"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Azure.Security"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string"
},
"location": {
"type": "string"
},
"ExclusionsPaths": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of file paths or locations to exclude from scanning"
}
},
"ExclusionsExtensions": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of file extensions to exclude from scanning"
}
},
"ExclusionsProcesses": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Semicolon delimited list of process names to exclude from scanning"
}
},
"RealtimeProtectionEnabled": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Indicates whether or not real time protection is enabled (default is true)"
}
},
"ScheduledScanSettingsIsEnabled": {
"type": "string",
"defaultValue": "false",
"metadata": {
"description": "Indicates whether or not custom scheduled scan settings are enabled (default is false)"
}
},
"ScheduledScanSettingsScanType": {
"type": "string",
"defaultValue": "Quick",
"metadata": {
"description": "Indicates whether scheduled scan setting type is set to Quick or Full (default is Quick)"
}
},
"ScheduledScanSettingsDay": {
"type": "string",
"defaultValue": "7",
"metadata": {
"description": "Day of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)"
}
},
"ScheduledScanSettingsTime": {
"type": "string",
"defaultValue": "120",
"metadata": {
"description": "When to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM."
}
}
},
"resources": [
{
"name": "[[concat(parameters('vmName'),'/IaaSAntimalware')]",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "[[parameters('location')]",
"apiVersion": "2017-12-01",
"properties": {
"publisher": "Microsoft.Azure.Security",
"type": "IaaSAntimalware",
"typeHandlerVersion": "1.3",
"autoUpgradeMinorVersion": true,
"settings": {
"AntimalwareEnabled": true,
"RealtimeProtectionEnabled": "[[parameters('RealtimeProtectionEnabled')]",
"ScheduledScanSettings": {
"isEnabled": "[[parameters('ScheduledScanSettingsIsEnabled')]",
"day": "[[parameters('ScheduledScanSettingsDay')]",
"time": "[[parameters('ScheduledScanSettingsTime')]",
"scanType": "[[parameters('ScheduledScanSettingsScanType')]"
},
"Exclusions": {
"Extensions": "[[parameters('ExclusionsExtensions')]",
"Paths": "[[parameters('ExclusionsPaths')]",
"Processes": "[[parameters('ExclusionsProcesses')]"
}
}
}
}
]
},
"parameters": {
"vmName": {
"value": "[[field('name')]"
},
"location": {
"value": "[[field('location')]"
},
"RealtimeProtectionEnabled": {
"value": "true"
},
"ScheduledScanSettingsIsEnabled": {
"value": "true"
}
}
}
}
}
}
}
}
}
If someone removes the extension, it is redeployed by remediation as expected. But if someone changes the extension's settings (for example, sets RealtimeProtectionEnabled to false), this policy does not flag the VM as non-compliant and no remediation is triggered. As far as I can tell that is because the existenceCondition only checks the extension's type and publisher, so an existing extension with tampered settings still satisfies the condition.
Is there a way to make Azure Policy evaluate the extension's settings as well, so that a VM is marked non-compliant and the settings are re-applied when they don't match our expected configuration?