Azure Machine Configuration is empowering organizations to align server compliance with trusted standards in Azure Policy — and tailor them to fit their unique security requirements.
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) provides both built-in and custom configuration as code, allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and for hybrid Azure Arc-enabled servers.
We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature lets you tailor industry security benchmarks, such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux, to align with your organization’s own compliance standards across both Azure and Arc-connected machines. It builds on top of the existing audit baseline capabilities for Windows and Linux.
Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration.
What's New?
Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements.
This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run.
Baselines Customization Experience in Azure Policy
Key Scenarios
Baseline Customization
Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration.
You can:
- Enable, exclude, or adjust rules from existing benchmarks
- Apply organization-specific parameters
- Export your custom configuration as a downloadable JSON file
Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration.
Assign Audit Policies
When you assign a baseline via Azure Policy, it automatically:
- Evaluates configurations against your defined standards
- Reports compliance after each periodic agent evaluation, so results lag a change on the machine by one evaluation cycle rather than appearing instantly
- Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view
This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead.
Integration and Automation
Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows.
Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using:
- Azure CLI
- ARM templates
- Bicep
- CI/CD automation
This ensures reproducible, traceable compliance configurations across environments.
Supported Standards
| Standard | Description |
|---|---|
| CIS Linux Benchmarks | Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions. |
| Azure Compute Security Baseline for Windows | Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance. |
| Azure Compute Security Baseline for Linux | Audits Linux machines against consistent controls aligned with Azure Compute recommendations. |
Availability
Customizable security baselines are available in all public Azure regions.
NOTE:
Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview.
Getting Started
Prerequisites
Before you begin:
- Deploy the Azure Machine Configuration prerequisite policy initiative. (This enables a system-assigned managed identity where one is missing and installs the required Guest Configuration extension on supported VMs.)
- Ensure your Azure subscription or management group includes supported Windows or Linux VMs.
- Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions.
Step-by-Step Guidance
- Select a baseline from the Machine Configuration tab in Azure Policy.
- Modify settings to enable, exclude, or parameterize rules to match your internal policies.
- Download JSON to export your customized baseline configuration file for programmatic and repeatable customization.
- Assign the policy, through the Azure portal, the Azure CLI, or your CI/CD pipeline.
- Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page.
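The assignment and review steps above, together with the Azure CLI and Resource Graph integration described earlier, as one added example. This is illustrative code written for this page, not code from the announcement or from Microsoft. It assumes a policy definition name or ID (POLICY), an assignment scope (SCOPE) and a parameter file (PARAMS_FILE) in the shape `az policy assignment create --params` accepts; how the exported baseline JSON maps onto the definition's parameters is not shown on this page, so that mapping is left to you. The Resource Graph rows are assumed to follow the GuestConfigurationAssignment resource shape (`properties.complianceStatus` and `properties.latestAssignmentReport.resources[].reasons[].phrase`), and the sample rows are constructed.

```python
"""Assign a customized baseline with the Azure CLI and summarize the resulting
guest assignment compliance from Azure Resource Graph.

Added example, not code from the announcement or from Microsoft. Assumptions:
- POLICY is the name or resource ID of the baseline policy definition you
  customized, SCOPE a subscription or management-group resource ID, and
  PARAMS_FILE a JSON parameter file in the `az policy assignment create
  --params` shape: {"<parameterName>": {"value": ...}}.
- Guest assignment rows follow the GuestConfigurationAssignment resource
  shape: properties.complianceStatus and
  properties.latestAssignmentReport.resources[].reasons[].phrase.
"""
import json
import os
import shutil
import subprocess
import sys

# KQL run through `az graph query` (needs: az extension add --name resource-graph).
COMPLIANCE_QUERY = """
GuestConfigurationResources
| where type =~ 'microsoft.guestconfiguration/guestconfigurationassignments'
| where name =~ '{assignment}'
| project name, id, properties
""".strip()


def assignment_command(name, policy, scope, params_file):
    """argv for `az policy assignment create` for an audit-only baseline
    (no managed identity is needed; DeployIfNotExists policies would add
    --mi-system-assigned and --location)."""
    return ["az", "policy", "assignment", "create", "--name", name,
            "--policy", policy, "--scope", scope, "--params", params_file,
            "--output", "json"]


def vm_name_from_id(resource_id):
    """VM segment of a guest assignment ID
    (.../providers/Microsoft.Compute/virtualMachines/<vm>/providers/...)."""
    parts = resource_id.split("/")
    return parts[8] if len(parts) > 8 else resource_id


def summarize(rows):
    """Map each VM to its assignment status and the phrases of failing rules."""
    result = {}
    for row in rows:
        props = row.get("properties") or {}
        report = props.get("latestAssignmentReport") or {}
        failing = []
        for res in report.get("resources") or []:
            if str(res.get("complianceStatus", "")).lower() != "noncompliant":
                continue
            # A failing rule normally carries reason phrases; fall back to its ID.
            for reason in res.get("reasons") or [{}]:
                failing.append(reason.get("phrase") or res.get("resourceId", "unknown rule"))
        result[vm_name_from_id(row["id"])] = {
            "status": props.get("complianceStatus", "Unknown"),
            "failing": failing,
        }
    return result


def run_live(assignment):
    """Run the ARG query through the CLI and return its data rows."""
    if not shutil.which("az"):
        sys.exit("az CLI not found on PATH")
    proc = subprocess.run(
        ["az", "graph", "query", "-q", COMPLIANCE_QUERY.format(assignment=assignment),
         "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["data"]


_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
_GC = "/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/CustomLinuxBaseline"
# Constructed sample rows (not real output) in the shape the query above returns.
SAMPLE_ROWS = [
    {"name": "CustomLinuxBaseline",
     "id": f"{_SUB}/providers/Microsoft.Compute/virtualMachines/web01{_GC}",
     "properties": {
         "complianceStatus": "NonCompliant",
         "latestAssignmentReport": {"resources": [
             {"resourceId": "rule-sshd-root-login", "complianceStatus": "NonCompliant",
              "reasons": [{"code": "gc_audit", "phrase": "PermitRootLogin is not set to no"}]},
             {"resourceId": "rule-sshd-protocol", "complianceStatus": "Compliant", "reasons": []},
         ]}}},
    {"name": "CustomLinuxBaseline",
     "id": f"{_SUB}/providers/Microsoft.Compute/virtualMachines/web02{_GC}",
     "properties": {
         "complianceStatus": "Compliant",
         "latestAssignmentReport": {"resources": [
             {"resourceId": "rule-sshd-root-login", "complianceStatus": "Compliant", "reasons": []},
         ]}}},
]


def main(argv):
    if "--assign" in argv:
        cmd = assignment_command(os.environ["ASSIGNMENT"], os.environ["POLICY"],
                                 os.environ["SCOPE"], os.environ["PARAMS_FILE"])
        subprocess.run(cmd, check=True)
    rows = run_live(os.environ["ASSIGNMENT"]) if "--live" in argv else SAMPLE_ROWS
    for vm, info in sorted(summarize(rows).items()):
        print(f"{vm}: {info['status']}")
        for phrase in info["failing"]:
            print(f"  - {phrase}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the summary over the constructed rows; with `--live` and `ASSIGNMENT` set it queries Resource Graph through the signed-in CLI, and `--assign --live` first creates the assignment from `POLICY`, `SCOPE` and `PARAMS_FILE`. Because Resource Graph returns the whole `latestAssignmentReport`, the per-rule reasons are what make a compliance dashboard actionable; the VM name is taken from the assignment ID's ninth path segment, the same split the Guest Assignments queries use.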
Learn More
- Azure Machine Configuration security baselines official documentation
- CIS Benchmark for Linux documentation
- Azure Windows Baseline and Azure Linux Baseline documentation
Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.