A 3-step guide on how to ensure your Azure Virtual Machines have the Machine Configuration prerequisites correctly enabled.
Overview
Machine configuration provides a platform to extend Azure Policy into the VM operating system, to audit and configure OS settings at scale. Many machine configuration policies are assigned through Microsoft Defender for Cloud and are key components of other regulatory compliance initiatives.
These policies govern key scenarios including Microsoft security baselines, managing your TLS and SSH settings at scale, managing installed software, and more. To leverage Machine configuration, the Guest Configuration extension must be installed across all targeted VMs.
If the extension isn't installed, Azure Policy will report the VM as non-compliant, and you could see unexpected behavior and miss important security signals.
This guide is intended for Machine Configuration use on Azure Compute Virtual Machines, since the agent is installed by default on Azure Arc-enabled machines.
There are a couple of ways to identify whether your subscription is in a state where Machine Configuration policies are assigned but the extension is not installed. The first is to navigate to a policy under the category "Guest Configuration" and check whether the non-compliance message indicates that an extension is missing. The error code in the non-compliance reason will be one of the following:
- "GCExtensionIdentityMissing" - Default code when no extension or identity is configured
- "GCExtensionManagedIdentityMissing" - When GCExtension is not installed and Managed Identity is not enabled
- "GCExtensionMissing" - When GCExtension is not installed
- "ManagedIdentityMissing" - When Managed Identity is not enabled
- "GCExtensionUserIdentityMissing" - When Guest Configuration Extension is not installed and User Assigned Identity is not enabled
- "UserIdentityMissing" - When User Assigned Identity is not enabled
[Figure: Azure Policy assignment returning a non-compliant state for a Machine Configuration policy due to a missing extension]
If you are in this state, here's good news for you! It only takes 3 steps to ensure your Azure Virtual Machines have the Machine Configuration prerequisites correctly enabled.
Step 1: Identify subscriptions missing prerequisites
To examine the state of your VMs at scale, we recommend using Azure Resource Graph to run a single query that identifies any missing extension or missing managed identity. The example query below can be run at any relevant scope to find subscriptions that are in this error state.
policyresources
| where type =~ 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend complianceReasonCode = tostring(properties.complianceReasonCode)
// all six prerequisite-related reason codes listed above, including ManagedIdentityMissing
| where complianceReasonCode in (
    'GCExtensionIdentityMissing',
    'GCExtensionManagedIdentityMissing',
    'GCExtensionMissing',
    'ManagedIdentityMissing',
    'GCExtensionUserIdentityMissing',
    'UserIdentityMissing')
| distinct subscriptionId
The query results will likely appear as follows:
[Figure: ARG Explorer in the Azure Portal returning query results indicating that 2 subscriptions are currently missing the Machine Configuration extension]
Step 2: Assign the Machine Configuration prerequisite initiative on identified subscriptions
Now that you've identified the scope of the non-compliance, you can deploy our Azure Policy prerequisite initiative named "Deploy prerequisites to enable Guest Configuration policies on virtual machines". This initiative deploys both the required extension and the managed identity, and ensures that as new VMs are created within the subscription, the extension is installed by default.
The Azure Policy prerequisite initiative contains four policies that together deploy the Machine Configuration extension and a Managed Identity that authenticates communication between the agent and Azure.
IMPORTANT: By default, this DeployIfNotExists assignment only takes effect on newly created resources. Existing resources need to be updated via a remediation task, either during assignment deployment or after the policy initiative is assigned.
In Azure Portal, a remediation task can be triggered on one policy in the initiative during assignment time.
[Figure: A remediation task being created at assignment time in the Azure Portal]
Step 3: Trigger a remediation task on the remaining policies
After the policy initiative has been assigned, you can trigger a remediation task on the initiative's policies to ensure that all existing VMs within the subscription are brought into compliance. Remediation tasks can be triggered and managed on the Remediation tab of the Azure Policy portal experience by searching for "Guest Configuration" under "Policies to remediate".
[Figure: The Remediation tab in Azure Policy lists all existing policy assignments in need of remediation]
You will then be taken to the "Create remediation task" experience to complete this step. Remediation tasks are only needed once, to trigger enforcement on existing resources. Thereafter, Azure Policy and Machine Configuration continuously audit and enforce your desired server states.
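The three steps above as one Azure CLI script, added here as an example and not code from the original article or from Microsoft. It assumes `az login` has been run, the resource-graph extension is installed, a default region `eastus` for the assignment's managed identity and the assignment name `gc-prerequisites` (both constructed), and an operator allowed to create role assignments at subscription scope; it is invoked as `./gc-prereqs.sh run`. It also grants the assignment's identity the roles each policy declares, which the portal does for you but the CLI does not.

```shell
# Added example, not code from the original article. Assumes `az login` has been
# run, the resource-graph extension is installed (az extension add -n resource-graph),
# and LOCATION is the region for the assignment's managed identity (assumed default).
set -eu
INITIATIVE='Deploy prerequisites to enable Guest Configuration policies on virtual machines'
LOCATION="${LOCATION:-eastus}"
ASSIGNMENT='gc-prerequisites'   # assumed assignment name
# Step 1 query: the six complianceReasonCode values the article lists, as one filter.
gc_missing_query() {
  cat <<'EOF'
policyresources
| where type =~ 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend complianceReasonCode = tostring(properties.complianceReasonCode)
| where complianceReasonCode in ('GCExtensionIdentityMissing', 'GCExtensionManagedIdentityMissing',
    'GCExtensionMissing', 'ManagedIdentityMissing', 'GCExtensionUserIdentityMissing', 'UserIdentityMissing')
| distinct subscriptionId
EOF
}
find_subscriptions() { az graph query -q "$(gc_missing_query)" --query 'data[].subscriptionId' -o tsv; }
initiative_name() { az policy set-definition list --query "[?displayName=='$INITIATIVE'].name" -o tsv; }
# Step 2: assign the initiative with a system-assigned identity, then grant that identity
# the roles each DeployIfNotExists policy declares. The portal grants them for you; the
# CLI does not, and without them the remediation in step 3 cannot deploy anything.
assign_initiative() {   # $1 = subscription id, $2 = initiative (policy set) name
  scope="/subscriptions/$1"
  az policy assignment create --name "$ASSIGNMENT" --scope "$scope" --policy-set-definition "$2" \
     --mi-system-assigned --location "$LOCATION" -o none
  principal=$(az policy assignment show --name "$ASSIGNMENT" --scope "$scope" --query identity.principalId -o tsv)
  for def in $(az policy set-definition show --name "$2" --query 'policyDefinitions[].policyDefinitionId' -o tsv); do
    az policy definition show --name "$(basename "$def")" --query 'policyRule.then.details.roleDefinitionIds[]' -o tsv
  done | sort -u | while read -r role; do
    az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
       --role "$(basename "$role")" --scope "$scope" -o none
  done
}
# Step 3: one remediation task per policy in the initiative, so existing VMs get the
# extension and identity; VMs created later are handled by the assignment itself.
remediate() {           # $1 = subscription id, $2 = initiative (policy set) name
  assignment_id="/subscriptions/$1/providers/Microsoft.Authorization/policyAssignments/$ASSIGNMENT"
  for ref in $(az policy set-definition show --name "$2" --query 'policyDefinitions[].policyDefinitionReferenceId' -o tsv); do
    az policy remediation create --name "gc-$ref" --policy-assignment "$assignment_id" \
       --definition-reference-id "$ref" --resource-discovery-mode ReEvaluateCompliance -o none
  done
}
if [ "${1:-}" = "run" ]; then
  set_name=$(initiative_name)
  for sub in $(find_subscriptions); do assign_initiative "$sub" "$set_name"; remediate "$sub" "$set_name"; done
fi
```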