FYI: Azure CIS 1.1.0 (New) Approved VM Extensions Type is NOT the Type Shown on VM Extensions Pane


Maybe this will save someone else a few hours of their life. 


We recently enabled the Azure CIS 1.1.0 (New) Policy which includes an Only approved VM extensions should be installed recommendation. This recommendation relies on a parameter set when adding the policy called List of virtual machine extensions that are approved for use. It is a semicolon separated list of approved extensions. 


Attempt #1 - Use VM Extension Name (Incorrect)

We use several extensions not in the default list, and I thought this list showed extension names, so I added this to the default values:

  • joindomain;Microsoft.PowerShell.DSC;WindowsAgent.AzureSecurityCenter

However, only WindowsAgent.AzureSecurityCenter was being reported as Healthy.


Attempt #2 - Use VM Extension Type from VM Extensions Pane (Incorrect)

Looking at the VM Extensions pane, there is a type column, so I tried replacing the names from before with these type values.

  • Microsoft.Compute.JsonADDomainExtension;Microsoft.PowerShell.DSC;Qualys.WindowsAgent.AzureSecurityCenter

None of these were reported as Healthy.


Attempt #3 - Use last segment of Type from VM Extensions Pane (incorrect)

Taking a closer look at the default values that worked, I noticed that only the last segment from the Type column on the VM Extensions pane was in the default value list. So I replaced the previous values with:

  • JsonADDomainExtension;DSC;AzureSecurityCenter

This time, the first two showed Healthy, but WindowsAgent.AzureSecurityCenter was showing Unhealthy.


Attempt #4 - Use Get-AzVMExtensionImage (RTFM?) - Correct

I finally saw the tooltip when adding the policy that said "To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage". I may not be looking in the right place, but I am not aware of this crucial documentation being written anywhere else.


It turns out that the Type column on the VM Extensions pane appears to be a combination of Publisher + Type, but that Type can be more than just the last segment. The Publisher for WindowsAgent.AzureSecurityCenter is actually just Qualys and the Type is WindowsAgent.AzureSecurityCenter.


So replacing the above with:

  • JsonADDomainExtension;DSC;WindowsAgent.AzureSecurityCenter

All are showing as Healthy finally.
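The following PowerShell script is an added example, not part of the original post, showing how to read the Publisher and Type values the policy parameter actually matches on straight from the Az.Compute cmdlets instead of from the portal pane. It assumes the Az module is installed, that Connect-AzAccount has already been run with read access to the VMs, and that the region name `eastus` and the hypothetical `$approvedExtensions` list below are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Assumes Az.Compute is installed and
# Connect-AzAccount has been run. Enumerates the extensions installed on every VM in the
# current subscription and records, side by side, the portal's "Publisher.Type" display
# value and the bare ExtensionType value that the CIS policy parameter compares against.

$installed = foreach ($vm in Get-AzVM) {
    Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
        ForEach-Object {
            [pscustomobject]@{
                VM            = $vm.Name
                ResourceGroup = $vm.ResourceGroupName
                Publisher     = $_.Publisher
                ExtensionType = $_.ExtensionType                         # value the policy expects
                PaneType      = '{0}.{1}' -f $_.Publisher, $_.ExtensionType  # what the portal column shows
            }
        }
}

# Distinct publisher/type pairs across the estate. Review this before approving anything;
# the point is to see the real Type value, not to whitelist everything that happens to be installed.
$installed | Sort-Object Publisher, ExtensionType -Unique |
    Format-Table Publisher, ExtensionType, PaneType -AutoSize

# Confirm a specific publisher's extension types from the image catalogue, which is what the
# policy tooltip points at. Region name is a placeholder.
Get-AzVMExtensionImageType -Location 'eastus' -PublisherName 'Qualys' | Select-Object PublisherName, Type

# Pre-check the parameter value before assigning the policy: list every installed extension whose
# ExtensionType is NOT in the semicolon-separated approved list. These are the VMs the
# recommendation would report as Unhealthy. $approvedExtensions is a hypothetical placeholder.
$approvedExtensions = 'JsonADDomainExtension;DSC;WindowsAgent.AzureSecurityCenter'
$approvedSet = $approvedExtensions -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$notApproved = $installed | Where-Object { $approvedSet -notcontains $_.ExtensionType }
if ($notApproved) {
    Write-Warning 'Extensions installed that are not in the approved list:'
    $notApproved | Format-Table VM, ResourceGroup, Publisher, ExtensionType -AutoSize
} else {
    Write-Output 'All installed extensions match an entry in the approved list.'
}
```

The comparison is deliberately against `ExtensionType` alone, mirroring the behaviour described in the post: a value such as `Qualys.WindowsAgent.AzureSecurityCenter` copied from the portal pane would never match, while `WindowsAgent.AzureSecurityCenter` does. Running the pre-check before assigning the policy avoids a round of Unhealthy findings caused by the parameter value rather than by an actual unapproved extension.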

