cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FYI: Azure CIS 1.1.0 (New) Approved VM Extensions Type is NOT the Type Shown on VM Extensions Pane

%3CLINGO-SUB%20id%3D%22lingo-sub-1155810%22%20slang%3D%22en-US%22%3EFYI%3A%20Azure%20CIS%201.1.0%20(New)%20Approved%20VM%20Extensions%20Type%20is%20NOT%20the%20Type%20Shown%20on%20VM%20Extensions%20Pane%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1155810%22%20slang%3D%22en-US%22%3E%3CP%3EMaybe%20this%20will%20save%20someone%20else%20a%20few%20hours%20of%20their%20life.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20recently%20enabled%20the%20%3CSTRONG%3EAzure%20CIS%201.1.0%20(New)%3C%2FSTRONG%3E%20Policy%20which%20includes%20an%20%3CSTRONG%3EOnly%20approved%20VM%20extensions%20should%20be%20installed%3C%2FSTRONG%3E%20recommendation.%20This%20recommendation%20relies%20on%20a%20parameter%20set%20when%20adding%20the%20policy%20called%20%3CSTRONG%3EList%20of%20virtual%20machine%20extensions%20that%20are%20approved%20for%20use%3C%2FSTRONG%3E.%20It%20is%20a%20semicolon%20separated%20list%20of%20approved%20extensions.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EAttempt%20%231%20-%20Use%20VM%20Extension%20Name%20(Incorrect)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20use%20several%20extensions%20not%20in%20the%20default%20list%2C%20and%20I%20thought%20this%20list%20showed%20extension%20names%2C%20so%20I%20added%20this%20to%20the%20default%20values%3A%3C%2FP%3E%3CUL%3E%3CLI%3Ejoindomain%3BMicrosoft.PowerShell.DSC%3BWindowsAgent.AzureSecurityCenter%3C%2FLI%3E%3C%2FUL%3E%3CP%3EHowever%2C%20only%20WindowsAgent.AzureSecurityCenter%20was%20being%20reported%20as%20Healthy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EAttempt%20%232%20-%20Use%20VM%20Extension%20Type%20from%20VM%20Extensions%20Pane%20(Incorrect)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ELooking%20at%20the%20VM%20Extensions%20pane%2C%20there%20is%20a%20type%20column%2C%20so%20I%20tried%20replacing%20the%20names%20from%20before%20with%20these%20type%20values.%3C%2FP%3E%3CUL%3E%3CLI%3EMicrosoft.Compute.JsonADDomainExtension%3BMicrosoft.PowerShell.DSC%3BQualys.WindowsAgent.AzureSecurityCenter%3C%2FLI%3E%3C%2FUL%3E%3CP%3ENone%20of%20these%20were%20reported%20as%20Healthy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EAttempt%20%233%20-%20Use%20last%20segment%20of%20Type%20from%20VM%20Extensions%20Pane%20(incorrect)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ETaking%20a%20closer%20look%20at%20the%20default%20values%20that%20worked%2C%20I%20noticed%20that%20only%20the%20last%20segment%20from%20the%20Type%20column%20on%20the%20VM%20Extensions%20pane%20was%20in%20the%20default%20value%20list.%20So%20I%20replace%20the%20previous%20values%20with%3A%3C%2FP%3E%3CUL%3E%3CLI%3EJsonADDomainExtension%3BDSC%3BAzureSecurityCenter%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThis%20time%2C%20the%20first%20two%20showed%20Healthy%2C%20but%20WindowsAgent.AzureSecurityCenter%20was%20showing%20Unhealthy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EAttempt%20%234%20-%20Use%20Get-AzVMExtensionImage%20(RTFM%3F)%20-%20Correct%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EI%20finally%20saw%20the%20tooltip%20when%20adding%20the%20policy%20that%20said%20%22To%20see%20a%20complete%20list%20of%20virtual%20machine%20extensions%2C%20use%20Get-AzVMExtensionImage%22.%26nbsp%3B%20I%20may%20not%20be%20looking%20the%20right%20place%2C%20but%20I%20am%20not%20aware%20of%20this%20crucial%20documentation%20being%20written%20anywhere%20else.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20turns%20out%20that%20the%20Type%20column%20on%20the%20VM%20Extensions%20pane%20appears%20to%20be%20a%20combination%20of%20Publisher%20%2B%20Type%2C%20but%20that%20Type%20can%20be%20more%20than%20just%20the%20last%20segment.%20The%20Publisher%20for%20WindowsAgent.AzureSecurityCenter%20is%20actually%20just%20Qualys%20and%20the%20Type%20is%20WindowsAgent.AzureSecurityCenter%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20replacing%20the%20above%20with%3A%3C%2FP%3E%3CUL%3E%3CLI%3EJsonADDomainExtension%3BDSC%3BWindowsAgent.AzureSecurityCenter%3C%2FLI%3E%3C%2FUL%3E%3CP%3EAll%20are%20showing%20as%20Healthy%20finally.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1962931%22%20slang%3D%22en-US%22%3ERe%3A%20FYI%3A%20Azure%20CIS%201.1.0%20(New)%20Approved%20VM%20Extensions%20Type%20is%20NOT%20the%20Type%20Shown%20on%20VM%20Extensions%20Pa%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1962931%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20also%20use%20this%20command%20to%20get%20the%20ExtensionType%20from%20the%20actual%20extensions%20installed%20on%20your%20VM.%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-AzVMExtension%20-ResourceGroupName%20%5BResourceGroupName%5D%20-VMName%20%5BVMName%5D%20%7C%20Format-List%20ExtensionType%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Michael Carrabine
New Contributor

‎Feb 06 2020 07:15 AM - edited ‎Feb 07 2020 02:09 PM

‎Feb 06 2020 07:15 AM - edited ‎Feb 07 2020 02:09 PM

FYI: Azure CIS 1.1.0 (New) Approved VM Extensions Type is NOT the Type Shown on VM Extensions Pane

Maybe this will save someone else a few hours of their life. 

 

We recently enabled the Azure CIS 1.1.0 (New) Policy which includes an Only approved VM extensions should be installed recommendation. This recommendation relies on a parameter set when adding the policy called List of virtual machine extensions that are approved for use. It is a semicolon separated list of approved extensions. 

 

Attempt #1 - Use VM Extension Name (Incorrect)

We use several extensions not in the default list, and I thought this list showed extension names, so I added this to the default values:

  • joindomain;Microsoft.PowerShell.DSC;WindowsAgent.AzureSecurityCenter

However, only WindowsAgent.AzureSecurityCenter was being reported as Healthy

 

Attempt #2 - Use VM Extension Type from VM Extensions Pane (Incorrect)

Looking at the VM Extensions pane, there is a type column, so I tried replacing the names from before with these type values.

  • Microsoft.Compute.JsonADDomainExtension;Microsoft.PowerShell.DSC;Qualys.WindowsAgent.AzureSecurityCenter

None of these were reported as Healthy.

 

Attempt #3 - Use last segment of Type from VM Extensions Pane (incorrect)

Taking a closer look at the default values that worked, I noticed that only the last segment from the Type column on the VM Extensions pane was in the default value list. So I replace the previous values with:

  • JsonADDomainExtension;DSC;AzureSecurityCenter

This time, the first two showed Healthy, but WindowsAgent.AzureSecurityCenter was showing Unhealthy.

 

Attempt #4 - Use Get-AzVMExtensionImage (RTFM?) - Correct

I finally saw the tooltip when adding the policy that said "To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage".  I may not be looking the right place, but I am not aware of this crucial documentation being written anywhere else.

 

It turns out that the Type column on the VM Extensions pane appears to be a combination of Publisher + Type, but that Type can be more than just the last segment. The Publisher for WindowsAgent.AzureSecurityCenter is actually just Qualys and the Type is WindowsAgent.AzureSecurityCenter

 

So replacing the above with:

  • JsonADDomainExtension;DSC;WindowsAgent.AzureSecurityCenter

All are showing as Healthy finally.

 

1,811 Views
1 Like
1 Reply
Reply
1 Reply
Michael Carrabine

‎Dec 07 2020 07:01 AM

‎Dec 07 2020 07:01 AM

Re: FYI: Azure CIS 1.1.0 (New) Approved VM Extensions Type is NOT the Type Shown on VM Extensions Pa

You can also use this command to get the ExtensionType from the actual extensions installed on your VM.

Get-AzVMExtension -ResourceGroupName [ResourceGroupName] -VMName [VMName] | Format-List ExtensionType

 

0 Likes
Reply