Out of Band Cumulative Updates Question
I installed March 2026 Cumulative Update on a new server instead of April due to some RC4 changes to test something. I noticed that after the update installed in the event viewer it thinks the June 2026 update was installed. I don't see the June update under installed updates but shows up in update history. The build version of the server matches with the March 2026 update. Is this a weird side effect of installing a superceded update? I'm having trouble understanding what is going on.BLOG: Windows Insiders - State of vbscript deprecation June 2026
While I greatly appreciate the decision of vbscript / cscript / wscript removal, with security and hardening in mind – I would also appreciate if Microsoft could be actively using the vNext release channel, preparing for feature removal. With this blogpost, I am sharing my point of view on the state of dependencies I am seeing in this regard, focusing on a way forward towards the full removal of vbscript. My findings show, that there is a quite some action required, and this stands a bit contrary to the announcement, Microsoft intends removing the optional feature of vbscript by default with the upcoming release - anticipated by fall 2027. Given my lessons learned from Secure Boot CA2023 exchange initiative, Microsoft guidance, foremost PowerShell based scripts, tooling and dashboards have been released quite late, looking at the timeline, considering the impact and scale customers had to deal with, and consequences for their security posture if they are not ready and done, with first certificates to expire soon. Taking this learning into account and and projecting it to vbscript deprecration I come to the following conclusion: SMB customers, enterprises, Microsoft Products, see below, are required to be updated or replaced, in order of adopting this change. I believe there is quite some communication and learning curve required for users, admins, enterprises and OEMs in adopting the implicated change and including changed workflows and automation processes. Looking forward to the next Windows Insider and esp. Windows Server Insider vNext builds! Both Windows Insiders and Windows Server Insiders, also including ISV and OEMs may assist in reviewing and validating the new workflows required - assuming vbscript deprecation is in effect, as planned. Without further ado, I am sharing my observations in regard to VBScript deprecation. I will try to keep this blogpost updated as soon I am aware about public facing changes. Third-Party AMD Chipset drivers so far is one of the major non MSFT related blockers. Suggestions: Microsoft should initiate talks with AMD and other ISV and OEMs fixing their dependencies, also offering other solutions, see below. Currently AMD Chipset drivers silently using vbscript calls checking for OS and HW platform compatibility. The installer fails when vbscript optional feature is removed. OEM, ISV and Enterprise Potentially affected: expected dependencies for imaging, deployment and management workflows. Related or unrelated to Microsoft products. LOB apps custom Office Integration logon and logoff scripts setup and installers Recommendation: Please observe vbscript related events in Windows Event Viewer at scale using PowerShell, Remoting or Windows Event Subscriptions: VBScriptDeprecationAlert Event ID 4096 VBScript is scheduled for deprecation. Our telemetry indicates that your system is currently utilizing VBScript. We strongly recommend identifying and migrating away from any VBScript dependencies at the earliest. The following process has been detected as using VBScript. The associated process tree and call stack are provided below to assist in identifying the scenario in which VBScript was invoked. Microsoft Windows Server and Client OS affected: slmgr.vbs / printer management vbscripts / product activation logic and UX, setup.exe, slui.exe Office 2024 LTSC affected: slmgr.vbs / ospp.vbs / Office deployment toolkit / product activation logic Microsoft has placed a new PowerShell based script into the respective OSPP folder. This script however is rather offering on checking licensing and cannot activate the Office product at this time. Microsoft 365 Business, Enterprise, Home, Family Affected: ospp.vbs despite being subscription based will also trouble with activation once vbscript is removed Sconfig Related to product activation. no changes so far, relies on external changes. The script itself is safe to comply with the change, now it has been reworked and updated using PowerShell , starting Windows Server 2022. WinRM Affected: the whole WinRM configuration command, e.g. winrm qc Windows Server Roles and Features: KMS / ADBA Potentially affected as they rely on slmgr for adding and removing CSVLK keys. Windows Server Roles and Features: IIS legacy IIS extension management. Windows Server Roles and Features: WSUS related deployment and configuration scripts. System Center Products incl. ConfigMgr there might be depencendies for OS deployments in regard to OS imaging. ADK, esp. Windows Imaging Tools and VAMT 3 potentially affected. Need to adopt changes in regard to activation and other operations. Suggestions: Recommending all these scripts being converted using Claude or Copilot from vbscript to PowerShell. Providing a serviceable PS modules, especially for printer management, product activation, which enables enterprises to automate their activations and printers, even though Microsoft is going to remove vbscript. The modules should be improved for existing day two adminstration tasks and workflows. slmgr, in particular, had some nuances that were tedious such as identifying and removing (stale) activation keys. Existing tools like slmgr and other will not work well in remoting. They do something but their interactive parts and outputs are reserved for interactive user sessions. Example: you can use slmgr in a remote PowerShell session for installing and activating a key but therer is no result return to the shell. Combining slui.exe and slmgr.vbs into aforementioned improvements in functionality and syntax. Consider support for PowerShell 7 in WinRE and Offline Setup phase. Many thanks for your consideration! Directory: C:\Windows\System32\Printing_Admin_Scripts\en-US Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 10:43 AM 98756 prncnfg.vbs -a--- 4/16/2026 10:43 AM 66172 prndrvr.vbs -a--- 4/16/2026 10:43 AM 62698 prnjobs.vbs -a--- 4/16/2026 10:43 AM 95908 prnmngr.vbs -a--- 4/16/2026 10:43 AM 71616 prnport.vbs -a--- 4/16/2026 10:43 AM 44278 prnqctl.vbs -a--- 4/16/2026 10:43 AM 22612 pubprn.vbs Directory: C:\Windows\System32 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 4119 CallUxxProvider.vbs -a--- 4/16/2026 9:14 AM 145712 slmgr.vbs -a--- 4/16/2026 9:14 AM 1720 SyncAppvPublishingServer.vbs -a--- 4/16/2026 9:14 AM 204072 winrm.vbs Directory: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 10:43 AM 98756 prncnfg.vbs -a--- 4/16/2026 10:43 AM 66172 prndrvr.vbs -a--- 4/16/2026 10:43 AM 62698 prnjobs.vbs -a--- 4/16/2026 10:43 AM 95908 prnmngr.vbs -a--- 4/16/2026 10:43 AM 71616 prnport.vbs -a--- 4/16/2026 10:43 AM 44278 prnqctl.vbs -a--- 4/16/2026 10:43 AM 22612 pubprn.vbs Directory: C:\Windows\SysWOW64 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 145712 slmgr.vbs -a--- 4/16/2026 9:14 AM 204072 winrm.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.29574.1000_none_0895f7c27f109b8a Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 1720 SyncAppvPublishingServer.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_10.0.29574.1000_none_ba69ed912e209e30 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 98133 adsutil.vbs -a--- 4/16/2026 9:14 AM 41401 IIsExt.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_10.0.29574.1000_en-us_ 4ad0e09e0339f1ef Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 10:43 AM 98756 prncnfg.vbs -a--- 4/16/2026 10:43 AM 66172 prndrvr.vbs -a--- 4/16/2026 10:43 AM 62698 prnjobs.vbs -a--- 4/16/2026 10:43 AM 95908 prnmngr.vbs -a--- 4/16/2026 10:43 AM 71616 prnport.vbs -a--- 4/16/2026 10:43 AM 44278 prnqctl.vbs -a--- 4/16/2026 10:43 AM 22612 pubprn.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-s..r-core-mgmtprovider_31bf3856ad364e35_10.0.29574.1000_none_62cec50667f8da2a Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 4119 CallUxxProvider.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-tools_31bf3856ad364e35_10.0.29574.1000_none_81bcc6c67609fdb9 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 145712 slmgr.vbs Directory: C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.29574.1000_none_0688f60763f16bc8 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 204072 winrm.vbs Directory: C:\Windows\WinSxS\amd64_updateservices-services_31bf3856ad364e35_10.0.29574.1000_none_bae89f3176313538 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 8332 DynamicCompression.vbs -a--- 4/16/2026 9:14 AM 4289 SetAppPool.vbs -a--- 4/16/2026 9:14 AM 5813 SetMimeMap.vbs Directory: C:\Windows\WinSxS\wow64_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_10.0.29574.1000_none_c4be97e36281602b Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 41401 IIsExt.vbs Directory: C:\Windows\WinSxS\wow64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_10.0.29574.1000_en-us_ 55258af0379ab3ea Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 10:43 AM 98756 prncnfg.vbs -a--- 4/16/2026 10:43 AM 66172 prndrvr.vbs -a--- 4/16/2026 10:43 AM 62698 prnjobs.vbs -a--- 4/16/2026 10:43 AM 95908 prnmngr.vbs -a--- 4/16/2026 10:43 AM 71616 prnport.vbs -a--- 4/16/2026 10:43 AM 44278 prnqctl.vbs -a--- 4/16/2026 10:43 AM 22612 pubprn.vbs Directory: C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-tools_31bf3856ad364e35_10.0.29574.1000_none_8c117118aa6abfb4 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 145712 slmgr.vbs Directory: C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.29574.1000_none_10dda05998522dc3 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 4/16/2026 9:14 AM 204072 winrm.vbs related announcements: https://techcommunity.microsoft.com/blog/Windows-ITPro-blog/vbscript-deprecation-timelines-and-next-steps/4148301
SCCM- Upgrade from 2409 to 2509 WSUS timeout issue
Had a working task sequence on 2409 that performed software updates at the end of the task sequence. Upgraded to 2509 - I get a timeout issue when getting to that point on the task sequence. Ive performed maintenance on the WSUS Server, (obsolete, expired etc) I removed the Software Update Point - and re installed it selected the Products of Server 2016,2019, server operating system 21h2 , Windows 10 1903 or later and Windows 11. rebooted both the SCCM and SQL Server. after doing the above but the HRESULT 0x80244010 still persists. "Exceeded max server round trips" — client couldn't retrieve all updates in one cycle. Software centre updates in the OS seem to be unaffected or unknown if clients are affected, only in a task sequence this occurs. Blog posts refer to older items, what would cause this to fail after a upgrade from 2409 to 2509? AI help repeats about reducing metadata and updates but for weird reason i keep getting 700+ updates for the above categories!Protect Azure Cosmos DB with vaulted backups using Azure Backup (public preview)
As organizations increasingly rely on Azure Cosmos DB to power mission‑critical, globally distributed applications, protecting this data from accidental deletion, malicious activity, and ransomware has become more important than ever. At MS Build 2026, we’re excited to announce the preview of Azure Backup for Cosmos DB, which introduces vaulted backups—a secure, isolated, and fully managed backup solution designed to strengthen cyber‑resilience and support compliance requirements. Why vaulted backups for Azure Cosmos DB? Azure Cosmos DB already provides built‑in data protection capabilities such as replication and availability features to help ensure application uptime. However, these capabilities alone may not be sufficient to protect against scenarios such as: Accidental or malicious deletion of data or accounts Compromised credentials or insider threats Ransomware attacks targeting production environments Compliance requirements that mandate off‑site, immutable backups Vaulted backups add an independent protection layer by storing backup copies in an Azure Backup vault, isolated from the source Cosmos DB account and managed through Azure Backup. How vaulted backups protect your Cosmos DB data With this preview, Azure Backup enables you to protect Azure Cosmos DB using a policy‑driven, automated backup experience. Once configured, Azure Backup manages backup scheduling, retention, and lifecycle without manual intervention. Key protection capabilities include: Isolation from production data: Vaulted backups are stored in a separate, Microsoft‑managed backup vault, ensuring that backup data remains protected even if the source Cosmos DB account is deleted or compromised. Resilience against ransomware and malicious attacks: Because backups are isolated and protected by Azure Backup security controls, attackers cannot directly access or tamper with recovery points, helping ensure reliable recovery when it matters most. Policy‑based backups with long‑term retention: Define backup schedules and retention periods using Azure Backup policies to support long‑term compliance and audit requirements. Security‑first design: Azure Backup safeguards vaulted backups using encryption, soft delete, immutability, and role‑based access control, helping protect backup data against unauthorized deletion or modification. Designed for compliance and enterprise resilience Vaulted backups for Azure Cosmos DB help organizations align with industry and regulatory expectations that require: Off‑site and isolated backup copies Strong access controls and separation of duties Protection against premature deletion Long‑term retention of critical data By integrating Cosmos DB protection into Azure Backup, customers can manage backups centrally alongside other Azure workloads using a consistent governance and monitoring experience. Getting started with the preview Please refer to the product documentation for details on supported scenarios, limitations, and onboarding steps. For Cosmos DB vaulted backup (preview), you incur charges from, 1 July 2026. Refer to Azure Backup pricing page and pricing calculator for more details.Windows Server vNext cannot be activated
Error Code 0xC004F012 when trying to activate WS vNext Datacenter with Key 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67. vbscript is removed, implying the future removal of this component from the OS. It appear that Windows Activation still relying on vbscript. Is this something that is on the roadmap? Would wish for native PowerShell support / module instead of vbscript.[Now Generally Available] Customizable Security Baseline Policies in Machine Configuration!
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers. We're excited to announce the General Availability of Customizable Security Baselines in Azure Policy and Machine Configuration. What began as a Public Preview is now a mature, production-grade capability that empowers you to tailor industry security benchmarks to your organization's unique compliance standards across both Azure and Arc-connected machines, at scale. This release moves the experience from "useful" to "everyday default." Standards coverage has expanded, the customization and assignment flow is faster, full lifecycle management is now possible directly from the Azure Portal, and a new Overview page gives you a single pane of glass into which parts of your estate are unprotected. What is Baseline Customization? The core experience remains: tailor security standards through the Modify Settings wizard under Policy > Machine Configuration. You can enable, exclude, or adjust rules from existing benchmarks, apply organization-specific parameters, and export your custom configuration as a downloadable JSON file. Each baseline JSON file serves as a reusable, declarative artifact, ideal for policy-as-code workflows, version control, and CI/CD integration. What's New? GA brings four substantive shifts to the customizable baselines experience: broader standards coverage, a faster path from customization to deployment, lifecycle management directly in the portal, and a new Overview page that surfaces compliance gaps at the subscription level. Together, these changes reflect what we heard from early customers during Preview: that custom baselines need to live alongside the rest of their governance workflows, not in a one-time wizard. This cloud-native approach continues to embody Microsoft's Secure by Design and Secure by Default principles, with a sharper focus on the operational reality of running compliance at scale. Built-in Policy Standards Coverage GA expands what you can customize and where it's supported. Standard Status Notes CIS Benchmarks for Linux Generally Available Expanded distribution coverage since Public Preview. See the full list of supported distros in the official documentation. [NEW!] CIS Benchmarks for Windows Public Preview Initial release covers L1 settings for WS2025 Domain Controller and Member Server roles. Azure Compute Security Baseline for Windows Generally Available Now supports customization for Windows Server 2016 and 2019, in addition to 2022 and 2025. Azure Compute Security Baseline for Linux Generally Available Aligned with Azure Compute recommendations across supported Linux distributions. Key Scenarios Faster Time to Deployment The customization-to-assignment path is now a single continuous flow. You can: Skip the JSON download step entirely. Baseline settings are auto-populated into the Azure Policy assignment flow, so you no longer have to download a JSON file, browse for it, and upload it back. The settings ride with you from Modify Settings straight into Assign Policy. Use the improved settings editor. Role-specific values (Domain Controller, Member Server) and formatted inputs render cleanly in the UX, with validation that prevents malformed parameters from reaching the policy assignment. Still export when you need to. The JSON download remains available for teams that want to commit baselines to source control, share with reviewers, or pipe through CI/CD. The net result: what used to take a multi-step download-and-reupload sequence is now a few clicks inside one blade. Lifecycle Management in the Portal Compliance baselines are not write-once artifacts. They evolve as benchmarks update, as your controls tighten, and as your estate changes. GA introduces two capabilities that treat baselines as living configuration: Import and Modify. From the Definitions tab under Machine Configuration, you can now import an existing baseline JSON and iterate on it directly in the portal. This closes the loop between policy-as-code workflows and ad-hoc edits, so you no longer have to choose between version-controlled artifacts and in-portal convenience. Edit Settings on existing Assignments. The Assignments tab now supports updating an active baseline assignment in place. You can refine rules, adjust role-specific values, or exclude controls without tearing down and re-creating the assignment. All you have to do is select the policy assignment and the "Edit Settings" button should be enabled. Together, these turn baselines into something you maintain, not something you set and forget. New Overview Page: See Where You're Unprotected A new Overview page on Policy > Machine Configuration gives you subscription-level visibility into where Machine Configuration is enabled and where it isn't. For each subscription it surfaces status (At Risk, Not Enabled, Enabled), machines missing prerequisites, machines with prerequisites in place, and total eligible machines. From the same view you can enable Machine Configuration on selected subscriptions to onboard eligible VMs and activate baseline auditing in a single action. This shifts the first question from "is this one machine compliant?" to "which corners of my estate aren't even being assessed yet?", which is usually the more consequential gap. Integration and Automation Security baselines continue to integrate into your DevOps pipelines and configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using Azure CLI, ARM templates, Bicep, and CI/CD automation, ensuring reproducible, traceable compliance configurations across environments. Availability Customizable security baselines are now generally available in all public Azure regions, Azure Government, and Sovereign Clouds. Getting Started Prerequisites Before you begin: Deploy the Azure Machine Configuration prerequisite policy initiative. (This installs the required Guest Configuration extension on supported VMs.) You can also do this in a single action from the new Overview page. Ensure your Azure subscription or management group includes supported Windows or Linux VMs. Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions. Step-by-Step Guidance Check your coverage on the Overview page to see which subscriptions are unprotected and onboard them with one click. Select a baseline from the Definitions tab in Machine Configuration or use Import and Modify to iterate on an existing baseline JSON. Modify settings to enable, exclude, or parameterize rules to match your internal policies. Assign the policy directly from the wizard. Settings are auto populated into the assignment flow, no JSON upload required. Iterate when needed. Use Edit Settings on the Assignments tab to refine active baselines in place. Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page. Learn More Azure Machine Configuration security baselines official documentation CIS Benchmark for Windows Server (Preview) documentation CIS Benchmark for Linux documentation Azure Windows Baseline and Azure Linux Baseline documentation Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers. We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature empowers you to tailor industry security benchmarks—such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux —to align with your organization’s unique compliance standards across both Azure and Arc-connected machines. This feature builds on top of our existing audit baseline capabilities for Windows and Linux. Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration. What's New? Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements. This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run. Key Scenarios Baseline Customization Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration. You can: Enable, exclude, or adjust rules from existing benchmarks Apply organization-specific parameters Export your custom configuration as a downloadable JSON file Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration. Assign Audit Policies When you assign a baseline via Azure Policy, it automatically: Evaluates configurations against your defined standards Reports compliance in near real time Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead. Integration and Automation Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using: Azure CLI ARM templates Bicep CI/CD automation This ensures reproducible, traceable compliance configurations across environments. Supported Standards Standard Description CIS Linux Benchmarks Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions. Azure Compute Security Baseline for Windows Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance. Azure Compute Security Baseline for Linux Enforces consistent controls aligned with Azure Compute recommendations. Availability Customizable security baselines are available in all public Azure regions. NOTE: Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview. Getting Started Prerequisites Before you begin: Deploy the Azure Machine Configuration prerequisite policy initiative. (This installs the required Guest Configuration extension on supported VMs.) Ensure your Azure subscription or management group includes supported Windows or Linux VMs. Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions. Step-by-Step Guidance Select a baseline from the Machine Configuration tab in Azure Policy. Modify settings to enable, exclude, or parameterize rules to match your internal policies. Download JSON to export your customized baseline configuration file for programmatic and repeatable customization. Assign the policy which can be deployed through the Azure portal, CLI, or your CI/CD pipeline. Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page. Coming Soon Leverage baseline customization to gradually remediate server security non-compliance using Azure Policy! Join the waitlist here: https://aka.ms/BaselineRemediationWaitlist Learn More Azure Machine Configuration security baselines official documentation CIS Benchmark for Linux documentation Azure Windows Baseline and Azure Linux Baseline documentation Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.
