Azure Update Manager to support CIS hardened images among other images
What’s coming in by first week of August: Azure Update Manager will add support for 35 CIS hardened images. This is the first time that Update Management product in Azure is supporting CIS hardened images. Apart from CIS hardened images, Azure Update Manager will also add support for 59 other images to unblock Automation Update Management migrations to Azure Update Manager. What’s coming in September: After this release, another batch of 30 images will be added support for. Please refer to the article below to check the details of which images will be supported. Below 35 CIS images will be supported by Azure Update Manager by first week of August. Please note Publisher for all these images is center-for-internet-security-inc. Offer Plan cis-windows-server cis-windows-server2016-l1-gen1 cis-windows-server2019-l1-gen1 cis-windows-server2019-l1-gen2 cis-windows-server2019-l2-gen1 cis-windows-server2022-l1-gen2 cis-windows-server2022-l2-gen2 cis-windows-server2022-l1-gen1 cis-windows-server-2022-l1 cis-windows-server-2022-l1 cis-windows-server-2022-l1-gen2 cis-windows-server-2022-l2 cis-windows-server-2022-l2 cis-windows-server-2022-l2-gen2 cis-windows-server-2019-v1-0-0-l1 cis-ws2019-l1 cis-windows-server-2019-v1-0-0-l2 cis-ws2019-l2 cis-windows-server-2016-v1-0-0-l1 cis--l1 cis-windows-server-2016-v1-0-0-l2 cis-ws2016-l2 cis-windows-server-2012-r2-v2-2-1-l2 cis-ws2012-r2-l2 cis-rhel9-l1 cis-rhel9-l1 cis-rhel9-l1-gen2 cis-rhel-8-l1 cis-rhel-8-l2 cis-rhel8-l2 cis-rhel-7-l2 cis-rhel7-l2 cis-rhel cis-redhat7-l1-gen1 cis-redhat8-l1-gen1 cis-redhat8-l2-gen1 cis-redhat9-l1-gen1 cis-redhat9-l1-gen2 cis-ubuntu-linux-2204-l1 cis-ubuntu-linux-2204-l1 cis-ubuntu-linux-2204-l1-gen2 cis-ubuntu-linux-2004-l1 cis-ubuntu2004-l1 cis-ubuntu-linux-1804-l1 cis-ubuntu1804-l1 cis-ubuntu cis-ubuntu1804-l1 cis-ubuntulinux2004-l1-gen1 cis-ubuntulinux2204-l1-gen1 cis-ubuntulinux2204-l1-gen2 cis-oracle-linux-8-l1 cis-oracle8-l1 Apart from CIS hardened images, below are the other 59 images which will be supported by Azure Update Manager by first week of August: Publisher Offer Plan almalinux almalinux-x86_64 8_7-gen2 belindaczsro1588885355210 belvmsrv01 belvmsrv003 cloudera cloudera-centos-os 7_5 cloud-infrastructure-services rds-farm-2019 rds-farm-2019 cloud-infrastructure-services ad-dc-2019 ad-dc-2019 cloud-infrastructure-services sftp-2016 sftp-2016 cloud-infrastructure-services ad-dc-2016 ad-dc-2016 cloud-infrastructure-services hpc2019-windows-server-2019 hpc2019-windows-server-2019 cloud-infrastructure-services dns-ubuntu-2004 dns-ubuntu-2004 cloud-infrastructure-services servercore-2019 servercore-2019 cloud-infrastructure-services ad-dc-2022 ad-dc-2022 cloud-infrastructure-services squid-ubuntu-2004 squid-ubuntu-2004 cognosys sql-server-2016-sp2-std-win2016-debug-utilities sql-server-2016-sp2-std-win2016-debug-utilities esri arcgis-enterprise byol-108 byol-109 byol-111 byol-1081 byol-1091 esri arcgis-enterprise-106 byol-1061 esri arcgis-enterprise-107 byol-1071 esri pro-byol pro-byol-29 filemagellc filemage-gateway-vm-win filemage-gateway-vm-win-001 filemage-gateway-vm-win-002 github github-enterprise github-enterprise matillion matillion matillion-etl-for-snowflake microsoft-ads windows-data-science-vm windows2016 windows2016byol microsoft-dsvm ubuntu-1804 1804-gen2 netapp netapp-oncommand-cloud-manager occm-byol nginxinc nginx-plus-ent-v1 nginx-plus-ent-centos7 ntegralinc1586961136942 ntg_oracle_8_7 ntg_oracle_8_7 procomputers almalinux-8-7 almalinux-8-7 procomputers rhel-8-2 rhel-8-2 RedHat rhel 8_9 redhat rhel-byos rhel-lvm79 rhel-lvm79-gen2 rhel-lvm8 rhel-lvm82-gen2 rhel-lvm83 rhel-lvm84 rhel-lvm84-gen2 rhel-lvm85-gen2 rhel-lvm86 rhel-lvm86-gen2 rhel-lvm87-gen2 rhel-raw76 redhat rhel 8.1 redhat rhel-sap 7.4 redhat rhel-sap 7.7 redhat rhel 89-gen2 southrivertech1586314123192 tn-ent-payg Tnentpayg southrivertech1586314123192 tn-sftp-payg Tnsftppayg suse sles-sap-15-sp2-byos gen2 suse sles-15-sp5 gen2 talend talend_re_image tlnd_re thorntechnologiesllc sftpgateway Sftpgateway veeam office365backup veeamoffice365backup veeam veeam-backup-replication veeam-backup-replication-v11 zscaler zscaler-private-access zpa-con-azure Below images will be supported in September: Publisher Offer Plan aod win2019azpolicy win2019azpolicy belindaczsro1588885355210 belvmsrv03 belvmsrv001 center-for-internet-security-inc cis-rhel-7-v2-2-0-l1 cis-rhel7-l1 center-for-internet-security-inc cis-rhel-7-stig cis-rhel-7-stig center-for-internet-security-inc cis-win-2016-stig cis-win-2016-stig center-for-internet-security-inc cis-windows-server-2012-r2-v2-2-1-l1 cis-ws2012-r2-l1 cloudrichness rockey_linux_image rockylinux86 Credativ Debian 8 microsoftdynamicsnav dynamicsnav 2017 microsoftwindowsserver windowsserver-hub 2012-r2-datacenter-hub 2016-datacenter-hub MicrosoftWindowsServer WindowsServer-HUB 2016-Datacenter-HUB ntegralinc1586961136942 ntg_cbl_mariner_2 ntg_cbl_mariner_2_gen2 openvpn openvpnas access_server_byol rapid7 nexpose-scan-engine nexpose-scan-engine rapid7 rapid7-vm-console rapid7-vm-console suse sles 12-sp3 suse sles-15-sp1-basic gen1 suse sles-15-sp2-basic gen1 suse sles-15-sp3-basic gen1 gen2 suse sles-15-sp4-basic gen2 suse sles-sap 12-sp3 15 gen2-15 suse sles-sap-byos 15 suse SLES-SAP-BYOS 15 suse sles-sap-15-sp1-byos gen1 Tenable tenablecorenessus tenablecorenessusbyol[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers. We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature empowers you to tailor industry security benchmarks—such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux —to align with your organization’s unique compliance standards across both Azure and Arc-connected machines. This feature builds on top of our existing audit baseline capabilities for Windows and Linux. Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration. What's New? Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements. This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run. Key Scenarios Baseline Customization Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration. You can: Enable, exclude, or adjust rules from existing benchmarks Apply organization-specific parameters Export your custom configuration as a downloadable JSON file Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration. Assign Audit Policies When you assign a baseline via Azure Policy, it automatically: Evaluates configurations against your defined standards Reports compliance in near real time Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead. Integration and Automation Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using: Azure CLI ARM templates Bicep CI/CD automation This ensures reproducible, traceable compliance configurations across environments. Supported Standards Standard Description CIS Linux Benchmarks Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions. Azure Compute Security Baseline for Windows Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance. Azure Compute Security Baseline for Linux Enforces consistent controls aligned with Azure Compute recommendations. Availability Customizable security baselines are available in all public Azure regions. NOTE: Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview. Getting Started Prerequisites Before you begin: Deploy the Azure Machine Configuration prerequisite policy initiative. (This installs the required Guest Configuration extension on supported VMs.) Ensure your Azure subscription or management group includes supported Windows or Linux VMs. Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions. Step-by-Step Guidance Select a baseline from the Machine Configuration tab in Azure Policy. Modify settings to enable, exclude, or parameterize rules to match your internal policies. Download JSON to export your customized baseline configuration file for programmatic and repeatable customization. Assign the policy which can be deployed through the Azure portal, CLI, or your CI/CD pipeline. Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page. Learn More Azure Machine Configuration security baselines official documentation CIS Benchmark for Linux documentation Azure Windows Baseline and Azure Linux Baseline documentation Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.Empower Smarter AI Agent Investments
This curated series of modules is designed to equip technical and business decision-makers, including IT, developers, engineers, AI engineers, administrators, solution architects, business analysts, and technology managers, with the practical knowledge and guidance needed to make cost-conscious decisions at every stage of the AI agent journey. From identifying high-impact use cases and understanding cost drivers, to forecating ROI, adopting best practices, designing scalable and effective architectures, and optimizing ongoing investments, this learning path provides actionable guidance for building, deploying, and managing AI agents on Azure with confidence. Whether you’re just starting your AI journey or looking to scale enterprise adoption, these modules will help you align innovation with financial discipline, ensuring your AI agent initiatives deliver sustainable value and long-term success. Discover the full learning path here: aka.ms/Cost-Efficient-AI-Agents Explore the sections below for an overview of each module included in this learning path, highlighting the core concepts, practical strategies, and actionable insights designed to help you maximize the value of AI agent investments on Azure: Module 1: Identify and Prioritize High-Impact, Cost-Effective AI Agent Use Cases The journey begins with a strategic approach to selecting AI agent use cases that maximize business impact and cost efficiency. This module introduces a structured framework for researching proven use cases, collaborating across teams, and defining KPIs to evaluate feasibility and ROI. You’ll learn how to target “quick wins” while ensuring alignment with organizational goals and resource constraints. Explore this module Module 2: Understand the Key Cost Drivers of AI Agents Building on the foundation of use case selection, Module 2 dives into the core cost drivers of AI agent development and operations on Azure. It covers infrastructure, integration, data quality, team expertise, and ongoing operational expenses, offering actionable strategies to optimize spending at every stage. The module emphasizes right-sizing resources, efficient data preparation, and leveraging Microsoft tools to streamline development and ensure sustainable, scalable success. Explore this module Module 3: Forecast the Return on Investment (ROI) of AI agents With a clear understanding of costs, the next step is to quantify value. Module 3 empowers both business and technical leaders with practical frameworks for forecasting and communicating ROI, even without a finance background. Through step-by-step guides and real-world examples, you’ll learn to measure tangible and intangible outcomes, apply NPV calculations, and use sensitivity analysis to prioritize AI investments that align with broader organizational objectives. Explore this module Module 4: Implement Best Practices to Empower AI Agent Efficiency and Ensure Long-Term Success To drive efficiency and governance at scale, Module 4 introduces essential frameworks such as the AI Center of Excellence (CoE), FinOps, GenAI Ops, the Cloud Adoption Framework (CAF), and the Well-Architected Framework (WAF). These best practices help organizations accelerate adoption, optimize resources, and foster operational excellence, ensuring AI agents deliver measurable value, remain secure, and support sustainable enterprise growth. Explore this module Module 5: Maximize Cost Efficiency by Choosing the Right AI Agent Development Approach Selecting the right development approach is critical for balancing speed, customization, and cost. In Module 5, you’ll learn how to align business needs and technical skills with SaaS, PaaS, or IaaS options, empowering both business users and developers to efficiently build, deploy, and manage AI agents. The module also highlights how Microsoft Copilot Studio, Visual Studio, and Azure AI Foundry can help your organization achieve its goals. Explore this module Module 6: Architect Scalable and Cost-Efficient AI Agent Solutions on Azure As your AI initiatives grow, architectural choices become paramount. Module 6 explores how to leverage Azure Landing Zones and reference architectures for secure, well-governed, and cost-optimized deployments. It compares single-agent and multi-agent systems, highlights strategies for cost-aware model selection, and details best practices for governance, tagging, and pricing, ensuring your AI solutions remain flexible, resilient, and financially sustainable. Explore this module Module 7: Manage and Optimize AI Agent Investments on Azure The learn path concludes with a focus on operational excellence. Module 7 provides guidance on monitoring agent performance and spending using Azure AI Foundry Observability, Azure Monitor Application Insights, and Microsoft Cost Management. Learn how to track key metrics, set budgets, receive real-time alerts, and optimize resource allocation, empowering your organization to maximize ROI, stay within budget, and deliver ongoing business value. Explore this module Ready to accelerate your AI agent journey with financial confidence? Start exploring the new learning path and unlock proven strategies to maximize the cost efficiency of your AI agents on Azure, transforming innovation into measurable, sustainable business success. Get started todayCloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth
In this blog, we’ll explore why cost efficiency is a top priority for organizations today, how Azure Essentials can help address this challenge, and provide an overview of Microsoft’s solutions, tools, programs, and resources designed to help organizations maximize the value of their cloud and AI investments.
GA: Enhanced Audit in Azure Security Baseline for Linux
We’re thrilled to announce the General Availability (GA) of the Enhanced Azure Security Baseline for Linux—a major milestone in cloud-native security and compliance. This release brings powerful, audit-only capabilities to over 1.6 million Linux devices across all Azure regions, helping enterprise customers and IT administrators monitor and maintain secure configurations at scale. What Is the Azure Security Baseline for Linux? The Azure Security Baseline for Linux is a set of pre-configured security recommendations delivered through Azure Policy and Azure Machine Configuration. It enables organizations to continuously audit Linux virtual machines and Arc-enabled servers against industry-standard benchmarks—without enforcing changes or triggering auto-remediation. This GA release focuses on enhanced audit capabilities, giving teams deep visibility into configuration drift and compliance gaps across their Linux estate. For our remediation experience, there is a limited public preview available here: What is the Azure security baseline for Linux? | Microsoft Learn Why Enhanced Audit Matters In today’s hybrid environments, maintaining compliance across diverse Linux distributions is a challenge. The enhanced audit mode provides: Granular insights into each configuration check Industry aligned benchmark for standardized security posture Detailed rule-level reporting with evidence and context Scalable deployment across Azure and Arc-enabled machines Whether you're preparing for an audit, hardening your infrastructure, or simply tracking configuration drift, enhanced audit gives you the clarity and control you need—without enforcing changes. Key Features at GA ✅ Broad Linux Distribution Support 📘 Full distro list: Supported Client Types 🔍 Industry-Aligned Audit Checks The baseline audits over 200+ security controls per machine, aligned to industry benchmarks such as CIS. These checks cover: OS hardening Network and firewall configuration SSH and remote access settings Logging and auditing Kernel parameters and system services Each finding includes a description and the actual configuration state—making it easy to understand and act on. 🌐 Hybrid Cloud Coverage The baseline works across: Azure virtual machines Arc-enabled servers (on-premises or other clouds) This means you can apply a consistent compliance standard across your entire Linux estate—whether it’s in Azure, on-prem, or multi-cloud. 🧠 Powered by Azure OSConfig The audit engine is built on the open-source Azure OSConfig framework, which performs Linux-native checks with minimal performance impact. OSConfig is modular, transparent, and optimized for scale—giving you confidence in the accuracy of audit results. 📊 Enterprise-Scale Reporting Audit results are surfaced in: Azure Policy compliance dashboard Azure Resource Graph Explorer Microsoft Defender for Cloud (Recommendations view) You can query, export, and visualize compliance data across thousands of machines—making it easy to track progress and share insights with stakeholders. 💰 Cost There’s no premium SKU or license required to use the audit capabilities with charges only applying to the Azure Arc managed workloads hosted on-premises or other CSP environments—making it easy to adopt across your environment. How to Get Started Review the Quickstart Guide 📘 Quickstart: Audit Azure Security Baseline for Linux Assign the Built-In Policy Search for “Linux machines should meet requirements for the Azure compute security baseline” in Azure Policy and assign it to your desired scope. Monitor Compliance Use Azure Policy and Resource Graph to track audit results and identify non-compliant machines. Plan Remediation While this release does not include auto-remediation, the detailed audit findings make it easy to plan manual or scripted fixes. Final Thoughts This GA release marks a major step forward in securing Linux workloads at scale. With enhanced audit now available, enterprise teams can: Improve visibility into Linux security posture Align with industry benchmarks Streamline compliance reporting Reduce risk across cloud and hybrid environments🚨 Azure Service Health Built-In Policy (Preview) – Now Available!
Resiliency is a key focus for Microsoft in making sure our customers experience minimal impact due to planned or unexpected outages that may occur. Up until now there has been no native scalable solution to provide consistent notifications across Azure subscriptions for Service Health events. Building on the success of Azure Monitor Baseline Alerts (AMBA) where this functionality is currently available, the AMBA team has combined with the Service Health Product team to include this capability into the Azure native experience. We’re excited to announce the release of Azure Service Health Built-In Policy (Preview), a new built-in Azure Policy designed to simplify and scale the deployment of Service Health alerts across your Azure environment. This policy enables customers to automatically deploy Service Health alerts across subscriptions, ensuring consistent visibility into platform-level issues that may impact workloads. Existing subscriptions can be remediated in bulk and new Azure subscriptions, created once the Policy has been assigned, will automatically be configured for receiving Service Health alerts. 🔍 What's the purpose of this announcement? It addresses situations where customers only permit the use of built-in policies. It automates the setup of Service Health alerts across all subscriptions when deployed at the management group level. It ensures consistent alert coverage for platform events. It helps reduce manual setup and ongoing maintenance. 🛠️ What options are available with the Policy? All the learnings from AMBA have been taken into consideration in designing and creating this policy. There are now a wide range of options available to provide flexibility based on your needs. These options are surfaced as parameters within the policy: It audits the existing environment for compliance. It ensures the ability to provide custom alert rules that align with the naming standards. It gives the ability to choose the types of Service Health events to monitor. It supports Bring-your-own Action Group, or the ability to create a new Action Group as part of the Policy assignment. For ARM role notification, it ensures the ability to choose from a pre-set list of built-in roles for notifications. It provides the ability to choose from email, Logic App, Event Hubs, webhook, and Azure Functions within the Action Group. It enables naming Resource groups, and location flexibility. It gives the ability to add Resource tags. 🧩 What about Azure Monitor Baseline Alerts? The AMBA team have been working to incorporate the newly built-in policy into a future release. The team plans to roll this out in the next few weeks along with details for existing customers on replacing the existing AMBA custom policy. These changes will then be consumed into Azure Landing Zones. AMBA continues to offer a wide range of alerts for both platform and workload services in addition to Service Health alerts. This announcement does not serve as a replacement for AMBA but simply compliments the AMBA solution. 📣 What’s Next? Check out the guidance on leveraging this policy in your environment Deploy Service Health alert rules at scale using Azure Policy - Azure Service Health Should you require support for this policy please raise a support ticket via the portal as comments raised below may not be addressed in a timely manner
