Azure Policies for Automating Azure Governance - Automating Policies
In the earlier post, I covered issues and concerns organizations may face and how many built in Azure policies can address these problems. Now we are going to take it a step further and discuss how to enforce policies and automate their creation
Camera and Mic Site Permissions
edge settings/privacy/sitePermissions/allPermissions/camera edge settings/privacy/sitePermissions/allPermissions/microphone I was looking to add some sites / urls to automatically permit access to both camera and mic to stop the age old i said no and now cant use service x type service calls from coming in. i added these 2 policies to the admin template Sites that can access audio capture devices without requesting permission Sites that can access video capture devices without requesting permission both succeed in delivery to the device but don't appear in the edge site permission list as expected have i got the wrong policy? is it broke?
[UPDATED]: Microsoft UEFI Signing Requirements
To strengthen the Secure Boot ecosystem and streamline signing turnaround, Microsoft is introducing enhanced UEFI signing requirements for all third-party submissions requesting signatures with Microsoft UEFI CAs (2011 and 2023) or the new Option ROM CA. These updates emphasize security assurance and interoperability across UEFI-enabled devices. Key changes include: Mandatory security audits: Annual independent reviews via the OCP SAFE program, with immediate audits for vulnerabilities or major code changes. Subsystem-based packaging: EFI Applications and Option ROMs must be submitted separately for proper certificate alignment; mixed packaging will be rejected. Stricter code eligibility: Only production-quality binaries, free of GPLv3 licensing, free of known vulnerabilities, and free of malware-prone components will be signed. Enhanced security posture: Requirements for NX compatibility, memory safety, and SBOM inclusion in PE sections are now enforced. Special handling for SHIM and iPXE: SHIM submissions require review board approval or SAFE audits; iPXE submissions must meet additional security criteria.
Portions of Threat Severity section missing in Intune policy
I was updating our Intune Antivirus policy today and noticed that the threat severity section is gone. When I saved the changes, I did another review of the Defender settings and they have been removed from the policy. Anyone else seeing this or know how to get them back?Cloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth
In this blog, we’ll explore why cost efficiency is a top priority for organizations today, how Azure Essentials can help address this challenge, and provide an overview of Microsoft’s solutions, tools, programs, and resources designed to help organizations maximize the value of their cloud and AI investments.
Chrome extension managed storage policy
Hi there, I've developed a chrome extension and now we want to deploy it using Intune. Force install of extension works great but I can't pass managed data to the extension. Here is the scheme: { "type": "object", "properties": { "apiKey": { "title": "API Key", "description": "An API key to communicate with server.", "type": "string" } } } This is the policy that I created in Intune: OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~3rdparty~extensions~eagefwefpbjpewefliifpgfgoewfknnmk~policy Data type: String Value: {"apiKey":"mykey123"} But it doesn't appear in chrome://policy and when I get policies in my code with: const result = await chrome.storage.managed.get(null); The result is empty! What is the problem here? And how to fix it?
GA: Enhanced Audit in Azure Security Baseline for Linux
We’re thrilled to announce the General Availability (GA) of the Enhanced Azure Security Baseline for Linux—a major milestone in cloud-native security and compliance. This release brings powerful, audit-only capabilities to over 1.6 million Linux devices across all Azure regions, helping enterprise customers and IT administrators monitor and maintain secure configurations at scale. What Is the Azure Security Baseline for Linux? The Azure Security Baseline for Linux is a set of pre-configured security recommendations delivered through Azure Policy and Azure Machine Configuration. It enables organizations to continuously audit Linux virtual machines and Arc-enabled servers against industry-standard benchmarks—without enforcing changes or triggering auto-remediation. This GA release focuses on enhanced audit capabilities, giving teams deep visibility into configuration drift and compliance gaps across their Linux estate. For our remediation experience, there is a limited public preview available here: What is the Azure security baseline for Linux? | Microsoft Learn Why Enhanced Audit Matters In today’s hybrid environments, maintaining compliance across diverse Linux distributions is a challenge. The enhanced audit mode provides: Granular insights into each configuration check Industry aligned benchmark for standardized security posture Detailed rule-level reporting with evidence and context Scalable deployment across Azure and Arc-enabled machines Whether you're preparing for an audit, hardening your infrastructure, or simply tracking configuration drift, enhanced audit gives you the clarity and control you need—without enforcing changes. Key Features at GA ✅ Broad Linux Distribution Support 📘 Full distro list: Supported Client Types 🔍 Industry-Aligned Audit Checks The baseline audits over 200+ security controls per machine, aligned to industry benchmarks such as CIS. These checks cover: OS hardening Network and firewall configuration SSH and remote access settings Logging and auditing Kernel parameters and system services Each finding includes a description and the actual configuration state—making it easy to understand and act on. 🌐 Hybrid Cloud Coverage The baseline works across: Azure virtual machines Arc-enabled servers (on-premises or other clouds) This means you can apply a consistent compliance standard across your entire Linux estate—whether it’s in Azure, on-prem, or multi-cloud. 🧠 Powered by Azure OSConfig The audit engine is built on the open-source Azure OSConfig framework, which performs Linux-native checks with minimal performance impact. OSConfig is modular, transparent, and optimized for scale—giving you confidence in the accuracy of audit results. 📊 Enterprise-Scale Reporting Audit results are surfaced in: Azure Policy compliance dashboard Azure Resource Graph Explorer Microsoft Defender for Cloud (Recommendations view) You can query, export, and visualize compliance data across thousands of machines—making it easy to track progress and share insights with stakeholders. 💰 Cost There’s no premium SKU or license required to use the audit capabilities with charges only applying to the Azure Arc managed workloads hosted on-premises or other CSP environments—making it easy to adopt across your environment. How to Get Started Review the Quickstart Guide 📘 Quickstart: Audit Azure Security Baseline for Linux Assign the Built-In Policy Search for “Linux machines should meet requirements for the Azure compute security baseline” in Azure Policy and assign it to your desired scope. Monitor Compliance Use Azure Policy and Resource Graph to track audit results and identify non-compliant machines. Plan Remediation While this release does not include auto-remediation, the detailed audit findings make it easy to plan manual or scripted fixes. Final Thoughts This GA release marks a major step forward in securing Linux workloads at scale. With enhanced audit now available, enterprise teams can: Improve visibility into Linux security posture Align with industry benchmarks Streamline compliance reporting Reduce risk across cloud and hybrid environments
