Automating Windows Server Licensing Benefits with Azure Arc Policy
Introduction: Managing Windows Server benefits licensing across hybrid environments can be challenging. Azure Arc combined with Azure Policy simplifies this by automatically enforcing licensing compliance. This blog explains how the provided policy works and how to deploy it. Why implement this policy? Automating Windows Server Licensing Benefits with Azure Arc Policy ensures that all eligible machines are seamlessly enabled for essential management services, including Azure Update Manager, Best Practice Assessment, Change Tracking, Inventory, and Windows Admin Center integration. For organizations managing hundreds or thousands of servers, manual enablement can be time-consuming and error prone. This policy continuously monitors your environment, automatically identifying newly added machines and highlighting those missing the required benefits, so you can maintain compliance and streamline operations at scale This learn document detail the benefits available when Windows Server is connected via Azure Arc, especially for machines with Software Assurance or subscription licenses: https://learn.microsoft.com/en-us/azure/azure-arc/servers/windows-server-management-overview?tabs=portal Note – Ensure that your organization has the proper Software Assurance Benefits to cover the machines that are being assigned. Please reference this link for billing information Windows Server Management enabled by Azure Arc - Azure Arc | Microsoft Learn "Customers need to explicitly attest for their Azure Arc-enabled servers or enroll in Windows Server pay-as-you-go to be exempt from billing for these services. Eligibility isn't inferred directly from the enablement to Azure Arc. Eligibility is not inferred from licensing status for the Azure Arc-enabled SQL Server instances that may be connected to an Azure Arc-enabled." Policy Purpose and Logic The policy ensures Arc-enabled Windows Servers are licensed correctly. It evaluates machines based on OS type, license status, and conditions for Software Assurance or Pay-As-You-Go. If compliance is missing, a remediation policy deploys the appropriate license profile. Key Conditions Applies to resources of type Microsoft.HybridCompute/machines with osType = windows. Checks if licenseProfile.licenseStatus equals Licensed. Uses existenceCondition to determine if the machine should have SA or PAYG licensing based on osSku and licenseChannel. Deployment Details The policy uses DeployIfNotExists effect. It deploys licenseProfiles under the Arc machine resource. Two scenarios are handled: Pay-As-You-Go: If licenseChannel contains 'PGS', productProfile.subscriptionStatus is set to Enabled. Software Assurance: If licenseChannel does not contain 'PGS', softwareAssuranceCustomer is set to true. The Policy The policy is located in GitHub (Link) and AzPolicyAdvertiser (Link). Download the policy files to be used in the following steps. Policy Description For 2025 server, if license type is Pay-as-you-go, then this will check the Pay-as-you-go box in license menu. If 2025 and not Pay-as-you-go license or not 2025 server then check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers How to Deploy the Policy After downloading the policy file, use Az PowerShell to create and assign the policy: #Create policy definition New-AzPolicyDefinition ` -Name "activate-azure-benefits-for-windows-arc-machines" ` -DisplayName "Activate Azure Benefits for Windows Arc Machines" ` -Policy 'azurepolicy.json' ` -ManagementGroupName "<MyManagementGroup>" ` -Mode Indexed #Assign policy definition $Policy = Get-AzPolicyDefinition -Name 'activate-azure-benefits-for-windows-arc-machines' -ManagementGroupName "<ScopeOfDefinitionCreation>" New-AzPolicyAssignment ` -Name "activate-arc-benefits" ` -DisplayName "Activate Azure Benefits for Windows Arc Machines" ` -PolicyDefinition $Policy ` -Scope "/providers/Microsoft.Management/managementGroups/<MyManagementGroup>" ` -Location 'eastus' ` -IdentityType 'SystemAssigned' # Optional use subscriptions instead of management groups. # or "/subscriptions/<SubscriptionId>" You can also copy and paste the contents of the policy into the portal or use a policy-as-code solution of your choice. Compliance The compliance blade of the Azure Policy will show the machines that do not abide by the policy definition. In this example many of the machines are not enabled for the Windows Server Benefits. The next step will be to use remediation tasks to enable these machines. On the Policy Remediation blade, you can initiate a remediation task to add the machines to enable the Azure Arc Benefits. Choose between the two radio button options for remediating all the selected locations, a single location, or select specific resources to remediate. When the Remediate button is pressed, a task is summitted and a notification will be displaced when the task is completed. The process may take some time and a status of In Progress will be displayed until the status changes to Complete. After this is completed go back and look at the Azure Arc Benefits – Windows Server Blade and you will see the machines activated. Note on Pay-as-you-go enablement When a Windows machine is deployed using Pay-as-you-go, as an example a new Windows Server 2025 machine, the status of the license after creation will be “Unlicensed” as shown below. The policy is not evaluating Unlicensed machines. The machine will need to have the Pay-as-you-go with Azure check box checked at least one time to “License” the machine. After the machine is Licensed the License details will show: Now if the machine would have the benefits removed in the future by unchecking the box, the machine will be audited with the policy. As an example, the Arc machine would show that the License type is Pay-as-you-go, Licensed, Disabled (for the Azure Benefits). Summary This policy automates Windows Server licensing for Arc-enabled machines. It ensures compliance by deploying license profiles for Software Assurance or Pay-As-You-Go scenarios. Deploying this policy reduces manual effort and enforces consistent licensing across your hybrid environment.[Public Preview] Introducing Customizable Security Baseline Policies in Machine Configuration
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers. We’re excited to announce Public Preview support for Customizable Security Baselines in Azure Policy and Machine Configuration. This feature empowers you to tailor industry security benchmarks—such as CIS benchmarks for Linux or Azure Security Baselines for Windows and Linux —to align with your organization’s unique compliance standards across both Azure and Arc-connected machines. This feature builds on top of our existing audit baseline capabilities for Windows and Linux. Now you can create, parameterize, and assign custom baselines at scale, enabling continuous compliance visibility across your entire environment. Learn more about how to get started here: Customize Security Baselines with Azure Policy and Machine Configuration. What's New? Customizable security baselines in Azure Policy and Machine Configuration bring a powerful new way to assess, monitor, and improve your security posture across both Windows and Linux servers. Built on industry benchmarks such as the Center for Internet Security (CIS) and Microsoft’s own Azure Compute Security Baselines, this capability enables you to adapt compliance frameworks to your organization’s specific needs — all while maintaining a consistent governance model across Azure and hybrid environments. By passing custom baseline parameters directly into Azure Policy, you can represent internal controls at scale, ensuring that compliance reflects your enterprise’s unique standards and regulatory requirements. This cloud-native approach embodies Microsoft’s Secure by Design and Secure by Default principles — ensuring your workloads stay compliant, wherever they run. Key Scenarios Baseline Customization Tailor your security standards through the Modify Settings wizard under Policy > Machine Configuration. You can: Enable, exclude, or adjust rules from existing benchmarks Apply organization-specific parameters Export your custom configuration as a downloadable JSON file Each baseline JSON file serves as a reusable, declarative artifact—ideal for policy-as-code workflows, version control, and CI/CD integration. Assign Audit Policies When you assign a baseline via Azure Policy, it automatically: Evaluates configurations against your defined standards Reports compliance in near real time Surfaces findings in Azure Policy, Azure Resource Graph, and the Guest Assignments view This integrated visibility helps IT administrators, security teams, and auditors track compliance status with minimal overhead. Integration and Automation Security baselines integrate seamlessly into your DevOps pipelines and configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be versioned and deployed using: Azure CLI ARM templates Bicep CI/CD automation This ensures reproducible, traceable compliance configurations across environments. Supported Standards Standard Description CIS Linux Benchmarks Official CIS Benchmarks for Azure-endorsed Linux distributions, matching the latest CIS versions. Azure Compute Security Baseline for Windows Applies security controls for Windows Server 2022 and 2025, aligned with Azure Compute guidance. Azure Compute Security Baseline for Linux Enforces consistent controls aligned with Azure Compute recommendations. Availability Customizable security baselines are available in all public Azure regions. NOTE: Support for Azure Government and Sovereign Clouds will be added in a future release. These environments are not included in the current Public Preview. Getting Started Prerequisites Before you begin: Deploy the Azure Machine Configuration prerequisite policy initiative. (This installs the required Guest Configuration extension on supported VMs.) Ensure your Azure subscription or management group includes supported Windows or Linux VMs. Have sufficient permissions (Owner or Resource Policy Contributor) to create and assign custom policy definitions. Step-by-Step Guidance Select a baseline from the Machine Configuration tab in Azure Policy. Modify settings to enable, exclude, or parameterize rules to match your internal policies. Download JSON to export your customized baseline configuration file for programmatic and repeatable customization. Assign the policy which can be deployed through the Azure portal, CLI, or your CI/CD pipeline. Review compliance results to track outcomes in Azure Policy, Azure Resource Graph, or the Guest Assignments page. Learn More Azure Machine Configuration security baselines official documentation CIS Benchmark for Linux documentation Azure Windows Baseline and Azure Linux Baseline documentation Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge.Empower Smarter AI Agent Investments
This curated series of modules is designed to equip technical and business decision-makers, including IT, developers, engineers, AI engineers, administrators, solution architects, business analysts, and technology managers, with the practical knowledge and guidance needed to make cost-conscious decisions at every stage of the AI agent journey. From identifying high-impact use cases and understanding cost drivers, to forecating ROI, adopting best practices, designing scalable and effective architectures, and optimizing ongoing investments, this learning path provides actionable guidance for building, deploying, and managing AI agents on Azure with confidence. Whether you’re just starting your AI journey or looking to scale enterprise adoption, these modules will help you align innovation with financial discipline, ensuring your AI agent initiatives deliver sustainable value and long-term success. Discover the full learning path here: aka.ms/Cost-Efficient-AI-Agents Explore the sections below for an overview of each module included in this learning path, highlighting the core concepts, practical strategies, and actionable insights designed to help you maximize the value of AI agent investments on Azure: Module 1: Identify and Prioritize High-Impact, Cost-Effective AI Agent Use Cases The journey begins with a strategic approach to selecting AI agent use cases that maximize business impact and cost efficiency. This module introduces a structured framework for researching proven use cases, collaborating across teams, and defining KPIs to evaluate feasibility and ROI. You’ll learn how to target “quick wins” while ensuring alignment with organizational goals and resource constraints. Explore this module Module 2: Understand the Key Cost Drivers of AI Agents Building on the foundation of use case selection, Module 2 dives into the core cost drivers of AI agent development and operations on Azure. It covers infrastructure, integration, data quality, team expertise, and ongoing operational expenses, offering actionable strategies to optimize spending at every stage. The module emphasizes right-sizing resources, efficient data preparation, and leveraging Microsoft tools to streamline development and ensure sustainable, scalable success. Explore this module Module 3: Forecast the Return on Investment (ROI) of AI agents With a clear understanding of costs, the next step is to quantify value. Module 3 empowers both business and technical leaders with practical frameworks for forecasting and communicating ROI, even without a finance background. Through step-by-step guides and real-world examples, you’ll learn to measure tangible and intangible outcomes, apply NPV calculations, and use sensitivity analysis to prioritize AI investments that align with broader organizational objectives. Explore this module Module 4: Implement Best Practices to Empower AI Agent Efficiency and Ensure Long-Term Success To drive efficiency and governance at scale, Module 4 introduces essential frameworks such as the AI Center of Excellence (CoE), FinOps, GenAI Ops, the Cloud Adoption Framework (CAF), and the Well-Architected Framework (WAF). These best practices help organizations accelerate adoption, optimize resources, and foster operational excellence, ensuring AI agents deliver measurable value, remain secure, and support sustainable enterprise growth. Explore this module Module 5: Maximize Cost Efficiency by Choosing the Right AI Agent Development Approach Selecting the right development approach is critical for balancing speed, customization, and cost. In Module 5, you’ll learn how to align business needs and technical skills with SaaS, PaaS, or IaaS options, empowering both business users and developers to efficiently build, deploy, and manage AI agents. The module also highlights how Microsoft Copilot Studio, Visual Studio, and Azure AI Foundry can help your organization achieve its goals. Explore this module Module 6: Architect Scalable and Cost-Efficient AI Agent Solutions on Azure As your AI initiatives grow, architectural choices become paramount. Module 6 explores how to leverage Azure Landing Zones and reference architectures for secure, well-governed, and cost-optimized deployments. It compares single-agent and multi-agent systems, highlights strategies for cost-aware model selection, and details best practices for governance, tagging, and pricing, ensuring your AI solutions remain flexible, resilient, and financially sustainable. Explore this module Module 7: Manage and Optimize AI Agent Investments on Azure The learn path concludes with a focus on operational excellence. Module 7 provides guidance on monitoring agent performance and spending using Azure AI Foundry Observability, Azure Monitor Application Insights, and Microsoft Cost Management. Learn how to track key metrics, set budgets, receive real-time alerts, and optimize resource allocation, empowering your organization to maximize ROI, stay within budget, and deliver ongoing business value. Explore this module Ready to accelerate your AI agent journey with financial confidence? Start exploring the new learning path and unlock proven strategies to maximize the cost efficiency of your AI agents on Azure, transforming innovation into measurable, sustainable business success. Get started todayAzure Policies for Automating Azure Governance - Automating Policies
In the earlier post, I covered issues and concerns organizations may face and how many built in Azure policies can address these problems. Now we are going to take it a step further and discuss how to enforce policies and automate their creation
Camera and Mic Site Permissions
edge settings/privacy/sitePermissions/allPermissions/camera edge settings/privacy/sitePermissions/allPermissions/microphone I was looking to add some sites / urls to automatically permit access to both camera and mic to stop the age old i said no and now cant use service x type service calls from coming in. i added these 2 policies to the admin template Sites that can access audio capture devices without requesting permission Sites that can access video capture devices without requesting permission both succeed in delivery to the device but don't appear in the edge site permission list as expected have i got the wrong policy? is it broke?
[UPDATED]: Microsoft UEFI Signing Requirements
To strengthen the Secure Boot ecosystem and streamline signing turnaround, Microsoft is introducing enhanced UEFI signing requirements for all third-party submissions requesting signatures with Microsoft UEFI CAs (2011 and 2023) or the new Option ROM CA. These updates emphasize security assurance and interoperability across UEFI-enabled devices. Key changes include: Mandatory security audits: Annual independent reviews via the OCP SAFE program, with immediate audits for vulnerabilities or major code changes. Subsystem-based packaging: EFI Applications and Option ROMs must be submitted separately for proper certificate alignment; mixed packaging will be rejected. Stricter code eligibility: Only production-quality binaries, free of GPLv3 licensing, free of known vulnerabilities, and free of malware-prone components will be signed. Enhanced security posture: Requirements for NX compatibility, memory safety, and SBOM inclusion in PE sections are now enforced. Special handling for SHIM and iPXE: SHIM submissions require review board approval or SAFE audits; iPXE submissions must meet additional security criteria.
Portions of Threat Severity section missing in Intune policy
I was updating our Intune Antivirus policy today and noticed that the threat severity section is gone. When I saved the changes, I did another review of the Defender settings and they have been removed from the policy. Anyone else seeing this or know how to get them back?Cloud and AI Cost Efficiency: A Strategic Imperative for Long-Term Business Growth
In this blog, we’ll explore why cost efficiency is a top priority for organizations today, how Azure Essentials can help address this challenge, and provide an overview of Microsoft’s solutions, tools, programs, and resources designed to help organizations maximize the value of their cloud and AI investments.
Chrome extension managed storage policy
Hi there, I've developed a chrome extension and now we want to deploy it using Intune. Force install of extension works great but I can't pass managed data to the extension. Here is the scheme: { "type": "object", "properties": { "apiKey": { "title": "API Key", "description": "An API key to communicate with server.", "type": "string" } } } This is the policy that I created in Intune: OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~3rdparty~extensions~eagefwefpbjpewefliifpgfgoewfknnmk~policy Data type: String Value: {"apiKey":"mykey123"} But it doesn't appear in chrome://policy and when I get policies in my code with: const result = await chrome.storage.managed.get(null); The result is empty! What is the problem here? And how to fix it?
