Azure Guest Configuration Policy – Part 2 – Assigning the Policy

In part 1 of the Azure Guest Configuration Policy series I walked through the process of creating a custom guest policy using a DSC configuration. In this post, I’ll walk through the output of the guest policy publishing process and how to assign the new initiative to a target scope in an Azure subscription.

Continue reading

Azure Policy Guest Configuration – Part 1 – Creating a Custom Policy

I’ve been working quite a bit with custom Azure Policy Guest Configuration lately, and after encountering a few early bumps I’ve become a big fan. Guest Configuration policies are quite flexible, which in essence gives you the ability to bring almost anything we can do in PowerShell and/or DSC into Azure Policy. Very cool!

The first two use cases I’ve worked on were as follows:

  1. Audit base OS hardening compliance for Windows VMs in Azure.
  2. Audit antimalware compliance for Windows Vms in Azure.

Creating the Guest Configuration Package

For part 1 of this post, let’s focus on use case #1. To accomplish this use case, you’ll use the Microsoft Security Configuration Baseline as the base DSC template by converting the GPO provided in the “BaselineManagement” module to PowerShell DSC. This step is described in detail in Microsoft’s “Convert Group Policy into DSC” quickstart documentation.

Continue reading

“fatal: Authentication Failed” Error When Running Git Push From VSCode To Github with 2FA Enabled

While working on some custom guest policy in VSCode today (posts coming on that soon!) I came across an issue that I hadn’t encountered previously. While attempting to push my code to my Github repository, I encountered a “fatal: Authentication failed for <repo URL>” error. Of course I tried to retype my username and password multiple times, and even reset my password on Github, but to no avail. After a bit of research, I came across an article that saved me quite a bit of time in troubleshooting. In short, I had recently enabled 2FA on my Github account, which was causing my authentication via username and password to fail (which makes sense). The workaround for this issue is actually quite simple, and involves creating an access token in your Github settings and using that token as your password when prompted during a push from VSCode.

In the name of not reinventing the wheel and taking credit for others work, this article outlines the process step by step.

Hopefully this saves other some troubleshooting time, and remember to store your token somewhere secure!

Azure Monitor Guest OS Metrics and Alerting Explained

The proper way to alert on Azure hosted VM guest OS metrics in Azure Monitor is a topic that is repeatedly raised when our engineers and developers start to configure alerting for their applications. In most cases, Log Analytics is enabled for each subscription (DevOps model), in addition to the base metrics available at the resource level for each VM. There is of course the option to enable guest OS diagnostic logs for extended performance metrics as well, so without some background into how these capabilities work under the hood it can be quite confusing to figure out from which tool metrics are generated and which metrics to use when configuring alerts in Azure Monitor Alerts.

Let’s start with the basics:

Continue reading

Speeding up Azure PowerShell scripting with Azure Resource Graph

I was recently working with Azure Graph using the Az.ResourceGraph PowerShell module to query resources across our Azure tenant to test the speed compared to traditional Azure PowerShell scripts I’ve written in the past. Let’s just say I will never go back to traditional Azure PowerShell for scenarios where Azure Graph is an option moving forward!  My original Azure PowerShell script took several minutes to finish looping through all of the our subscriptions to finally output a full list of VMs in the tenant. Simply replacing this section of the script with an Azure Graph query reduced the run time to seconds! 

Continue reading

Schedule an Azure Automation Runbook Using Minutes

I was working with a customer recently and we realized that when using the “Schedule” functionality the most granular re-occurrence interval available is 1 hour.  In this particular case, we needed to check service status every 5 minutes and send the data to Log Analytics to alert and trigger a remediation runbook, so 1 hour would not suffice.  I had recently spoken with a member of the product group around a custom Log Analytics solution and specifically remembered him saying that his runbook was running every 5 minutes….so I was off to investigate.

Continue reading

Monitor and Recover Stopped Automatic Services with Log Analytics

Update: This can now be accomplished using the Change Tracking and Inventory solution as well (see here).

I was working with a customer recently and one of the asks was to configure Log Analytics to monitor for stopped automatic services on servers throughout the environment.  Since I first posted this blog updates have been made to the Change Tracking and Inventory solution which allow for 1 minute collection intervals, and therefore using Log Analytics becomes an option for a simpler configuration to accomplish this task. The following query can be used for a simple service stopped alert:

Continue reading

How to escape double quotes in ARM templates

This will be a very short post, but it’s something that drove me crazy while adding OMS deployment and configuration to my automated deployment and configuration of our internal application and underlying infrastructure using PowerShell, PowerShell DSC and ARM templates.  As a part of this deployment, I wanted to include saved queries which are required to create alerts, but I was unable to figure out how to escape the double quotes needed in OMS search for queries such as the following:


Continue reading