Hi, my name is Thomas Maurer and I'm here with Michael Green, and we are going to talk about Azure Policy Guest Configuration to govern your hybrid environment. Hi, Michael. How are you doing these days? Hey. I'm doing very well. How are you? Doing well. I haven't talked to you for a while. I think I remember we had like two years ago, we had a very good conversation and then time was just flying. Man, I really miss conferences, like all the PowerShell conferences and Ignite and seeing people and sharing ideas, like I really miss this stuff. Yeah, absolutely. It's the same for me. I always get so much out of it, you learn so much, right? I'm just having all the hallway conversations. But I hope that this event or these videos especially can help obviously, the audience a little bit to get back on track and that we can share a little bit of deep technical content and make it bring a little bit back of the experience. Let's do it. That sounds great. I know many people watching this video already know you. You've been a part of Microsoft for a long time and you worked on some pretty cool stuff. But for those who don't know you, what are you working on? Yeah. I've been at Microsoft 16 and a half years and I've worked all over the company, but for the last five or six years, I've been working on desired state configuration. So we can think about that as whenever you deploy a server and we'll go on and on in the details about this, how do you guarantee the end state? How do you know what state it's in? I always think about IT operations as what do I have, what state is it in and what's going to happen when I change it. So for servers, this is a really big deal. How do I put a server somewhere and make sure it's in the right state? Across the evolution of DSC, we've seen of course DevOps and shifts to the Cloud and all these different scenarios. So the whole area has just been exploding. And by the way, the DSC community is just going great. Like it's self-sustaining. 
There's a website dedicated to the DSC community. All the DSC resources are now in a GitHub organization that's maintained by the community. If you don't know, there's a monthly call for the DSC community. There's always like 20 or 30 people on it talking about new ideas, how are things progressing? So that is really going well. And then our team is focusing on kind of the commercial side of that. Like what are the hardest problems we can tackle? How do we make life easier at scale? That kind of thing. So it's been exciting. Like I can't tell you how fast we've been moving and we're about to go even faster over the next couple of years. So I'm looking forward to it. Yeah, so that is actually great stuff. Like especially I love the desired state configuration part. I remember that when this came out and we saw the first stuff happening with desired state and DSC and how that helped to get these desired state configuration pushed out or pulled. That was like, I was like, okay, this is gonna be awesome. By the way, I'm just gonna put a teaser in here. Go out to the PowerShell repo, github.com/PowerShell/PowerShell, and look in the issues list. Maybe just search for DSC. There's some pretty good discussion going on there. And you yourself can very easily start to uncover what the near future of DSC is gonna look like just by doing some reading out there. There's some really good conversation and there's also a monthly call for PowerShell. So that's a good place to plug in. Yeah, PowerShell 7, there's some cool stuff coming. Yeah, I love what the team is doing. Like again, and that is also some great things about like the latest things and happening in Microsoft that we actually do that openly, right? Yes. Everyone can be part of it and can actually go out. You don't need even to be like necessarily writing code or anything, but you can also just provide your opinion on the things the teams and the community are doing. 
There's a lot of that going on in that repo and it applies directly to what we're gonna talk about today because you can go in and influence conversations and shape the direction of how this type of platform would be used for things like governance without saying like, well, I don't think, I think you should have a comma here, you know, that kind of thing. It's more like, well, no, here's how I anticipate using it. My requirements look like this and then we can go build things like we're gonna show today. So I'm pretty excited about the way that things work now. It's really fun. No, that's pretty cool. I remember the times when I started in IT and I was like, well, I saw a bug or saw something not working the way I wanted to work for me as a customer. I was like, how does Microsoft care about me, right? Like, why would I even tell them like, but actually, and since I'm like, for the last couple of years and especially also since I joined, I see like we are listening and it seems like it's so interesting to see like how impactful the customer feedback is. So that's true. You just made my next point for me already. And that's like, how do we know what to build first and how do we know what's most important? So our team also did a lot of work in the area of Arc and it's really, we've heard very clearly from customers that it's not all in the cloud. It's hybrid, right? And we have to have solutions that span, you know, both things that are happening in Azure and things that are outside of Azure. So in doing that, we did a lot of research into like, what do people really care about? What are the problems they need us to solve? We did a ton of surveys, talked about it to people. And, you know, one of the things that we found is that this whole area of governance is overwhelming. 
Like, and when I say governance, I mean, whether you've got to prove to auditors that like you meet these certain requirements and your servers, but it could be like you're part of a government agency. It could be that's part of healthcare or you're processing credit card transactions or I find more and more like these large enterprises, even if they don't have to legally like meet some compliance standard, they're still finding it's like the path of least resistance or the easiest way to reach server security is to go find a good industry baseline and just use that as a reference for what their server platform should look like. So we're on a quest to like, we really want it to be when you are using Azure, when you're using Arc, that should not be where you like getting your servers to meet those requirements or at least understanding what state they're in. This should not be 80% of your work week, right? This should be something that is just part of your flow. It's just part of how you deploy applications and we really want that to be true. That's the journey that we're on. Now that's like amazing, especially I was just thinking like when you talked about this and companies getting like doing the compliance stuff, I remember like a lot of companies who were just working on prem, like they basically just use something like group policy, right? And you were sitting out there building all these group policies for their environment. And it was just like a ton of work and it was pretty complex as well. It is obviously, if you build it in, it's obviously a good part, like it works now, right? One, you build it once, but now with that whole cloud and especially in a hybrid cloud world, things are really, really changing fast and you obviously need to tackle these challenges. Doesn't matter if it's in Azure or on premises or anywhere else, you will face these challenges and you need to have tools to manage that. 
This whole area, it's just turning into a scenario where we're finding that after machines are deployed into cloud environments, it's actually easier than the battles we were facing on premises because everything's addressable, right? It's all in Azure Resource Manager. So whether it's in Azure or outside of Azure, it's addressable via Azure Resource Manager. So now you can have Azure policy actually go, just sweep the estate and say, what's going on? How do I prove to auditors that everything is the way it should be? Well, if I just put the Arc agent on the machine or if I'm deploying it into Azure, I can just use Azure policy for all of that. So if you want, we can take a look at this and kind of see what this looks like. Absolutely, I would love to see more about that. Yeah, so let me do a screen share. Yep, it's here. Awesome. Yeah, so I'm in Azure policy. Now, if you want to do this on your own, you can just go to the portal and you can go to all resources and search for policy. You can see I've already marked that as one of my favorites. So it's right here on my table of contents. And I've already assigned this policy. So I'm looking at, we actually have one that's the Azure baseline for Windows. So Microsoft has a policy in Azure that includes 29 different definitions. And we're actually using a lot of customer feedback on this as well. We're about to introduce some improvements in this area. But it just has something like 300 settings where it's saying, this is what Microsoft recommends as security best practices for your Windows environments. We also have the same policy for Linux. And this is, by the way, like such a, this is where we're at in time type of thing to say that Microsoft is using Linux extensively. We use it for our own platforms. We've got lots going on in the world of Linux. We've got big investments in this area too. And so we actually have the Microsoft recommended best practices for Linux. 
Because we're working with lots of different Linux organizations and we're able to produce things like that. So for this one for Windows, I've actually used the policy interface. I've drilled in a little bit and I can see I'm looking specifically at things around user account control. And you can see I've got two machines, one's compliant, one's not compliant. And so I'm 50-50 on my compliance rating. If I click details, I can go in and view from the portal exactly what's going on. But one of the things that I wanted to show because not a lot of people know about it yet is if we think about this, this Windows machine should meet requirements for security options for user account control. There's more than one setting that's being evaluated here. You can view that in the portal and that's all documented. But one of the latest things we've got available, if I go look at the docs for Azure resource graph, I guess I could zoom in a little bit and maybe make this easier for you. So Azure resource graph is like a big data platform where you can view all your information about Azure and we've got examples both in the starter and advanced queries. You can see we've got three here that are specific to guest configuration. So if I do find all reasons a machine is non-compliant, I'm just copying and pasting that. It's addressable actually from the policy page. If I close this, and you can see here's that full list of policies that were in that baseline. It's right here under resource graph. That'll take me to this page. And I just copied and pasted that example. And here I made some small changes so it fits better on my screen share. But this is really awesome. Like for all of these settings, and you'll recognize a lot of this stuff from group policy, here's what I'm saying is for this machine, go find everything that was returned that included Azure baseline. And I've got like, what's the guest account status? Who's allowed to log on locally? 
All these different things that as you mentioned, you came from group policy. In the phrase column, I can see whether or not it was applicable. Then I can see like, what was the value it was expected to find? 'Cause this is ultimately some of these things, most of these things really are registry keys. What did it find? What was the comparison operator that it used? So if it's like, who can log on locally? I expected just administrators, but I found administrators, users, and probably backup operators. So compliance status returned false. And the challenge that I gave this team whenever we started looking at this is, hey, I've got two scenarios that we need to make easy here. One is I've got a problem. I think there's a zero day flaw and I need to go configure something that in the past was like group policy I used to manage it. And I just need to know across my entire estate in Azure, on premises, in Hyper-V, in VMware, in AWS, in Google Cloud, like no matter where the server lives, I need to know where have I gotta go fix this so that we're not vulnerable to this attack pattern. So you can use this and we'll take a look at like what that looks like, but you can use Azure policy across all these things. And you would just go in here. I mean, these results took 0.244 seconds to return to go find this information. It's just amazing. This is, to be honest, this what you just showed in the last couple of minutes, this to me looks really like group policies on steroids, right? Right, yeah. It's like centrally managed. I can use it for Windows. I can use it for Linux. I can use it wherever my machine is running. Doesn't matter if it's in Azure, if it's on premises, if it's like another cloud provider, it doesn't really matter and I can use it. What the great thing is I still, I just wanna make clear if I understood that correctly. So the rules you're just showing me, like this policy and all these settings, those are something we provide to our customers. 
Like if I'm a customer, I just get this, like, yes. Okay. Yes, so this one is, we think about this as built-in versus custom. And I'm gonna give you details how to create custom. And I'm also gonna give you details on zooming in on that group policy area. But this one, you didn't have to do anything. So you just go in, it's considered built-in. You're just gonna pick, you know, best practices for Windows. You assign the definition, easy peasy. That second scenario, so one is go find all the problems, go find one problem across all my machines. The second scenario is find all the problems with one machine. So, you know, here you can see all the results. I can filter this. I can go to just where compliance status is false. I can export this. And now even as an operations person, I can go to the application team who hosts the server and say, let's have a conversation about here are the settings that need to be corrected and we'll come up with a way for how. And that, by the way, is where our team is exploring for the next six months is the how. And I'm gonna take a look at that as well. So you might have seen back on this page when I was looking at my results that I've got, like we looked at earlier, one machine that's compliant, one machine that's not compliant. And it's compliant with every single policy. So like I said, 300 settings or so are being evaluated, split across 29 definitions. For every one of these, you see one machine's not compliant, but a total of two machines. That second machine that's showing compliant, that has been enrolled in our Automanage preview. So if you're taking a look, if you go back to the last Ignite session and take a look at the Azure Machine best practices, things like that, and we'll get some links available. So you can make the machine compliant with this. And by the way, this is just applying a DSC configuration under the hood, but it's using the guest configuration platform. 
So it doesn't interfere with anything you might have going on in Windows PowerShell DSC. This is using PowerShell Core side-loaded. So it doesn't interfere with anything that you're doing with DSC otherwise. And you can actually make your machine compliant with this environment. So we welcome taking part in that machine best practices preview and getting some feedback there. And then you mentioned group policy. So one of the things that really, we haven't had any Ignite events and things like that where we could talk about this. The last Ignite session that I did, I talked about, we wanted to start working on this area of helping people who, and they've been using group policy for like 20 years, literally just group policy has been around for 22 years in one month. And I know that because Server 2000 came out in December, 1999. And so people have all this trust, right? And they've got these complex environments around group policy. And they're wondering, if I start deploying machines in the cloud and they're not joined to a domain, how do I have that same level of trust as what I had whenever it was part of that environment? And so we have a page out here. If I scroll down under the how to guides under guest configuration, create guest configuration policy from group policy. And there was actually already a community tool called BaselineManagement. And I'm about to make a bunch of enhancements to this page. So maybe even by the time this goes live, some of these will have changed, but it tells you how to download and install the tool, how to do a conversion from group policy to guest configuration. And if you want to take the things that you're doing in your on-premises environment and make them part of this experience where you can see them in the Azure policy experience, you've got your data and resource graph, you can do that with the content that's coming from your own group policy environment as well. So there's a lot to see here. Oh, wow. 
Okay, so I'm just amazed, by the way, because I think a lot of people that haven't heard about this, I mean, this is like, so we get these policies, but obviously a lot of companies have invested into group policies already. So we gave them an option to actually convert these group policies to Azure policy guest configurations, so they can apply it and use that new tool. So when I would be responsible for managing compliance in an enterprise, this would be like, okay, so where can I get this? And I'm sure there's a kicker. I mean, the things you show me, they look like really good. And now the kicker usually is like, when I need to set this up, it probably takes me days. Yes, like five days, a couple of thousand lines of scripts you've got to go over. You have to extend your schema. No, no, no, that's all gone now. If you want, you can share your screen and we can take a look at it. This is really, really easy. Okay, we definitely can do that. So let me share my screen here. So we're gonna basically set up Azure guest configuration policy in my environment with, let's say, in my case, my Azure VMs are pretty secure. We have obviously some baselines, but I wanna do that for, I have a couple of on-premises machines here, which are also secure, and I wanna see how that works. Let's make it like the most complicated imaginable scenario, right? Like let's do Linux machines, they're on Arc, they're not even running in Azure. We wanna see what state they're in. Let's see if we can do that, so. I have all of that. So no worries. Okay, well, this sounds fun. Let's start by just clicking on policy. Okay. And I find there's a really good user experience here if you click on assignments. Okay, so this is like the usual Azure policy part. I know it from, we know it from Azure, right? And so I'm just gonna manage my assignments here. And let's do assign policy. Okay, perfect. And then, yep, for your policy definition, there's a nice search box that really makes life easy. 
And see that filter by name. Let's just type in Linux, maybe Linux machine. And it's funny, you know, since Arc, since we really started working with Arc, we can't say, we used to just say like Linux virtual machine, it used to roll off the tongue. And I could train myself to stop saying virtual because Arc, it might not be virtual, it might be physical. You can see we've got a bunch of definitions in here for audits. And if you keep scrolling down, you'll find Linux machines should meet requirements for the Azure security baseline. So let's just assign that. Okay, so that's equivalent to what I was looking at in Windows. Okay, okay, got it. So these are our recommended security baselines for the Linux machines. And this isn't making any changes inside the machine. This is just performing an audit. So there's no special identity you have to set up or anything like that. You should probably look at the scope. Like you can assign this, if you have hundreds of subscriptions, you can assign it to a management group and look across everything. If you want to go to a specific subscription or you can go down to a resource group. And you can even exclude specific machines if that's something that you need to do. Yeah, so I think for me, it makes sense to like, as I mentioned, we have, I have a resource group where I have all my Arc servers. Perfect. Yeah. I select that one. Okay. And what's next? Oh. Yeah, there you go. So by default, we don't include Arc machines. So we give you a dropdown list. So it's under your control. If you want to also include the Arc machines that you've projected into Azure, you just change this to true and that's it. Okay. So if I want to join my servers which, so this would, by default, it would only work for my Azure VMs, doesn't matter if it's Linux or Windows. But we're setting this to true now. It really goes out and does the Arc machines I just joined. Yes. Okay. So, and then I would just go and create this. Yep. Perfect. That's it. 
That is so stupid. That's the end of the demo. Right. Okay. I'm like, okay. So, but one interesting point, by the way, I mean, for me, obviously, worked a lot with Arc before. Can you explain a little bit for like, for people who haven't worked with Arc enabled servers yet? What they are and how we connect them. Like, how do they show up in the Azure Resource Manager? You bet. So, Arc is this really cool way of saying, what's going on outside of Azure? The whole idea, and this problem has existed for a long time. I mean, even across all the time that we've been working with System Center, people have been giving us the feedback. Isn't there some way that I could get the Operations Manager and Configuration Manager and Virtual Machine Manager and like all these different things to be managed just in a single way? Like, I have these individual installations. And so, we kind of took that to heart as we were looking at, how should we think about doing hybrid? And we also looked at, how did the existing hybrid services work? So, if you're looking across Azure Automation, Azure Monitor, they all had their own way of handling hybrid. It was like, if it's a Windows machine, okay, well, go get this URL and this key and here's a PowerShell script. However you wanna do that across 10,000 machines is up to you, right? You go figure that out. It's gotta be a better way to do this. Well, what if, because it's not so hard to do these things in Azure. Like once you've moved the machine into Azure, like you just go to the VM page and you say, I want to add this into monitoring or I go to the Azure Automation page and say, I want to add this to my configuration plan. So, my plan for how I'm gonna configure machines. So, how could we do that if it's outside of Azure? Well, the answer was it's so easy to do when it's in Azure because it's addressable through the API, Azure Resource Manager. 
I can just make a call and say, onboard this machine to Azure Automation or onboard this machine to monitoring. And so, what if we could do that outside of Azure, what that looked like? Well, we'd have to have some way to communicate with that machine. Okay, well, let's go back to our first problem. Let's solve that. Let's put one agent on the machine and it's just gonna be responsible for orchestrating everything. Whether you wanna do monitoring, patch management, configuration management, it's just gonna make sure that that's taken care of. And then part two, let's now project that as a resource into Azure. And that's how we'll actually solve part one because now we can use virtual machine extensions. Now we can just, we've got a path like literally an address path in rest to say, this is how you get through this machine. And I was working with a very large customer and somebody actually gave me what I thought was really insightful feedback. They're like, you know, when we were doing this on-prem all of these years, I had to think about, well, okay, how am I gonna run a script in VMware? How am I gonna run a script in Hyper-V? How am I gonna run a script if it's a physical machine? Like, what are all the different ways that I communicate with a machine? And then of course, you move to the cloud and it gets a little easier. What if you're multi-cloud? What if you're hybrid? How do you still do it? Well, this solves that problem. You don't have to move the machine, but you have a direct line of communication no matter what platform it's on. And if you use things like Azure policy, like what we were just looking at, you can just make it dynamic. You deploy a new machine, it just gets added in the scope and you're doing it automatically. It's pretty cool. This is really, really cool. I mean, I like that it's like, as you mentioned, I think that is a very important point was, it shows up as Azure resource, right? 
It's not just something we connected somehow in there like you would think of, right? It's so funny the first time you stand it up because it's a machine running on your laptop usually for the first time, right? And you put an agent on it, like you're doing a little proof of concept and like, does this really work the way I thought? And then you see it show up and it's in a resource group and it's got tags and there's an owner, right? And a location and you're like, how is this even possible? Like the machine's not in the cloud and it's just magic. Like I really love it. I think it's great. Yeah. Now I love that. Like, again, the example you just brought up with like, I actually joined systems which are not in Azure to a resource group, right? And then I can do all the magic with the policies, for example, like I just, like you just did, assigning these policies to a resource group and suddenly I get these applied to my servers and like running here underneath my desk or in my data center or wherever they are. There's been so much stuff going on the past couple of years like all of this new innovation in the area of hybrid management and it's really great to have a chance to go through it. And then, you know, hopefully there'll be upcoming conferences in person and at some point in the future we'll all get to do this face to face again. But yeah, this stuff is super, super exciting and it's amazing how fast it's changing. So absolutely. So this is now, this is now, I know you're probably not gonna answer my question now but since we are talking a little bit about the future. So, I mean, again, this is great. You showed me how I now can take Azure as a control plane. I can actually go out and audit and govern and see like my whole environment, like all my servers from a single control plane in Azure using Azure guest configuration policies. What is next for that? What is coming? I wanna know. Yeah, no, I get it. 
So I mentioned earlier, like we want this to be easy, right? So we want people to be able to say, if I'm managing the machines across my hybrid environment using Azure, it was easy to meet these governance requirements and knowing that that's like the highest priority to go solve because I'll tell you, we've been looking at this configuration management space for a long time. And as you get into these deeper and deeper specialized scenarios, like the work, even on the part of like building specialized things in every single environment just gets bigger and bigger and bigger. But together we can tackle this biggest problem, which is how do I make it easy to just meet these regulatory standards or to pass an audit and stuff like that? So we wanna seek out that problem first and then we'll continue to expand in the configuration space. So when I say make it easy in the past, I've said make it easy to know what's going on across my environment. And now I'm saying I wanna make it easy to pass those audits. I wanna make it easy to get all of my machines no matter where they're at into a state where they're meeting the requirements for governance. So over the next six months, one year, things like that, then we'll start to pull back the covers a little bit on what that's gonna look like, but I'm pretty excited. Like this is gonna be a really fun time. Yeah, I can imagine. I really, really like these features. Again, there's still a lot of customers who haven't really seen the stuff we just showed, right? That's right. And all the time I'm talking to someone who is responsible, especially for the people who are responsible for compliance. As you just said, like when you need to pass an audit, there's so many people like you have servers out there, systems which no one really knows about suddenly and they're not managed. No one knows if they're, like for what they're used and no one can know if they're not on the patch. 
Everyone has this horror story that they've dealt with in the past about this server that showed up out of nowhere. You know, it's been in a closet running for 20 years and nobody knew, like that kind of, it's so funny. But yes, you're absolutely right. Like we're still solving a lot of the same problems that we've been chasing for a long time and now it's finally getting easier. Yeah, no, that's awesome. I'm really looking forward to what the team is doing there and what you're coming up with. So obviously you showed us a couple of different cool stuff where people can go. So if I wanna learn more about this, where do I go? What page do you recommend? So I've got another one of those aka.ms short codes that we're also fond of. It's aka.ms/GCPOL: GC, like guest config, P-O-L, like policy. So GC-P-O-L. And that will take you to the starting of our docs page. And people, it's funny, like even at Microsoft all the time, they'll say, hey, where's your internal spec on this? I'm like, uh-uh. I put everything I can into that. If somebody asked me a question and it wasn't in the docs, step two was I go put it in the docs because it needs to be as transparent as possible. And we've got pages out there also on how to write a DSC script and create custom audits from that, how to do the same thing for Linux using Chef InSpec, how to convert from group policy. And as you can imagine, we've got a whole bunch of doc updates that we've gotta do over the next six months or so around things that are happening in PowerShell, around DSC, things that are evolving in guest config. So check back to that GCPOL page over the next three, four, five, six months and you'll be seeing some new stuff. So it's pretty exciting. Awesome, awesome. So thank you very much, Michael. It was a pleasure to talk to you. Again, I learned a lot during that session. For everyone here who wants to join more, learn more, obviously check out the link again, aka.ms/GCPOL, G-C-P-O-L, I hope I pronounced it correctly. 
And if you wanna watch more sessions of our event for our ITOps talk, All Things Hybrid Event, check out aka.ms/ITOpsTalks where you can find more sessions and more videos and all the good stuff. Thank you very much again for being here in the show. Hopefully see you in the future. Thank you for having me.