Azure Policy is showing Compliant for other OS types as well

Bollapu vishnu Vardhan reddy3 140 Reputation points
2025-07-17T07:09:57.1133333+00:00

Hi Team,

We are trying to configure the Azure policy "Configure periodic checking for missing system updates on azure virtual machines" for Linux VMs only, by selecting the parameter as below.
[screenshot]

But when checking the compliance report, it is including Windows VMs as compliant. [On a side note: the remediation is not applied on Windows, which is expected.]
[screenshot]

But why are my Windows machines showing in the compliance report?

Azure Policy: An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-07-17T11:09:00+00:00

    Vishnu hi ))))

    Thanks for sharing the screenshots, it's super helpful to see what's going on ))

    So you've got this policy 'configure periodic checking for missing system updates' set up specifically for Linux VMs, right? The parameters show osType is set to automaticByPlatform, which is correct for Linux. But then Windows VMs are showing as compliant too... mm, that's not what we want %))

    Azure Policy compliance works in two phases:

    evaluation phase (where it checks resources)

    remediation phase (where it actually applies changes)

    What's happening here is that Windows VMs are passing the evaluation because... wait for it... they technically meet the policy conditions! The policy is checking if update assessment is configured, and Windows VMs already have their own update mechanisms in place. So they're 'compliant' by default, even though you didn't target them ))

    To fix this, we need to tweak the policy assignment:

    Go to your policy assignment in the Azure portal

    Look for the 'resource selectors' section (you can see it in your first screenshot)

    Add a new selector that explicitly filters for Linux VMs only

    Here's a quick PowerShell snippet to check the current assignment:

    Get-AzPolicyAssignment -Name 'your_policy_name' | Select-Object -ExpandProperty Properties

    And if you want to get fancy with ARM templates, you can add this condition:

    "condition": "[equals(field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType'), 'Linux')]"

    Also check this: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#resource-selectors

    Btw, this isn't just an Azure thing; any cloud platform would have similar evaluation quirks. Worth looking into tag-based filtering too, it might help in other scenarios )

    Try updating the assignment with proper selectors and give it some time to re-evaluate. The Windows VMs should drop off the compliant list soon enough. If they don't... well, then we've got ourselves a proper mystery to solve ))

    Keep me posted on how it goes.

    Best regards,

    Alex

    And "yes", if you would follow me at Q&A, personally thanks.
    P.S. If my answer helped you, please accept my answer.
    

    https://ctrlaltdel.blog/
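An added example, not code from the question or from the answer above: a PowerShell script that pulls the latest compliance records for one assignment and joins each virtual machine record to the VM's actual osDisk.osType, so you can see which Windows VMs the assignment is reporting, and with which state, before changing anything. It assumes the Az.Accounts, Az.Compute, Az.Resources and Az.PolicyInsights modules are installed, that Connect-AzAccount has been run against the right subscription, and that the assignment name (not its display name) is passed in; the script file name and parameter names are placeholders chosen for this example.

```powershell
# Added example, not from the question or the answer: join Azure Policy compliance
# records for one assignment to each VM's OS type. Assumes Az.Accounts, Az.Compute,
# Az.Resources and Az.PolicyInsights are installed and Connect-AzAccount has been run.
# Usage (file name is a placeholder):
#   .\Get-AssignmentComplianceByOs.ps1 -AssignmentName '<assignment name>'
param(
    [Parameter(Mandatory = $true)]
    [string] $AssignmentName,   # the assignment's name (often a GUID), not its display name
    [string] $Scope             # optional; defaults to the current subscription context
)

# 1. Dump the assignment as stored: parameters (osType, assessmentMode, ...), resource
#    selectors and overrides. Serialising the whole object avoids depending on whether
#    this Az.Resources version nests them under .Properties or flattens them.
$assignment = if ($Scope) { Get-AzPolicyAssignment -Name $AssignmentName -Scope $Scope }
              else        { Get-AzPolicyAssignment -Name $AssignmentName }
'== Assignment as stored =='
$assignment | ConvertTo-Json -Depth 10

# 2. Resource ID -> OS type for every VM in the subscription (built at run time).
$osByVmId = @{}
foreach ($vm in Get-AzVM) {
    $osByVmId[$vm.Id.ToLowerInvariant()] = [string] $vm.StorageProfile.OsDisk.OsType
}

# 3. Latest compliance record per resource for this assignment, VM records only.
#    -eq is case-insensitive, so the lowercased type in policy state records matches.
$states = Get-AzPolicyState -Filter "PolicyAssignmentName eq '$AssignmentName'" -Top 5000 |
          Where-Object { $_.ResourceType -eq 'Microsoft.Compute/virtualMachines' }

$report = foreach ($state in $states) {
    $id = $state.ResourceId.ToLowerInvariant()
    [pscustomobject]@{
        Vm              = ($id -split '/')[-1]
        OsType          = if ($osByVmId.ContainsKey($id)) { $osByVmId[$id] } else { 'unknown (VM not found)' }
        ComplianceState = $state.ComplianceState
        Evaluated       = $state.Timestamp
    }
}

'== Evaluated VMs by OS type =='
$report | Sort-Object OsType, ComplianceState, Vm | Format-Table -AutoSize

# 4. The records behind the question: Windows VMs this assignment reports as Compliant.
$windowsCompliant = @($report | Where-Object { $_.OsType -eq 'Windows' -and $_.ComplianceState -eq 'Compliant' })
"Windows VMs reported Compliant by '$AssignmentName': $($windowsCompliant.Count)"
$windowsCompliant | Format-Table -AutoSize
```

Resource selectors on an assignment filter on resource type and location (selector kinds resourceLocation, resourceType and resourceWithoutLocation), not on a VM's operating system; OS targeting for this policy comes from the osType parameter and the definition's own if condition, which is why the script reads the OS from the VM resource instead of from the assignment. Any Windows VM that appears in the report at all was matched by the definition's if block and evaluated. Run the script before and after changing the assignment and compare the two reports; new compliance records only appear once the next evaluation after the update has completed.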

