Azure Machine Configuration extension

2025-09-04

The Machine Configuration extension performs audit and configuration operations inside virtual machines (VMs).

To check policies inside VMs, such as Azure compute security baseline definitions for Linux and Windows, the Machine Configuration extension must be installed.

Prerequisites

To enable your VM to authenticate to the Machine Configuration service, your VM must have a system-assigned managed identity. You can satisfy the identity requirement for your VM by setting the "type": "SystemAssigned" property:

"identity": {
   "type": "SystemAssigned"
}

Operating systems

Operating system support for the Machine Configuration extension is the same as documented operating system support for the end-to-end solution.

Internet connectivity

The agent installed by the Machine Configuration extension must be able to reach content packages listed by guest configuration assignments, and report status to the Machine Configuration service. The VM can connect by using outbound HTTPS over TCP port 443, or a connection provided through private networking.

To learn more about private networking, see the following articles:

Install the extension

You can install and deploy the Azure Machine Configuration extension directly from the Azure portal, Azure CLI or PowerShell.

Open the Azure portal.
In the search box, enter Virtual machines and then select Virtual machines to display the list of available VMs.
Select the virtual machines you want to use.
In the search box of virtual machine page, enter Extensions+applications and then select it.
Click on Add in the extensions page.
In the search box of extension page, enter Azure Machine Configuration extension for Windows or Azure Machine Configuration extension for Linux based on the OS type and select it.
Click Next and then select Review + create to install the extension.
Once validation passes, select Create.
Once installation finishes, you can see AzurePolicyforWindows or AzurePolicyforLinux extension installed in the extension page.

To deploy the extension for Linux:

az vm extension set  --publisher Microsoft.GuestConfiguration --name ConfigurationForLinux --extension-instance-name AzurePolicyforLinux --resource-group <myResourceGroup> --vm-name <myVM> --enable-auto-upgrade true

To deploy the extension for Windows:

az vm extension set  --publisher Microsoft.GuestConfiguration --name ConfigurationforWindows --extension-instance-name AzurePolicyforWindows --resource-group <myResourceGroup> --vm-name <myVM> --enable-auto-upgrade true

To deploy the extension for Linux:

Set-AzVMExtension -Publisher 'Microsoft.GuestConfiguration' -ExtensionType 'ConfigurationForLinux' -Name 'AzurePolicyforLinux' -TypeHandlerVersion 1.0 -ResourceGroupName '<myResourceGroup>' -Location '<myLocation>' -VMName '<myVM>' -EnableAutomaticUpgrade $true

To deploy the extension for Windows:

Set-AzVMExtension -Publisher 'Microsoft.GuestConfiguration' -ExtensionType 'ConfigurationforWindows' -Name 'AzurePolicyforWindows' -TypeHandlerVersion 1.0 -ResourceGroupName '<myResourceGroup>' -Location '<myLocation>' -VMName '<myVM>' -EnableAutomaticUpgrade $true

Deployment templates

Deployment templates are also available for Azure Resource Manager (ARM), Bicep, and Terraform. For deployment template details, see Microsoft.GuestConfiguration guestConfigurationAssignments.

Note

In the following deployment examples, replace <placeholder> parameter values with specific values for your configuration.

Deployment considerations

Before you install and deploy the Machine Configuration extension, review the following considerations.

Instance name. When you install the Machine Configuration extension, the instance name of the extension must be set to AzurePolicyforWindows or AzurePolicyforLinux. The security baseline definition policies described earlier require these specific strings.
Versions. By default, all deployments update to the latest version. The value of the autoUpgradeMinorVersion property defaults to true unless otherwise specified. This feature helps to alleviate concerns about updating your code when new versions of the Machine Configuration extension are released.
Automatic upgrade. The Machine Configuration extension supports the enableAutomaticUpgrade property. When this property is set to true, Azure automatically upgrades to the latest version of the extension as future releases become available. For more information, see Automatic Extension Upgrade for VMs and Virtual Machine Scale Sets in Azure.
Azure Policy. To deploy the latest version of the Machine Configuration extension at scale including identity requirements, follow the steps in Create a policy assignment to identify noncompliant resources. Create the following assignment with Azure Policy:
- Deploy prerequisites to enable Guest Configuration policies on virtual machines
Other properties. You don't need to include any settings or protected-settings properties on the Machine Configuration extension. The agent retrieves this class of information from the Azure REST API Guest Configuration assignment resources. For example, the ConfigurationUri, Mode, and ConfigurationSetting properties are each managed per-configuration rather than on the VM extension.

ARM template

To deploy the extension for Linux:

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('VMName'), '/AzurePolicyforLinux')]",
  "apiVersion": "2020-12-01",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.GuestConfiguration",
    "type": "ConfigurationForLinux",
    "typeHandlerVersion": "1.0",
    "autoUpgradeMinorVersion": true,
    "enableAutomaticUpgrade": true, 
    "settings": {},
    "protectedSettings": {}
  }
}

To deploy the extension for Windows:

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('VMName'), '/AzurePolicyforWindows')]",
  "apiVersion": "2020-12-01",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.GuestConfiguration",
    "type": "ConfigurationforWindows",
    "typeHandlerVersion": "1.0",
    "autoUpgradeMinorVersion": true,
    "enableAutomaticUpgrade": true, 
    "settings": {},
    "protectedSettings": {}
  }
}

Bicep template

To deploy the extension for Linux:

resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-03-01' existing = {
  name: 'VMName'
}
resource windowsVMGuestConfigExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-01' = {
  parent: virtualMachine
  name: 'AzurePolicyforLinux'
  location: resourceGroup().location
  properties: {
    publisher: 'Microsoft.GuestConfiguration'
    type: 'ConfigurationForLinux'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
    enableAutomaticUpgrade: true
    settings: {}
    protectedSettings: {}
  }
}

To deploy the extension for Windows:

resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-03-01' existing = {
  name: 'VMName'
}
resource windowsVMGuestConfigExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-01' = {
  parent: virtualMachine
  name: 'AzurePolicyforWindows'
  location: resourceGroup().location
  properties: {
    publisher: 'Microsoft.GuestConfiguration'
    type: 'ConfigurationforWindows'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
    enableAutomaticUpgrade: true
    settings: {}
    protectedSettings: {}
  }
}

Terraform template

To deploy the extension for Linux:

resource "azurerm_virtual_machine_extension" "gc" {
  name                       = "AzurePolicyforLinux"
  virtual_machine_id         = "<myVMID>"
  publisher                  = "Microsoft.GuestConfiguration"
  type                       = "ConfigurationForLinux"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = "true"
}

To deploy the extension for Windows:

resource "azurerm_virtual_machine_extension" "gc" {
  name                       = "AzurePolicyforWindows"
  virtual_machine_id         = "<myVMID>"
  publisher                  = "Microsoft.GuestConfiguration"
  type                       = "ConfigurationforWindows"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = "true"
}

Error messages

The following table lists possible error messages related to enabling the Guest Configuration extension.

Error code	Description
NoComplianceReport	The VM hasn't reported the compliance data.
GCExtensionMissing	The Machine Configuration (guest configuration) extension is missing.
ManagedIdentityMissing	The managed identity is missing.
UserIdentityMissing	The user-assigned identity is missing.
GCExtensionManagedIdentityMissing	The Machine Configuration (guest configuration) extension and managed identity are missing.
GCExtensionUserIdentityMissing	The Machine Configuration (guest configuration) extension and user-assigned identity are missing.
GCExtensionIdentityMissing	The Machine Configuration (guest configuration) extension, managed identity, and user-assigned identity are missing.

Next steps

For more information about the Machine Configuration extension, see Understand Azure Machine Configuration.
For more information about how the Linux Agent and extensions work, see Virtual machine extensions and features for Linux.
For more information about how the Windows Guest Agent and extensions work, see Virtual machine extensions and features for Windows.
To install the Windows Guest Agent, see Azure Virtual Machine Agent overview.
To install the Linux Agent, see Understanding and using the Azure Linux Agent.

Feedback

Was this page helpful?

Share via

Azure Machine Configuration extension

Prerequisites

Operating systems

Internet connectivity

Install the extension

Feedback

Additional resources