Azure Policy to deploy VM application is success when run on our Resource group, but app is not installed

rajesh.john 0

We are attempting to install software agents on our VM's in Azure (looking for something similar to aws systems manager and state manager)

Azure Policy that has VM application defined on it runs fine and also completes with success, but application is not installed on it...

Where can i find the logs for this azure policy remediations ?

1 answer

Pavan Minukuri 205 Reputation points Microsoft Vendor

2024-11-08T19:37:05.25+00:00

Hi rajesh.john,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

To troubleshoot the installation of software agents on your Azure VMs using Azure Policy, you can find logs related to policy remediations in several places within the Azure portal. Here’s where to look for logs and troubleshoot your Azure Policy remediation tasks:
Azure Portal - Policy Compliance:

Navigate to the Azure Portal.
Go to Policy and select Assignments.
Locate the specific policy assignment related to your VM applications.
Click on the assignment to view its compliance state. This will show which resources are compliant or non-compliant.

Activity Log:
In the Azure Portal, go to Monitor > Activity Log.
Filter the logs by resource type (e.g., Virtual Machines) and the specific time frame during which you executed the policy.
Look for events related to policy evaluations and remediation actions.

Guest Configuration Logs (for Guest Configuration Policies):

If using Guest Configuration policies, check the logs on the VM itself. The Guest Configuration extension logs are typically located at: C:\Windows\Logs\Azure\GuestConfiguration

These logs provide insights into whether the Guest Configuration agent was able to apply the desired settings or install applications.
Azure Automation Runbook Logs:
If you are using Azure Automation runbooks to handle installations based on policy compliance, check the output of those runbooks in the Azure Automation account.

Go to Automation Accounts, select your account, then navigate to Jobs under Process Automation to see details of each runbook execution.

For better understanding please refer attached link: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/software-installation-using-machine-configuration-and-azure-policy/3695636

If you have any further queries, do let us know. If the Answer is helpful, please click "Accept Answer".
Please sign in to rate this answer.
Pavan Minukuri 205 Reputation points Microsoft Vendor

2024-11-11T16:19:04.5966667+00:00

Hi rajesh.john,
We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Thank You.!

rajesh.john 0 Reputation points

2024-11-12T14:23:48.4066667+00:00

Thanks for details on finding logs for these various resources used in this Azure policy..

I am still not getting this application installed on VM via Azure policy, does it help if i share my azure policy here?

My goal is to install this application via azure policy on VMs when this appllication is not found on our VMs

Regards

Rajesh

Pavan Minukuri 205 Reputation points Microsoft Vendor

2024-11-12T17:55:19.7466667+00:00

Hi rajesh.john,
Thanks for replying back,
To install an application on Azure Virtual Machines (VMs) when it is not found, you can utilize Azure Policy, specifically the DeployIfNotExists policy effect. This approach automates the installation process and ensures compliance across your VMs. Here’s a structured guide on how to achieve this:

Steps to Install Applications via Azure Policy

1.Create an Azure Policy Definition

You need to define a policy that checks for the existence of the application on your VMs. The policy should specify the application you want to ensure is installed.

Policy Type: Use DeployIfNotExists, which deploys the application if it is not already present.

Target Resource Type: Specify Microsoft.Compute/virtualMachines as the resource type.

Here’s an example of what your policy definition might look like in JSON format:

json

{

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",

"contentVersion": "1.0.0.0",

"parameters": {

"vmName": { "type": "string" }

},

"resources": [

{ "type": "Microsoft.Compute/virtualMachines/VMapplications", "name": "[concat(parameters('vmName'), '/YourApplicationName')]", "properties": { // Application properties here } }

],

"effect": "DeployIfNotExists"

}

Assign the Policy

Once your policy is defined, you need to assign it to the appropriate scope, such as a resource group or subscription. During assignment, ensure that the managed identity used has sufficient permissions to deploy applications.

Use Guest Configuration

To audit compliance and trigger installations, leverage Azure’s Guest Configuration feature. This allows you to check if specific software is installed on your VMs:

Create a Guest Configuration policy that audits for the application.

Set up an Event Grid subscription to listen for state change events related to compliance.

Automation with Azure Automation Runbooks

To automate the installation process when a VM is found non-compliant:

Create an Azure Automation runbook that will execute a script to install the application.

Use PowerShell commands within the runbook to perform the installation.

For instance, you can use:

powershell

Invoke-AzVMRunCommand -ResourceGroupName 'YourResourceGroup' -VMName 'YourVM' -CommandId 'RunPowerShellScript' -ScriptPath 'path/to/your/install-script.ps1'

Remediation Task

For existing VMs that may not have the application installed, create a remediation task:

Navigate to your policy assignment in Azure Policy.

Select Create Remediation Task and choose the relevant policy.

This task will evaluate existing VMs and trigger the installation of the application where necessary.

Monitoring Compliance

After implementing these steps, monitor compliance through the Azure portal. The Guest Configuration service will report back on whether each VM is compliant with the policy.

For better understand please go through attached referral link: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/software-installation-using-azure-policy-state-change-events/2420515

If you required anything, please let us know. Thank you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Policy to deploy VM application is success when run on our Resource group, but app is not installed

1 answer

Your answer