Add TSG: AzStackHci_Security_AsrRuleGPConflict (ASR rule Group Policy conflict)#321
Add TSG: AzStackHci_Security_AsrRuleGPConflict (ASR rule Group Policy conflict)#3211008covingtonlane wants to merge 2 commits into
Conversation
… conflict) Environment Validator security check that reports when Windows Defender Attack Surface Reduction (ASR) rules are also managed by Group Policy, which overrides the OSConfig-managed Defender baseline and can cause a Solution Update to fail. Status is always SUCCESS; the actionable signal is a WARNING severity + the Detail. Documents detection (read the Detail/Severity + the RSoP surface), how to identify the affected nodes and the owning GPO, remediation (remove the ASR config from every reported Group Policy scope so the OSConfig baseline applies), and verification. Adds a README index entry.
There was a problem hiding this comment.
Pull request overview
This PR adds a new Environment Validator troubleshooting guide (TSG) documenting the Security check AzStackHci_Security_AsrRuleGPConflict (validator Test-AsrRuleGPConflict). The check flags when Windows Defender Attack Surface Reduction (ASR) rules are managed by Group Policy on Azure Local, which conflicts with the platform's OSConfig security baseline and can cause a Solution Update to fail. The TSG explains detection (reading AdditionalData.Detail/Severity rather than the always-SUCCESS Status), RSoP-based identification of affected nodes/scopes, remediation (removing ASR from the reported GPO/local policy), and verification. It fits the existing TSG/EnvironmentValidator collection and is indexed from that folder's README.
Against the codebase this is consistent with established patterns: the HealthCheckResult.EnvironmentChecker.*.json path, Event ID 17205, leading-wildcard name filtering, and the Invoke-SolutionUpdatePrecheck -SystemHealth verification flow all match existing TSGs. The PowerShell (RSoP CIM queries, $using: scoping in Invoke-Command, ASR rule GUIDs, and OSConfig setting names) is technically sound, and links are Microsoft docs without version references.
Changes:
- New TSG
Troubleshoot-AzStackHci_Security_AsrRuleGPConflict.mdcovering detection, node/scope identification, remediation, verification, and a glossary. - README index entry linking to the new TSG.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| TSG/EnvironmentValidator/Troubleshoot-AzStackHci_Security_AsrRuleGPConflict.md | New Security validator TSG for ASR/Group Policy conflicts; content and PowerShell verified against existing TSG conventions. |
| TSG/EnvironmentValidator/README.md | Adds the index entry; link target matches the new filename. |
…eGPConflict) Address the Copilot review: name the validator function in a metadata table right after the H1 (Name / Validator-test / Component / Severity), matching the sibling Troubleshooting-Software-IsNotPartofDomain.md and TSG/Templates/Troubleshoot-Template.md, so readers can correlate the check with how to run it (Invoke-AzStackHciSecurityValidation).
What
Adds an Environment Validator TSG for the Security check
AzStackHci_Security_AsrRuleGPConflict(validator functionTest-AsrRuleGPConflict).The check reports when Windows Defender Attack Surface Reduction (ASR) rules are also managed by Group Policy. On Azure Local the Defender configuration is meant to be governed by the platform OSConfig security baseline; an ASR rule set through Group Policy overrides it, and that conflict can cause a Solution Update to fail.
Key points the TSG documents
Group Policy-managed ASR settings were found ... Configured entries: <RuleName> (<guid>) Scope(s)=[<scope>].AdditionalData.Detail), Event ID 17205 onAzStackHciEnvironmentChecker, and the Azure portal Updates/readiness view. Plus a direct read of the exact surface the check uses (RSoP:root\rsop\computer/RSOP_RegistryPolicySettingunder the ASR\Ruleskey).gpresult /h).gpedit.msc),gpupdate /force, and let the OSConfig security baseline manage Defender ASR again. A "start here" most-common-fix lead is included; it is a config change only and does not restart nodes or bounce running VMs.Invoke-SolutionUpdatePrecheck -SystemHealthre-evaluates cluster-wide.aka.mslink the check itself prints does not currently resolve, so the TSG documents the remediation directly.Includes a README index entry and a bottom Glossary (ASR, OSConfig baseline, RSoP, scope/SOM).