Skip to content

Add TSG: AzStackHci_Security_AsrRuleGPConflict (ASR rule Group Policy conflict)#321

Open
1008covingtonlane wants to merge 2 commits into
Azure:mainfrom
1008covingtonlane:tsg-security-asr-gpconflict
Open

Add TSG: AzStackHci_Security_AsrRuleGPConflict (ASR rule Group Policy conflict)#321
1008covingtonlane wants to merge 2 commits into
Azure:mainfrom
1008covingtonlane:tsg-security-asr-gpconflict

Conversation

@1008covingtonlane

Copy link
Copy Markdown
Collaborator

What

Adds an Environment Validator TSG for the Security check AzStackHci_Security_AsrRuleGPConflict (validator function Test-AsrRuleGPConflict).

The check reports when Windows Defender Attack Surface Reduction (ASR) rules are also managed by Group Policy. On Azure Local the Defender configuration is meant to be governed by the platform OSConfig security baseline; an ASR rule set through Group Policy overrides it, and that conflict can cause a Solution Update to fail.

Key points the TSG documents

  • Read the Detail and Severity, not the Status. This validator is informational and always reports a SUCCESS status; the actionable state is a WARNING severity with a Detail that reads Group Policy-managed ASR settings were found ... Configured entries: <RuleName> (<guid>) Scope(s)=[<scope>].
  • Where it appears: the HealthCheckResult JSON (AdditionalData.Detail), Event ID 17205 on AzStackHciEnvironmentChecker, and the Azure portal Updates/readiness view. Plus a direct read of the exact surface the check uses (RSoP: root\rsop\computer / RSOP_RegistryPolicySetting under the ASR \Rules key).
  • Identify the affected nodes and scopes across the cluster, and resolve a reported domain scope to the owning GPO (gpresult /h).
  • Remediation: remove the ASR configuration from every reported Group Policy scope (domain GPO via GPMC, or the local group policy via gpedit.msc), gpupdate /force, and let the OSConfig security baseline manage Defender ASR again. A "start here" most-common-fix lead is included; it is a config change only and does not restart nodes or bounce running VMs.
  • Verification: the RSoP query returns no ASR rows and Invoke-SolutionUpdatePrecheck -SystemHealth re-evaluates cluster-wide.
  • Cross-links the Azure Local secure-baseline (OSConfig) and security-features docs. Note: the aka.ms link the check itself prints does not currently resolve, so the TSG documents the remediation directly.

Includes a README index entry and a bottom Glossary (ASR, OSConfig baseline, RSoP, scope/SOM).

… conflict)

Environment Validator security check that reports when Windows Defender Attack
Surface Reduction (ASR) rules are also managed by Group Policy, which overrides the
OSConfig-managed Defender baseline and can cause a Solution Update to fail. Status is
always SUCCESS; the actionable signal is a WARNING severity + the Detail. Documents
detection (read the Detail/Severity + the RSoP surface), how to identify the affected
nodes and the owning GPO, remediation (remove the ASR config from every reported Group
Policy scope so the OSConfig baseline applies), and verification. Adds a README index entry.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new Environment Validator troubleshooting guide (TSG) documenting the Security check AzStackHci_Security_AsrRuleGPConflict (validator Test-AsrRuleGPConflict). The check flags when Windows Defender Attack Surface Reduction (ASR) rules are managed by Group Policy on Azure Local, which conflicts with the platform's OSConfig security baseline and can cause a Solution Update to fail. The TSG explains detection (reading AdditionalData.Detail/Severity rather than the always-SUCCESS Status), RSoP-based identification of affected nodes/scopes, remediation (removing ASR from the reported GPO/local policy), and verification. It fits the existing TSG/EnvironmentValidator collection and is indexed from that folder's README.

Against the codebase this is consistent with established patterns: the HealthCheckResult.EnvironmentChecker.*.json path, Event ID 17205, leading-wildcard name filtering, and the Invoke-SolutionUpdatePrecheck -SystemHealth verification flow all match existing TSGs. The PowerShell (RSoP CIM queries, $using: scoping in Invoke-Command, ASR rule GUIDs, and OSConfig setting names) is technically sound, and links are Microsoft docs without version references.

Changes:

  • New TSG Troubleshoot-AzStackHci_Security_AsrRuleGPConflict.md covering detection, node/scope identification, remediation, verification, and a glossary.
  • README index entry linking to the new TSG.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
TSG/EnvironmentValidator/Troubleshoot-AzStackHci_Security_AsrRuleGPConflict.md New Security validator TSG for ASR/Group Policy conflicts; content and PowerShell verified against existing TSG conventions.
TSG/EnvironmentValidator/README.md Adds the index entry; link target matches the new filename.

…eGPConflict)

Address the Copilot review: name the validator function in a metadata table right after the
H1 (Name / Validator-test / Component / Severity), matching the sibling
Troubleshooting-Software-IsNotPartofDomain.md and TSG/Templates/Troubleshoot-Template.md, so
readers can correlate the check with how to run it (Invoke-AzStackHciSecurityValidation).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants