Azure-VirtualMachines-Managed-VM-Machine-Image

Severity : High

Description: This control ensures that Virtual Machines are created from a managed image, that is, an image captured from a generalized VM. A managed image is the way to give a fleet a consistent baseline: the OS patch level, agents, logging configuration and host hardening are applied once, in the source VM, and every VM deployed or scaled out from the image inherits them instead of having them re-applied (or forgotten) per instance. A managed image resource is created from a generalized VM whose OS disk is stored either as a managed disk or as an unmanaged disk in a storage account; the resulting image is itself a managed resource in the chosen resource group. Deploying from it is fast and repeatable, and the application stack on each new VM starts from the same reviewed state.

Remediation Steps:

Perform the following to create a managed VM image:

Generalize the VM to create a managed image. Generalizing removes machine-specific state (hostname, SSH host keys, the provisioning user, cached credentials) and a VM that has been generalized cannot be started again, so do this on a dedicated build VM rather than a production one, and snapshot or back up the VM first if you might need it:

  1. Connect to the Virtual Machine.

  2. Run the deprovisioning command on the VM:

    1. For a Linux VM, run "sudo waagent -deprovision+user" (the +user suffix also deletes the last provisioned user account and its home directory; use plain -deprovision to keep it).

    2. For a Windows VM, open a command prompt, delete the Panther directory (C:\Windows\Panther), change directory to %windir%\system32\sysprep, and run sysprep.exe. In the System Preparation Tool dialog box, select Enter System Out-of-Box Experience (OOBE), select the Generalize check box, and choose Shutdown as the shutdown option.

  3. Shut down the VM.

Create Managed Image from the VM :

  1. Login to Azure Portal using https://portal.azure.com.

  2. Navigate to Virtual Machines.

  3. Select the VM from the list.

  4. On the Virtual Machine page, select Capture. This opens the Create an image page.

  5. For Share image to Azure compute gallery, select No, capture only a managed image.

  6. Select the resource group.

  7. Enter a Name for the managed image.

  8. To allow the image to be used in any availability zone, select On for Zone resiliency.

  9. Select Create to create the image.
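The control text says what to build but not how to find the VMs that fail it. The following is an added example, not part of the Blue Hexagon control text: it classifies each VM by where its OS image came from, using the JSON shape that `az vm list -o json` returns (storageProfile.imageReference), and reports the ones not built from a managed image. The sample VM list, its resource IDs, the subscription GUID and the file name audit_vm_images.py are constructed placeholders; the choice to accept Azure Compute Gallery images as compliant by default is an assumption to adjust to your own policy.

```python
# Added example (not part of the Blue Hexagon control text): audit which VMs
# were built from a managed image, using the JSON shape that `az vm list -o json`
# returns. The sample below is constructed for the example; resource IDs, VM
# names and the subscription GUID are placeholders.
import json
import re
import sys

# Resource-ID shapes for the two image kinds that count as a curated baseline.
# A managed image lives directly under Microsoft.Compute/images; a Compute
# Gallery reference points at galleries/<g>/images/<def>[/versions/<ver>].
MANAGED_IMAGE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Compute/images/[^/]+$",
    re.IGNORECASE,
)
GALLERY_IMAGE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Compute"
    r"/galleries/[^/]+/images/[^/]+(?:/versions/[^/]+)?$",
    re.IGNORECASE,
)

# Constructed sample mimicking `az vm list -o json` (only the fields read below).
SAMPLE_VMS = json.loads("""
[
  {"name": "web-01",
   "storageProfile": {"imageReference": {
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/images-rg/providers/Microsoft.Compute/images/hardened-ubuntu-2204"}}},
  {"name": "web-02",
   "storageProfile": {"imageReference": {
     "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
     "sku": "22_04-lts-gen2", "version": "latest"}}},
  {"name": "db-01",
   "storageProfile": {"imageReference": {
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/images-rg/providers/Microsoft.Compute/galleries/corpgallery/images/hardened-win2022/versions/1.2.0"}}},
  {"name": "legacy-01",
   "storageProfile": {"imageReference": null,
                      "osDisk": {"osType": "Windows", "createOption": "Attach"}}}
]
""")


def classify_image_source(vm: dict) -> str:
    """Return where the VM's OS image came from: managed-image, gallery-image,
    marketplace, shared-gallery, unknown-id or none (attached existing disk)."""
    ref = (vm.get("storageProfile") or {}).get("imageReference") or {}
    image_id = ref.get("id")
    if image_id:
        if MANAGED_IMAGE_RE.match(image_id):
            return "managed-image"
        if GALLERY_IMAGE_RE.match(image_id):
            return "gallery-image"
        return "unknown-id"
    if ref.get("publisher") and ref.get("offer") and ref.get("sku"):
        return "marketplace"          # platform image, no organisation baseline
    if ref.get("sharedGalleryImageId") or ref.get("communityGalleryImageId"):
        return "shared-gallery"       # someone else's gallery; treated as a finding here
    return "none"                     # e.g. VM attached to an existing OS disk


def audit(vms: list, allow_gallery: bool = True) -> list:
    """Evaluate each VM against the control. Gallery images are accepted by
    default (assumption: a gallery is how a curated baseline is usually
    distributed); pass allow_gallery=False for a strict managed-image-only
    reading of the control."""
    findings = []
    for vm in vms:
        source = classify_image_source(vm)
        ok = source == "managed-image" or (allow_gallery and source == "gallery-image")
        findings.append({"vm": vm.get("name"), "source": source, "compliant": ok})
    return findings


def noncompliant(vms: list, allow_gallery: bool = True) -> list:
    """Names of VMs that fail the control, sorted for stable reporting."""
    return sorted(f["vm"] for f in audit(vms, allow_gallery) if not f["compliant"])


if __name__ == "__main__":
    # Pipe real data in with:  az vm list -o json | python3 audit_vm_images.py
    vms = SAMPLE_VMS if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(vms):
        print(f"{f['vm']:<12} {f['source']:<14} {'PASS' if f['compliant'] else 'FAIL'}")
```

Run stand-alone it evaluates the constructed sample; piped the output of az vm list it evaluates the real subscription. A VM with no imageReference at all (an OS disk attached from a snapshot or migrated disk) is reported as a finding, since nothing proves it shares the baseline. The remediation steps above can be scripted with the same CLI instead of the portal: az vm deallocate, then az vm generalize on the deprovisioned VM, then az image create --source <vm name or ID> with --zone-resilient true for the zone-resiliency option in step 8.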


Blue Hexagon Proprietary