How to publish custom guest configuration package artifacts

Before you begin, it's a good idea to read the overview page for guest configuration.

Guest configuration custom .zip packages must be stored in a location that is accessible via HTTPS by the managed machines. Examples include GitHub repositories, an Azure Repo, Azure storage, or a web server within your private datacenter.

Configuration packages that support Audit and AuditandSet are published the same way. There isn't a need to do anything special during publishing based on the package mode.

Publish a configuration package

The preferred location to store a configuration package is Azure Blob Storage. There are no special requirements for the storage account, but it's a good idea to host the file in a region near your machines. If you prefer to not make the package public, you can include a SAS token in the URL or implement a service endpoint for machines in a private network.

If you don't have a storage account, use the following example to create one.

# Creates a new resource group, storage account, and container
New-AzResourceGroup -name myResourceGroupName -Location ChinaNorth
New-AzStorageAccount -ResourceGroupName myResourceGroupName -Name mystorageaccount -SkuName 'Standard_LRS' -Location 'chinanorth' | New-AzStorageContainer -Name guestconfiguration -Permission Blob

To publish your configuration package to Azure blob storage, you can follow the below steps which leverages the Az.Storage module.

First, obtain the context of the storage account in which the package will be stored. This example creates a context by specifying a connection string and saves the context in the variable $Context.

$Context = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=ContosoGeneral;AccountKey=< Storage Key for ContosoGeneral ends with == >;"

Next, add the configuration package to the storage account. This example uploads the zip file ./MyConfig.zip to the blob "guestconfiguration".

Set-AzStorageBlobContent -Container "guestconfiguration" -File ./MyConfig.zip -Blob "guestconfiguration" -Context $Context

Optionally, you can add a SAS token in the URL, this ensures that the content package will be accessed securely. The below example generates a blob SAS token with full blob permission and returns the full blob URI with the shared access signature token.

$contenturi = New-AzStorageBlobSASToken -Context $Context -FullUri -Container guestconfiguration -Blob "guestconfiguration" -Permission rwd 

Next steps

• Test the package artifact from your development environment.
• Use the GuestConfiguration module to create an Azure Policy definition for at-scale management of your environment.
• Assign your custom policy definition using Azure portal.
• Learn how to view compliance details for guest configuration policy assignments.