Built-in Policy Release 35e62e5d (#1338)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json

@@ -1,12 +1,13 @@
 {
   "properties": {
-    "displayName": "Windows machines should use the default NTP server",
+    "displayName": "[Deprecated]: Windows machines should use the default NTP server",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.0.0",
+      "version": "1.1.0-deprecated",
+      "deprecated": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +16,7 @@
         "version": "1.*"
       }
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -39,7 +40,7 @@
           "AuditIfNotExists",
           "Disabled"
         ],
-        "defaultValue": "AuditIfNotExists"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -239,6 +240,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json

@@ -3,10 +3,10 @@
     "displayName": "Windows machines should configure Windows Defender to update protection signatures within one day",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
+    "description": "To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.0.0",
+      "version": "1.0.1",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +15,7 @@
         "version": "1.*"
       }
     },
-    "version": "1.0.0",
+    "version": "1.0.1",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -239,6 +239,7 @@
       }
     },
     "versions": [
+      "1.0.1",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json

@@ -3,10 +3,10 @@
     "displayName": "Windows machines should enable Windows Defender Real-time protection",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
+    "description": "Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.0.0",
+      "version": "1.0.1",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +15,7 @@
         "version": "1.*"
       }
     },
-    "version": "1.0.0",
+    "version": "1.0.1",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -263,6 +263,7 @@
       }
     },
     "versions": [
+      "1.0.1",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json

@@ -1,12 +1,13 @@
 {
   "properties": {
-    "displayName": "Windows machines should schedule Windows Defender to perform a scheduled scan every day",
+    "displayName": "[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol.",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.2.0",
+      "version": "1.3.0-deprecated",
+      "deprecated": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +16,7 @@
         "version": "1.11.*"
       }
     },
-    "version": "1.2.0",
+    "version": "1.3.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -39,7 +40,7 @@
           "AuditIfNotExists",
           "Disabled"
         ],
-        "defaultValue": "AuditIfNotExists"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -261,6 +262,7 @@
       }
     },
     "versions": [
+      "1.3.0",
       "1.2.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium",
+    "displayName": "[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium",
     "policyType": "BuiltIn",
-    "description": "Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommanded for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -21,7 +22,7 @@
           "Deny",
           "Disabled"
         ],
-        "defaultValue": "Audit"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -52,6 +53,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows",
+    "displayName": "[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows",
     "policyType": "BuiltIn",
-    "description": "Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommanded to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -21,7 +22,7 @@
           "Deny",
           "Disabled"
         ],
-        "defaultValue": "Audit"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -52,6 +53,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)",
+    "displayName": "[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)",
     "policyType": "BuiltIn",
-    "description": "Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -21,7 +22,7 @@
           "Deny",
           "Disabled"
         ],
-        "defaultValue": "Audit"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -46,6 +47,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection",
+    "displayName": "[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection",
     "policyType": "BuiltIn",
-    "description": "Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -21,7 +22,7 @@
           "Deny",
           "Disabled"
         ],
-        "defaultValue": "Audit"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -46,6 +47,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json

@@ -1,14 +1,15 @@
 {
   "properties": {
-    "displayName": "Azure firewall policy should enable TLS inspection within application rules",
+    "displayName": "[Deprecated]: Azure firewall policy should enable TLS inspection within application rules",
     "policyType": "BuiltIn",
-    "description": "Enabling TLS inspection is recommended for all application rules to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "All",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -21,7 +22,7 @@
           "Deny",
           "Disabled"
         ],
-        "defaultValue": "Audit"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -54,6 +55,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json

@@ -1,18 +1,19 @@
 {
   "properties": {
-    "displayName": "Subscription should configure the Azure Firewall Premium to provide additional layer of protection",
+    "displayName": "[Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection",
     "policyType": "BuiltIn",
-    "description": "Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium",
+    "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "mode": "All",
     "metadata": {
-      "version": "1.0.0",
-      "category": "Network"
+      "version": "1.1.0-deprecated",
+      "category": "Network",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
-        "defaultValue": "AuditIfNotExists",
+        "defaultValue": "Disabled",
         "allowedValues": [
           "AuditIfNotExists",
           "Disabled"
@@ -48,6 +49,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },