
Custom Guest Configuration policies fail when cloned via the Azure Portal.

Kushi Yadav 40 Reputation points
2026-04-29T11:26:32.19+00:00

I am trying to create a custom version of a Guest Configuration policy by clicking 'Duplicate definition' in the Azure Portal. After I assign this new policy to my virtual machines, they all show a status of 'NonCompliant', even though the settings on the machines are correct. What is the reason?

Azure Policy


Answer accepted by question author

Suchitra Suregaunkar 13,785 Reputation points Microsoft External Staff Moderator
2026-04-29T12:56:38.76+00:00

Hello @Kushi Yadav

Thank you for posting your query on the Microsoft Q&A platform.

When you use “Duplicate definition” in the Azure Portal for a Guest Configuration policy, the portal does not correctly preserve the guestConfiguration metadata block (such as contentUri, contentHash, name, or version).

Because of this, the duplicated policy cannot correctly map to the original Guest Configuration package, so the Guest Configuration service treats the assignment as invalid. As a result, all assigned VMs are evaluated as NonCompliant, even though their actual configuration is correct.

• Guest Configuration policies rely on a precise metadata section (metadata.guestConfiguration) to link the policy to the underlying configuration package.
• The portal “Duplicate definition” action does not reliably clone this metadata, which breaks compliance evaluation.
• This is a known limitation with portal-based duplication for Guest Configuration policies.

Microsoft supports creating custom Guest Configuration policies by:

• Authoring or exporting the policy JSON (using PowerShell / CLI)
• Ensuring the guestConfiguration metadata (including content URI and hash) is preserved exactly

The New-GuestConfigurationPolicy PowerShell cmdlet is designed to generate this metadata correctly and avoids this issue.

Please have a look at the resolution below:

Instead of using the portal, duplicate the policy definition using the Policy Insights API. The following PowerShell sample can copy the policy definition, including the metadata, using Az.Resources 7.3.0 or higher.

```powershell
# Duplicates the built-in policy that audits Windows machines for pending reboots (Az.Resources 7.3.0+).
$def = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/4221adbc-5c0f-474f-88b7-037a99e6114c"

# -Depth 15 on every conversion keeps the nested metadata.guestConfiguration block intact; the default depth of 2 truncates it.
New-AzPolicyDefinition -Name (New-Guid).Guid `
    -DisplayName "$($def.DisplayName) (Copy)" `
    -Description $def.Description `
    -Metadata ($def.Metadata | ConvertTo-Json -Depth 15) `
    -Parameter ($def.Parameter | ConvertTo-Json -Depth 15) `
    -Policy ($def.PolicyRule | ConvertTo-Json -Depth 15)
```

Thanks,

Suchitra.

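Because the failure mode described in the accepted answer is a silently altered or missing metadata.guestConfiguration block, it is worth verifying the copy before assigning it anywhere. The following PowerShell check is an added example, not part of the answer above or of any Microsoft tooling; it assumes Az.Resources 7.3.0 or higher (definition properties exposed directly on the object) and an existing Az login, and the copy name is a placeholder for the GUID that New-AzPolicyDefinition returned.

```powershell
# Added check (not from the answer above): confirm that a duplicated Guest Configuration policy
# still carries the exact metadata.guestConfiguration block of its source definition.
# Assumes Az.Resources 7.3.0+ and an authenticated Az session; the copy name is a placeholder.

function Test-GuestConfigMetadataCopy {
    param(
        [Parameter(Mandatory)] [string] $SourceId,   # resource ID of the built-in definition
        [Parameter(Mandatory)] [string] $CopyName    # name of the custom definition created from it
    )

    $source = Get-AzPolicyDefinition -Id $SourceId
    $copy   = Get-AzPolicyDefinition -Name $CopyName

    $srcGc = $source.Metadata.guestConfiguration
    $cpyGc = $copy.Metadata.guestConfiguration

    $problems = @()
    if ($null -eq $cpyGc) {
        $problems += 'metadata.guestConfiguration is missing from the copy'
        return $problems
    }

    # These fields are what the Guest Configuration service uses to locate and validate the package.
    foreach ($field in 'name', 'version', 'contentType', 'contentUri', 'contentHash') {
        $expected = $srcGc.$field
        $actual   = $cpyGc.$field
        if ($expected -ne $actual) {
            $problems += "$field differs: source='$expected' copy='$actual'"
        }
    }

    # Compare the whole block as compact JSON so that anything outside the field list
    # (for example configurationParameter entries) is caught as well.
    $srcJson = $srcGc | ConvertTo-Json -Depth 15 -Compress
    $cpyJson = $cpyGc | ConvertTo-Json -Depth 15 -Compress
    if ($srcJson -ne $cpyJson) {
        $problems += 'guestConfiguration block differs from source; compare the full JSON of both definitions'
    }

    return $problems
}

$issues = Test-GuestConfigMetadataCopy `
    -SourceId '/providers/Microsoft.Authorization/policyDefinitions/4221adbc-5c0f-474f-88b7-037a99e6114c' `
    -CopyName '<guid-returned-by-New-AzPolicyDefinition>'

if ($issues.Count -eq 0) {
    Write-Host 'guestConfiguration metadata preserved; assignments should evaluate normally.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run this once after creating the copy and before creating any assignment; a non-empty result means the copy will produce the NonCompliant-everywhere symptom from the question, and the definition should be recreated from the exported JSON rather than assigned.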
