{
    "properties": {

      "mode": "Indexed",
      "description": "This policy adds a system-assigned managed identity to Azure Windows VMs",
      "metadata": {
        "category": "Guest Configuration"
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "field": "Microsoft.Compute/imagePublisher",
                "equals": "MicrosoftWindowsServer"
              },
              {
                "field": "Microsoft.Compute/imageSKU",
                "notLike": "2008*"
              },

            {
              "anyOf": [
                {
                  "field": "identity.type",
                  "exists": "false"
                },
                {
                  "field": "identity.type",
                  "equals": "None"
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
              {
                "operation": "addOrReplace",
                "field": "identity.type",
                "value": "SystemAssigned"
              }
            ]
          }
        }
      }
    }
  }