Hi,
I have the below Azure Policy to install Microsoft Antimalware:
{
  "properties": {
    "displayName": "Ent-Non-Prod-Antimalware-Win-10",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "createdBy": "c82bad04-55c7-46f0-9944-d5c5edbf914b",
      "createdOn": "2019-10-16T00:40:49.2829054Z",
      "updatedBy": "c82bad04-55c7-46f0-9944-d5c5edbf914b",
      "updatedOn": "2019-10-16T23:58:24.5242162Z"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "field": "Microsoft.Compute/imagePublisher", "in": ["microsoftvisualstudio", "MicrosoftWindowsServer"] },
          { "field": "Microsoft.Compute/imageOffer", "in": ["WindowsServer", "Windows"] },
          {
            "field": "Microsoft.Compute/imageSKU",
            "in": [
              "2008-R2-SP1",
              "2008-R2-SP1-smalldisk",
              "2012-Datacenter",
              "2012-Datacenter-smalldisk",
              "2012-R2-Datacenter",
              "2012-R2-Datacenter-smalldisk",
              "2016-Datacenter",
              "2016-Datacenter-Server-Core",
              "2016-Datacenter-Server-Core-smalldisk",
              "2016-Datacenter-smalldisk",
              "2016-Datacenter-with-Containers",
              "2016-Datacenter-with-RDSH",
              "2019-Datacenter",
              "2019-Datacenter-Core",
              "2019-Datacenter-Core-smalldisk",
              "2019-Datacenter-Core-with-Containers",
              "2019-Datacenter-Core-with-Containers-smalldisk",
              "2019-Datacenter-smalldisk",
              "2019-Datacenter-with-Containers-smalldisk",
              "2019-Datacenter-zhcn",
              "Windows-10-N-x64"
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "IaaSAntimalware" },
              { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Azure.Security" }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": { "type": "string" },
                  "location": { "type": "string" },
                  "ExclusionsPaths": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": { "description": "Semicolon delimited list of file paths or locations to exclude from scanning" }
                  },
                  "ExclusionsExtensions": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": { "description": "Semicolon delimited list of file extensions to exclude from scanning" }
                  },
                  "ExclusionsProcesses": {
                    "type": "string",
                    "defaultValue": "",
                    "metadata": { "description": "Semicolon delimited list of process names to exclude from scanning" }
                  },
                  "RealtimeProtectionEnabled": {
                    "type": "string",
                    "defaultValue": "true",
                    "metadata": { "description": "Indicates whether or not real time protection is enabled (default is true)" }
                  },
                  "ScheduledScanSettingsIsEnabled": {
                    "type": "string",
                    "defaultValue": "false",
                    "metadata": { "description": "Indicates whether or not custom scheduled scan settings are enabled (default is false)" }
                  },
                  "ScheduledScanSettingsScanType": {
                    "type": "string",
                    "defaultValue": "Quick",
                    "metadata": { "description": "Indicates whether scheduled scan setting type is set to Quick or Full (default is Quick)" }
                  },
                  "ScheduledScanSettingsDay": {
                    "type": "string",
                    "defaultValue": "7",
                    "metadata": { "description": "Day of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)" }
                  },
                  "ScheduledScanSettingsTime": {
                    "type": "string",
                    "defaultValue": "120",
                    "metadata": { "description": "When to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM." }
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'),'/IaaSAntimalware')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "apiVersion": "2015-06-15",
                    "properties": {
                      "publisher": "Microsoft.Azure.Security",
                      "type": "IaaSAntimalware",
                      "typeHandlerVersion": "1.3",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AntimalwareEnabled": true,
                        "RealtimeProtectionEnabled": "[parameters('RealtimeProtectionEnabled')]",
                        "ScheduledScanSettings": {
                          "isEnabled": "[parameters('ScheduledScanSettingsIsEnabled')]",
                          "day": "[parameters('ScheduledScanSettingsDay')]",
                          "time": "[parameters('ScheduledScanSettingsTime')]",
                          "scanType": "[parameters('ScheduledScanSettingsScanType')]"
                        },
                        "Exclusions": {
                          "Extensions": "[parameters('ExclusionsExtensions')]",
                          "Paths": "[parameters('ExclusionsPaths')]",
                          "Processes": "[parameters('ExclusionsProcesses')]"
                        }
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "vmName": { "value": "[field('name')]" },
                "location": { "value": "[field('location')]" },
                "RealtimeProtectionEnabled": { "value": "true" },
                "ScheduledScanSettingsIsEnabled": { "value": "true" }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/Enterprise-NonProduction-EMG-v01/providers/Microsoft.Authorization/policyDefinitions/f37e3ed9-a0e1-4637-8ab6-bb4dd1f9889a",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f37e3ed9-a0e1-4637-8ab6-bb4dd1f9889a"
}
However, I spun up a new 2016-Datacentre VM and it does not have the extension. How do I troubleshoot this? What is the issue?
Azure Policy is the correct tag, but since it was not there I chose the closest one, Azure Virtual Machine.
Please assist.
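
Added example (not part of the original post): a small evaluator for the policy's `if` block that reports which clauses a given VM fails, so you can tell whether the VM is in scope at all. It covers only the `allOf`, `equals` and `in` operators used in the posted rule, says nothing about assignment or whether the deployment ran, and the `vm` helper and sample image values are constructed for illustration.

```python
# Added example: which clauses of the posted policy's "if" block reject a VM?
# Azure Policy compares strings case-insensitively for "equals" and "in".
POLICY_IF = {"allOf": [   # copied from the policy in the post
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "Microsoft.Compute/imagePublisher",
     "in": ["microsoftvisualstudio", "MicrosoftWindowsServer"]},
    {"field": "Microsoft.Compute/imageOffer", "in": ["WindowsServer", "Windows"]},
    {"field": "Microsoft.Compute/imageSKU", "in": [
        "2008-R2-SP1", "2008-R2-SP1-smalldisk", "2012-Datacenter",
        "2012-Datacenter-smalldisk", "2012-R2-Datacenter",
        "2012-R2-Datacenter-smalldisk", "2016-Datacenter",
        "2016-Datacenter-Server-Core", "2016-Datacenter-Server-Core-smalldisk",
        "2016-Datacenter-smalldisk", "2016-Datacenter-with-Containers",
        "2016-Datacenter-with-RDSH", "2019-Datacenter", "2019-Datacenter-Core",
        "2019-Datacenter-Core-smalldisk", "2019-Datacenter-Core-with-Containers",
        "2019-Datacenter-Core-with-Containers-smalldisk",
        "2019-Datacenter-smalldisk", "2019-Datacenter-with-Containers-smalldisk",
        "2019-Datacenter-zhcn", "Windows-10-N-x64"]},
]}

def failing_conditions(cond, resource):
    """Return (field, actual value) for every leaf condition the resource fails."""
    if "allOf" in cond:
        return [f for c in cond["allOf"] for f in failing_conditions(c, resource)]
    actual = resource.get(cond["field"])
    folded = (actual or "").lower()          # missing field never matches
    if "equals" in cond:
        ok = folded == cond["equals"].lower()
    elif "in" in cond:
        ok = folded in {v.lower() for v in cond["in"]}
    else:
        raise ValueError(f"operator not handled by this example: {cond}")
    return [] if ok else [(cond["field"], actual)]

def vm(publisher, offer, sku):
    """Field view of a VM built from its imageReference values (hypothetical helper)."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/imagePublisher": publisher,
            "Microsoft.Compute/imageOffer": offer,
            "Microsoft.Compute/imageSKU": sku}

if __name__ == "__main__":
    samples = {  # constructed sample VMs
        "listed image": vm("MicrosoftWindowsServer", "WindowsServer", "2016-Datacenter"),
        "unlisted sku": vm("MicrosoftWindowsServer", "WindowsServer", "2016-datacenter-gensecond"),
        "custom image": vm(None, None, None),  # no marketplace image reference
    }
    for name, res in samples.items():
        print(name, "->", failing_conditions(POLICY_IF, res) or "in scope")
```

Feed it the publisher, offer and SKU from the VM's actual `imageReference`; an empty result means the `if` block matches and the cause lies elsewhere.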