Forum Discussion

Pascal2
Occasional Reader
Nov 17, 2025

Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent

I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one.

Current Setup:

  • I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables:
    • Defender for Cloud Plan P2
    • Endpoint Protection
    • Agentless scanning
  • I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error.

What I’ve Tried:

  • For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines
  • For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider
  • Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No.

Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for:

  • All existing subscriptions
  • Any new subscriptions created in the future

Goal:

  • No manual intervention in Defender for Cloud portal
  • Fully automated via Azure Policy or another recommended approach

Questions:

  1. Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level?
  2. Are there ARM templates, Bicep modules, PowerShell scripts or REST API calls that can toggle these settings programmatically?
  3. Any best practices for ensuring compliance across multiple subscriptions?

Any help is much appreciated, and I'm looking forward to your expertise!
Thank you in advance.

Best Regards,

Pascal Slot

 
