Forum Discussion
Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
Hi, Qualys is not deprecated; Defender Vulnerability Management is the recommended evolution. In Defender for Cloud the recommendation “Deploy Defender Vulnerability Management” invokes an API that installs the VM extension, but if you've disabled Endpoint protection the sensor doesn't onboard and remains “inactive.” To make them compliant you have to actually deploy the VM extension Microsoft Defender for Vulnerability Management (or the Qualys extension) on all machines, either manually or via Azure Policy, making sure the Log Analytics agent is active. After a few minutes the status will change to “Healthy.”
- sof_brad, May 07, 2025, Copper Contributor
Hello Michele,
Since we have Defender for Endpoint disabled as a product at the subscription level (issues with it on some VMs that could not be resolved), what actual VM-level extension do we need deployed?
We have this policy configured to deploy the vulnerability assessment to the VMs using the mdeTvm option. Would the solution be to change it to "default", which would deploy Qualys?

```json
{
  "properties": {
    "displayName": "CORP : Configure machines to receive a vulnerability assessment provider",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.",
    "metadata": {
      "category": "Security Center",
      "createdBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
      "createdOn": "2025-04-16T21:45:24.1691704Z",
      "updatedBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
      "updatedOn": "2025-04-16T22:32:54.705415Z"
    },
    "version": "1.0.0",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
        "allowedValues": [ "DeployIfNotExists", "Disabled" ],
        "defaultValue": "DeployIfNotExists"
      },
      "vaType": {
        "type": "String",
        "metadata": { "displayName": "Vulnerability assessment provider type", "description": "Select the vulnerability assessment solution to provision to machines." },
        "allowedValues": [ "default", "mdeTvm" ],
        "defaultValue": "default"
      }
    },
    "policyRule": {
      "if": {
        "anyof": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "allOf": [
              { "field": "type", "equals": "Microsoft.HybridCompute/machines" },
              { "field": "tags", "notContainsKey": "MDFCSecurityConnector" }
          ] }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
          "evaluationDelay": "PT60M",
          "existenceCondition": {
            "anyOf": [
              { "field": "Microsoft.Security/assessments/status.code", "equals": "NotApplicable" },
              { "allOf": [
                  { "field": "Microsoft.Security/assessments/status.code", "equals": "Healthy" },
                  { "field": "Microsoft.Security/assessments/status.cause", "equals": "[parameters('vaType')]" }
              ] }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "parameters": {
                  "vmName": { "type": "String" },
                  "resourceType": { "type": "string" },
                  "vaType": { "type": "string" }
                },
                "variables": {
                  "resourceNameAndVaType": "[concat(parameters('vmName'), '/Microsoft.Security/', parameters('vaType'))]"
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  },
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
                    "type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  }
                ]
              },
              "parameters": {
                "vmName": { "value": "[field('name')]" },
                "resourceType": { "value": "[field('type')]" },
                "vaType": { "value": "[parameters('vaType')]" }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ]
        }
      }
    },
    "versions": [ "1.0.0" ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/CORP-Root-Management/providers/Microsoft.Authorization/policyDefinitions/101da161-9792-4b63-9672-4514662807be",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "101da161-9792-4b63-9672-4514662807be",
  "systemData": {
    "createdBy": "email address removed for privacy reasons",
    "createdByType": "User",
    "createdAt": "2025-04-16T21:45:24.1427793Z",
    "lastModifiedBy": "email address removed for privacy reasons",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2025-04-16T22:32:54.6617065Z"
  }
}
```
- micheleariis, May 08, 2025, MCT
Hi, since Defender for Endpoint is disabled, the mdeTvm option won’t onboard anything (it relies on the MDE sensor). To make your VMs compliant, change the policy’s vaType to “default”; this deploys the Qualys VM extension to all machines. Alternatively, you could manually install the Microsoft Defender for Vulnerability Management extension, but it still requires the Defender sensor to be active.
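To see why the vaType parameter matters, the following added example (not code from the thread) models the existenceCondition of the custom policy posted above and runs it over constructed assessment states. It shows that the DeployIfNotExists effect treats a machine as compliant only when the assessment is Healthy and its status.cause equals the assigned vaType, so a machine with Qualys installed and reporting still evaluates as non-compliant while the assignment says mdeTvm; the assessment states and machine names are constructed samples, and the evaluator supports only the operators this policy uses.

```python
# Existence condition copied from the custom policy in the thread.
EXISTENCE_CONDITION = {
    "anyOf": [
        {"field": "Microsoft.Security/assessments/status.code", "equals": "NotApplicable"},
        {"allOf": [
            {"field": "Microsoft.Security/assessments/status.code", "equals": "Healthy"},
            {"field": "Microsoft.Security/assessments/status.cause", "equals": "[parameters('vaType')]"},
        ]},
    ]
}

def resolve(value, params):
    """Resolve a [parameters('x')] policy expression; other values pass through unchanged."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def evaluate(cond, fields, params):
    """Evaluate an anyOf/allOf/field-equals condition tree against assessment fields.
    Operator names are matched case-insensitively, as the policy above spells 'anyof' in lowercase."""
    keys = {k.lower(): k for k in cond}
    if "anyof" in keys:
        return any(evaluate(c, fields, params) for c in cond[keys["anyof"]])
    if "allof" in keys:
        return all(evaluate(c, fields, params) for c in cond[keys["allof"]])
    if "field" in keys and "equals" in keys:
        return fields.get(cond[keys["field"]]) == resolve(cond[keys["equals"]], params)
    raise ValueError(f"unsupported condition: {cond}")

def is_compliant(assessment, va_type):
    """True when DeployIfNotExists sees the assessment as present and stops redeploying."""
    fields = {
        "Microsoft.Security/assessments/status.code": assessment["code"],
        "Microsoft.Security/assessments/status.cause": assessment["cause"],
    }
    return evaluate(EXISTENCE_CONDITION, fields, {"vaType": va_type})

# Constructed sample assessment states (hypothetical machine names).
SAMPLE_VMS = {
    "vm-mde-inactive": {"code": "Unhealthy", "cause": "mdeTvm"},    # MDE disabled: sensor never onboarded
    "vm-qualys-ok": {"code": "Healthy", "cause": "default"},         # Qualys extension deployed and reporting
    "vm-excluded": {"code": "NotApplicable", "cause": ""},           # machine the assessment does not cover
}

def compliance_report(vms, va_type):
    """Map each machine to its compliance result under the given vaType assignment."""
    return {name: is_compliant(a, va_type) for name, a in vms.items()}
```

Running compliance_report(SAMPLE_VMS, "mdeTvm") versus compliance_report(SAMPLE_VMS, "default") shows the Qualys-backed machine flipping from non-compliant to compliant purely because of the assignment parameter.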