Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
Hello Michele,
Since we have Defender for Endpoint disabled as a product at the subscription level (there were issues with it on some VMs that could not be resolved), what actual VM-level extension do we need deployed?
We have this policy configured to deploy the vulnerability assessment to the VMs using the mdeTvm option. Would the solution be to change it to "default", which would deploy Qualys?
{
"properties": {
"displayName": "CORP : Configure machines to receive a vulnerability assessment provider",
"policyType": "Custom",
"mode": "Indexed",
"description": "Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.",
"metadata": {
"category": "Security Center",
"createdBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
"createdOn": "2025-04-16T21:45:24.1691704Z",
"updatedBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
"updatedOn": "2025-04-16T22:32:54.705415Z"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"vaType": {
"type": "String",
"metadata": {
"displayName": "Vulnerability assessment provider type",
"description": "Select the vulnerability assessment solution to provision to machines."
},
"allowedValues": [
"default",
"mdeTvm"
],
"defaultValue": "default"
}
},
"policyRule": {
"if": {
"anyof": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "tags",
"notContainsKey": "MDFCSecurityConnector"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Security/assessments",
"name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
"evaluationDelay": "PT60M",
"existenceCondition": {
"anyOf": [
{
"field": "Microsoft.Security/assessments/status.code",
"equals": "NotApplicable"
},
{
"allOf": [
{
"field": "Microsoft.Security/assessments/status.code",
"equals": "Healthy"
},
{
"field": "Microsoft.Security/assessments/status.cause",
"equals": "[parameters('vaType')]"
}
]
}
]
},
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"contentVersion": "1.0.0.0",
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"parameters": {
"vmName": {
"type": "String"
},
"resourceType": {
"type": "string"
},
"vaType": {
"type": "string"
}
},
"variables": {
"resourceNameAndVaType": "[concat(parameters('vmName'), '/Microsoft.Security/', parameters('vaType'))]"
},
"resources": [
{
"condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
"type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
"name": "[variables('resourceNameAndVaType')]",
"apiVersion": "2020-01-01"
},
{
"condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
"type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
"name": "[variables('resourceNameAndVaType')]",
"apiVersion": "2020-01-01"
}
]
},
"parameters": {
"vmName": {
"value": "[field('name')]"
},
"resourceType": {
"value": "[field('type')]"
},
"vaType": {
"value": "[parameters('vaType')]"
}
}
}
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
]
}
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Management/managementGroups/CORP-Root-Management/providers/Microsoft.Authorization/policyDefinitions/101da161-9792-4b63-9672-4514662807be",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "101da161-9792-4b63-9672-4514662807be",
"systemData": {
"createdBy": "email address removed for privacy reasons",
"createdByType": "User",
"createdAt": "2025-04-16T21:45:24.1427793Z",
"lastModifiedBy": "email address removed for privacy reasons",
"lastModifiedByType": "User",
"lastModifiedAt": "2025-04-16T22:32:54.6617065Z"
}
}
Hi, since Defender for Endpoint is disabled, the mdeTvm option won’t onboard anything (it relies on the MDE sensor). To make your VMs compliant, change the policy’s vaType to “default”; this deploys the Qualys VM extension to all machines. Alternatively, you could manually install the Microsoft Defender Vulnerability Management extension, but it still requires the Defender sensor to be active.