Forum Discussion
sof_brad (Copper Contributor)
May 01, 2025
Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
We currently have a mix of approximately 45 Windows / Linux Servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines".
At the subscription level we have Defender for Servers Plan 2 enabled and agentless scanning (CSPM) enabled. Within a subscription some of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to whether the Qualys or MDE extensions are installed: we have healthy servers with Qualys installed, with MDE installed, and with neither installed.
Our VMs are not using the full feature set of Defender for Servers Plan 2, as we use CrowdStrike, so the Defender for Endpoint functionality of Defender for Servers Plan 2 has been disabled; to my knowledge this shouldn't impact vulnerability assessments.
In the Security portal it does seem that, generally, all the VMs that are healthy for this recommendation are visible in the Devices section, whereas the 45 that are not are either not searchable or have a sensor health state of "Inactive".
We have an Azure Policy generated to onboard devices to Vulnerability assessment using MDE.Tvm and it seems to be generally working but not for these 45 devices.
The Microsoft Documentation is really unclear, what do we need to make these systems compliant?
6 Replies
- sof_brad (Copper Contributor)
Hi micheleariis, we did try deploying this using the "Default" option in the policy, but deployments are failing saying that Qualys is end of life.
Error code: BuiltInQualysDeprecation
Message: The Default (built-in Qualys) VA type is deprecated.
- micheleariis (Steel Contributor)
Hi, Qualys is not deprecated; Defender Vulnerability Management is the recommended evolution. In Defender for Cloud the recommendation “Deploy Defender Vulnerability Management” invokes an API that installs the VM extension, but if you've disabled Endpoint protection the sensor doesn't onboard and remains “inactive.” To make them compliant you have to actually deploy the VM extension Microsoft Defender for Vulnerability Management (or the Qualys extension) on all machines, either manually or via Azure Policy, making sure the Log Analytics agent is active. After a few minutes the status will change to “Healthy.”
- sof_brad (Copper Contributor)
Hello Michele,
Since we have Defender for Endpoint disabled as a product at the subscription level (issues with it on some VMs that we were not able to resolve), what actual VM-level extension do we need deployed?
We have this policy configured to deploy the vulnerability assessment to the VMs using the mdeTvm option. Would the solution be to change it to "default", which would deploy Qualys?

{
  "properties": {
    "displayName": "CORP : Configure machines to receive a vulnerability assessment provider",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.",
    "metadata": {
      "category": "Security Center",
      "createdBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
      "createdOn": "2025-04-16T21:45:24.1691704Z",
      "updatedBy": "d4277436-a66a-44f0-b2cc-378794ef8d94",
      "updatedOn": "2025-04-16T22:32:54.705415Z"
    },
    "version": "1.0.0",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [ "DeployIfNotExists", "Disabled" ],
        "defaultValue": "DeployIfNotExists"
      },
      "vaType": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment provider type",
          "description": "Select the vulnerability assessment solution to provision to machines."
        },
        "allowedValues": [ "default", "mdeTvm" ],
        "defaultValue": "default"
      }
    },
    "policyRule": {
      "if": {
        "anyof": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.HybridCompute/machines" },
              { "field": "tags", "notContainsKey": "MDFCSecurityConnector" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
          "evaluationDelay": "PT60M",
          "existenceCondition": {
            "anyOf": [
              { "field": "Microsoft.Security/assessments/status.code", "equals": "NotApplicable" },
              {
                "allOf": [
                  { "field": "Microsoft.Security/assessments/status.code", "equals": "Healthy" },
                  { "field": "Microsoft.Security/assessments/status.cause", "equals": "[parameters('vaType')]" }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "parameters": {
                  "vmName": { "type": "String" },
                  "resourceType": { "type": "string" },
                  "vaType": { "type": "string" }
                },
                "variables": {
                  "resourceNameAndVaType": "[concat(parameters('vmName'), '/Microsoft.Security/', parameters('vaType'))]"
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  },
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
                    "type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  }
                ]
              },
              "parameters": {
                "vmName": { "value": "[field('name')]" },
                "resourceType": { "value": "[field('type')]" },
                "vaType": { "value": "[parameters('vaType')]" }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ]
        }
      }
    },
    "versions": [ "1.0.0" ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/CORP-Root-Management/providers/Microsoft.Authorization/policyDefinitions/101da161-9792-4b63-9672-4514662807be",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "101da161-9792-4b63-9672-4514662807be",
  "systemData": {
    "createdBy": "email address removed for privacy reasons",
    "createdByType": "User",
    "createdAt": "2025-04-16T21:45:24.1427793Z",
    "lastModifiedBy": "email address removed for privacy reasons",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2025-04-16T22:32:54.6617065Z"
  }
}
- micheleariis (Steel Contributor)
Hi, since Defender for Endpoint is disabled, the mdeTvm option won't onboard anything (it relies on the MDE sensor). To make your VMs compliant, change the policy's vaType to "default"; this deploys the Qualys VM extension to all machines. Alternatively, you could manually install the Microsoft Defender for Vulnerability Management extension, but it still requires the Defender sensor to be active.
- micheleariis (Steel Contributor)
Hi, all VMs must have a supported vulnerability assessment extension (Qualys or Defender Vulnerability Management): agentless CSPM alone is not enough. Deploy the extension on all machines (manually or via Azure Policy “Deploy Qualys VM extension” or “Deploy Microsoft Defender Vulnerability Management”), verify that the Log Analytics agent and the Defender sensor are active, and wait a few minutes: the status will change to “Healthy.”
- sof_brad (Copper Contributor)
Hello Michele,
We had understood that Qualys has been deprecated in favor of Defender Vulnerability Management.
Defender for Servers Plan 2 is enabled with Azure Monitor and Vulnerability assessment for machines, but we have disabled Defender Endpoint protection as we use an alternative endpoint protection software.
Defender Vulnerability Management is not an extension; in Defender for Cloud, the recommendation that deploys it applies a PUT to a specific Azure Management API URL. We have a policy that does this, but it doesn't actually onboard the VM to Defender for Endpoint, since we do not use that functionality.
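Added example (not code from the thread, from Microsoft, or from the custom policy's author): the Python below reproduces offline the two decisions the custom DeployIfNotExists policy posted above makes, the existenceCondition that decides which machines count as already compliant for the chosen vaType, and the PUT on Microsoft.Security/serverVulnerabilityAssessments/{vaType} (api-version 2020-01-01) that its ARM template issues, which is the API call sof_brad describes. It also recognises the BuiltInQualysDeprecation error code quoted earlier in the thread. The assessment records, subscription ID and machine names are constructed placeholders; sending an empty JSON object as the PUT body is an assumption drawn from the template declaring no properties on the resource; a live run requires an ARM bearer token in the ARM_TOKEN environment variable, otherwise the script only prints the URLs it would call.

```python
"""Added example: mirror the custom DeployIfNotExists policy from the thread, offline.

1. needs_remediation() applies the policy's existenceCondition: assessment
   ffff0522-1e88-47fc-8382-2a80ba848f5d counts as satisfied only when NotApplicable,
   or Healthy with status.cause equal to the chosen vaType.
2. va_put_url() builds the ARM PUT the policy's template resolves to:
   {machine}/providers/Microsoft.Security/serverVulnerabilityAssessments/{vaType}
3. interpret_deploy_error() recognises the BuiltInQualysDeprecation error quoted above.
The assessment records are constructed sample data, not exported from a tenant.
"""
import json
import os
import urllib.error
import urllib.request

ASSESSMENT_KEY = "ffff0522-1e88-47fc-8382-2a80ba848f5d"  # details.name in the policy
API_VERSION = "2020-01-01"                                  # apiVersion in the policy template
ARM = "https://management.azure.com"
VA_TYPES = ("default", "mdeTvm")                            # the policy's allowedValues

# Constructed sample data: placeholder subscription, resource group and machine names.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
SAMPLE_ASSESSMENTS = [
    # Healthy because MDE TVM is the active solution
    {"resourceId": f"{_RG}/providers/Microsoft.Compute/virtualMachines/web01",
     "status": {"code": "Healthy", "cause": "mdeTvm"}},
    # Healthy because the Qualys extension ('default') is the active solution
    {"resourceId": f"{_RG}/providers/Microsoft.Compute/virtualMachines/web02",
     "status": {"code": "Healthy", "cause": "default"}},
    # No solution at all (cause omitted; the real service fills in its own text)
    {"resourceId": f"{_RG}/providers/Microsoft.Compute/virtualMachines/avd03",
     "status": {"code": "Unhealthy"}},
    # Arc-enabled machine the assessment does not apply to
    {"resourceId": f"{_RG}/providers/Microsoft.HybridCompute/machines/onprem04",
     "status": {"code": "NotApplicable"}},
]


def needs_remediation(assessment, va_type):
    """True when the policy's existenceCondition is NOT met, i.e. the policy would deploy.

    Consequence worth noticing: a machine that is Healthy through the *other* provider
    (Qualys when vaType is mdeTvm, or vice versa) is still a deployment target.
    """
    status = assessment["status"]
    if status["code"] == "NotApplicable":
        return False
    return not (status["code"] == "Healthy" and status.get("cause") == va_type)


def remediation_targets(assessments, va_type):
    """Resource IDs the policy would issue a deployment for, in input order."""
    if va_type not in VA_TYPES:
        raise ValueError(f"vaType must be one of {VA_TYPES}, got {va_type!r}")
    return [a["resourceId"] for a in assessments if needs_remediation(a, va_type)]


def va_put_url(resource_id, va_type):
    """The PUT target the policy's ARM template resolves to for one machine.

    The template is scoped to two resource types and compares them case-insensitively
    (toLower in the template); the same check is applied here before building the URL.
    """
    rid = resource_id.lower()
    if ("/providers/microsoft.compute/virtualmachines/" not in rid
            and "/providers/microsoft.hybridcompute/machines/" not in rid):
        raise ValueError(f"unsupported resource type in {resource_id}")
    if va_type not in VA_TYPES:
        raise ValueError(f"vaType must be one of {VA_TYPES}, got {va_type!r}")
    return (f"{ARM}{resource_id}/providers/Microsoft.Security/"
            f"serverVulnerabilityAssessments/{va_type}?api-version={API_VERSION}")


def interpret_deploy_error(body):
    """Turn an ARM error body into the next action; the code is the one quoted in the thread."""
    err = body.get("error", body)
    code = err.get("code", "UnknownError")
    if code == "BuiltInQualysDeprecation":
        return "vaType 'default' was rejected by the service; redeploy with vaType 'mdeTvm'"
    return f"{code}: {err.get('message', '')}".rstrip(": ")


def _parse_body(raw):
    """Decode a response body, tolerating non-JSON error pages."""
    try:
        return json.loads(raw or b"{}")
    except ValueError:
        return {"error": {"code": "NonJsonResponse", "message": raw.decode(errors="replace")}}


def put_va(url, token):
    """Issue the PUT. Assumption: an empty JSON object is an acceptable body, since the
    template declares no properties on the serverVulnerabilityAssessments resource."""
    req = urllib.request.Request(
        url, data=b"{}", method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _parse_body(resp.read())
    except urllib.error.HTTPError as exc:
        return exc.code, _parse_body(exc.read())


if __name__ == "__main__":
    va_type = os.environ.get("VA_TYPE", "mdeTvm")
    # Token from e.g.: az account get-access-token --query accessToken -o tsv
    token = os.environ.get("ARM_TOKEN")
    for rid in remediation_targets(SAMPLE_ASSESSMENTS, va_type):
        url = va_put_url(rid, va_type)
        if not token:
            print("would PUT", url)
            continue
        code, body = put_va(url, token)
        print(code, "ok" if code < 300 else interpret_deploy_error(body))
```

Run it without ARM_TOKEN to see which of the sample machines the policy would touch for a given VA_TYPE; with VA_TYPE=mdeTvm the Qualys-healthy web02 is listed alongside the unprotected avd03, which is why switching vaType on an existing assignment re-deploys onto machines that were already reporting Healthy.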