Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent
I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one. Current Setup: I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables: Defender for Cloud Plan P2 Endpoint Protection Agentless scanning I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error. What I’ve Tried: For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No. Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for: All existing subscriptions Any new subscriptions created in the future Goal: No manual intervention in Defender for Cloud portal Fully automated via Azure Policy or another recommended approach uestions: Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level? Are there ARM templates, Bicep modules, Powershell scripts or REST API calls that can toggle these settings programmatically? Any best practices for ensuring compliance across multiple subscriptions? Any help is much appreciated and looking forward to your expertise! Thank you in advance. Best Regards, Pascal Slot
File Integrity Monitoring - Agentless Issues in Detecting Changes to Files
Hello! Looks like there have been some recent updates made to File Integrity Monitoring. After reviewing the MS documentation https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#recommended-items-to-monitor it looks like you can now create custom Rules for Files and for custom Registry keys. From what I can gather from the documentation, agentless scans are used for custom rules that you create and an agentless scan occurs once every 24 hours. I have created several custom rules to detect if a file has been Deleted, Added, Modified or Renamed and Defender for Cloud is still not detecting any changes. I have made changes to these files 3 days ago, and no changes have been reported back. Any ideas why this might not be working. I have already confirmed that the appropriate RBAC Roles have been assigned to my Key Vaults where CMK Disks are being used. I also wanted to know if the Agentless FIM can monitor Folders / Directories as well. I haven't seen anything about this in the documentation. Is this even supported?
Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
We currently have a mix of approximately 45 Windows / Linux Servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines". On the subscription level we have Defender for Servers Plan 2 enabled and Agentless Scanning CSPM enabled. Within a subscription some of the of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to if the Qualys or MDE extensions are installed. We have servers that are healthy that have Qualys, MDE, or none installed and are healthy. Our VMs are not using the full feature set of Defender Plan 2 as we use CrowdStrike so the Defender for Endpoint functionality of the Defender for Servers Plan 2 has been disabled, but to my knowledge this shouldn't impact Vulnerability assessments. In Security Portal it does seem that generally all the VMs that healthy for this recommendation are visible in the devices section. Whereas these 45 that are not, are either not searchable or have sensor health state "inactive". We have an Azure Policy generated to onboard devices to Vulnerability assessment using MDE.Tvm and it seems to be generally working but not for these 45 devices. The Microsoft Documentation is really unclear, what do we need to make these systems compliant?Secure score power BI dashboard
We are following https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Secure%20Score to deploy secure score over the time dashboard for MDC. however steps for the deployment are very old when we had azure security center instead of MDC and prerequisites are not properly documented. As per the article we need to: Export the secure score data to Log analytics workspace by using continuous report option in MDC portal. Deploy Secure Score over the time workbook which can export the secure score data to Log Analytics workspace (not clear if this will pull reports every 24 hours and what permissions are required on Log Analytics workspace and to deploy the workbook) Do we need to export the secure score data to same Log Analytics workspace on which MDC is deployed or a separate workspace is needed ? If MDC already uses Log analytics workspace in the backend to store the logs then why can't we pull the secure score log data directly? why we need to export the secure score data to Log Analytics workspace first then to connect it to dashboard ?Cost Calculator for Defender for Cloud (Public Preview)
Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025. With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs. https://myronhelgering.com/cost-calculator-for-defender-for-cloud/
Sensitivity Data Flag will not be deleted after Settings are changed
We have a lot of storage accounts which are flaged with risk factor "Sensitive Data" which also means all storage Accounts which have this label have risklevel critical. We deactivated Sensitive Data Scan but nothing happens As I got it correct once a resource is flagged with "Sensitive Data" the flag will not delete anymore What we did so far: turn off/on/off… the data scanning turn off/on/off Data sensitivity deselect all of different data sensitivity categories like Finance, PII, and Credentials turn off/on/off threshold for sensitive data labels turn off/on complete Defender There is also a support ticket where the support can the recommendation was to open a discussion here to have the product team look at this error (#2502031420002278)Defender for Server deployed, integration for DfE checked, but M365 Defender showing "Can be onboard
I'm sure I'm missing something in the slightly complicated way of enabling servers for DfE via Defender for Cloud Server. The licensing is in-place the checkboxes to share data are ticked. The servers are showing as onboarded in Defender for Cloud however, the one portal to rule them all - Microsoft Defender 365 - is still showing the servers as "Can be onboarded" and missing the data of a properly onboarded DfE client. Where should I start my troubleshooting to determine what I've missed or what is going wrong? Paul
No automatic MDE.Windows installation anymore
We have an Azure subscription to which our on-premises servers are connected via Azure Arc. Actually, only Microsoft Defender for Servers Plan 1 should be used. However, ‘Plan 2’ is billed in the cost analyses, which leads to significantly higher costs than planned. I´ve fixed it but it lead to the Problem of not installing MDE.Windows anymore. The servers are connected to Azure by executing a script, after which some plugins are installed(MDE.Windows, MicrosoftMonitoringAgent, and on some servers "WindowsPatchExtension"). In the environment management of Defender for Cloud we have explicitly selected plan 1, despite this plan 2 is activated for each server. There is no Log-Workspace. Here are the Policies, i think they go automaticly created by Azure. I´ve deleted "ASC provisioning LA agent Windows Arc" and the linux one because this is deploying the two Extensions "MicrosoftMonitoringAgent" and "WindowsPatchExtension", which activate Plan 2. After deleting those to Extensions i should not get billed as Plan 2 anymore. My Problem is now that i don´t have the policy to install the MDE Plugin anymore. How do i get this working again, i need to install only the MDE Plugin on the computers to ensure we only use Plan 1. No other extensions, no Log-Workspace... Appreciate the help.Problems adding Defender for Business Server to a 2019 Windows server.
Hi. We recently purchased a one-year subscription to Microsoft Defender for Business Servers through a retailer. I've onboarded a Windows Server 2019 device using a PowerShell script, following Microsoft's guidance, since the server is not enrolled in Intune. The onboarding process appears to have been successful, as confirmed by event logs. However, the device isn't visible in the Microsoft Defender portal. Additionally, the Defender for Business Servers license isn't assigned to the device in the Office 365 admin center. Is it possible that I'm missing a configuration somewhere in one of the Admin centers (Defender, Office 365, etc.) so the license can be applied to the device? What additional steps might be required to ensure the device is visible in the Microsoft Defender portal and the license is assigned correctly?
Defender for SQL for on-prem Azure Arc connected SQL servers
I am having trouble using the Azure Built-In policy "Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR". I would assume a newly created DCR would work just fine, but I am unsure as when I use the policy that will automatically create a DCR and LA workspace, it works fine. Does my DCR need to be configured with a special data source and destination? (Similarly how Azure Monitor needs a special DCR for Arc machines)
