Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent
I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one. Current Setup: I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables: Defender for Cloud Plan P2 Endpoint Protection Agentless scanning I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error. What I’ve Tried: For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No. Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for: All existing subscriptions Any new subscriptions created in the future Goal: No manual intervention in Defender for Cloud portal Fully automated via Azure Policy or another recommended approach uestions: Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level? Are there ARM templates, Bicep modules, Powershell scripts or REST API calls that can toggle these settings programmatically? Any best practices for ensuring compliance across multiple subscriptions? Any help is much appreciated and looking forward to your expertise! Thank you in advance. Best Regards, Pascal SlotLog Analytics workspace
Hello, can anyone help me understand the workspace used for Defender for Cloud How to identify which workspace is Defender for cloud connected to, older version of Defender for cloud has clear mention of the workspace name to which it is connected, the latest version just displays it as "Default Workspace" not the actual name of the workspace, as there are multiple "Default workspaces" in a subscription/Tenant. Thanks in Adv.Which VM security events are requried for enhanced security features, e.g. in Defender for Servers?
Hi Azure Cloud Defenders! I would like to understand which Defender for Cloud Features require VM Security Events to be collected and to which extent. According to a recent Webinar, it is a common misconception that Threat Detection and Vulnerability Assessments for VMs rely on that data beeing collected/ingested. On the other hand the docs, e.g. for adaptive application control, let me assume that gathering those events/logs is required for that feature. Can someone explain for which cases/scenarios event logs from VMs must be collected and ingested into the log analytics workspace? Furthermore, it would be good to know the level of data to store (all events, common, minimal) for each case. Thank you very much in advance!Defender for Server deployed, integration for DfE checked, but M365 Defender showing "Can be onboard
I'm sure I'm missing something in the slightly complicated way of enabling servers for DfE via Defender for Cloud Server. The licensing is in-place the checkboxes to share data are ticked. The servers are showing as onboarded in Defender for Cloud however, the one portal to rule them all - Microsoft Defender 365 - is still showing the servers as "Can be onboarded" and missing the data of a properly onboarded DfE client. Where should I start my troubleshooting to determine what I've missed or what is going wrong? Paul
