Description:

Automatic Provisioning of Vulnerability Assessment (VA) for Machines enables Microsoft Defender for Cloud to automatically deploy vulnerability assessment extensions on Azure Virtual Machines and hybrid/on-premises servers connected through Azure Arc.


Rationale:

This check verifies that Vulnerability assessment for machines is set to On under Microsoft Defender for Cloud > Environment Settings. When enabled, Defender for Cloud automatically installs the VA agent, performs recurring vulnerability scans, and generates recommendations for OS misconfigurations, missing updates, insecure settings, and exposed weaknesses. If this setting is Off, machines do not receive automated scanning, resulting in incomplete security visibility and a weakened compliance posture across Azure and hybrid environments.


Impact:

  • Enables automated vulnerability scanning for Azure and Arc-enabled machines

  • Reduces manual onboarding and operational overhead

  • Improves detection of OS vulnerabilities, insecure configurations, and missing patches

  • Supports compliance with CIS, NIST, Azure Security Benchmark, and regulatory controls


Default Value:

By default, automatic provisioning of the Vulnerability Assessment agent is off. Manual configuration is required to achieve full vulnerability assessment coverage.


Pre-Requisites:

  • Defender for Servers Plan 1 or Plan 2 (VA requires these plans)

  • Azure Arc configured for non-Azure machines (required only for hybrid/on-premises servers)

  • RBAC permissions, including:

    • Microsoft.Security/*

    • Microsoft.HybridCompute/*

    • Microsoft.Compute/*

Test Plan:

  1. Sign in to the Azure portal https://portal.azure.com 

  2. Search for Microsoft Defender for Cloud

  3. Under the management section, select Environment Settings

  4. Choose the Subscription

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring 

  7. Verify that Vulnerability assessment for machines is set to On.

  8. If it is off, follow the Implementation Steps.
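The portal steps above can be mirrored with a scripted check against the subscription's Defender for Servers pricing record. The following is an added example written for this check; it is not Microsoft's code. It assumes the JSON body returned by `GET /subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2023-01-01` (for example via `az rest --method get --url ...`), which carries `properties.pricingTier`, `properties.subPlan` and a `properties.extensions` list of `{name, isEnabled}` entries. The extension name that the portal's "Vulnerability assessment for machines" toggle maps to is not given on this page, so `VA_EXTENSION_NAME` is a placeholder to substitute; the sample response is constructed.

```python
"""Evaluate a Defender for Servers pricing record for the
"Vulnerability assessment for machines" setting.

Added example for this check, not Microsoft's code. Assumptions:
  * Input is the JSON body of
    GET /subscriptions/{sub}/providers/Microsoft.Security/pricings/VirtualMachines
    (api-version 2023-01-01): properties.pricingTier, properties.subPlan,
    properties.extensions = [{name, isEnabled}, ...].
  * VA_EXTENSION_NAME is a placeholder for the real extension name.
"""
import json

# Placeholder: replace with the extension name behind the portal toggle.
VA_EXTENSION_NAME = "VULNERABILITY_ASSESSMENT_EXTENSION_NAME_PLACEHOLDER"
# Defender for Servers Plan 1 / Plan 2 sub-plan identifiers (VA requires one of these).
PLANS_WITH_VA = {"P1", "P2"}

# Constructed sample response: Plan 2 enabled, VA extension switched Off.
SAMPLE_RESPONSE = json.dumps({
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
          "/providers/Microsoft.Security/pricings/VirtualMachines",
    "name": "VirtualMachines",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "P2",
        "extensions": [
            {"name": VA_EXTENSION_NAME, "isEnabled": "False"},
        ],
    },
})

# Constructed sample: Defender for Servers not purchased at all (Free tier).
SAMPLE_FREE_TIER = json.dumps({
    "name": "VirtualMachines",
    "properties": {"pricingTier": "Free", "extensions": []},
})


def evaluate_va_setting(pricing_json: str) -> dict:
    """Return {'compliant': bool, 'findings': [str, ...]} for one pricing record."""
    props = json.loads(pricing_json).get("properties", {})
    findings = []

    # Pre-requisite from the check: VA needs Defender for Servers Plan 1 or Plan 2.
    tier = props.get("pricingTier")
    sub_plan = props.get("subPlan")
    if tier != "Standard":
        findings.append(
            f"Defender for Servers is not enabled (pricingTier={tier!r}); "
            "VA requires Plan 1 or Plan 2.")
    elif sub_plan not in PLANS_WITH_VA:
        findings.append(
            f"Unexpected subPlan {sub_plan!r}; VA requires Plan 1 (P1) or Plan 2 (P2).")

    # The toggle itself: the extension must be present and enabled.
    # isEnabled is compared case-insensitively as a string so both "True" and true pass.
    extensions = {e.get("name"): e for e in props.get("extensions", [])}
    ext = extensions.get(VA_EXTENSION_NAME)
    if ext is None:
        findings.append(
            f"Extension {VA_EXTENSION_NAME!r} absent from the pricing record; treat as Off.")
    elif str(ext.get("isEnabled", "")).lower() != "true":
        findings.append(
            "Vulnerability assessment for machines is Off; follow the Implementation Steps.")

    return {"compliant": not findings, "findings": findings}


def enabled_variant(pricing_json: str) -> str:
    """Return a copy of the record with the VA extension set to True (what-if check)."""
    data = json.loads(pricing_json)
    for ext in data["properties"].get("extensions", []):
        if ext.get("name") == VA_EXTENSION_NAME:
            ext["isEnabled"] = "True"
    return json.dumps(data)


if __name__ == "__main__":
    for label, record in (("sample", SAMPLE_RESPONSE),
                          ("sample-after-fix", enabled_variant(SAMPLE_RESPONSE)),
                          ("free-tier", SAMPLE_FREE_TIER)):
        result = evaluate_va_setting(record)
        print(f"{label}: compliant={result['compliant']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The plan-tier test is checked before the toggle because a subscription without Plan 1 or Plan 2 cannot have VA provisioning regardless of the toggle state; reporting both conditions separately tells the operator whether the remediation is "enable the plan" or "flip the setting".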

Implementation Steps:

  1. Sign in to the Azure portal https://portal.azure.com 

  2. Search for Microsoft Defender for Cloud

  3. Under the management section, select Environment Settings

  4. Choose the target Subscription

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring

  7. Set Vulnerability assessment for machines to On.

  8. Click Continue, then Save the changes.

Backout Plan:

  1. Sign in to the Azure portal https://portal.azure.com 

  2. Search for Microsoft Defender for Cloud

  3. Under the management section, select Environment Settings

  4. Select the subscription

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring 

  7. Set Vulnerability assessment for machines to Off.

  8. Click Continue, then Save the changes.

References: