Edit

Enable vulnerability scanning

The Defender for Servers plan in Microsoft Defender for Cloud provides vulnerability scanning for protected machines.

Integrated vulnerability scanning in Defender for Cloud uses Microsoft Defender Vulnerability Management and provides both agentless and agent-based scanning.

Vulnerability management is enabled by default when you enable Defender for Servers. Use this article only if you need to enable scanning manually.

Prerequisites

Requirement Details
Agentless vulnerability scanning Review agentless scanning requirements.

Agentless scanning is on by default when Defender for Servers Plan 2 or the Defender for Servers Cloud Security Posture Management (CSPM) plan is enabled.
Agent-based vulnerability scanning For agent-based scanning, enable Defender for Servers Plan 1 (P1) or Plan 2 (P2).
Machine support Review supported machines.
Permissions You need Owner (resource group level) permissions to deploy the scanner.

You need Security Reader to view findings.

Enable vulnerability scanning on a subscription

  1. In Defender for Cloud, open Environment settings.

  2. Select the relevant subscription.

  3. Locate Defender for Servers plan, select Monitoring coverage > Settings.

    Screenshot showing selecting service plan settings for server.

  4. In Settings and monitoring, turn on Vulnerability assessment for machines as needed.

  5. Select Edit configuration to choose an assessment solution.

    Screenshot showing where to turn on deployment of vulnerability assessment for machines.

  6. Select Apply > Save.

Configure with the REST API

To configure with the REST API, run PUT/DELETE using this URL:

https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/.../providers/Microsoft.Security/serverVulnerabilityAssessments/mdetvm?api-version=2015-06-01-preview

Enable vulnerability scanning for a machine

To enable vulnerability scanning for a specific machine, use the recommendation that appears when Defender for Servers doesn't find a vulnerability assessment solution on the machine.

  1. To find all machines without a solution installed, in the Inventory page, select Unhealthy resources. Use the Recommendations filter to search for machines with this recommendation: Machines should have a vulnerability assessment solution.

  2. Open the recommendation.

  3. Follow the remediation steps to fix machines that don't have a vulnerability assessment solution enabled.

  4. Select a vulnerability solution.

    Screenshot of the window that shows the options for selecting a vulnerability assessment solution from the recommendation.

After the process completes, it can take up to 24 hours for resources to move to the Healthy resources tab.

Next steps

View and remediate machine vulnerability findings

  • Last updated on