Transition to Microsoft Defender Vulnerability Management for servers

  • How-to

With the Defender for Servers plan in Microsoft Defender for Cloud, you can scan compute assets for vulnerabilities. If you're currently using a vulnerability assessment solution other than the Microsoft Defender Vulnerability Management vulnerability assessment solution, this article provides instructions on transitioning to the integrated Defender Vulnerability Management solution.

To transition to the integrated Defender Vulnerability Management solution, you can use the Azure portal, use an Azure policy definition (for Azure VMs), or use REST APIs.

Prerequisites

For prerequisites and other requirements, see Support for the Defender for Servers plan.

Transition with Azure policy for Azure VMs

Follow these steps:

  1. Sign in to the Azure portal.

  2. Navigate to Policy > Definitions.

  3. Search for Setup subscriptions to transition to an alternative vulnerability assessment solution.

  4. Select Assign.

  5. Select a scope and enter an assignment name.

  6. Select Review + create.

  7. Review the information you entered and select Create.

    This policy ensures that all Virtual Machines (VM) within a selected subscription are safeguarded with the built-in Defender Vulnerability Management solution.

    Once you complete the transition to the Defender Vulnerability Management solution, you need to Remove the old vulnerability assessment solution

Transition with Defender for Cloud's portal

In the Defender for Cloud portal, you have the ability to change the vulnerability assessment solution to the built-in Defender Vulnerability Management solution.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings

  3. Select the relevant subscription.

  4. Locate the Defender for Servers plan and select Settings.

    Screenshot of the Defender for Cloud plan page that shows where to locate and select the settings button under the servers plan.

  5. Toggle Vulnerability assessment for machines to On.

    If Vulnerability assessment for machines was already set to on, select Edit configuration

    Screenshot of the servers plan that shows where the edit configuration button is located.

  6. Select Microsoft Defender Vulnerability Management.

  7. Select Apply.

  8. Ensure that Endpoint protection or Agentless scanning for machines are toggled to On.

    Screenshot that shows where to turn on endpoint protection and agentless scanning for machines is located.

  9. Select Continue.

  10. Select Save.

    Once you complete the transition to the Defender Vulnerability Management solution, you need to Remove the old vulnerability assessment solution

Transition with REST API

REST API for Azure VMs

Using this REST API, you can easily migrate your subscription, at scale, from any vulnerability assessment solution to the Defender Vulnerability Management solution.

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2022-01-01-preview

{
  "kind": "AzureServersSetting",
  "properties": {
    "selectedProvider": "MdeTvm"
  }
}

Once you complete the transition to the Defender Vulnerability Management solution, you need to remove the old vulnerability assessment solution.

REST API for multicloud VMs

Using this REST API, you can easily migrate your subscription, at scale, from any vulnerability assessment solution to the Defender Vulnerability Management solution.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/securityconnectors/{connectorName}?api-version=2022-08-01-preview

{
  "properties": {
  "hierarchyIdentifier": "{GcpProjectNumber}",
  "environmentName": "GCP",
  "offerings": [
​    {
​     "offeringType": "CspmMonitorGcp",
​     "nativeCloudConnection": {
​      "workloadIdentityProviderId": "{cspm}",
​      "serviceAccountEmailAddress": "{emailAddressRemainsAsIs}"
​     }
​    },
​    {
​     "offeringType": "DefenderCspmGcp"
​    },
​    {
​     "offeringType": "DefenderForServersGcp",
​     "defenderForServers": {
​      "workloadIdentityProviderId": "{defender-for-servers}",
​      "serviceAccountEmailAddress": "{emailAddressRemainsAsIs}"
​     },
​     "arcAutoProvisioning": {
​      "enabled": true,
​      "configuration": {}
​     },
​     "mdeAutoProvisioning": {
​      "enabled": true,
​      "configuration": {}
​     },
​     "vaAutoProvisioning": {
​      "enabled": true,
​      "configuration": {
​       "type": "TVM"
​      }
​     },
​     "subPlan": "{P1/P2}"
​    }
  ],
  "environmentData": {
​    "environmentType": "GcpProject",
​    "projectDetails": {
​     "projectId": "{GcpProjectId}",
​     "projectNumber": "{GcpProjectNumber}",
​     "workloadIdentityPoolId": "{identityPoolIdRemainsTheSame}"
​    }
  }
  },
  "location": "{connectorRegion}"
}

Remove the old vulnerability assessment solution

After migrating to the built-in Defender Vulnerability Management solution in Defender for Cloud, offboard each VM from their old vulnerability assessment solution. To delete the VM extension, you can use the Remove-AzVMExtension PowerShell cmdlet or a REST API Delete request.

Next step

Common questions about vulnerability scanning questions