Investigate Defender for Endpoint misconfiguration recommendations (agentless)

Defender for Cloud uses agentless scanning with Defender for Endpoint integration to surface endpoint detection and response (EDR) misconfiguration recommendations for protected machines. Investigating and remediating these findings helps maintain endpoint protection health and keeps machine posture aligned with Defender for Cloud risk reduction workflows.

Microsoft Defender for Cloud integrates with Microsoft Defender for Endpoint to identify endpoint detection and response configuration issues for machines.

As part of these integrated capabilities, Defender for Cloud uses agentless scanning to evaluate whether Defender for Endpoint is configured correctly on protected machines. Examples of these checks include:

  • Both full and quick scans are out of 7 days
  • Signature out of date
  • Anti-virus is off or partially configured

When misconfigurations are found, Defender for Cloud generates recommendations. Complete remediation actions in Microsoft Defender for Endpoint or on the affected machine.

Note

  • Defender for Cloud uses agentless scanning to assess endpoint detection and response (EDR) settings.
  • Agentless scanning replaces the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)), which was previously used to collect machine data.
  • The use of MMA is retired. Scanning using the MMA was deprecated in November 2024.

Prerequisites

Before you start, make sure that:

Investigate misconfiguration recommendations

To investigate and remediate misconfiguration recommendations for Defender for Endpoint, perform the following steps:

  1. Sign in to the Azure portal.

  2. Search for and select Defender for Cloud.

  3. In the Defender for Cloud menu, select Recommendations.

  4. Search for and select one of the following recommendations:

    • EDR configuration issues should be resolved on virtual machines
    • EDR configuration issues should be resolved on EC2s
    • EDR configuration issues should be resolved on GCP virtual machines

  5. Select a security check to review the affected resources.

  6. Expand Affected resources.

  7. Review the resource findings.

  8. Drill into the security check to view the remediation steps provided with the recommendation, and complete the remediation in Defender for Endpoint or on the affected machine.

After remediation is complete, it can take up to 24 hours for the machine to appear in the Healthy resources tab.
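
Because the portal can lag by up to 24 hours, a local spot-check on the remediated machine confirms the fix sooner. The following PowerShell is an added example, not Microsoft's code or the logic the agentless scan uses; it reads `Get-MpComputerStatus` on a Windows machine and mirrors the three example checks listed earlier. Assumptions: the function name `Test-EdrLocalPosture`, the 7-day signature threshold, and the reading of "partially configured" as some protection flags being disabled are all illustrative.

```powershell
# Added example: local spot-check, not Defender for Cloud's own evaluation logic.
$ScanAgeLimitDays      = 7   # the "out of 7 days" scan check
$SignatureAgeLimitDays = 7   # assumed threshold; adjust to your policy

function Test-EdrLocalPosture {
    param([Parameter(Mandatory)] $Status)   # object shaped like Get-MpComputerStatus output
    $findings = @()

    # A scan that never ran reports 4294967295 (UInt32 max), so it also counts as stale.
    if ($Status.QuickScanAge -gt $ScanAgeLimitDays -and
        $Status.FullScanAge  -gt $ScanAgeLimitDays) {
        $findings += "Quick and full scans are both older than $ScanAgeLimitDays days"
    }

    if ($Status.AntivirusSignatureAge -gt $SignatureAgeLimitDays) {
        $findings += "Antivirus signatures are $($Status.AntivirusSignatureAge) days old"
    }

    # Assumed reading of "off or partially configured": all flags off vs. some off.
    $flags = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
             'OnAccessProtectionEnabled', 'BehaviorMonitorEnabled'
    $disabled = @($flags | Where-Object { -not $Status.$_ })
    if ($disabled.Count -eq $flags.Count) {
        $findings += 'Antivirus is off'
    } elseif ($disabled.Count -gt 0) {
        $findings += "Antivirus is partially configured; disabled: $($disabled -join ', ')"
    }
    return ,$findings
}

if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
} else {
    # Constructed sample so the script also runs where the Defender module is absent.
    $status = [pscustomobject]@{
        QuickScanAge = 2; FullScanAge = 4294967295; AntivirusSignatureAge = 12
        AMServiceEnabled = $true; AntivirusEnabled = $true
        RealTimeProtectionEnabled = $false; OnAccessProtectionEnabled = $true
        BehaviorMonitorEnabled = $true
    }
}

$findings = Test-EdrLocalPosture -Status $status
if ($findings.Count -eq 0) { 'No local EDR configuration findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

With the constructed sample, the script warns about stale signatures and a partially configured antivirus, but not about scans, because the quick scan is recent.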