Share via

Defender for Cloud - "Machines should have vulnerability findings resolved" Stopped Populating

Cusimano, Joey 125 Reputation points
2025-08-05T18:04:31.8433333+00:00

I perform weekly reviews of Microsoft Defender for Cloud's "Recommendations" and have noticed that in the past several weeks, we have not had any findings under the item "Machines should have vulnerability findings resolved".

findings1

There are two items that we have been seeing for months and know we have not resolved entirely, so they should still be showing up. Additionally, we typically see other findings show up here. Pending Windows updates, Chrome browser updates, and Visual Studio updates are the most common items and we see should have seen these showing up in the past several weeks but have not seen a single one. These items helped serve as a "sanity check" that data was updating, so their absence has me convinced that something is wrong. Findings under this recommendation do not persist once resolved, so it is not possible to see them as "completed". For example, a missing Chrome update reported as a finding disappears entirely once the update is applied and the dashboard refreshes.

I checked this recommendation for each VM individually and the "Last change date" shows as 7/7/2025 for all of them. The freshness interval shows as 12 hours, but there is no indicator of when the data was last updated to verify that it is in fact doing these checks every 12 hours or more and still showing no findings.

findings2

We need a way to verify that this is updating, and I can't seem to find one. We just see a blank dashboard with a last changed date of 7/7/2025 and no further information, and I have lost confidence that we can trust this dashboard as letting us know that we have no to-do items on this recommendation anymore when we had planned to address two items long term that suddenly stopped showing up weeks ago.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Cusimano, Joey 125 Reputation points
    2025-08-19T17:38:17.1166667+00:00

    I've opened a ticket with Microsoft about this and am attempting to work with Microsoft and our MSP to troubleshoot it.

    In the meantime, I've discovered that the Microsoft Defender Vulnerability management >Recommendations list is still populating and contains items that I would normally see under "Machines should have vulnerability findings resolved", including Chrome updates and the previously seen outstanding item that we were tracking before. My intent is to keep using this dashboard instead to monitor security recommendations for our VMs.

    Link to dashboard: https://security.microsoft.com/security-recommendations?

    Based on seeing current data in Microsoft Defender, I am convinced that MDE is still functional on our VMs. I see the "MDE.Windows" extension running on the VMs and it needed updates. We applied updates for this extension on some of the VMs, but see no changes in the behavior of the "Machines should have vulnerability findings resolved" item or the statuses of the VMs under it as originally mentioned. We will see what Microsoft says when they respond to our ticket and see if we can get the Azure portal dashboard working again. In the meantime, we are going to use the Microsoft Defender dashboard to monitor needed updates and new recommendations/vulnerabilities.

    Was this answer helpful?

    1 person found this answer helpful.
  2. Gilson Guilherme Ribeiro Kley 0 Reputation points
    2025-10-14T19:22:33.48+00:00

    Olá, estou com um problema semelhante, porém eu uso a licença do 'Defender CSPM' apenas, e desde sexta-feira parou de mostrar as máquinas vulneráveis. Mas sei que a VMs ainda estão vulneráveis, pois não havia feito correção.

    Notei que ele inicia o scan e mostra como vulnerável, mas alguns minutos depois ele simplesmente mostra zero e limpa essa vulnerabilidade detectada.

    Por exemplo, agora mostra assim: enter image description here

    Minutos depois, ele zera e passa a VM para íntegra.

    Was this answer helpful?

    0 comments
  3. Cusimano, Joey 125 Reputation points
    2025-09-15T13:44:36.1866667+00:00

    Resolution: after creating a ticket with Microsoft through our MSP, an internal ticket was created with the Product Group team, who provided a fix for the issue (I have no specific details on what they did). We also had to enable the “Vulnerability assessment for machines” option in each plan to resolve the issue for all machines. This had issues with the UI stating that we did not have "Defender for Servers" even though we did, so using an API call provided by Microsoft in the API Playground (preview) for each subscription was able to toggle this on.

    We are now seeing all machines once again reporting data correctly in the Azure portal under recommendations in Microsoft for Defender.

    Was this answer helpful?

  4. Anonymous
    2025-08-19T09:15:12.4766667+00:00

    Hi Cusimano, Joey,
     

    Thank you for posting your query on Microsoft Q&A.

    As per our understanding, you have noticed that the Microsoft Defender for Cloud recommendation "Machines should have vulnerability findings resolved" has stopped showing findings over the past several weeks, even though you know there are unresolved issues such as pending updates. 

    In addition to Jose Benjamin Solis Nolasco, please do check with few more information for clarity.

    This recommendation relies heavily on vulnerability data from Microsoft Defender for Endpoint (MDE) and the vulnerability assessment extensions running on your VMs. Sometimes,
    Azure Advisor’s security recommendation pipeline, which aggregates these findings, can experience delays or drops in data due to internal service-bus backlogs. This can cause the recommendation blade to show stale or no results.

    To verify whether everything is working correctly and to troubleshoot this issue,

    please follow the steps below:

    1. Verify Defender for Endpoint (MDE) Integration
      • Confirm your machines are onboarded to MDE.
        • Check the Microsoft 365 Defender portal at https://security.microsoft.com under Vulnerabilities to ensure MDE is reporting vulnerability data.
          • In Defender for Cloud, navigate to Environment Settings > Integrations and confirm Defender for Endpoint integration is enabled for the affected subscriptions.
    2. Check Vulnerability Assessment (VA) Extension Health
      • Go to Defender for Cloud → Inventory → select an affected VM → Extensions + applications.
        • Verify that the Qualys Vulnerability Assessment extension or the built-in scanner is installed, running, and healthy.
    3. Check Your Permissions and Filters
      • Verify you have Reader or higher permissions on the subscription and resource groups containing the VMs.
        • In the Azure Advisor recommendations blade, check for any resource group or date filters that might hide findings.
    4. Use Defender for Cloud Inventory as Authoritative Data Source
      • If Advisor shows no findings but Inventory still lists vulnerabilities, rely on the Inventory blade as the source of truth.
    5. Re-onboard or Redeploy the Vulnerability Assessment Extension
      • If missing or unhealthy, re-onboard the VA extension via Defender for Cloud’s environment settings and allow 1–2 hours for scans to complete.
    6. Review Azure Advisor Configuration
      • Refresh the recommendations and ensure no filters prevent findings from showing.

    Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

    Was this answer helpful?

    0 comments
  5. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2025-08-05T19:01:29.8933333+00:00

    Hi @Cusimano, Joey I hope you are doing well,

    Thanks for the detailed report — you’ve clearly done your due diligence, and I can understand your concern about the sudden disappearance of expected findings from Defender for Cloud.

    Here are some targeted steps and insights to help verify whether the recommendation is truly up to date or if something is failing in the backend:

    1. Verify the Dependency: Defender for Endpoint (MDE) Integration

    This specific recommendation depends heavily on Microsoft Defender for Endpoint (MDE) data being properly ingested into Defender for Cloud.

    Please confirm:

    Your machines are still onboarded to MDE.

    MDE sensors are reporting vulnerability data (you can verify this in the Microsoft 365 Defender portal at https://security.microsoft.com > Vulnerabilities).

    In Defender for Cloud, go to Environment Settings > Integrations and verify that Defender for Endpoint integration is still enabled for the affected subscriptions.

    2. Validate Vulnerability Assessment Extension

    For non-MDE environments, Defender for Cloud relies on the Log Analytics agent or the VM extension for vulnerability assessment (Qualys or built-in scanner).

    Check if:

    • The VA extension is still installed and running on the VMs.
    • There are no errors or stale statuses under Defender for Cloud > Inventory > Extensions.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.