Why does "Endpoint Protection not installed on Azure VMs" falsely show as a finding in recommendations?

Question

Why does "Endpoint Protection not installed on Azure VMs" falsely show as a finding in recommendations?

Cusimano, Joey 80

We have had a recommendation in Microsoft Defender for Cloud for a while now called "Endpoint Protection not installed on Azure VMs". This item is a -4% or -3% on the secure score (keeps changing) and we would like to resolve it, but it does not seem to detect that Windows Defender is enabled on all of these VMs.

reclist

There is also a note stating "There is a newer version of this recommendation" that points to "Endpoint protection should be installed on machines", which lists all 8 VMs as "Healthy Resources".

rec1

rec2

We took one of the VMs and verified Windows Defender is running on it.

NDC-DefenderOn

We also ran the Get-MpComputerStatus Powershell command and verified that AMServiceEnabled is set to true.

NDC-GetMpComputerStatus

I assume that because this is the flag being checked, the "newer" recommendation confirms the VM is healthy. But yet, we are being penalized 3-4% for the original one, which provides no way to exempt the machines from it.

Does Microsoft plan to remove this recommendation/seemingly unavoidable penalty since there is a newer version available? It has been around for months. How do we stop this from being flagged to get our score up?

2 answers

Your answer

Answer 1

Cusimano, Joey 80

An update: our MSP opened a ticket with Microsoft and we were informed that this recommendation is deprecated in favor of the newer ones (that can be exempted) and set to be removed from the dashboard in roughly a month. We have decided that we are going to wait for this to happen and regain the small amount of points toward our secure score. I would recommend relaying this information to interested parties and waiting for the item to stop being reported in the Defender for Cloud Recommendations portal.

Pauline Thomas 0 Reputation points

2024-08-13T05:08:13.05+00:00

We are experiencing the very same issue. It's now August, and we are still seeing "Endpoint Protection not installed on Azure VM" recommendation on the portal UI. Would very much appreciate Microsoft confirming when exactly the recommendation will stop reducing the secure score.

Answer 2

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Cusimano, Joey

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Update1:

I tried to reproduce the issue in my lab but found no luck as this recommendation did not appear in my lab environment.

User's image

As a workaround my suggestion here is to try exempting the VMs from this recommendation. If you don't get the option then do let me know so that we could plan for an offline connect.

User's image

Thanks,

Akshay Kaushik

Please "Accept the answer(Yes)" and "share your feedback ". This will help us and others in the community as well.

ArthurS-2048 5 Reputation points

2023-12-06T19:37:25.0266667+00:00

We're experiencing the same issue. In the secure score recommendations it is listed as 'Install Endpoint Protection Solution on Virtual Machines' (displayed as 'Endpoint Protection not installed on Azure VMs' when accessed). Unfortunately, this recommendation does not provide an exempt option.
From what we have noticed, stopped or deallocated machines are being marked as unhealthy even if they have endpoint protection installed.
Cusimano, Joey 80 Reputation points

2023-12-07T18:39:14.7333333+00:00

As shown in the below screenshot, there is nowhere on this recommendation's page to make an exemption. We need support on how to exempt this item and have it stopped being flagged in our recommendations and counting against the secure score. Thank you for your assistance.
Cusimano, Joey 80 Reputation points

2023-12-07T19:01:23.51+00:00

@ArthurS-2048 All 8 of the machines showing in our list are active and running production machines. I shared a screenshot in my other comment that probably matches what you are seeing as well. I am hoping someone helps me figure this out and I or whoever assists me can post an answer to this question that describes how to resolve the issue so it can be fixed for you as well.
Cusimano, Joey 80 Reputation points

2023-12-21T17:24:00.57+00:00

@Akshay-MSFT As shown in the below screenshot, there is nowhere on this recommendation's page to make an exemption. We need support on how to exempt this item and have it stopped being flagged in our recommendations and counting against the secure score. Thank you for your assistance.
Juergen Baur 10 Reputation points

2024-01-15T18:37:27.9433333+00:00

Is there any solution so far?
Shivam Singh 225 Reputation points

2024-03-07T08:35:05.55+00:00

We are also facing the same issue. Has any got solution for this ?
Now I see a notification that due to log analytics agent(MMA) retirement this recommendation is also set to be deprecated by August 2024.
Gorav Gandhi 21 Reputation points

2024-07-16T23:31:22.8766667+00:00

@Akshay-MSFT Any updates on this one? I'm facing the similar issue. Now it comes with another notification as below:
Cusimano, Joey 80 Reputation points

2024-08-13T16:29:39.3166667+00:00

@Gorav Gandhi Per the message, I am waiting for the recommendation to be deprecated this month. If it is not, I will try to reach out to Microsoft through our MSP to see why it is still effecting our score.

Share via

Why does "Endpoint Protection not installed on Azure VMs" falsely show as a finding in recommendations?

2 answers

Your answer