Why does "Endpoint Protection not installed on Azure VMs" falsely show as a finding in recommendations?

Cusimano, Joey 80 Reputation points
2023-11-29T16:24:44.4+00:00

We have had a recommendation in Microsoft Defender for Cloud for a while now called "Endpoint Protection not installed on Azure VMs". This item is a -4% or -3% on the secure score (keeps changing) and we would like to resolve it, but it does not seem to detect that Windows Defender is enabled on all of these VMs.

There is also a note stating "There is a newer version of this recommendation" that points to "Endpoint protection should be installed on machines", which lists all 8 VMs as "Healthy Resources".

We took one of the VMs and verified Windows Defender is running on it.

We also ran the Get-MpComputerStatus PowerShell command and verified that AMServiceEnabled is set to true.

I assume that because this is the flag being checked, the "newer" recommendation confirms the VM is healthy. But yet, we are being penalized 3-4% for the original one, which provides no way to exempt the machines from it.

Does Microsoft plan to remove this recommendation/seemingly unavoidable penalty since there is a newer version available? It has been around for months. How do we stop this from being flagged to get our score up?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
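
The local check described in the question (Get-MpComputerStatus and AMServiceEnabled), as an added example that is not part of the original thread: it collects that flag with a few related status fields into one record per VM that can be kept as evidence. The function name and the 7-day signature threshold are assumptions, and the script does not reproduce whatever logic Defender for Cloud uses to evaluate the recommendation.

```powershell
# Added example: summarize local Microsoft Defender Antivirus state on a Windows VM.
# Get-DefenderEvidence and the signature-age threshold are illustrative assumptions.
function Get-DefenderEvidence {
    [CmdletBinding()]
    param(
        # Maximum acceptable antivirus signature age in days (assumed threshold).
        [int]$MaxSignatureAgeDays = 7
    )

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    }
    catch {
        # Cmdlet missing or service unreachable: report it instead of failing silently.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Healthy      = $false
            Reason       = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    # Each entry is one pass/fail check derived from the status object.
    $checks = [ordered]@{
        AMServiceEnabled          = [bool]$status.AMServiceEnabled
        AntivirusEnabled          = [bool]$status.AntivirusEnabled
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        SignaturesFresh           = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
    $failed = @($checks.GetEnumerator() |
        Where-Object { -not $_.Value } |
        ForEach-Object { $_.Key })

    $reason = 'All checks passed'
    if ($failed.Count -gt 0) { $reason = "Failed: $($failed -join ', ')" }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        CollectedUtc              = (Get-Date).ToUniversalTime().ToString('o')
        AMServiceEnabled          = $checks.AMServiceEnabled
        AntivirusEnabled          = $checks.AntivirusEnabled
        RealTimeProtectionEnabled = $checks.RealTimeProtectionEnabled
        AntivirusSignatureAge     = $status.AntivirusSignatureAge
        Healthy                   = ($failed.Count -eq 0)
        Reason                    = $reason
    }
}

# Emit one JSON record for this VM.
Get-DefenderEvidence | ConvertTo-Json
```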

2 answers

  1. Cusimano, Joey 80 Reputation points
    2024-03-07T14:23:15.9266667+00:00

    An update: our MSP opened a ticket with Microsoft and we were informed that this recommendation is deprecated in favor of the newer ones (that can be exempted) and set to be removed from the dashboard in roughly a month. We have decided that we are going to wait for this to happen and regain the small amount of points toward our secure score. I would recommend relaying this information to interested parties and waiting for the item to stop being reported in the Defender for Cloud Recommendations portal.

    4 people found this answer helpful.

  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-11-30T16:41:55.12+00:00

    @Cusimano, Joey

    Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

    Update 1:

    I tried to reproduce the issue in my lab but found no luck as this recommendation did not appear in my lab environment.

    As a workaround my suggestion here is to try exempting the VMs from this recommendation. If you don't get the option then do let me know so that we could plan for an offline connect.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer(Yes)" and "share your feedback ". This will help us and others in the community as well.