This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi All,
we just switched on Defender for Cloud (using Azure Monitor Agent and a custom workspace) and configured auto-provisioning.
This has - as expected - create a policy initiative called "Custom Defender for Cloud provisioning Azure Monitor agent" with a whole bunch of policies. (The whole list is below my signature - there are also other policy initiatives for Kubernetes and SQL which I think are not relevant to this question)
I fully expected there to be policies to deploy AMA itself and also the various association rules.
However, I am really surprised by two things:
(1) What is the "Azure Security Agent" those policies want to install? Opening the policy definition it wants to install an extension of type "AzureSecurityWindowsAgent" from publisher "Microsoft.Azure.Security.Monitoring" I tried finding this in the MS Doc, but struggled to find anything.
(2) Why are there no policies to install the Qualys agent? We are on Plan 2 and have selected the Qualys agent (just double-checked) as our chosen Vulnerability Management Solution. I believe the type of that is Qualys.WindowsAgent.AzureSecurityCenter with name WindowsAgent.AzureSecurityCentre
Any input is greatly appreciated - in particular the first point bothers me a little - I would rather not have an unidentified piece of software running on my machines!
Kind Regards
Jens
[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual MachinesDeployIfNotExistsCompliant00[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection RuleDeployIfNotExistsCompliant00[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00Configure Linux Arc-enabled machines to run Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Configure supported Windows machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authenticationDeployIfNotExistsCompliant00Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authenticationDeployIfNotExistsCompliant00Configure Windows Arc-enabled machines to run Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection RuleDeployIfNotExistsCompliant00[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentDeployIfNotExists
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Anonymous Did you get chance to look into my previous comment? Kindly revert if you have further questions.
@Anonymous Hope the information provided is useful. Let me know if you have further questions.
The policy installs the agent as an extension on the VM or Arc system. See the Extensions section on the VM/Arc dashboard/blade. I think Qualys is now the secondary option. MDFC uses MDE's assessment engine. You can still choose Qualys in the settings. I would expect this triggers a similar policy and extension.
Thanks! I have in the meantime answered my second question (I did find the policy in the end), but I am still not clear on my first question:
At the moment the following agents are installed (visible in the Extensions pane of the test VM):
AzureMonitorWindowsAgent Type: Microsoft.Azure.Monitor.AzureMonitorWindowsAgent
AzurePolicyforWindows Type: Microsoft.GuestConfiguration.ConfigurationforWindows
AzureSecurityWindowsAgent: Type Microsoft.Azure.Security.Monitoring.AzureSecurityWindowsAgent
MDE.Windows: Type: Microsoft.Azure.AzureDefenderForServers.MDE.Windows
MicrosoftMonitoringAgent Type: Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent
WindowsAgent.AzureSecurityCenter Type: Qualys.WindowsAgent.AzureSecurityCenter
I am clear what they all are (AMA, Guest Configuration, Defender for Endpoint, MMA (Legacy) and Qualys), except for the one in bold which is the one I queried above.
There seems to be no documentation I could find. Which component uses this and why?
Also - one of the reasons I am asking - this "AzureSecurityWindowsAgent" wasnt deployed by the policy to some our VMs and I am not clear why. So some have it now and some don't, but thats hard for me to diagnose without even knowing what and why it is in the first instance.
Would really like your insight!
THanks
Jens
AzureSecurityWindowsAgent is a lightweight agent that can be installed on Windows servers to collect security-related events and send them to Azure Security Center for analysis. The agent can collect events related to security configurations, malware detection, and other security-related activities.
The free pricing tier of the Azure Security Center is enabled by default on all Azure subscriptions, once you visit the Azure Security Center in the portal for the first time (or activate it via the API). Then it will automatically discover and onboard Azure resources, including PaaS services in Azure (Service Fabric, SQL Database etc).
Once the agent is installed, it will start collecting security-related events and sending them to Azure Security Center. You can view the collected events in the Azure Security Center portal and use them to identify security issues and take appropriate actions to remediate them.
Note that the AzureSecurityWindowsAgent is just one of several agents and tools that can be used to collect security-related events in Azure. Other agents and tools include the Azure Security Center agent for Linux, the Azure ATP sensor for Windows, and the Microsoft Monitoring Agent (MMA) for Windows. Let me know if you have any other questions!
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more