Defender for Cloud - Regulatory compliance not matching with Azure policy

mij2020 376 Reputation points
2023-09-21T15:24:52.89+00:00

Hi all,

Within MS Defender for Cloud Regulatory compliance - we have a compliance issue with CIS Azure Foundation v1.4.0 "7.4 Ensure that Only Approved Extensions are installed"

Section 7.4 states that we have nearly 100 resources that are unhealthy because they have VM extensions that have not been approved. The policy which controls this part of the compliance is "Only approved VM extensions should be installed". The compliance for this policy is 100% compliant. This is correct - we have added all installed VM extensions into the approved extensions array in the policy - therefore I would not have expected section 7.4 to be flagging with so many issues.

Anyone have any ideas as to why this is the case?

Thanks


2 answers

  1. JimmySalian-2011 42,611 Reputation points
    2023-09-22T08:15:33.56+00:00

    Hi Mij,

    How long has it been since you updated the policy? Usually 12 hours is the time frame for the policies and data to reflect correct settings, so I would suggest waiting and evaluating after 12 hours.

    Also check with this command on one of the VMs to see the actual extensions installed:

    Get-AzVMExtension -ResourceGroupName [ResourceGroupName] -VMName [VMName] | Format-List ExtensionType
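
    The same check extended to every VM in the subscription, as an added example that is not part of either post: it lists each installed extension with its type and publisher and flags those whose type is not in the approved list, so the output can be compared directly with the resources section 7.4 flags. It assumes the Az.Compute cmdlets, an existing Connect-AzAccount session, and a constructed $ApprovedExtensions list that you replace with the exact values from the approved extensions array in the policy assignment.

```powershell
# Added example (not from the original thread). Reports extensions installed on every VM in the
# current subscription whose type is not in the approved list.
# Requires Az.Compute (Get-AzVM, Get-AzVMExtension) and an existing Connect-AzAccount session.

# Constructed sample values: replace with the exact entries from the policy's approved extensions array.
# The built-in policy matches on the extension type (ExtensionType), not the extension resource name.
$ApprovedExtensions = @(
    'AzureMonitorWindowsAgent',
    'AzureMonitorLinuxAgent',
    'MDE.Windows',
    'MDE.Linux'
)

function Get-UnapprovedVmExtension {
    param(
        [Parameter(Mandatory)][string[]] $Approved
    )

    $report = foreach ($vm in Get-AzVM) {
        $installed = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        foreach ($ext in $installed) {
            # -contains is case-insensitive, matching how Azure Policy compares strings.
            $isApproved = $Approved -contains $ext.ExtensionType
            [pscustomobject]@{
                ResourceGroup = $vm.ResourceGroupName
                VM            = $vm.Name
                ExtensionName = $ext.Name
                ExtensionType = $ext.ExtensionType
                Publisher     = $ext.Publisher
                State         = $ext.ProvisioningState
                Approved      = $isApproved
            }
        }
    }

    # Only the rows that would make a VM unhealthy under 7.4.
    $report | Where-Object { -not $_.Approved }
}

$unapproved = Get-UnapprovedVmExtension -Approved $ApprovedExtensions
$unapproved | Sort-Object ResourceGroup, VM | Format-Table -AutoSize
"VMs with at least one unapproved extension: $(($unapproved | Select-Object -ExpandProperty VM -Unique).Count)"
```

    Compare the ExtensionType values in this output against the approved array character for character; a type that differs from the array entry by name or spelling is what the check would count as unapproved.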
    

