Review hardening recommendations


This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.


As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see this announcement.

To reduce a machine's attack surface and avoid known risks, it's important to configure the operating system (OS) as securely as possible.

The Microsoft cloud security benchmark has guidance for OS hardening, which has led to security baseline documents for Windows and Linux.

Use the security recommendations described in this article to assess the machines in your environment and:

  • Identify gaps in the security configurations
  • Learn how to remediate those gaps


Aspect Details
Release state: Preview.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: Free
Prerequisites: Machines must (1) be members of a workgroup, (2) have the Guest Configuration extension, (3) have a system-assigned managed-identity, and (4) be running a supported OS:
• Windows Server 2012, 2012r2, 2016 or 2019
• Ubuntu 14.04, 16.04, 17.04, 18.04 or 20.04
• Debian 7, 8, 9, or 10
• CentOS 7 or 8
• Red Hat Enterprise Linux (RHEL) 7 or 8
• Oracle Linux 7 or 8
• SUSE Linux Enterprise Server 12
Required roles and permissions: To install the Guest Configuration extension and its prerequisites, write permission is required on the relevant machines.
To view the recommendations and explore the OS baseline data, read permission is required at the subscription level.
Clouds: Commercial clouds
National (Azure Government, Microsoft Azure operated by 21Vianet)

What are the hardening recommendations?

Microsoft Defender for Cloud includes two recommendations that check whether the configuration of Windows and Linux machines in your environment meet the Azure security baseline configurations:

These recommendations use the guest configuration feature of Azure Policy to compare the OS configuration of a machine with the baseline defined in the Microsoft cloud security benchmark.

Compare machines in your subscriptions with the OS security baselines

To compare machines with the OS security baselines:

  1. From Defender for Cloud's portal pages, open the Recommendations page.

  2. Select the relevant recommendation:

    The two recommendations for comparing the OS configuration of machines with the relevant Azure security baseline.

  3. On the recommendation details page you can see:

    1. The affected resources.
    2. The specific security checks that failed.

    Recommendation details page for the Windows recommendation about vulnerabilities in the baseline configuration of Windows machines.

  4. To learn more about a specific finding, select it.

    Learning more about a specific finding from the guest configuration comparison of an OS configuration with the defined security baseline.

  5. Other investigation possibilities:

    • To view the list of machines that have been assessed, open Affected resources.
    • To view the list of findings for one machine, select a machine from the Unhealthy resources tab. A page will open listing only the findings for that machine.

Next steps

In this document, you learned how to use Defender for Cloud's guest configuration recommendations to compare the hardening of your OS with the Azure security baseline.

To learn more about these configuration settings, see: