Apply Azure security baselines to machines

To reduce a machine's attack surface and avoid known risks, it's important to configure the operating system (OS) as securely as possible.

The Microsoft cloud security benchmark has guidance for OS hardening which has led to security baseline documents for Windows and Linux.

Use the security recommendations described in this article to assess the machines in your environment and:

  • Identify gaps in the security configurations
  • Learn how to remediate those gaps


Aspect Details
Release state: Preview.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: Free
Prerequisites: Machines must (1) be members of a workgroup, (2) have the Guest Configuration extension, (3) have a system-assigned managed-identity, and (4) be running a supported OS:
• Windows Server 2012, 2012r2, 2016 or 2019
• Ubuntu 14.04, 16.04, 17.04, 18.04 or 20.04
• Debian 7, 8, 9, or 10
• CentOS 7 or 8
• Red Hat Enterprise Linux (RHEL) 7 or 8
• Oracle Linux 7 or 8
• SUSE Linux Enterprise Server 12
Required roles and permissions: To install the Guest Configuration extension and its prerequisites, write permission is required on the relevant machines.
To view the recommendations and explore the OS baseline data, read permission is required at the subscription level.
Clouds: Commercial clouds
National (Azure Government, Azure China 21Vianet)

What are the hardening recommendations?

Microsoft Defender for Cloud includes two recommendations that check whether the configuration of Windows and Linux machines in your environment meet the Azure security baseline configurations:

These recommendations use the guest configuration feature of Azure Policy to compare the OS configuration of a machine with the baseline defined in the Microsoft cloud security benchmark.

Compare machines in your subscriptions with the OS security baselines

To compare machines with the OS security baselines:

  1. From Defender for Cloud's portal pages, open the Recommendations page.

  2. Select the relevant recommendation:

    The two recommendations for comparing the OS configuration of machines with the relevant Azure security baseline.

  3. On the recommendation details page you can see:

    1. The affected resources.
    2. The specific security checks that failed.

    Recommendation details page for the Windows recommendation about vulnerabilities in the baseline configuration of Windows machines.

  4. To learn more about a specific finding, select it.

    Learning more about a specific finding from the guest configuration comparison of an OS configuration with the defined security baseline.

  5. Other investigation possibilities:

    • To view the list of machines that have been assessed, open Affected resources.
    • To view the list of findings for one machine, select a machine from the Unhealthy resources tab. A page will open listing only the findings for that machine.

FAQ - Hardening an OS according to the security baseline

How do I deploy the prerequisites for the security configuration recommendations?

To deploy the Guest Configuration extension with its prerequisites:

  • For selected machines, follow the security recommendation Guest Configuration extension should be installed on your machines from the Implement security best practices security control.

  • At scale, assign the policy initiative Deploy prerequisites to enable Guest Configuration policies on virtual machines.

Why is a machine shown as not applicable?

The list of resources in the Not applicable tab includes a Reason column. Some of the common reasons include:

Reason Details
No scan data available on the machine There aren't any compliance results for this machine in Azure Resource Graph. All compliance results are written to Azure Resource Graph by the Guest Configuration extension. You can check the data in Azure Resource Graph using the sample queries in Azure Policy Guest Configuration - sample ARG queries.
Guest Configuration extension is not installed on the machine The machine is missing the Guest Configuration extension, which is a prerequisite for assessing the compliance with the Azure security baseline.
System managed identity is not configured on the machine A system-assigned, managed identity must be deployed on the machine.
The recommendation is disabled in policy The policy definition that assesses the OS baseline is disabled on the scope that includes the relevant machine.

Next steps

In this document, you learned how to use Defender for Cloud's guest configuration recommendations to compare the hardening of your OS with the Azure security baseline.

To learn more about these configuration settings, see: