Introduction

Contoso Manufacturing operates a large Azure environment with hundreds of Windows Server VMs running production line automation, supply chain management, and ERP workloads. After Contoso enables Microsoft Defender for Servers across its subscriptions, the Cloud Security Engineering team discovers it has no consistent visibility into software vulnerabilities across the VM fleet. Some VMs are covered by agent-based scanning through the Defender for Endpoint integration, while others have no scanner deployed. The team can see security recommendations in Defender for Cloud but can't tell which Common Vulnerabilities and Exposures (CVEs) affect which machines. It also can't demonstrate Center for Internet Security (CIS) benchmark compliance to internal auditors or enforce security baselines across the Windows Server fleet.

Microsoft Defender Vulnerability Management (MDVM) provides built-in vulnerability scanning and security baseline assessment for Azure VMs when integrated with Defender for Servers. In this module, you configure MDVM settings to address Contoso's visibility gaps, review vulnerability findings, and enforce compliance policies.

In this module, you:

  • Explore how Microsoft Defender Vulnerability Management integrates with Defender for Servers Plan 1 and Plan 2 to provide agent-based and agentless vulnerability scanning for Azure VMs
  • Configure vulnerability scanning for Azure VMs at subscription and machine scope using Defender for Cloud Environment Settings
  • Review vulnerability findings, interpret CVE and severity data, and create disable rules to manage accepted risks in the Defender portal
  • Apply Defender for Servers Plan 2 premium capabilities—security baselines assessment and application blocking—to enforce VM security posture