Summary

Contoso Manufacturing started with a vulnerability visibility gap—their Azure VMs lacked consistent scanning, findings were buried in noise, and the security team had no enforcement mechanism to prevent known vulnerable applications from running. Contoso transformed that reactive posture into a proactive defense. Now, MDVM scans run automatically across all production VMs. Vulnerability findings surface in the Defender portal with disable rules tuned to filter out accepted risks. CIS Benchmark profiles measure baseline compliance on critical servers, and Block Vulnerable Applications prevents exploitation on endpoints where Defender Antivirus is active. The auditors have their compliance evidence, and the security team has an actionable, noise-reduced view of real risk.

In this module, you:

  • Explored how MDVM integrates with Defender for Servers Plan 1 and Plan 2 to provide agent-based and agentless vulnerability scanning for Azure VMs
  • Configured vulnerability scanning for Azure VMs at subscription and machine scope using Defender for Cloud Environment Settings
  • Reviewed vulnerability findings, interpreted CVE and severity data, and created disable rules to manage accepted risks in the Defender portal
  • Applied Defender for Servers Plan 2 premium capabilities—security baselines assessment and application blocking—to enforce VM security posture

Key insights

Scanning method selection drives both coverage and freshness. Plan 1 provides agent-based continuous scanning for machines with the Defender for Endpoint agent; Plan 2 adds agentless scanning for machines without agents, extending coverage across unmanaged and ephemeral VMs. Disable rules are essential for operationalizing MDVM—they prevent recommendation noise by filtering out CVEs that are false positives, accepted risks, or irrelevant to your environment. Finally, Plan 2 premium capabilities shift vulnerability management from detection to enforcement. Security baselines assessment measures compliance against industry standards like CIS Benchmarks, while Block Vulnerable Applications prevents exploitation by stopping applications with known CVEs from executing.

Learn more