
Commit 0ce3600

Merge pull request #54232 from MicrosoftDocs/NEW-configure-defender-vulnerability-management
Request to push from release branch to main
2 parents 15ef1ce + 20d9324 commit 0ce3600

18 files changed

Lines changed: 499 additions & 0 deletions
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.introduction
3+
title: Introduction
4+
metadata:
5+
title: Introduction
6+
description: "Introduction"
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 2
12+
content: |
13+
[!include[](includes/1-introduction.md)]
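Review bot: the `description` field only repeats the title (`description: "Introduction"`), whereas the other units added in this commit carry a one-sentence summary of what the unit covers; since the description feeds the unit's listing and search metadata, consider a short sentence such as `description: "Learn how Microsoft Defender Vulnerability Management integrates with Defender for Servers to provide vulnerability scanning and baseline assessment for Azure VMs."` The Knowledge check and Summary units later in this commit show the same pattern.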
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.explore-vulnerability-management-integration-defender-servers
3+
title: Explore Microsoft Defender Vulnerability Management (MDVM) integration with Defender for Servers
4+
metadata:
5+
title: Explore MDVM Integration with Defender for Servers
6+
description: "Explore how Microsoft Defender Vulnerability Management integrates with Defender for Servers Plan 1 and Plan 2, comparing agent-based and agentless scanning approaches and the plan capability matrix for Azure VMs."
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 8
12+
content: |
13+
[!include[](includes/2-explore-vulnerability-management-integration-defender-servers.md)]
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.configure-vulnerability-scanning-azure-vms
3+
title: Configure vulnerability scanning for Azure VMs
4+
metadata:
5+
title: Configure Vulnerability Scanning for Azure VMs
6+
description: "Configure vulnerability scanning for Azure VMs at subscription and machine scope using Defender for Cloud Environment Settings, including scanning method selection and fixing per-machine coverage gaps via security recommendations."
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 6
12+
content: |
13+
[!include[](includes/3-configure-vulnerability-scanning-azure-vms.md)]
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.review-manage-vulnerability-findings
3+
title: Review and manage vulnerability findings
4+
metadata:
5+
title: Review and Manage Vulnerability Findings
6+
description: "Review vulnerability findings and CVE details in the Microsoft Defender portal, create disable rules to manage accepted risks, and export findings using Azure Resource Graph."
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 7
12+
content: |
13+
[!include[](includes/4-review-manage-vulnerability-findings.md)]
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.apply-premium-vulnerability-management-capabilities
3+
title: Apply Plan 2 premium MDVM capabilities
4+
metadata:
5+
title: Apply Plan 2 Premium MDVM Capabilities
6+
description: "Apply Defender for Servers Plan 2 premium capabilities including security baselines assessment using CIS and STIG benchmarks, baseline exception management, and Block Vulnerable Applications configuration for Azure VM device groups."
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 7
12+
content: |
13+
[!include[](includes/5-apply-premium-vulnerability-management-capabilities.md)]
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.knowledge-check
3+
title: Knowledge check
4+
metadata:
5+
title: Knowledge check
6+
description: "Knowledge check"
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
module_assessment: true
12+
ai_generated_module_assessment: false
13+
durationInMinutes: 3
14+
quiz:
15+
title: ""
16+
questions:
17+
- content: "Which vulnerability scanning method is available in both Defender for Servers Plan 1 and Plan 2?"
18+
choices:
19+
- content: "Agentless scanning using periodic disk snapshots"
20+
isCorrect: false
21+
explanation: "Agentless scanning is available in Defender for Servers Plan 2 only. Plan 1 doesn't include agentless scanning."
22+
- content: "Agent-based scanning via the Defender for Endpoint sensor"
23+
isCorrect: true
24+
explanation: "Agent-based scanning uses the Defender for Endpoint sensor and is available in both Plan 1 and Plan 2. It provides near-real-time vulnerability detection on VMs where the sensor is deployed."
25+
- content: "Bring-your-own-license (BYOL) scanning using Qualys or Rapid7"
26+
isCorrect: false
27+
explanation: "BYOL scanner integration doesn't require a Defender for Servers plan at all. It isn't a capability that differentiates Plan 1 from Plan 2."
28+
- content: "You need to enable vulnerability scanning for a subscription that has Defender for Servers already active. Where do you configure the Vulnerability assessment toggle in the Azure portal?"
29+
choices:
30+
- content: "Defender for Cloud > Regulatory compliance > Compliance standards"
31+
isCorrect: false
32+
explanation: "Regulatory compliance is used for evaluating compliance against security standards. Vulnerability assessment configuration is managed through Environment settings."
33+
- content: "Defender for Cloud > Recommendations > Machines should have a vulnerability assessment solution"
34+
isCorrect: false
35+
explanation: "This recommendation addresses per-machine gaps, not the subscription-level vulnerability assessment configuration. Subscription-level settings are in Environment settings."
36+
- content: "Defender for Cloud > Environment settings > subscription > Defender for Servers plan Settings > Settings and monitoring"
37+
isCorrect: true
38+
explanation: "The Vulnerability assessment toggle is in Defender for Cloud > Environment settings > select subscription > Monitoring coverage column > Defender for Servers Settings > Settings and monitoring. From there, select Edit configuration to choose your scanning method."
39+
- content: "Contoso Manufacturing wants to suppress vulnerability findings for software managed by an external vendor under a contractual security agreement. Which criteria can they specify in a Defender for Cloud disable rule?"
40+
choices:
41+
- content: "Categories, CVEs, CVSS scores, minimum severity, and patchable status"
42+
isCorrect: true
43+
explanation: "Disable rules support filtering by finding IDs, CVEs, categories, security check text, CVSS2 and CVSS3 scores (1-10), minimum severity (Medium or High), and patchable status. Categories can be used to exclude findings associated with specific software categories."
44+
- content: "Resource group name, VM operating system, and Azure region"
45+
isCorrect: false
46+
explanation: "Disable rules filter findings by vulnerability attributes such as CVE identifiers, severity, and CVSS scores—not by resource metadata like resource group, OS version, or region."
47+
- content: "Subscription ID, deployment date, and patch release version"
48+
isCorrect: false
49+
explanation: "These criteria aren't available in Defender for Cloud disable rules. Disable rules work with vulnerability attributes such as finding IDs, CVEs, categories, and severity levels."
50+
- content: "What prerequisite must be met on an Azure VM before you can use Block Vulnerable Applications?"
51+
choices:
52+
- content: "The VM must have a network security group with outbound rules restricting internet access"
53+
isCorrect: false
54+
explanation: "Network security group configuration isn't a prerequisite for Block Vulnerable Applications. The requirement is related to the endpoint protection agent on the VM."
55+
- content: "Microsoft Defender Antivirus must be in active mode on the VM"
56+
isCorrect: true
57+
explanation: "Block Vulnerable Applications has three mandatory requirements: Microsoft Defender Antivirus must be in active mode, cloud-delivered protection must be enabled, and Allow or block file must be turned on in Advanced features. For VMs where Defender Antivirus is in passive mode, this feature doesn't apply."
58+
- content: "The VM must be onboarded to Azure Automanage and assigned a configuration profile"
59+
isCorrect: false
60+
explanation: "Azure Automanage isn't a prerequisite for Block Vulnerable Applications. The feature requires Microsoft Defender Antivirus in active mode and is available through Defender for Servers Plan 2."
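Review bot: in the first question the BYOL distractor is arguably also a correct answer: its own explanation says BYOL integration "doesn't require a Defender for Servers plan at all", which means it is available under both Plan 1 and Plan 2 as well. Narrow the stem to the integrated MDVM methods, for example "Which integrated MDVM scanning method is available in both Defender for Servers Plan 1 and Plan 2?". In the second question the correct choice and its explanation give different navigation paths (`Defender for Servers plan Settings` versus `Monitoring coverage column > Defender for Servers Settings`); align the two so the learner sees one canonical path.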
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-defender-vulnerability-management.summary
3+
title: Summary
4+
metadata:
5+
title: Summary
6+
description: "Summary"
7+
ms.date: 04/06/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
durationInMinutes: 2
12+
content: |
13+
[!include[](includes/7-summary.md)]
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
Contoso Manufacturing operates a large Azure environment with hundreds of Windows Server VMs running production line automation, supply chain management, and ERP workloads. After Contoso enables Microsoft Defender for Servers across their subscriptions, the Cloud Security Engineering team discovers they have no consistent visibility into software vulnerabilities across VM fleets. Some VMs are covered by agent-based scanning through the Defender for Endpoint integration, while others have no scanner deployed. The team can see security recommendations in Defender for Cloud but can't tell which Common Vulnerabilities and Exposures (CVEs) affect which machines. They also can't demonstrate Center for Internet Security (CIS) benchmark compliance with internal auditors or enforce security baselines across their Windows Server fleet.
2+
3+
Microsoft Defender Vulnerability Management (MDVM) provides built-in vulnerability scanning and security baseline assessment for Azure VMs when integrated with Defender for Servers. In this module, you configure MDVM settings to address Contoso's visibility gaps, review vulnerability findings, and enforce compliance policies.
4+
5+
**In this module, you:**
6+
7+
- Explore how Microsoft Defender Vulnerability Management integrates with Defender for Servers Plan 1 and Plan 2 to provide agent-based and agentless vulnerability scanning for Azure VMs
8+
- Configure vulnerability scanning for Azure VMs at subscription and machine scope using Defender for Cloud Environment Settings
9+
- Review vulnerability findings, interpret CVE and severity data, and create disable rules to manage accepted risks in the Defender portal
10+
- Apply Defender for Servers Plan 2 premium capabilities—security baselines assessment and application blocking—to enforce VM security posture
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
Contoso Manufacturing enabled Defender for Servers across their Azure VM fleet, but inconsistent agent deployment means some machines have rich vulnerability data while others remain invisible. Microsoft Defender Vulnerability Management (MDVM) is natively integrated into Defender for Servers and provides continuous vulnerability scanning—but the scanning method, coverage depth, and premium features depend on which plan tier you use and whether VMs have the Defender for Endpoint agent deployed. Here, you explore how MDVM integrates with Defender for Servers, compare agent-based and agentless scanning approaches, and understand which capabilities unlock at each plan tier.
2+
3+
| Scanning Approach | Availability | How It Works |
4+
|-------------------|--------------|--------------|
5+
| Agent-based | Plan 1 and Plan 2 | Uses the Defender for Endpoint sensor deployed on VMs for near-real-time vulnerability detection |
6+
| Agentless | Plan 2 only | Scans VMs without requiring agent installation, providing visibility even for unmanaged machines |
7+
8+
## Explore how MDVM integrates with Defender for Servers
9+
10+
MDVM is automatically enabled when you activate Defender for Servers. MDVM gives you continuous vulnerability scanning across Azure VMs, on-premises machines connected through Azure Arc, and multicloud VMs from AWS or GCP. For Contoso Manufacturing's scenario, every Windows Server VM in their production automation, supply chain, and ERP environments gets scanned without manual configuration. While this module focuses on Windows Server VMs, MDVM vulnerability scanning also supports macOS and a broad range of Linux distributions for organizations with mixed-OS environments.
11+
12+
MDVM delivers four core capabilities that transform raw vulnerability data into actionable security intelligence.
13+
14+
| Feature | Description |
15+
|---------|-------------|
16+
| **Continuous asset discovery** | Tracks every software package, application, and service running on your servers. |
17+
| **Risk-based intelligent prioritization** | Ranks vulnerabilities by combining Common Vulnerabilities and Exposures (CVE) severity scores with active threat intelligence and breach likelihood predictions, so your team focuses on exploitable risks rather than theoretical weaknesses. |
18+
| **CVE-linked findings** | Provides detailed remediation guidance for each vulnerability, including software version upgrades, patches, or configuration changes. |
19+
| **Remediation tracking** | Monitors progress across your VM fleet, showing which vulnerabilities remain open and which teams own responsibility for fixes. |
20+
21+
The integration happens at the infrastructure layer rather than requiring separate licensing or configuration. When Defender for Cloud deploys the Defender for Endpoint agent on a VM, MDVM scanning activates automatically. For VMs without agents, Plan 2 customers benefit from agentless scanning that operates transparently in the background.
22+
23+
## Compare agent-based and agentless scanning approaches
24+
25+
:::image type="content" source="../media/agent-versus-agentless.png" alt-text="Diagram comparing agent-based and agentless vulnerability scanning paths in Defender for Servers, showing how each method collects data and reports findings to Defender for Cloud.":::
26+
27+
Defender for Servers supports two distinct scanning methods, each optimized for different deployment scenarios and visibility requirements. Understanding which approach applies to your VMs determines how fresh your vulnerability data is and which machines appear in your security dashboard.
28+
29+
**Agent-based scanning** uses the **Microsoft Defender for Endpoint (MDE)** sensor that Defender for Cloud automatically deploys on your VMs. This sensor runs continuously on the machine, monitoring software installations, configuration changes, and system behavior in near-real-time. When a new CVE is published or software is updated, the agent detects the change within minutes. The agent reports findings to Defender for Cloud. Agent-based scanning is available in **both Plan 1 and Plan 2**, making it the baseline scanning method for all Defender for Servers customers. For Contoso Manufacturing's production VMs that already have MDE deployed, this approach provides the richest and freshest vulnerability data.
30+
31+
> [!NOTE]
32+
> Enabling Defender for Servers (Plan 1 or Plan 2) includes a bundled Microsoft Defender for Endpoint Plan 2 license for your servers—you don't need a separate MDE subscription. When you enable Defender for Servers, MDE integration is turned on by default, and the agent is automatically provisioned on supported VMs.
33+
34+
**Agentless scanning** operates without requiring any software installation on target VMs. Defender for Cloud takes periodic snapshots of VM disks and analyzes the file system, registry, and installed software inventory offline. This approach discovers vulnerabilities even on VMs that aren't connected to the corporate network, have no agents deployed, or run in isolated environments. Agentless scanning is **exclusive to Plan 2**, extending visibility to machines that fall outside your agent footprint. For Contoso Manufacturing's development VMs or temporary workloads that don't justify agent deployment, agentless scanning fills critical visibility gaps.
35+
36+
When both scanning methods are available on the same VM, Defender for Cloud applies a priority rule: **agent-based results take precedence** because they're fresher and more detailed. If a machine has both MDE agent installed and agentless scanning enabled, you see agent-based findings in your dashboard. If a machine lacks the MDE agent, Defender for Cloud automatically scans it agentlessly (Plan 2 only), ensuring no VM goes unmonitored. Organizations using BYOL scanners from Qualys or Rapid7 follow a similar priority—partner agent results appear for machines with those agents installed, while agentless MDVM results fill gaps for machines without partner coverage.
37+
38+
## Evaluate Defender for Servers plan tiers and MDVM features
39+
40+
Defender for Servers offers two plan tiers with distinctly different MDVM capabilities. Choosing between Plan 1 and Plan 2 affects not just scanning methods, but the depth of security insights you receive.
41+
42+
**Plan 1** provides foundational vulnerability management through agent-based scanning. Every VM with the Defender for Endpoint sensor gets continuous monitoring, configuration assessment, risk-based prioritization, remediation tracking, software inventory, and software usage insights. This tier gives Contoso Manufacturing's security team everything they need to identify and remediate critical vulnerabilities across their production Windows Server fleet. The limitation is coverage: VMs without agents remain invisible, and advanced assessment features aren't available.
43+
44+
**Plan 2** includes everything in Plan 1 plus agentless scanning and six advanced assessment capabilities that compliance-focused organizations require. **Security baselines assessment** evaluates VMs against CIS Benchmarks and DISA STIG standards, generating compliance scores for audit reporting. **Block vulnerable applications** lets you prevent execution of software with known critical vulnerabilities until patches are applied. **Digital certificate assessment** identifies expired or weak certificates that create authentication risks. **Browser extensions assessment** discovers risky or malicious browser plugins on server VMs. **Network share analysis** maps exposed file shares and their permissions. **Hardware and firmware assessment** detects vulnerabilities in BIOS, UEFI, and hardware components that software-only scanners miss.
45+
46+
For Contoso Manufacturing, the choice depends on coverage requirements and compliance obligations. If their Compliance Manager needs CIS Benchmark scores for audit reports or their security policies require blocking vulnerable applications, Plan 2 is essential. If their cloud security engineer simply needs vulnerability visibility across the entire VM fleet—including development and temporary workloads—Plan 2's agentless scanning extends coverage without operational overhead.
47+
48+
| Feature | Plan 1 | Plan 2 |
49+
|---------|--------|--------|
50+
| Agent-based vulnerability scanning | Supported | Supported |
51+
| Agentless vulnerability scanning | - | Supported |
52+
| Configuration assessment | Supported | Supported |
53+
| Risk-based prioritization | Supported | Supported |
54+
| Remediation tracking | Supported | Supported |
55+
| Software inventory | Supported | Supported |
56+
| Software usage insights | Supported | Supported |
57+
| Security baselines assessment (CIS/STIG) | - | Supported |
58+
| Block vulnerable applications | - | Supported |
59+
| Digital certificate assessment | - | Supported |
60+
| Browser extensions assessment | - | Supported |
61+
| Network share analysis | - | Supported |
62+
| Hardware and firmware assessment | - | Supported |
63+
64+
Organizations with existing Qualys or Rapid7 deployments can integrate BYOL (bring your own license) scanners with Defender for Cloud instead of using integrated MDVM scanning. BYOL scanners report findings to their own management platforms, which feed vulnerability data back to Defender for Cloud's security dashboard. This option doesn't require a paid Defender for Servers plan, though you lose access to MDVM's premium features like security baselines assessment and remediation tracking. This module focuses on the integrated MDVM experience rather than BYOL scenarios.
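Review bot: the closing BYOL paragraph names remediation tracking as one of "MDVM's premium features", but the plan table directly above marks remediation tracking as Supported in Plan 1 and the Plan 1 paragraph lists it as a baseline capability; either drop it from that sentence or replace it with a Plan 2-only item such as block vulnerable applications. Related: the integration section's claim that "every Windows Server VM ... gets scanned without manual configuration" overstates coverage, since the plan tiers section says Plan 1 VMs without the MDE sensor remain invisible and agentless scanning is Plan 2 only; qualify it accordingly. Minor grammar in the priority-rule paragraph: "If a machine has both MDE agent installed" should read "has both the MDE agent installed".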
