Install the Azure machine configuration extension
Defender for Cloud assesses operating system configuration against the Windows and Linux compute security baselines in the Microsoft Cloud Security Benchmark (MCSB).
The information needed for assessment is collected by the Azure machine configuration extension (formerly known as the Azure Policy guest configuration).
This article describes how to deploy the extension.
Prerequisites
| Requirement | Details |
|---|---|
| Plan | To receive operating system recommendations based on MCSB compute security baselines, Defender for Servers Plan 2 must be enabled. |
| Machine support | Review supported Azure VMs and Azure Arc VMs running Windows and Linux. |
| Extension requirements | Review extension deployment requirements for Azure VMs. |
| Permissions | To view the recommendations and explore the OS baseline data, you need Read permission on the relevant Azure subscription. |
Note
Collection with the machine configuration extension replaces the older method of data collection that used the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)). Use of the MMA will be supported until November 2024.
Install on AWS/GCP
For AWS/GCP machines, the machine configuration is installed by default when you select Arc provisioning in the AWS or GCP connector.
Install on on-premises machines
For on-premises machines, the machine configuration is enabled by default when you onboard on-premises VMs as Azure Arc-enabled VMs.
Install on Azure machines
With Defender for Servers Plan 2 enabled, you can install the machine configuration extension on machines using a Defender for Cloud recommendation.
1. Search for the appropriate recommendations:
   - Azure machines: Search for the recommendation *Guest Configuration extension should be installed on machines*.
   - Azure VMs: On Azure VMs only, you must also assign a system-assigned managed identity to the machine. To do this, search for the recommendation *Virtual machines Guest Configuration extension should be deployed with system-assigned managed identity*.
2. Remediate the recommendations as needed.
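The same two remediations carried out with the Azure CLI instead of the portal, as an added example that is not part of the original article. It assumes you are signed in with `az login` and that the VM already exists; the publisher `Microsoft.GuestConfiguration` and the `ConfigurationforWindows`/`ConfigurationforLinux` extension types with their `AzurePolicyforWindows`/`AzurePolicyforLinux` instance names are the names the extension is published under and are assumed here, since this page does not list them.

```shell
#!/usr/bin/env bash
# Added example: assign a system-assigned managed identity to an Azure VM and
# install the machine configuration (guest configuration) extension, which is
# what remediating the two recommendations above does for you in the portal.
set -eu

# Map the VM operating system to the extension type published under
# Microsoft.GuestConfiguration (assumed names). Anything else is rejected.
gc_extension_type() {
  case "$1" in
    windows|Windows) echo "ConfigurationforWindows" ;;
    linux|Linux)     echo "ConfigurationforLinux" ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Instance name the extension is deployed under on the VM (assumed names).
gc_extension_name() {
  case "$1" in
    windows|Windows) echo "AzurePolicyforWindows" ;;
    linux|Linux)     echo "AzurePolicyforLinux" ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# 1. Assign a system-assigned managed identity (required on Azure VMs).
# 2. Install the extension with automatic minor-version upgrades enabled.
# 3. Print the provisioning state so the install can be verified.
deploy_machine_configuration() {
  local rg="$1" vm="$2" os="$3"
  local ext_type ext_name
  ext_type="$(gc_extension_type "$os")"
  ext_name="$(gc_extension_name "$os")"

  az vm identity assign --resource-group "$rg" --name "$vm" --output none

  az vm extension set \
    --resource-group "$rg" --vm-name "$vm" \
    --publisher Microsoft.GuestConfiguration \
    --name "$ext_type" \
    --extension-instance-name "$ext_name" \
    --enable-auto-upgrade true \
    --output none

  az vm extension show --resource-group "$rg" --vm-name "$vm" \
    --name "$ext_name" --query provisioningState --output tsv
}

# Usage (uncomment to run): deploy_machine_configuration myResourceGroup myVM linux
```

The final `az vm extension show` should report `Succeeded`; once it does, the VM appears in the OS baseline assessment described in this article.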
Autoprovision the guest configuration extension
For Azure VMs, you can autoprovision the guest configuration extension across an entire subscription.
1. In Defender for Cloud, open Environment settings > Your subscription > Settings & Monitoring.
2. Under Settings, select Guest Configuration.
3. Toggle the Guest Configuration agent (preview) to On.
4. Select Continue.
With the machine configuration extension enabled on a machine, the machine can then be assessed against the Windows and Linux operating system baselines.
Next step
Review OS misconfiguration recommendations.