Review & Remediate Security Baseline Recommendations

Implementation Effort: Medium
Security and IT teams must review OS-level misconfigurations, validate guest configuration deployment, and remediate findings based on Microsoft Cloud Security Benchmark (MCSB) baselines.

User Impact: Low
Security baseline remediation is handled by administrators and security teams; end users are not directly involved.

Overview

Microsoft Defender for Servers continuously assesses virtual machines against security baselines defined by the Microsoft Cloud Security Benchmark (MCSB). These baselines help ensure that operating system configurations align with best practices for security and compliance. When deviations are detected, Defender for Cloud generates recommendations to guide remediation.

Prerequisites

• Defender for Servers Plan 2 must be enabled.
• The Azure Policy machine configuration extension (formerly Guest Configuration) must be installed on the VM.
• Machines must not be using the deprecated Log Analytics agent (MMA) to avoid duplicate recommendations 1.

How to Review Security Baseline Recommendations

1. Go to Microsoft Defender for Cloud > Recommendations.
2. Look for:
   • "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)"
   • "Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)"
3. Select the recommendation to view:
   • Affected resources
   • Specific misconfigurations
   • Remediation guidance 1

How to Remediate

• Follow the Remediation steps provided in the recommendation details.
• Use Azure Resource Graph queries to identify and track misconfigurations at scale.
• Apply configuration changes manually or via automation (e.g., Azure Policy, PowerShell, or configuration management tools) 1.

Additional Tools

• Azure Resource Graph: Query and export baseline compliance data.
• Security Exposure Management: Centralized view of recommendations across Defender for Cloud and Defender Vulnerability Management 2.

Failing to remediate baseline misconfigurations can result in non-compliance and increased exposure to attacks. This capability supports the "Verify Explicitly" and "Assume Breach" principles of Zero Trust by ensuring all systems are hardened and continuously monitored.

Reference

• Review OS misconfiguration recommendations in Microsoft Defender for Cloud
• Security baselines assessment - Microsoft Defender Vulnerability Management
• Review security recommendations in Microsoft Security Exposure Management