주요 콘텐츠로 건너뛰기

Deploy Guest Configuration

Implementation Effort: Medium
Security and IT teams must enable Defender for Servers Plan 2, assign managed identities, and deploy the machine configuration extension across Azure, Arc-enabled, and multicloud machines.

User Impact: Low
Guest configuration deployment is handled by administrators; end users are not directly involved.

Overview

Guest Configuration in Microsoft Defender for Servers enables continuous assessment of operating system configurations against security baselines, such as the Microsoft Cloud Security Benchmark (MCSB). This is achieved using the Azure Machine Configuration extension, formerly known as the Azure Policy Guest Configuration extension.

Key Capabilities

  • Assesses OS-level settings on Windows and Linux machines.
  • Identifies misconfigurations based on MCSB compute security baselines.
  • Supports Azure VMs, Azure Arc-enabled servers (on-premises, AWS, GCP).

Prerequisites

  • Defender for Servers Plan 2 must be enabled.
  • Machines must support the Azure Machine Configuration extension.
  • System-assigned managed identity is required for Azure VMs 1.

How to Deploy Guest Configuration

For Azure VMs

  1. Go to Microsoft Defender for Cloud > Environment settings > Your subscription > Settings & Monitoring.
  2. Under Guest Configuration, toggle the Guest Configuration agent (preview) to On.
  3. Assign a system-assigned managed identity to each VM.
  4. Search for and remediate the recommendation:
    "Guest Configuration extension should be deployed with system-assigned managed identity."

For Azure Arc-enabled Machines (On-premises, AWS, GCP)

  • The extension is installed automatically when machines are onboarded via Azure Arc.
  • No manual deployment is needed if Arc provisioning is selected during connector setup 1.

Automation Options

  • Use Azure Policy, ARM templates, Bicep, or Terraform to deploy at scale 2.
  • CLI and PowerShell options are also available for scripting deployments.

Failing to deploy guest configuration can result in missed OS-level misconfigurations, reducing visibility into compliance and security posture. This capability supports the "Verify Explicitly" principle of Zero Trust by continuously validating system configurations against known baselines.

Reference