Review & Remediate Guest Configuration Recommendations

Implementation Effort: Medium
Security and IT teams must ensure the guest configuration extension is deployed, review OS-level misconfigurations, and apply remediations based on Microsoft Cloud Security Benchmark (MCSB) baselines.

User Impact: Low
Guest configuration remediation is handled by administrators and security teams; end users are not directly involved.

Overview

Microsoft Defender for Servers uses the Azure Policy machine configuration extension (formerly known as Guest Configuration) to assess operating system settings against security baselines. These baselines are defined by the Microsoft Cloud Security Benchmark (MCSB) and help organizations harden their server environments.

When misconfigurations are detected, Defender for Cloud generates recommendations that guide remediation efforts for both Windows and Linux machines.

Prerequisites

• Defender for Servers Plan 2 must be enabled.
• The Azure Policy machine configuration extension must be installed on each machine.
• Avoid using the deprecated Log Analytics agent (MMA) to prevent duplicate recommendations 1.

How to Review Guest Configuration Recommendations

1. Go to Microsoft Defender for Cloud > Recommendations.
2. Look for:
   • "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)"
   • "Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)"
3. Select the recommendation to view:
   • Affected resources
   • Specific misconfigurations
   • Suggested remediation steps 1

How to Remediate

• Follow the Remediation steps provided in the recommendation details.
• Use Azure Resource Graph queries to identify and track misconfigurations at scale.
• Apply configuration changes manually or automate them using Azure Policy, PowerShell, or configuration management tools 1.

Additional Tools

• Azure Resource Graph: Enables querying of unhealthy rules and affected machines.
• Security Exposure Management: Provides a centralized view of OS-level misconfigurations and other posture gaps.

Failing to remediate guest configuration findings can result in non-compliance and increased exposure to threats. This capability supports the "Verify Explicitly" and "Assume Breach" principles of Zero Trust by ensuring all systems are continuously assessed and hardened.

Reference

• Review OS misconfiguration recommendations in Microsoft Defender for Cloud
• Set up Azure Policy guest configuration on machines protected by Defender for Cloud
• Operating system misconfigurations in Defender for Cloud