A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
Enabling vulnerability assessment for Defender for Servers is controlled entirely from Defender for Cloud and is subject to a few prerequisites and behaviors described in the documentation.
- Known behavior / sync considerations
After Defender for Servers is enabled on a subscription:
- A 30‑day trial period starts and cannot be paused or extended.
- Microsoft Defender for Endpoint is automatically installed on supported machines (unless automatic provisioning is disabled).
- Microsoft Defender Vulnerability Management is then enabled by default on machines with the Defender for Endpoint extension installed.
- Agentless vulnerability scanning is enabled by default when Defender for Servers Plan 2 is enabled.
Because vulnerability management is enabled by default with Defender for Servers, the main configuration point is making sure the plan is correctly enabled and that the underlying agents/extensions are actually present on the machines. The documentation does not describe a persistent backend bug or known issue where vulnerability assessment settings revert; instead, the effective configuration depends on:
- Defender for Servers plan state
- Automatic provisioning settings
- Machine eligibility (supported OS, connectivity, etc.)
If any of these changes after the setting was saved, or was never satisfied, the result can look like a vulnerability assessment setting that does not persist.
- How to validate configuration (portal and at scale)
To validate that vulnerability assessment is enabled at the subscription level:
- In Defender for Cloud, open Environment settings.
- Select the target subscription.
- Under Defender for Servers plan, select Monitoring coverage > Settings.
- In Settings and monitoring, ensure Vulnerability assessment for machines is turned on and that an assessment solution is selected via Edit configuration, then Apply and Save.
This is the authoritative configuration path. The documentation does not provide a specific CLI/PowerShell command in the provided context, but the subscription‑level state is defined by these Defender for Cloud plan and monitoring settings.
For posture validation:
- Use Defender for Cloud recommendations such as:
- “A vulnerability assessment solution should be enabled on your virtual machines” (Azure Policy built‑in definition) to confirm that VMs are being recognized as having a vulnerability assessment solution.
- “Machines should be configured securely (powered by MDVM)” to see security baseline and vulnerability‑related recommendations.
These recommendations provide an effective validation that vulnerability assessment is active and producing results.
- Prerequisites for vulnerability assessment under Defender for Servers
From the vulnerability assessment and Defender for Servers documentation:
- Plan requirements:
- Agent‑based vulnerability scanning requires Defender for Servers Plan 1 (P1) or Plan 2 (P2).
- Agentless vulnerability scanning is on by default when Defender for Servers Plan 2 or the Defender CSPM plan is enabled.
- Machine requirements:
- Machines must be in the supported OS list for Microsoft Defender Vulnerability Management.
- Permissions:
- Owner at resource group level to deploy the scanner.
- Security Reader to view findings.
- For OS configuration assessment (often surfaced alongside vulnerability assessment):
- Defender for Servers Plan 2 must be enabled.
- Azure Machine Configuration (Guest Configuration) extension must be present on machines, and Azure VMs must have a system‑assigned managed identity.
- For system update/patch recommendations (often part of the same security posture view):
- Defender for Servers Plan 2 must be enabled.
- Machines must be supported by Azure Update Manager.
- Arc‑enabled onboarding is required for on‑premises and multicloud machines.
If these prerequisites are not met, Defender for Cloud may not be able to fully apply or use the vulnerability assessment configuration even if the portal toggle appears enabled.
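The subscription-level state behind the portal toggle (plan tier and sub-plan, the Defender for Endpoint and agentless-scanning extensions, and the selected assessment solution) can be checked outside the portal, which is what "at scale" validation and the prerequisite list above come down to. The following is an added example and is not code from the Defender for Cloud documentation or the product. It works on JSON shaped like Azure's own responses so it runs offline; the real documents would come from `az security pricing show --name VirtualMachines` and from the subscription's `Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting` resource. That second resource, its `selectedProvider` property and the value `MdeTvm`, and the extension names `MdeDesignatedSubscription` and `AgentlessVmScanning` are assumptions about the Microsoft.Security API that should be verified against a live response; every sample document in the block is constructed, not captured.

```python
"""Subscription-level prerequisite check for Defender for Servers VA.

Added example, not code from the Defender for Cloud documentation. It
evaluates the state the portal toggle "Vulnerability assessment for machines"
depends on, using JSON shaped like Azure's responses:

  az security pricing show --name VirtualMachines        (plan + extensions)
  az rest --method get --url "https://management.azure.com/subscriptions/<sub>/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2023-05-01"

The second resource, its 'selectedProvider' property and the value 'MdeTvm',
and the extension names 'MdeDesignatedSubscription' / 'AgentlessVmScanning'
are assumptions about the Microsoft.Security API; verify them against a live
response. All sample documents below are constructed, not captured.
"""
import json


def _props(doc: dict) -> dict:
    # ARM REST nests settings under "properties"; az CLI flattens them.
    return doc.get("properties", doc)


def _enabled(value) -> bool:
    # Extension flags are the strings "True"/"False" in REST responses.
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def check_va_prerequisites(pricing_json: str, va_setting_json: str) -> list:
    """Return findings explaining why VA can look unconfigured; [] means the
    subscription-level state matches what the documentation requires."""
    findings = []
    plan = _props(json.loads(pricing_json))
    tier, sub_plan = plan.get("pricingTier"), plan.get("subPlan")

    if tier != "Standard":
        # Without the paid plan nothing below is meaningful.
        findings.append(f"Defender for Servers is not enabled (pricingTier={tier!r})")
        return findings
    if sub_plan not in ("P1", "P2"):
        findings.append(f"Unexpected subPlan {sub_plan!r}; expected P1 or P2")

    ext = {e.get("name"): _enabled(e.get("isEnabled"))
           for e in plan.get("extensions", [])}
    if not ext.get("MdeDesignatedSubscription", False):
        findings.append("Defender for Endpoint integration is off, so agent-based "
                        "Defender Vulnerability Management will not be provisioned")
    if sub_plan == "P2" and not ext.get("AgentlessVmScanning", False):
        findings.append("Plan 2 is enabled but agentless VM scanning is turned off")

    provider = _props(json.loads(va_setting_json)).get("selectedProvider")
    if provider != "MdeTvm":
        findings.append(f"No assessment solution selected (selectedProvider={provider!r})")
    return findings


def _pricing(tier, sub_plan=None, mde=True, agentless=True) -> str:
    # Builds a constructed pricing document in the REST (nested) shape.
    return json.dumps({"name": "VirtualMachines", "properties": {
        "pricingTier": tier, "subPlan": sub_plan,
        "extensions": [
            {"name": "MdeDesignatedSubscription", "isEnabled": str(mde)},
            {"name": "AgentlessVmScanning", "isEnabled": str(agentless)},
        ]}})


def _va_setting(provider) -> str:
    # Constructed AzureServersSetting document (assumed shape, see docstring).
    return json.dumps({"name": "AzureServersSetting", "kind": "AzureServersSetting",
                       "properties": {"selectedProvider": provider}})


# Constructed samples: a healthy Plan 2 subscription, a Plan 2 subscription with
# agentless scanning switched off and no solution chosen, and the free tier.
SAMPLE_OK = (_pricing("Standard", "P2"), _va_setting("MdeTvm"))
SAMPLE_DRIFTED = (_pricing("Standard", "P2", agentless=False), _va_setting(""))
SAMPLE_FREE = (_pricing("Free"), _va_setting("MdeTvm"))

if __name__ == "__main__":
    for label, docs in (("ok", SAMPLE_OK), ("drifted", SAMPLE_DRIFTED), ("free", SAMPLE_FREE)):
        print(label, check_va_prerequisites(*docs) or ["no findings"])
```

To use it against a real subscription, feed the JSON returned by the two lookups into `check_va_prerequisites` (the parser accepts both the nested REST shape and the flattened az CLI shape). It only verifies the subscription-level state; per-machine eligibility (supported OS, Arc onboarding, connectivity) still has to be read from the recommendations named earlier, because a subscription that passes every check here can still show machines without an assessment solution.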
- Recommended next steps for the described symptoms
Given the behavior described (error on save or apparent reversion):
- Confirm that Defender for Servers Plan 1 or Plan 2 is enabled on the subscription where the error occurs.
- In Environment settings → [subscription] → Defender for Servers → Monitoring coverage → Settings, re‑enable Vulnerability assessment for machines, choose an assessment solution, and save.
- Verify that:
- Machines are supported OS versions for Defender Vulnerability Management.
- Defender for Endpoint is installed (for agent‑based scanning) and that agentless scanning is enabled if using Plan 2.
- Azure Policy recommendation “A vulnerability assessment solution should be enabled on your virtual machines” shows machines as healthy where expected.
- Recommendations such as “Machines should be configured securely (powered by MDVM)” and system update recommendations are appearing for those machines.
If the portal still reports “Not all data collection settings … could be saved” and the plan prerequisites are satisfied, the next step would be to collect the exact subscription and plan state and open a support case, as the provided documentation does not list a known defect that matches this specific error string.
References:
- Enable vulnerability scanning with Microsoft Defender Vulnerability Management
- Defender for Servers
- Operating system misconfigurations
- Remediate system update and patch recommendations
- Posture and vulnerability management
- Security Control v3: Posture and vulnerability management
- Azure security baseline for Virtual Machine Scale Sets