“Microsoft Defender for Servers must be enabled on subscriptions” – Vulnerability Assessment configuration not persisting

Rani Chidaraboina (LTIMindtree Limited) 0 Reputation points Microsoft External Staff
2026-06-11T05:36:22.7533333+00:00

We are currently addressing a newly introduced Azure Tenant Security (AZTS) control:

“Microsoft Defender for Servers must be enabled on subscriptions” across all subscriptions.

As per the remediation guidance provided https://eng.ms/docs/cloud-ai-platform/ciso-organization/sigma/infrastructure-security-engineering/infra-security-guidance/azure-tenant-baseline/troubleshooting-guides/azure_subscription_config_enable_microsoftdefender_servers, we are attempting to enable Vulnerability Assessment configuration in Microsoft Defender for Servers.

Issue Observed:

While enabling the vulnerability assessment configuration:

When attempting to save the configuration, we encounter the error: “There has been an error. Not all data collection settings for subscription DPP Device Partner Registration - Prod could be saved.”

In some cases:

The Azure portal shows the configuration as successfully saved. However, the changes do not persist internally, and the configuration gets reverted automatically.

Clarifications Required:

Are there any known issues or backend sync delays with enabling Defender for Servers (especially vulnerability assessment settings)?

Is there any recommended validation method (CLI/PowerShell) to confirm whether the configuration is actually applied?

Are there additional prerequisites required specifically for enabling vulnerability assessment under Defender for Servers?


1 answer

  1. AI answer

    2026-06-11T05:36:51.8633333+00:00

    Enabling vulnerability assessment for Defender for Servers is controlled entirely from Defender for Cloud and is subject to a few prerequisites and behaviors described in the documentation.

    1. Known behavior / sync considerations

    After Defender for Servers is enabled on a subscription:

    • A 30‑day trial period starts and cannot be paused or extended.
    • Microsoft Defender for Endpoint is automatically installed on supported machines (unless automatic provisioning is disabled).
    • Microsoft Defender Vulnerability Management is then enabled by default on machines with the Defender for Endpoint extension installed.
    • Agentless vulnerability scanning is enabled by default when Defender for Servers Plan 2 is enabled.

    Because vulnerability management is enabled by default with Defender for Servers, the main configuration point is ensuring the plan is correctly enabled and that the underlying agents/extensions are present. The documentation does not describe a persistent backend bug or known issue where vulnerability assessment settings revert, but configuration relies on:

    • Defender for Servers plan state
    • Automatic provisioning settings
    • Machine eligibility (supported OS, connectivity, etc.)

    If these are changed or not satisfied, the effective behavior can appear as if vulnerability assessment is not persisting.

    2. How to validate configuration (portal and at scale)

    To validate that vulnerability assessment is enabled at the subscription level:

    1. In Defender for Cloud, open Environment settings.
    2. Select the target subscription.
    3. Under Defender for Servers plan, select Monitoring coverage > Settings.
    4. In Settings and monitoring, ensure Vulnerability assessment for machines is turned on and that an assessment solution is selected via Edit configuration, then Apply and Save.

    This is the authoritative configuration path. The documentation does not provide a specific CLI/PowerShell command in the provided context, but the subscription‑level state is defined by these Defender for Cloud plan and monitoring settings.

    For posture validation:

    • Use Defender for Cloud recommendations such as:
      • “A vulnerability assessment solution should be enabled on your virtual machines” (Azure Policy built‑in definition) to confirm that VMs are being recognized as having a vulnerability assessment solution.
      • “Machines should be configured securely (powered by MDVM)” to see security baseline and vulnerability‑related recommendations.

    These recommendations provide an effective validation that vulnerability assessment is active and producing results.

    3. Prerequisites for vulnerability assessment under Defender for Servers

    From the vulnerability assessment and Defender for Servers documentation:

    • Plan requirements:
      • Agent‑based vulnerability scanning requires Defender for Servers Plan 1 (P1) or Plan 2 (P2).
      • Agentless vulnerability scanning is on by default when Defender for Servers Plan 2 or the Defender for Servers CSPM plan is enabled.
    • Machine requirements:
      • Machines must be in the supported OS list for Microsoft Defender Vulnerability Management.
    • Permissions:
      • Owner at resource group level to deploy the scanner.
      • Security Reader to view findings.
    • For OS configuration assessment (often surfaced alongside vulnerability assessment):
      • Defender for Servers Plan 2 must be enabled.
      • Azure Machine Configuration (Guest Configuration) extension must be present on machines, and Azure VMs must have a system‑assigned managed identity.
    • For system update/patch recommendations (often part of the same security posture view):
      • Defender for Servers Plan 2 must be enabled.
      • Machines must be supported by Azure Update Manager.
      • Arc‑enabled onboarding is required for on‑premises and multicloud machines.

    If these prerequisites are not met, Defender for Cloud may not be able to fully apply or use the vulnerability assessment configuration even if the portal toggle appears enabled.

    4. Recommended next steps for the described symptoms

    Given the behavior described (error on save or apparent reversion):

    • Confirm that Defender for Servers Plan 1 or Plan 2 is enabled on the subscription where the error occurs.
    • In Environment settings → [subscription] → Defender for Servers → Monitoring coverage → Settings, re‑enable Vulnerability assessment for machines, choose an assessment solution, and save.
    • Verify that:
      • Machines are supported OS versions for Defender Vulnerability Management.
      • Defender for Endpoint is installed (for agent‑based scanning) and that agentless scanning is enabled if using Plan 2.
      • Azure Policy recommendation “A vulnerability assessment solution should be enabled on your virtual machines” shows machines as healthy where expected.
      • Recommendations such as “Machines should be configured securely (powered by MDVM)” and system update recommendations are appearing for those machines.

    If the portal still reports “Not all data collection settings … could be saved” and the plan prerequisites are satisfied, the next step would be to collect the exact subscription and plan state and open a support case, as the provided documentation does not list a known defect that matches this specific error string.

