MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/TOC.yml
Lines changed: 6 additions & 0 deletions b/‎articles/defender-for-cloud/TOC.yml
Lines changed: 6 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/deploy-vulnerability-assessment-byol-vm.md
Lines changed: 7 additions & 5 deletions b/‎articles/defender-for-cloud/deploy-vulnerability-assessment-byol-vm.md
Lines changed: 7 additions & 5 deletions
diff --git a/‎articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md
Lines changed: 2 additions & 2 deletions b/‎articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/defender-for-cloud/faq-scanner-detection.yml
Lines changed: 74 additions & 0 deletions b/‎articles/defender-for-cloud/faq-scanner-detection.yml
Lines changed: 74 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/how-to-transition-to-built-in.md
Lines changed: 160 additions & 0 deletions b/‎articles/defender-for-cloud/how-to-transition-to-built-in.md
Lines changed: 160 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/media/faq-scanner-detection/dashboard.png
619 KB b/‎articles/defender-for-cloud/media/faq-scanner-detection/dashboard.png
619 KB
diff --git a/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/edit-configuration.png
80.1 KB b/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/edit-configuration.png
80.1 KB
diff --git a/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/settings-server.png
184 KB b/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/settings-server.png
184 KB
diff --git a/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/two-to-one.png
51.3 KB b/‎articles/defender-for-cloud/media/how-to-migrate-to-built-in/two-to-one.png
51.3 KB
@@ -530,6 +530,12 @@
             - name: Automatically enable a vulnerability assessment solution
               displayName: qualys, rapid7, vulnerability, auto provision
               href: auto-deploy-vulnerability-assessment.md
+            - name: Transition to the integrated Microsoft Defender Vulnerability Management vulnerability assessment solution
+              displayName: qualys, rapid7, vulnerability, migrate, transition, Microsoft Defender Vulnerability Management, mdvm
+              href: how-to-transition-to-built-in.md
+            - name: Common questions 
+              displayName: questions, common, MDVM, Qualys, BYOL, bring your own license, agent, consolidated, vulnerability, management, faq, frequently asked questions
+              href: faq-scanner-detection.yml
         - name: Enable just-in-time access on VMs
           displayName: jit, management, ports
           href: just-in-time-access-usage.md
 
@@ -5,14 +5,14 @@ ms.topic: how-to
 ms.custom: ignite-2022
 ms.author: dacurwin
 author: dcurwin
-ms.date: 06/29/2023
+ms.date: 12/18/2023
 ---
 
 # Enable vulnerability scanning with a Bring Your Own License (BYOL) solution
 
-If you've enabled **Microsoft Defender for Servers**, you're able to use Microsoft Defender for Cloud's built-in vulnerability assessment tool as described in [Integrated Qualys vulnerability scanner for virtual machines](./deploy-vulnerability-assessment-vm.md). This tool is integrated into Defender for Cloud and doesn't require any external licenses - everything's handled seamlessly inside Defender for Cloud. In addition, the integrated scanner supports Azure Arc-enabled machines.
+The Defender for Servers plan in Microsoft Defender for Cloud has a [built-in vulnerability assessment tool](./deploy-vulnerability-assessment-vm.md). The vulnerability assessment tool doesn't require any external licenses and supports Azure Arc-enabled machines.
 
-Alternatively, you might want to deploy your own privately licensed vulnerability assessment solution from [Qualys](https://www.qualys.com/lp/azure) or [Rapid7](https://www.rapid7.com/products/insightvm/). You can install one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc-enabled machines).
+If you don't want to use the integrated vulnerability assessment tool, you can use your own privately licensed vulnerability assessment solution from [Qualys](https://www.qualys.com/lp/azure) or [Rapid7](https://www.rapid7.com/products/insightvm/). This article explains the steps needed to deploy one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc-enabled machines).
 
 ## Availability
 
@@ -40,7 +40,7 @@ Supported solutions report vulnerability data to the partner's management platfo
 
     Your VMs appear in one or more of the following groups:
 
-    - **Healthy resources** – Defender for Cloud has detected a vulnerability assessment solution running on these VMs.
+    - **Healthy resources** – Defender for Cloud detected a vulnerability assessment solution running on these VMs.
     - **Unhealthy resources** – A vulnerability scanner extension can be deployed to these VMs.
     - **Not applicable resources** – these VMs can't have a vulnerability scanner extension deployed.
 
@@ -52,7 +52,7 @@ Supported solutions report vulnerability data to the partner's management platfo
    > - If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
    > - If your selected VMs aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option will be unavailable.
 
-    :::image type="content" source="media/deploy-vulnerability-assessment-vm/select-vulnerability-solution.png" alt-text="Screenshot of the solutions screen after you have selected the fix button for your resource.":::
+    :::image type="content" source="media/deploy-vulnerability-assessment-vm/select-vulnerability-solution.png" alt-text="Screenshot of the solutions screen after you select the fix button for your resource.":::
 
 1. If you're setting up a new BYOL configuration, select **Configure a new third-party vulnerability scanner**, select the relevant extension, select **Proceed**, and enter the details from the provider as follows:
 
@@ -112,6 +112,8 @@ Example (this example doesn't include valid license details):
 -publicKey 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMfLZIBGPZLwSocf1Q64GASLK9OHFEmanBl1nkJhZDrZ4YD5lM98fThYbAx1Rde2iYV1ze/wDlX4cIvFAyXuN7HbdkeIlBl6vWXEBZpUU17bOdJOUGolzEzNBhtxi/elEZLghq9Chmah82me/okGMIhJJsCiTtglVQIDAQAB'
 ```
 
+Learn more about obtaining the [Qualys Virtual Scanner Appliance](https://azuremarketplace.microsoft.com/marketplace/apps/qualysguard.qualys-virtual-scanner-app?tab=Overview) in Azure Marketplace.
+
 ## Next steps
 
 - [Remediate the findings from your vulnerability assessment solution](remediate-vulnerability-findings-vm.md)
 
@@ -5,7 +5,7 @@ author: dcurwin
 ms.author: dacurwin
 ms.topic: how-to
 ms.custom: ignite-2022
-ms.date: 06/29/2023
+ms.date: 12/18/2023
 ---
 
 # Enable vulnerability scanning with the integrated Qualys scanner
@@ -72,7 +72,7 @@ The vulnerability scanner extension works as follows:
 
     Your machines appear in one or more of the following groups:
 
-    - **Healthy resources** – Defender for Cloud has detected a vulnerability assessment solution running on these machines.
+    - **Healthy resources** – Defender for Cloud detected a vulnerability assessment solution running on these machines.
     - **Unhealthy resources** – A vulnerability scanner extension can be deployed to these machines. 
     - **Not applicable resources** – [these machines aren't supported for the vulnerability scanner extension](faq-vulnerability-assessments.yml).
 
 
@@ -0,0 +1,74 @@
+### YamlMime:FAQ
+metadata:
+  title: Common questions - the built-in Microsoft Defender Vulnerability Management solution
+  description: Frequently asked general questions about the built-in Microsoft Defender Vulnerability Management solution
+  services: defender-for-cloud
+  author: elkrieger
+  ms.author: elkrieger
+  manager: raynew
+  ms.topic: faq
+  ms.date: 12/03/2023
+title: Common questions about the built-in Microsoft Defender Vulnerability Management solution
+summary: |
+
+sections:
+  - name: Ignored
+    questions:
+      - question: |
+          What are the benefits of having one consolidate VA solution, powered by Microsoft Defender Vulnerability Management (MVDM) across Defender for Cloud?
+        answer: |
+          1. **Hybrid approach:** offers flexible deployments options, by utilizing a consistent vulnerability scanner across various use cases. It's applicable in multicloud environments and different host runtimes: 
+          
+              - **Agentless vulnerability assessment:**  Enabling agentless scanning on a subscription automatically scan all virtual machines in Azure, AWS, and GCP for software inventory and vulnerabilities, powered by MDVM. 
+            
+              - **Consolidated agent:** (MDVM) uses the same agent as Microsoft Defender for Endpoints (MDE) to protect servers, so, if you're an existing MDE customer, you're automatically covered by MDVM.
+          
+          1. **Software vulnerability evidence (coming soon)**: The MDVM scanner identifies vulnerable software and provides the corresponding file path and/or registry key as evidence.
+
+          1. **Software inventory:** The MDVM scanner detects applications installed on virtual machines and establishes a correlation between the software and its associated known vulnerabilities.
+
+          1. **MDVM premium capabilities:** Customers of Defender for Servers P2 have the added benefit of access to premium capabilities of Microsoft Defender’s vulnerability management. These include Certificate Assessment, Baseline Assessment, Block vulnerable applications, and more. You can learn more about [MDVM's premium capabilities](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide)
+
+
+      - question: |
+         How can I view the VA findings generated by MDVM with a focus on CVE ID?
+        answer: |
+         You can use the [CVE workbook](https://aka.ms/CVEDashboard) which covers both the built-in Qualys VA solution and the built-in MDVM solution. The CVE workbook provides an overview of machines in your environment that have open vulnerabilities with a focus on CVE IDs. It shows vulnerability findings for either Microsoft Defender Vulnerability Management, or the integrated Qualys VA scanner.
+
+
+      - question: |
+          Why is there a different total number of vulnerabilities on the Recommendation page between MDVM and Qualys?
+        answer: |
+          The vulnerability assessment solution for servers, powered by MDVM, provides a unified and consolidated view of vulnerable software on the Recommendations page. Qualys utilizes the Qualys IDs that often contain one or two CVEs. MDVM consolidates these CVEs into a single or a few Vulnerability IDs. MDVM aggregates these CVEs into a single or a few Vulnerability IDs. This consolidation addresses multiple vulnerabilities within the same software simultaneously.
+
+
+      - question: |
+          What are the operating systems (OS) that are compatible with the MDVM scanner? 
+        answer: |
+          Refer to the [list of compatible operating systems](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-supported-os?view=o365-worldwide) that are compatible with the MDVM scanner.
+
+          If your machine’s operating system isn't on the list of compatible OS, an upgrade is necessary to allow MDVM to perform a scan.
+
+
+      - question: |
+          Which agent is being used by the built-in MDVM VA solution?
+        answer: |
+          The built-in MDVM scanner in Defender for Cloud uses the same agent as Microsoft Defender for Endpoint. If endpoint protection is enabled, the MDVM agent is already enabled.
+
+
+      - question: |
+          If I'm using an EDR solution other than MDE, how can I upgrade my VA solution to MDVM?
+        answer: |
+          For cloud VMs, we recommend enabling agentless scanning under the Defender for Servers P2 plan, to provide a more comprehensive coverage while ensuring minimal effect on your machine’s performance. 
+
+          If you're utilizing an on-premises machine, the [installation of the MDE agent is mandatory](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide). The MDVM solution requires the agent in order to conduct vulnerability scans.
+
+
+      - question: |
+          How can the premium capabilities offered by MDVM be accessed?
+        answer: |
+          Premium capabilities currently can be accessed through the [MDVM portal](https://security.microsoft.com/). Navigate to the [MDVM portal](https://security.microsoft.com/), and access the premium capabilities features under the vulnerability assessment section.
+
+          :::image type="content" source="media/faq-scanner-detection/dashboard.png" alt-text="Screenshot of the MDVM dashboard.":::
+
+          Learn more about [MDVM's premium capabilities](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide).
@@ -0,0 +1,160 @@
+---
+title: Transition to the integrated Microsoft Defender Vulnerability Management vulnerability assessment solution
+description: Learn how to transition to the Microsoft Defender Vulnerability Management solution in Microsoft Defender for Cloud
+services: defender-for-cloud
+ms.service: defender-for-cloud
+ms.topic: how-to
+ms.date: 12/18/2023
+---
+
+# Transition to the integrated Microsoft Defender Vulnerability Management vulnerability assessment solution
+
+With the Defender for Servers plan in Microsoft Defender for Cloud, you can scan compute assets for vulnerabilities. If you're currently using a vulnerability assessment solution other than the Microsoft Defender Vulnerability Management vulnerability assessment solution, this article provides instructions on transitioning to the integrated Defender Vulnerability Management solution.
+
+To transition to the integrated Defender Vulnerability Management solution, you can use the Azure portal, use an Azure policy definition (for Azure VMs), or use REST APIs.
+
+- [Transition with Azure policy (for Azure VMs)](#transition-with-azure-policy-for-azure-vms)
+- [Transition with Defender for Cloud’s portal](#transition-with-defender-for-clouds-portal)
+- [Transition with REST API](#transition-with-rest-api)
+
+## Transition with Azure policy (for Azure VMs) 
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. Navigate to **Policy** > **Definitions**.
+
+1. Search for `Setup subscriptions to transition to an alternative vulnerability assessment solution`. 
+
+1. Select **Assign**.
+
+1. Select a scope and enter an assignment name.
+
+1. Select **Review + create**.
+
+1. Review the information you entered and select **Create**.
+ 
+This policy ensures that all Virtual Machines (VM) within a selected subscription are safeguarded with the built-in Defender Vulnerability Management solution.
+
+Once you complete the transition to the Defender Vulnerability Management solution, you need to [Remove the old vulnerability assessment solution](#remove-the-old-vulnerability-assessment-solution)
+
+## Transition with Defender for Cloud’s portal 
+
+In the Defender for Cloud portal, you have the ability to change the vulnerability assessment solution to the built-in Defender Vulnerability Management solution. 
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings** 
+
+1. Select the relevant subscription.
+
+1. Locate the Defender for Servers plan and select **Settings**.
+
+    :::image type="content" source="media/how-to-migrate-to-built-in/settings-server.png" alt-text="Screenshot of the Defender for Cloud plan page that shows where to locate and select the settings button under the servers plan." lightbox="media/how-to-migrate-to-built-in/settings-server.png":::
+
+1. Toggle `Vulnerability assessment for machines` to **On**.
+
+    If `Vulnerability assessment for machines` was already set to on, select **Edit configuration**
+
+    :::image type="content" source="media/how-to-migrate-to-built-in/edit-configuration.png" alt-text="Screenshot of the servers plan that shows where the edit configuration button is located." lightbox="media/how-to-migrate-to-built-in/edit-configuration.png":::
+
+1. Select **Microsoft Defender Vulnerability Management**.
+
+1. Select **Apply**. 
+
+1. Ensure that `Endpoint protection` or `Agentless scanning for machines` are toggled to **On**.
+
+    :::image type="content" source="media/how-to-migrate-to-built-in/two-to-one.png" alt-text="Screenshot that shows where to turn on endpoint protection and agentless scanning for machines is located." lightbox="media/how-to-migrate-to-built-in/two-to-one.png":::
+
+1. Select **Continue**.
+
+1. Select **Save**.
+
+Once you complete the transition to the Defender Vulnerability Management solution, you need to [Remove the old vulnerability assessment solution](#remove-the-old-vulnerability-assessment-solution)
+
+## Transition with REST API
+
+### REST API for Azure VMs
+
+Using this REST API, you can easily migrate your subscription, at scale, from any vulnerability assessment solution to the Defender Vulnerability Management solution.
+
+`PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2022-01-01-preview`
+
+```json
+{
+   "kind": "AzureServersSetting",
+   "properties": {
+    "selectedProvider": "MdeTvm"
+   }
+ }
+```
+
+Once you complete the transition to the Defender Vulnerability Management solution, you need to [Remove the old vulnerability assessment solution](#remove-the-old-vulnerability-assessment-solution)
+
+### REST API for multicloud VMs
+
+Using this REST API, you can easily migrate your subscription, at scale, from any vulnerability assessment solution to the Defender Vulnerability Management solution.
+
+`PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Security/securityconnectors/{connectorName}?api-version=2022-08-01-preview`
+
+```json
+{
+  "properties": {
+   "hierarchyIdentifier": "{GcpProjectNumber}",
+   "environmentName": "GCP",
+   "offerings": [
+    {
+     "offeringType": "CspmMonitorGcp",
+     "nativeCloudConnection": {
+      "workloadIdentityProviderId": "{cspm}",
+      "serviceAccountEmailAddress": "{emailAddressRemainsAsIs}"
+     }
+    },
+    {
+     "offeringType": "DefenderCspmGcp"
+    },
+    {
+     "offeringType": "DefenderForServersGcp",
+     "defenderForServers": {
+      "workloadIdentityProviderId": "{defender-for-servers}",
+      "serviceAccountEmailAddress": "{emailAddressRemainsAsIs}"
+     },
+     "arcAutoProvisioning": {
+      "enabled": true,
+      "configuration": {}
+     },
+     "mdeAutoProvisioning": {
+      "enabled": true,
+      "configuration": {}
+     },
+     "vaAutoProvisioning": {
+      "enabled": true,
+      "configuration": {
+       "type": "TVM"
+      }
+     },
+     "subPlan": "{P1/P2}"
+    }
+   ],
+   "environmentData": {
+    "environmentType": "GcpProject",
+    "projectDetails": {
+     "projectId": "{GcpProjectId}",
+     "projectNumber": "{GcpProjectNumber}",
+     "workloadIdentityPoolId": "{identityPoolIdRemainsTheSame}"
+    }
+   }
+  },
+  "location": "{connectorRegion}"
+}
+```
+
+## Remove the old vulnerability assessment solution
+
+After migrating to the built-in Defender Vulnerability Management solution in Defender for Cloud, you need to offboard each VM from their old vulnerability assessment solution using either of the following methods:
+
+- [Delete the VM extension with PowerShell](/powershell/module/az.compute/remove-azvmextension?view=azps-11.0.0).
+- [REST API DELETE request](/rest/api/compute/virtual-machine-extensions/delete?view=rest-compute-2023-07-01&tabs=HTTP).
+
+## Next steps
+
+[Common questions about vulnerability scanning questions](faq-scanner-detection.yml)