Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report: Configure Microsoft Defender for Servers plan - how to remediate with subplan P1 #1784

Closed teemukom closed 1 month ago

teemukom commented 1 month ago

Describe the bug

https://www.azadvertizer.net/azpolicyadvertizer/5eb6d64a-4086-4d7a-92da-ec51aed0332d.html

Using the policy definition above with parameters subplan "P1" and isAgentlessVmScanningEnabled "false" seems to fail when creating remediation tasks: Extension with name 'AgentlessVmScanning' is not supported for 'VirtualMachines' plan and 'P1' SubPlan (Code: InvalidInputJson)

Steps to reproduce

  1. Assign Configure Microsoft Defender for Servers plan policy with subplan P1 and set isAgentlessVmScanningEnabled to false
  2. Create remediation task for that policy

Springstone commented 1 month ago

@teemukom this is the expected behavior, and VM Agentless Scanning is only available in plan P2. Documentation here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/agentless-malware-scanning

Closing as there is no action on ALZ team.

teemukom commented 1 month ago

@Springstone yes, I'm aware of that restriction, but this particular policy allows P1 as a subplan, yet it can't be used because it also has agentless scanning set as a parameter. It doesn't work even when set to false. To be exact, this policy should be renamed to Configure Microsoft Defender for Servers Plan 2 and the option for P1 removed.
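As an added pre-flight check (not part of this issue or the ALZ repository), the script below scans policy assignments for the definition linked in the report and flags any that use subplan P1, which, per the repro steps and the final comment, fail remediation regardless of the isAgentlessVmScanningEnabled value. It assumes the flattened JSON shape printed by `az policy assignment list -o json` and runs on constructed sample assignments.

```python
"""Pre-flight check: flag Defender for Servers policy assignments using subplan P1."""

# Built-in definition from the report (ID taken from the issue's azadvertizer link).
DEFENDER_SERVERS_DEF_ID = "5eb6d64a-4086-4d7a-92da-ec51aed0332d"
SUBPLAN_PARAM = "subplan"                         # parameter names as spelled in the
AGENTLESS_PARAM = "isagentlessvmscanningenabled"  # report, compared case-insensitively


def check_assignments(assignments):
    """Return findings for assignments of the definition above that use subplan P1.

    Assumes the flattened shape of `az policy assignment list -o json`
    (policyDefinitionId, parameters[name]["value"]). Per the issue, remediation
    fails for P1 regardless of isAgentlessVmScanningEnabled, so a P1 assignment
    is flagged even when that parameter is "false".
    """
    findings = []
    for a in assignments:
        if not (a.get("policyDefinitionId") or "").lower().endswith(DEFENDER_SERVERS_DEF_ID):
            continue
        params = {k.lower(): (v or {}).get("value") for k, v in (a.get("parameters") or {}).items()}
        if str(params.get(SUBPLAN_PARAM, "")).upper() != "P1":
            continue
        findings.append({
            "assignment": a.get("name"),
            "scope": a.get("scope"),
            "agentlessVmScanning": params.get(AGENTLESS_PARAM),
            "reason": "AgentlessVmScanning extension is not supported for subplan P1; "
                      "remediation tasks will fail (reassign with P2 or remove the P1 assignment)",
        })
    return findings


def _assignment(name, subplan, agentless):
    """Build a constructed sample assignment in the assumed az CLI shape."""
    return {"name": name, "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/"
                                  + DEFENDER_SERVERS_DEF_ID,
            "parameters": {"subplan": {"value": subplan},
                           "isAgentlessVmScanningEnabled": {"value": agentless}}}


# Constructed sample: the failing P1 case from the report beside a valid P2 one.
SAMPLE = [_assignment("Deploy-MDFC-Servers-P1", "P1", "false"),
          _assignment("Deploy-MDFC-Servers-P2", "P2", "true")]

if __name__ == "__main__":
    for finding in check_assignments(SAMPLE):
        print(finding)
```

Run it against the real output of `az policy assignment list -o json` (loaded with `json.load`) to find P1 assignments before queuing remediation tasks.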