Ensure that system updates monitoring is enabled within your Azure cloud account so that you are notified of the security and critical updates released through Microsoft Windows Update or Microsoft Windows Server Update Services (WSUS).
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When this feature is enabled, it retrieves a daily list of available security and critical updates from Microsoft Windows Update or Microsoft Windows Server Update Services. Which updates appear on that list depends on the update service configured for the specific Azure virtual machine (VM); the feature then recommends, via notifications, that the missing updates be applied as soon as possible. This ensures that the virtual machine's operating system is running the most recent security updates provided by the software vendor. For Unix/Linux systems, the feature uses the distribution's package management system to determine which installed packages have updates available.
Audit
To determine whether system updates monitoring is enabled within the Microsoft Defender for Cloud security policy, perform the following operations:
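The following Python script is an added example, not part of this rule page or of the Conformity tool: it reads the Defender for Cloud default policy assignment for a subscription through the Azure CLI and reports whether the system-updates check is still active. It assumes the assignment name `SecurityCenterBuiltIn`, the initiative parameter `systemUpdatesMonitoringEffect` and its default effect `AuditIfNotExists`, none of which appear on this page.

```python
"""Audit helper: is the Defender for Cloud system-updates check enabled?"""
import json
import subprocess
import sys

# Assumptions (not taken from this page): the default Defender for Cloud
# policy assignment and the initiative parameter that governs this rule.
ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
PARAM = "systemUpdatesMonitoringEffect"
DEFAULT_EFFECT = "AuditIfNotExists"  # effect applied when the parameter is unset
API_VERSION = "2021-06-01"


def system_updates_effect(assignment):
    """Return the effective value of the system-updates parameter.

    The assignment only lists parameters that were overridden, so a missing
    key (or an empty parameters block) means the initiative default applies.
    """
    params = assignment.get("properties", {}).get("parameters") or {}
    entry = params.get(PARAM) or {}
    return entry.get("value", DEFAULT_EFFECT)


def evaluate(assignment):
    """Return (compliant, reason); monitoring is off only when Disabled."""
    effect = system_updates_effect(assignment)
    if effect.lower() == "disabled":
        return False, f"{PARAM} is Disabled: missing updates are not reported"
    return True, f"{PARAM} is {effect}: missing updates are reported"


def fetch_assignment(subscription_id):
    """Fetch the assignment with `az rest` (requires a prior `az login`)."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Authorization/policyAssignments/{ASSIGNMENT_NAME}"
           f"?api-version={API_VERSION}")
    result = subprocess.run(["az", "rest", "--method", "get", "--url", url],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


# Constructed sample: an assignment whose system-updates effect was switched off.
SAMPLE_DISABLED = {"name": ASSIGNMENT_NAME,
                   "properties": {"parameters": {PARAM: {"value": "Disabled"}}}}

if __name__ == "__main__":
    # Pass a subscription id to audit a real subscription; otherwise run on the sample.
    data = fetch_assignment(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISABLED
    ok, reason = evaluate(data)
    print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

If `az rest` returns 404 the default assignment is missing altogether, which is a separate finding from a disabled parameter.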
Remediation / Resolution
To enable system updates monitoring and recommendations for your Microsoft Azure virtual machines (VMs), perform the following operations: