
Azure Security Center Part 5 | Virtual Machine Recommendations


For the 5th and last part of the Azure Security Center blog series we cover the biggest category of recommendations, the Virtual Machine recommendations. Many thanks to my colleague Tom Klaver for helping me with this part!

Here are the other parts:


Apply disk encryption

Azure Security Center recommends that disk encryption is applied if you have Windows or Linux VM disks that are not encrypted using Azure Disk Encryption. Disk Encryption lets you encrypt Windows and Linux IaaS VM disks. Encryption is recommended for both the OS and data volumes on your VM. Disk Encryption uses the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux. These features provide OS and data encryption to help protect and safeguard your data and meet your organizational security and compliance commitments.

Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data on the VM disks is encrypted at rest in your Azure Storage.

To resolve this recommendation you can use the following plan of action.

First, the Azure Disk Encryption Prerequisite Setup Script (link) needs to be executed once per subscription.

The following parameters need to be supplied when executing the script:

  • resourceGroupName – This is the resource group where the keyvault will be created
  • keyVaultName – Name of the keyvault that will be created
  • location – this is the location of the keyVault
  • subscriptionId – this is the subscription id where the VMs are that need to be encrypted
  • aadAppName – This is the name of the Azure AD Application
  • keyEncryptionKeyName – This is the name of the key in keyvault

The VM and the keyvault need to be in the same region.

The script will output the following:

  • AAD Client ID
  • AAD Client Secret
  • KeyVaultURL
  • KeyVaultResourceID
  • KeyEncryptionKey URL

When you execute the script you need to log in to the Azure Portal. The script will create an Azure AD Application and a Key Vault with a Key Encryption Key, and will set the appropriate rights in the Key Vault for the Azure AD Application.

Before enabling disk encryption on the VM there must be a backup of the VM.
The VM will be rebooted when disk encryption is enabled.

There are a couple of options for enabling disk encryption. The easiest way is to run the JSON template called Enable-ade-running-vm, which is available on the Azure Quickstart Templates GitHub (link).

When running the Enable-ade-running-vm JSON template, it will ask you for the following parameters:

  • VMName: Name of the VM that needs encryption.
  • AAD Client ID: This was an output of the prereq script.
  • AAD Client Secret: This was an output of the prereq script.
  • KeyVaultName: This is the name of the Key Vault that was created by the prereq script.
  • KeyVaultResourceGroup: This is the name of the resource group of the Key Vault that was created by the prereq script.
  • KeK or NoKek
  • KeyEncryptionKey URL
  • VolumeType (OS Disk only or All Disks)

After the template has finished, a new secret has been created in the Key Vault with a name like this:

Key Encryption Key

Disk encryption can also be enabled with PowerShell; the following PowerShell script enables the encryption:
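As an added example (not the blog's own script), this is how the same parameters the Enable-ade-running-vm template asks for map onto the AzureRM cmdlet Set-AzureRmVMDiskEncryptionExtension. Resource group, VM, Key Vault and key names are placeholders; the AAD client secret is read at run time so it never ends up in a saved script.

```powershell
# Added example: enable Azure Disk Encryption on a running VM with the values
# produced by the prerequisite script. All names below are placeholders.
$rgName      = 'rg-encrypted-vms'                  # resource group of the VM
$vmName      = 'vm-web-01'
$aadClientId = '<AAD Client ID from prereq script>'
$kvName      = 'kv-diskencryption'                 # Key Vault from prereq script
$kvRgName    = 'rg-keyvault'                       # resource group of the Key Vault
$kekName     = 'kek-diskencryption'                # keyEncryptionKeyName from prereq script
$volumeType  = 'All'                               # 'OS', 'Data' or 'All'

# Prompt for the client secret instead of hardcoding it
$aadSecret = Read-Host -Prompt 'AAD Client Secret from prereq script'

$keyVault = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $kvRgName
$kek      = Get-AzureKeyVaultKey -VaultName $kvName -Name $kekName

# The VM and the Key Vault must be in the same region (see above)
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
if ($vm.Location -ne $keyVault.Location) {
    throw "VM ($($vm.Location)) and Key Vault ($($keyVault.Location)) must be in the same region."
}

# Enables the ADE extension; the VM reboots during this step, so back it up first.
# -Force suppresses the confirmation prompt about the reboot.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $keyVault.VaultUri -DiskEncryptionKeyVaultId $keyVault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $keyVault.ResourceId `
    -VolumeType $volumeType -Force

# Confirm the result from the VM model rather than the portal view
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

Omit the two KeyEncryptionKey parameters to encrypt with a BEK only (the NoKek case of the template).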

Encrypted VM Backup

If you want to back up a VM with disk encryption, the Azure Recovery Services Vault needs access to the keys in the Key Vault.
This can be done by the following actions:

  1. Go to the KeyVault
  2. Go to access policies > Add New
  3. Select the principal Backup Management Service.
  4. The required permissions are prefilled for Key permissions and Secret permissions.

If your VM is encrypted by using BEK only, permissions only for secrets are required, so you must remove the selection for Key permissions.

After a successful encryption the Azure Portal still did not show that the disk of the VM is encrypted. This looks like a bug; you can check the encryption status with this PowerShell script:
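As an added example (not the blog's own script), this checks the encryption status of every VM in a resource group straight from Get-AzureRmVMDiskEncryptionStatus, so the portal view does not have to be trusted. The resource group name is a placeholder.

```powershell
# Added example: report OS and data volume encryption status for all VMs in a
# resource group and list the ones that are not fully encrypted.
$rgName = 'rg-encrypted-vms'   # placeholder

$report = foreach ($vm in Get-AzureRmVM -ResourceGroupName $rgName) {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vm.Name
    [pscustomobject]@{
        VM          = $vm.Name
        OsVolume    = $status.OsVolumeEncrypted      # Encrypted / NotEncrypted / Unknown
        DataVolumes = $status.DataVolumesEncrypted   # also NotMounted when there are no data disks
        Progress    = $status.ProgressMessage
        # A VM without data disks reports NotMounted, which is still compliant
        Compliant   = ($status.OsVolumeEncrypted -eq 'Encrypted') -and
                      ($status.DataVolumesEncrypted -in 'Encrypted', 'NotMounted')
    }
}

$report | Format-Table -AutoSize

# These need attention: either the template has not finished or encryption failed
$report | Where-Object { -not $_.Compliant }
```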

Restore to new VM

If you want to restore a recovery point to a new VM you can use the following scripts:

  • RestoreVM-ADE-MD.ps1 – for Windows VM with Managed Disks
  • RestoreVM-ADE-UMD.ps1 – for Windows VM with Unmanaged Disks
  • RestoreVM-ADE-MD_Linux.ps1 – for Linux VM with Managed Disks

These scripts create a new VM with the same name, with -RESTORE appended to the VM name. The script is very straightforward. The scripts can be downloaded here.

The following parameters should be filled:

  • $recoveryVaultName – Name of the Recovery Services Vault
  • $vmName – Name of Virtual Machine to be restored
  • $storageAccount – Name of new Storage Account to use for restore
  • $keyvaultName – Name of the Key Vault to retrieve Key Encryption Key (KEK) and Bitlocker Encryption Key (BEK)
  • $virtualNetwork – Name of Virtual Network to use for VM restore
  • $virtualNetworkRG – Name of Resource Group of Virtual Network
  • $subnet – Name of Subnet

Mount disk to Azure VM

Before mounting a restored disk to an Azure VM you must get a .BEK file from the Key Vault. You can do this by running the following script:

Change the following variables:

  • $keyVaultName
  • $kekName
  • $bekFilePath
  • $adTenant (in format

Select the secret of the disk that you want to restore (if multiple disks are attached).

After the script is finished, the output is a file in $bekFilePath. The VM is restored in Azure as a new VM, and you can now mount one of its disks to an existing VM. After you have mounted the disk you can unlock it with the .BEK file that is the output of the above script.

To mount a restored disk to an existing VM, go to the portal and select the restored VM.

Detach the disk you want to attach to an existing VM.

  1. Go to the VM
  2. Go to Disks
  3. Select the disk and select detach.

Mount the disk to an existing VM:

  1. Go to the VM
  2. Go to Disks
  3. Select Add a data disk
  4. Select the disk that is available and click save.

Now you can unlock the disk in the VM with the following command and the .BEK file that is the output of the script above:

manage-bde -unlock F: -rk C:\bek\YOURBEKKEY.BEK

Apply system updates

Azure Security Center monitors Windows and Linux virtual machines (VMs) daily to check whether they are missing operating system updates. Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows computer. Security Center also checks for the latest updates on Linux systems. If your VM or computer is missing a system update, Security Center will recommend that you apply system updates.

You can also check this recommendation in the Log Analytics workspace that is used by Azure Security Center, with the following steps:

  1. Go to Log Analytics in the Azure Portal.
  2. Go to the Solutions pane in Log Analytics.
  3. Click on the Updates solution.
  4. Click on System Update Assessment.
  5. The solution shows an overview of the Windows and Linux VMs that are connected to the Log Analytics workspace.
  6. In the overview you can see the VMs that need updates.

Enable encryption for Azure storage account

Azure Security Center may recommend that you enable Azure Storage Service Encryption for data at rest.
Storage Service Encryption (SSE) works by encrypting the data when it is written to Azure storage and decrypting the data before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs.

After enabling encryption, only new data is encrypted. Any existing blobs in your storage account remain unencrypted.

To comply with the recommendation, execute the following plan:

  1. Go to the recommendation in Azure Security Center.
  2. Select the storage account.
  3. Click on the Enable button and save.

Now the storage account is encrypted.

Enable VM Agent

The Microsoft Monitoring Agent must be installed on virtual machines (VMs) in order to enable data collection. Azure Security Center enables you to see which VMs require the VM Agent and will recommend that you enable the VM Agent on those VMs.

To comply with the recommendation, the following plan can be executed:

  1. Go to the VM(s) that the recommendation is about.
  2. Go to extensions > Add.
  3. Select the Microsoft Monitoring Agent.
  4. After the provisioning of the agent is done, go to the Log Analytics workspace that is used by Azure Security Center.
  5. Go to WORKSPACE DATA SOURCES > Virtual Machines.
  6. Click on the virtual machine and select the Connect button.

Endpoint Protection not installed on Azure VMs

Azure Security Center monitors the status of antimalware protection and reports this under the Endpoint protection issues blade. Security Center highlights issues, such as detected threats and insufficient protection, which can leave virtual machines (VMs) and computers vulnerable to malware. Using the information under Endpoint protection issues, you can define a plan to address the issues identified:

  1. Go to the recommendation
  2. Select the VM(s) and click [Install on X VMs]
  3. Select the vendor of the Endpoint Protection agent and click install.

Reboot after system updates

This recommendation is very easy: after a system update the VM should be restarted.

Remediate OS vulnerabilities

These recommendations are based on the CCE standard. Microsoft gives a clear overview of all the OS vulnerabilities and how they can be resolved. I have created a custom group policy with most of the recommended settings.

A couple of settings cannot be set by GPO, so these settings are in the PowerShell script.

The GPO settings can be deployed locally by LGPO.exe or by a computer policy in the domain. The GPO files can be found here.

Download the GPO backup and save the following script. Both the files can be uploaded to a location that is accessible from the VM, for example a blob storage account.

To deploy the OS Vulnerabilities custom script extension you can use the following PowerShell commands:

Change the FileUri to your location.
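As an added example (not the blog's own commands), this deploys the hardening script together with the GPO backup through the Custom Script Extension and then reads back the extension status, so a failed LGPO import does not go unnoticed. Storage account, container, file names, extension name and VM names are placeholders.

```powershell
# Added example: push the OS vulnerability remediation files to a VM with the
# Custom Script Extension. All names below are placeholders.
$rgName  = 'rg-hardening'
$vmName  = 'vm-web-01'
# Change this to your location. Prefer a SAS token in the URI over an anonymous container.
$baseUri = 'https://<storageaccount>.blob.core.windows.net/<container>'

# Every file listed here is downloaded to the VM before the -Run command is executed
$fileUris = @(
    "$baseUri/Remediate-OSVulnerabilities.ps1",   # the PowerShell script (placeholder name)
    "$baseUri/GPOBackup.zip",                     # the GPO backup
    "$baseUri/LGPO.exe"                           # applies the backup locally
)

$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName

Set-AzureRmVMCustomScriptExtension -ResourceGroupName $rgName -VMName $vmName `
    -Name 'OSVulnerabilities' -Location $vm.Location `
    -FileUri $fileUris -Run 'Remediate-OSVulnerabilities.ps1'

# Verify the extension reached a terminal state; -Status includes the script's output
$ext = Get-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName `
    -Name 'OSVulnerabilities' -Status

if ($ext.ProvisioningState -ne 'Succeeded') {
    Write-Warning "Extension on $vmName ended in state $($ext.ProvisioningState)"
}
$ext.Statuses | ForEach-Object { $_.Message }
```

Re-running the same extension name with a changed -Run or file set updates the deployment, which is handy after adjusting the GPO backup.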

Update OS version

This recommendation is quite simple: it recommends that you update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family.

Add a vulnerability assessment solution

If Security Center doesn’t find a vulnerability assessment solution installed on your VM, it recommends that you install one. A partner agent, after being deployed, starts reporting vulnerability data to the partner’s management platform. In turn, the partner’s management platform provides vulnerability and health monitoring data back to Security Center. You can quickly identify vulnerable VMs on the Security Center dashboard. Switch to the partner management console directly from Security Center for additional reports and information.

Important notes regarding the vulnerability assessment capability:

  • Currently, a vulnerability assessment is available from Qualys. More partners will be added in the future.
  • You can install the vulnerability assessment solution on multiple VMs. The VMs must belong to the same subscription.

If you want to comply with this recommendation there is a vulnerability assessment solution from Qualys you can implement. To deploy this solution you need a License Code and a Public Key. This data can be found in the Qualys management platform.

Thank you for reading.

This is the last blog of the Azure Security Center blog series. Stay posted for more blogs!
