Defender for Cloud - "Machines should have vulnerability findings resolved" Stopped Populating

Cusimano, Joey 80 Reputation points
2025-08-05T18:04:31.8433333+00:00

I perform weekly reviews of Microsoft Defender for Cloud's "Recommendations" and have noticed that in the past several weeks, we have not had any findings under the item "Machines should have vulnerability findings resolved".

[screenshot: findings1]

There are two items that we have been seeing for months and know we have not resolved entirely, so they should still be showing up. Additionally, we typically see other findings show up here. Pending Windows updates, Chrome browser updates, and Visual Studio updates are the most common items, and we should have seen these showing up in the past several weeks but have not seen a single one. These items helped serve as a "sanity check" that data was updating, so their absence has me convinced that something is wrong. Findings under this recommendation do not persist once resolved, so it is not possible to see them as "completed". For example, a missing Chrome update reported as a finding disappears entirely once the update is applied and the dashboard refreshes.

I checked this recommendation for each VM individually and the "Last change date" shows as 7/7/2025 for all of them. The freshness interval shows as 12 hours, but there is no indicator of when the data was last updated to verify that it is in fact doing these checks every 12 hours or more and still showing no findings.

[screenshot: findings2]

We need a way to verify that this is updating, and I can't seem to find one. We just see a blank dashboard with a last changed date of 7/7/2025 and no further information, and I have lost confidence that we can trust this dashboard to tell us that we have no to-do items on this recommendation anymore, when we had planned to address two items long term that suddenly stopped showing up weeks ago.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

3 answers

  1. Jose Benjamin Solis Nolasco 5,406 Reputation points
    2025-08-05T19:01:29.8933333+00:00

    Hi @Cusimano, Joey I hope you are doing well,

    Thanks for the detailed report — you’ve clearly done your due diligence, and I can understand your concern about the sudden disappearance of expected findings from Defender for Cloud.

    Here are some targeted steps and insights to help verify whether the recommendation is truly up to date or if something is failing in the backend:


    1. Verify the Dependency: Defender for Endpoint (MDE) Integration

    This specific recommendation depends heavily on Microsoft Defender for Endpoint (MDE) data being properly ingested into Defender for Cloud.

    Please confirm:

    Your machines are still onboarded to MDE.

    MDE sensors are reporting vulnerability data (you can verify this in the Microsoft 365 Defender portal at https://security.microsoft.com > Vulnerabilities).

    In Defender for Cloud, go to Environment Settings > Integrations and verify that Defender for Endpoint integration is still enabled for the affected subscriptions.


    2. Validate Vulnerability Assessment Extension

    For non-MDE environments, Defender for Cloud relies on the Log Analytics agent or the VM extension for vulnerability assessment (Qualys or built-in scanner).

    Check if:

    • The VA extension is still installed and running on the VMs.
    • There are no errors or stale statuses under Defender for Cloud > Inventory > Extensions.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!


  2. Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator
    2025-08-19T09:15:12.4766667+00:00

    Hi Cusimano, Joey,

    Thank you for posting your query on Microsoft Q&A.

    As per our understanding, you have noticed that the Microsoft Defender for Cloud recommendation "Machines should have vulnerability findings resolved" has stopped showing findings over the past several weeks, even though you know there are unresolved issues such as pending updates. 

    In addition to Jose Benjamin Solis Nolasco's answer, please also check a few more things for clarity.

    This recommendation relies heavily on vulnerability data from Microsoft Defender for Endpoint (MDE) and the vulnerability assessment extensions running on your VMs. Sometimes, Azure Advisor's security recommendation pipeline, which aggregates these findings, can experience delays or drops in data due to internal service-bus backlogs. This can cause the recommendation blade to show stale or no results.

    To verify whether everything is working correctly and to troubleshoot this issue, please follow the steps below:

    1. Verify Defender for Endpoint (MDE) Integration
       • Confirm your machines are onboarded to MDE.
       • Check the Microsoft 365 Defender portal at https://security.microsoft.com under Vulnerabilities to ensure MDE is reporting vulnerability data.
       • In Defender for Cloud, navigate to Environment Settings > Integrations and confirm Defender for Endpoint integration is enabled for the affected subscriptions.
    2. Check Vulnerability Assessment (VA) Extension Health
       • Go to Defender for Cloud → Inventory → select an affected VM → Extensions + applications.
       • Verify that the Qualys Vulnerability Assessment extension or the built-in scanner is installed, running, and healthy.
    3. Check Your Permissions and Filters
       • Verify you have Reader or higher permissions on the subscription and resource groups containing the VMs.
       • In the Azure Advisor recommendations blade, check for any resource group or date filters that might hide findings.
    4. Use Defender for Cloud Inventory as the Authoritative Data Source
       • If Advisor shows no findings but Inventory still lists vulnerabilities, rely on the Inventory blade as the source of truth.
    5. Re-onboard or Redeploy the Vulnerability Assessment Extension
       • If missing or unhealthy, re-onboard the VA extension via Defender for Cloud's environment settings and allow 1–2 hours for scans to complete.
    6. Review Azure Advisor Configuration
       • Refresh the recommendations and ensure no filters prevent findings from showing.

    Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

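The checks both answers above describe (is the recommendation still being evaluated per machine, are there any individual findings behind it, and is the MDE extension healthy on each VM) can be run from PowerShell against Azure Resource Graph instead of clicking through the portal. Resource Graph also exposes a per-finding `timeGenerated` timestamp, which is the "when was this last updated" signal the original poster could not find in the blade. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any product. It assumes the Az.ResourceGraph and Az.Compute modules are installed, that `Connect-AzAccount` has already been run with at least Reader on the subscriptions, and that the `securityresources` table's assessment and sub-assessment rows are used as documented for Defender for Cloud. The `$DisplayName` value and the 7-day staleness threshold are the author's own choices.

```powershell
# Added example, not from the Q&A thread. Assumes Az.ResourceGraph + Az.Compute
# and an existing Connect-AzAccount session with Reader on the subscriptions.
#Requires -Modules Az.ResourceGraph, Az.Compute
param(
    [string]$DisplayName   = 'Machines should have vulnerability findings resolved',
    [int]   $StaleAfterDays = 7   # arbitrary threshold chosen for this example
)

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

# 1. Per-machine status of the recommendation and the date that status last changed.
#    On an assessment row, 'name' is the assessment key; it is reused in step 2.
$assessQuery = @"
securityresources
| where type == 'microsoft.security/assessments'
| where properties.displayName == '$DisplayName'
| project assessmentKey = name,
          resourceId    = tostring(properties.resourceDetails.Id),
          statusCode    = tostring(properties.status.code),
          cause         = tostring(properties.status.cause),
          statusChange  = todatetime(properties.status.statusChangeDate)
"@
$assessments = Search-AzGraph -Query $assessQuery -First 1000
if (-not $assessments) { Write-Warning "No assessment rows found for '$DisplayName'"; return }

$assessments | Sort-Object statusChange | Format-Table resourceId, statusCode, cause, statusChange -AutoSize

# 2. Sub-assessments are the individual findings (missing Chrome update, a CVE, ...).
#    timeGenerated is the closest thing to a per-finding "last updated" stamp.
$key = ($assessments | Select-Object -First 1).assessmentKey
$subQuery = @"
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id contains '/assessments/$key/subassessments/'
| project resourceId    = tostring(coalesce(properties.resourceDetails.id, properties.resourceDetails.Id)),
          finding       = tostring(properties.displayName),
          findingStatus = tostring(properties.status.code),
          timeGenerated = todatetime(properties.timeGenerated)
"@
$findings = Search-AzGraph -Query $subQuery -First 1000
$latest   = ($findings | Sort-Object timeGenerated -Descending | Select-Object -First 1).timeGenerated

if (-not $findings) {
    # Healthy status on every VM plus zero sub-assessments is "no data", not "no findings".
    Write-Warning "Assessment exists but has zero sub-assessments; the MDE/VA data feed is likely broken"
} elseif ($latest -lt $cutoff) {
    Write-Warning "Newest finding was generated $latest (older than $StaleAfterDays days)"
} else {
    $machines = ($findings.resourceId | Sort-Object -Unique).Count
    "Newest finding generated $latest; $($findings.Count) findings across $machines machines"
}

# 3. Cross-check the MDE extension on each VM the assessment covers.
#    resourceId is the VM ARM id: .../resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
foreach ($rid in ($assessments.resourceId | Sort-Object -Unique)) {
    if ($rid -notmatch '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft.Compute/virtualMachines/(?<vm>[^/]+)$') { continue }
    $ext = Get-AzVMExtension -ResourceGroupName $Matches.rg -VMName $Matches.vm -ErrorAction SilentlyContinue |
           Where-Object { $_.ExtensionType -in 'MDE.Windows', 'MDE.Linux' }
    [pscustomobject]@{
        VM        = $Matches.vm
        Extension = if ($ext) { $ext.ExtensionType }      else { '<missing>' }
        State     = if ($ext) { $ext.ProvisioningState }  else { '' }
        Version   = if ($ext) { $ext.TypeHandlerVersion } else { '' }
    }
}
```

Save it as a `.ps1` and run it once a week alongside the portal review. The combination the original poster describes, every VM reporting Healthy with an unchanged `statusChange` date and an empty sub-assessment set, is exactly what step 2 flags, and it separates "no open findings" from "no data arriving"; step 3 then tells you whether the MDE extension is at least provisioned and succeeded on each machine, which is the first thing a support ticket will ask.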

  3. Cusimano, Joey 80 Reputation points
    2025-08-19T17:38:17.1166667+00:00

    I've opened a ticket with Microsoft about this and am attempting to work with Microsoft and our MSP to troubleshoot it.

    In the meantime, I've discovered that the Microsoft Defender Vulnerability Management > Recommendations list is still populating and contains items that I would normally see under "Machines should have vulnerability findings resolved", including Chrome updates and the previously seen outstanding item that we were tracking before. My intent is to keep using this dashboard instead to monitor security recommendations for our VMs.

    Link to dashboard: https://security.microsoft.com/security-recommendations?

    Based on seeing current data in Microsoft Defender, I am convinced that MDE is still functional on our VMs. I see the "MDE.Windows" extension running on the VMs and it needed updates. We applied updates for this extension on some of the VMs, but see no changes in the behavior of the "Machines should have vulnerability findings resolved" item or the statuses of the VMs under it as originally mentioned. We will see what Microsoft says when they respond to our ticket and see if we can get the Azure portal dashboard working again. In the meantime, we are going to use the Microsoft Defender dashboard to monitor needed updates and new recommendations/vulnerabilities.

