Azure – You can now enforce vulnerability assessment to be deployed on virtual machines

You may already know that Microsoft has introduced a vulnerability assessment capability to Azure – for either SQL Managed Instances, SQL Server or Virtual Machines.

Well, this capability needs to be enabled at the resource level, either by opening the Security blade of the virtual machine and clicking on the recommendation Vulnerability assessment solution should be installed on your virtual machines, or from Security Center using the Compute & apps blade under the Resource Security Hygiene section.


But these steps only apply to existing resources: when a new virtual machine or SQL resource is created (or when a resource is shut down), it will not have the assessment enabled automatically, and you will have to come back and repeat these steps.

Good news: you can now apply a policy to enforce the deployment of the vulnerability assessment extension.

To enable this policy, go to your Security Center and open the Security Policy blade under the Policy & Compliance section.


Then select either the Tenant Group Management (recommended, to apply to all subscriptions) or the specific subscription you want to apply the policy to.

Then click Add a custom initiative (available below the Your custom initiatives section).


Fill in the different fields and search for the Vulnerability Assessment should be enabled on Virtual Machines policy.


Ensure the Effect is set to AuditIfNotExists.


You can then complete the initiative creation process and deploy it.
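The same assignment done from the Az PowerShell module instead of the portal, as an added example that is not part of the original post; it assumes the Az.Resources and Az.PolicyInsights modules are installed, that you are already logged in with Connect-AzAccount, and a placeholder management-group name that you replace with your own.

```powershell
# Added example (not from the original post): assign the built-in vulnerability
# assessment policy at management-group scope, then list the VMs it flags.
# Assumes Az.Resources and Az.PolicyInsights are installed and Connect-AzAccount
# has already been run. The management-group name is a placeholder.
$scope = '/providers/Microsoft.Management/managementGroups/YOUR-MANAGEMENT-GROUP'
# For a single subscription use instead: "/subscriptions/<subscription-id>"

# Locate the built-in definition by display name; the exact wording has changed
# between Security Center releases, so match loosely rather than on a GUID.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like '*ulnerability assessment*irtual machines*' } |
    Select-Object -First 1
if (-not $definition) { throw 'Built-in vulnerability assessment policy definition not found' }

# Assign it with the effect the post recommends. AuditIfNotExists only reports
# VMs that lack the assessment extension; it does not install anything, so the
# non-compliant list further down is a work queue, not an automatic fix.
$assignment = New-AzPolicyAssignment -Name 'vm-vuln-assessment' `
    -DisplayName 'Vulnerability assessment should be enabled on virtual machines' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'AuditIfNotExists' }

# Compliance evaluation normally runs on a schedule; trigger one now for the
# current subscription so results show up without waiting (repeat per
# subscription under the management group if you need them all immediately).
Start-AzPolicyComplianceScan -SubscriptionId (Get-AzContext).Subscription.Id

# Report the VMs that still have no vulnerability assessment extension.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceGroup, ComplianceState, Timestamp |
    Format-Table -AutoSize
```

The non-compliant VMs still need the extension installed from the Security Center recommendation described above; the policy only makes the gap visible.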