Understand machine state scanning in Microsoft 365


No matter how well a system is designed, its security posture can degrade over time. Machines can go unpatched, inadvertent configuration changes can be introduced, and regressions in security-relevant code can accumulate. Each of these can leave a system less secure than it was when first deployed. Microsoft has built automation to continually assess our systems for this kind of degradation, so that we can act immediately to correct issues in our security posture.

Microsoft 365 uses machine state scanning to make sure the machines comprising our infrastructure are up to date with the latest patches and that their base configurations correctly align with relevant frameworks, such as the Department of Defense Security Technical Implementation Guides (STIGs). Machine state scanning is often referred to as PAVC: patching, anti-malware, vulnerability scanning, and configuration scanning.

Figure: the four PAVC components, patching, anti-malware, vulnerability scanning, and configuration scanning, shown as four quadrants around a lock.

Effective PAVC requires consistent and reliable machine state scanning throughout the environment. We accomplish this by deploying a custom security agent, built in partnership with Qualys (a third-party commercial off-the-shelf vulnerability scanning vendor), as part of asset provisioning. The Microsoft 365 environment is dynamic and elastic: assets are constantly spun up and down to meet demand and provide optimal performance. Because service teams install the security agent when an asset is provisioned, every active asset is covered by machine state scanning and reports its results to the owning service team, even as Microsoft 365 services dynamically scale to balance customer workloads and maintain high availability.
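To make the four PAVC checks concrete, the following is an added, illustrative example and not Microsoft's or Qualys' agent: it evaluates a constructed machine-state record against a constructed baseline and returns one finding per degradation of the kinds described above (stale patches, stale anti-malware signatures, open high-severity vulnerability findings, and configuration drift from the baseline). The threshold values, setting names, and scanner finding identifiers are all assumptions chosen for the example; a real baseline would come from the applicable STIG or organizational standard.

```python
"""Illustrative PAVC-style machine state evaluation.

Added example; not Microsoft's or Qualys' code. All thresholds, setting
names, machine records, and finding IDs below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class MachineState:
    """What a security agent might report for one asset (constructed shape)."""
    name: str
    last_patch: date            # date the most recent patch was applied
    signature_date: date        # date of the installed anti-malware signatures
    open_vulns: list            # (finding_id, cvss_score) pairs from the vulnerability scanner
    config: dict                # setting name -> current value on the machine


# Constructed baseline: what a correctly provisioned machine must look like.
BASELINE = {
    "max_patch_age_days": 30,
    "max_signature_age_days": 2,
    "max_tolerated_cvss": 6.9,      # anything 7.0 and above (high/critical) must be remediated
    "config": {
        "smb_v1_enabled": False,
        "password_min_length": 14,
        "rdp_nla_required": True,
        "audit_logon_events": "success,failure",
    },
}


def evaluate(state: MachineState, baseline: dict, today: date) -> list:
    """Return a list of (pavc_category, description) findings; empty means compliant."""
    findings = []

    # P: patching. A machine that has not been patched within the window is a finding.
    patch_age = (today - state.last_patch).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(("patching",
                         f"last patched {patch_age} days ago (limit {baseline['max_patch_age_days']})"))

    # A: anti-malware. Stale signatures degrade detection even if the engine is running.
    sig_age = (today - state.signature_date).days
    if sig_age > baseline["max_signature_age_days"]:
        findings.append(("anti-malware",
                         f"signatures {sig_age} days old (limit {baseline['max_signature_age_days']})"))

    # V: vulnerability scanning. Each open finding above the tolerated severity is reported.
    for finding_id, cvss in state.open_vulns:
        if cvss > baseline["max_tolerated_cvss"]:
            findings.append(("vulnerability", f"{finding_id} open with CVSS {cvss}"))

    # C: configuration scanning. Every baseline setting must match exactly; a missing
    # setting (None) is drift too, so inadvertent removals are caught, not just changes.
    for key, expected in baseline["config"].items():
        actual = state.config.get(key)
        if actual != expected:
            findings.append(("configuration", f"{key}={actual!r}, expected {expected!r}"))

    return findings


def fleet_report(states, baseline: dict, today: date) -> dict:
    """Map machine name -> findings, including only machines that have drifted."""
    report = {}
    for state in states:
        findings = evaluate(state, baseline, today)
        if findings:
            report[state.name] = findings
    return report


# Constructed sample fleet: one compliant machine and one that has degraded in all four areas.
TODAY = date(2024, 6, 1)
COMPLIANT = MachineState(
    name="web-01",
    last_patch=date(2024, 5, 20),
    signature_date=date(2024, 5, 31),
    open_vulns=[("scanner-finding-1", 4.3)],
    config=dict(BASELINE["config"]),
)
DRIFTED = MachineState(
    name="web-02",
    last_patch=date(2024, 3, 1),
    signature_date=date(2024, 5, 20),
    open_vulns=[("scanner-finding-2", 8.1)],
    config={"smb_v1_enabled": True, "password_min_length": 8, "rdp_nla_required": True},
)
SAMPLE_FLEET = [COMPLIANT, DRIFTED]


if __name__ == "__main__":
    for machine, findings in fleet_report(SAMPLE_FLEET, BASELINE, TODAY).items():
        for category, description in findings:
            print(f"{machine}: [{category}] {description}")
```

Running the block prints six findings for web-02 and none for web-01. The point to notice is the last check: a setting that has disappeared from the machine is treated as drift just like a changed one, which is how inadvertent configuration changes, not only deliberate weakenings, surface in a scan.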