
Deploying Azure Policy for Tenable Nessus Agent Installation in Virtual Machines

  • Writer: Arlan Nugara
  • Nov 6, 2024
  • 4 min read

Updated: Apr 24

Deploying security and monitoring agents at scale across your Azure Virtual Machines (VMs) can be a daunting task—especially when you need silent, automated installations that comply with enterprise governance. In this post, we’ll explore how to leverage Azure Policy to install the Tenable Nessus Agent alongside Azure’s own monitoring and change-tracking solutions. We’ll cover the challenges we encountered with the default installer scripts, our custom fixes, deployment constraints (and a practical workaround), and finally, how to tie it all together with dashboards, alerts, and cost-management considerations.


Why Azure Policy for Agent Deployment?


Azure Policy provides a native, consistent mechanism to ensure that every VM in your management group (or subscription) automatically receives the extensions and configurations you require. By codifying your requirements as policy definitions:


  • Compliance at scale: VMs are audited and remediated automatically, helping you maintain a secure posture.

  • Consistency: No more “snowflake” servers—every VM ends up with the same monitoring, change-tracking, and security agents.

  • Centralized management: Policies live alongside your other governance artifacts, making them easy to review, version, and roll out.


In our scenario, we needed three key extensions on every VM:

  1. Azure Monitor Agent (with VM Insights)

  2. Change Tracking & Inventory

  3. Tenable Nessus Agent


We’ll also discuss plans to add CrowdStrike and Tanium later.


Preparing Silent Installer Scripts for Nessus


Out of the box, the Nessus Agent from the Azure Marketplace installs easily. However, we also maintain custom installer scripts for Tanium, and ran into two issues that are common when rolling out third-party agents via Custom Script Extensions:

  1. Windows script requires interactive input.

    • The Tanium installer prompts for user input, blocking silent installs.

    • Our fix: Updated the PowerShell script to suppress prompts and install with defaults, enabling fully automated deployment.

  2. Linux script misreports success.

    • Due to a flawed conditional block, the original installer reports “Success” even when no installation occurred.

    • Our fix: Corrected the condition checks so that the script only returns success if the agent is actually installed.


Although these fixes apply directly to Tanium, they illustrate the kind of scripting preparation you may need when deploying any third-party agent via Azure Policy.


Dealing with Custom Script Extension Limits


At present, Azure does not allow more than one Custom Script Extension per VM. This means you cannot attach separate Policy definitions for Tanium and CrowdStrike (or any two distinct scripts) onto the same VM simultaneously. To work around this limitation:


  • Combine scripts into one extension. Define a single Custom Script Extension that invokes both the CrowdStrike and Tanium installers in sequence (via PowerShell or Bash). Make the combined script idempotent, and have it exit non-zero if any installer fails: the extension's provisioning state follows the script's exit code, and that state is what Azure Policy sees when it evaluates compliance.

  • Deploy Nessus separately. Because Nessus is a native Azure Marketplace extension, it does not count against the Custom Script Extension limit and can coexist with your combined-script policy.

We’re in the process of finalizing a unified PowerShell module to install both CrowdStrike and Tanium; once it’s tested, we’ll roll it out via Policy as well.
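The following is an added example of the Linux side of that preparation, not the post's own scripts: a POSIX shell payload for a single Custom Script Extension that runs several installers in sequence and, for each one, treats the installer's exit status plus a post-install verification as the only evidence of success. It shows the "always reports Success" shape of the bug described above beside the corrected wrapper. The package file names, the taniumclient and falcon-sensor unit names, and the nessusagent unit and nessuscli path used in main() are assumptions to adapt to your own packages.

```shell
#!/bin/sh
# Added example (not from the original post): one Custom Script Extension payload
# that installs several Linux agents in sequence and reports success only when
# each agent is verifiably present. Assumed, not from the post: the package
# names, unit names and the nessuscli path used in main().
set -u

# The bug the post describes in the original Linux script, reduced to its shape:
# the installer's exit status is discarded, so "Success" is printed regardless.
flawed_install() {
  sh -c "$1" >/dev/null 2>&1     # exit status ignored
  echo "Success"                  # reported even if nothing was installed
  return 0
}

# Corrected: $1 = label, $2 = install command, $3 = verification command.
# Returns 0 only if the installer exits 0 AND the verification command exits 0;
# 1 if the installer fails, 2 if the installer claims success but the agent is
# not actually there (missing binary, inactive unit).
install_agent() {
  name=$1; install_cmd=$2; verify_cmd=$3
  echo "[$name] installing"
  if ! sh -c "$install_cmd"; then
    echo "[$name] installer exited non-zero" >&2
    return 1
  fi
  if ! sh -c "$verify_cmd" >/dev/null 2>&1; then
    echo "[$name] installer returned 0 but verification failed" >&2
    return 2
  fi
  echo "[$name] Success"
  return 0
}

# Run every spec ("label|install command|verify command") in sequence. One
# failing agent does not stop the others, but the overall exit status is the
# number of failures, so the extension ends in a failed state and Azure Policy
# sees a non-compliant VM instead of a silent "Succeeded".
run_all() {
  failed=0
  for spec in "$@"; do
    name=${spec%%|*}; rest=${spec#*|}
    install_cmd=${rest%%|*}; verify_cmd=${rest#*|}
    install_agent "$name" "$install_cmd" "$verify_cmd" || failed=$((failed + 1))
  done
  return "$failed"
}

# Real-world usage. The CSE downloads every fileUri into the directory it runs
# the script from, so package files are looked up next to this script.
# Guarded by an environment variable so sourcing or testing never runs it.
main() {
  dir=$(cd "$(dirname "$0")" && pwd)
  run_all \
    "nessus|dpkg -i $dir/NessusAgent.deb && systemctl enable --now nessusagent|test -x /opt/nessus_agent/sbin/nessuscli && systemctl is-active nessusagent" \
    "tanium|sh $dir/tanium-install.sh|systemctl is-active taniumclient" \
    "crowdstrike|dpkg -i $dir/falcon-sensor.deb && systemctl enable --now falcon-sensor|systemctl is-active falcon-sensor"
}
if [ "${CSE_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

The verification command is deliberately separate from the installer: a package manager returning 0 says nothing about whether the service actually started or the agent actually linked, and that separation is exactly what the original flawed conditional collapsed.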


Deployment Roadmap

Immediate Rollout

  • Azure Monitor Agent + VM Insights

  • Change Tracking & Inventory

  • Tenable Nessus Agent


These three policies will be assigned at the management-group scope, ensuring every new or existing VM, Windows or Linux, receives the required extensions. Note that a deployIfNotExists assignment only acts on VMs created or updated after it is assigned; VMs that already exist are flagged non-compliant and need a remediation task to actually receive the extensions.
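As an added example of what one of those assignments looks like in practice, and not the post's own policy, the following shell script writes a deployIfNotExists definition for the Tenable Nessus Agent VM extension, creates it at a management group, assigns it with a system-assigned identity and starts a remediation task for VMs that already exist. The extension publisher and type (Tenable.NessusAgent / NessusAgent), the settings keys nessusManagerApp, nessusAgentGroup and nessusKey, and the typeHandlerVersion are assumptions; check them against the current extension schema (for example with `az vm extension image list -l <region> -p Tenable.NessusAgent --latest`) before use. The definition covers Linux only; a Windows definition would differ in the osType condition.

```shell
#!/bin/sh
# Added example, not the post's own policy: writes a deployIfNotExists policy
# for the Tenable Nessus Agent VM extension and deploys it with the az CLI.
# Assumptions (verify before use): extension publisher/type and settings keys,
# typeHandlerVersion "1.0", and the Virtual Machine Contributor role GUID
# granted to the assignment's managed identity so it may create extensions.
set -eu

# Policy rule, written to the file named by $1: Linux VMs without a
# successfully provisioned NessusAgent extension get one deployed.
write_nessus_policy_rule() {
  cat >"$1" <<'EOF'
{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
    { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "equals": "Linux" }
  ] },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" ],
      "existenceCondition": { "allOf": [
        { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Tenable.NessusAgent" },
        { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "NessusAgent" },
        { "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", "equals": "Succeeded" }
      ] },
      "deployment": { "properties": {
        "mode": "incremental",
        "parameters": {
          "vmName":     { "value": "[field('name')]" },
          "location":   { "value": "[field('location')]" },
          "agentGroup": { "value": "[parameters('agentGroup')]" },
          "linkingKey": { "value": "[parameters('linkingKey')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "vmName": { "type": "string" }, "location": { "type": "string" },
            "agentGroup": { "type": "string" }, "linkingKey": { "type": "securestring" }
          },
          "resources": [ {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "apiVersion": "2023-03-01",
            "name": "[concat(parameters('vmName'), '/NessusAgent')]",
            "location": "[parameters('location')]",
            "properties": {
              "publisher": "Tenable.NessusAgent", "type": "NessusAgent",
              "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true,
              "settings": { "nessusManagerApp": "cloud", "nessusAgentGroup": "[parameters('agentGroup')]" },
              "protectedSettings": { "nessusKey": "[parameters('linkingKey')]" }
            }
          } ]
        }
      } }
    }
  }
}
EOF
}

# Policy parameters ($1): the linking key is supplied at assignment time, not
# embedded in the definition. Assignment parameter values are readable by anyone
# with Reader on the scope, so treat the key as sensitive and rotate it if exposed.
write_nessus_policy_params() {
  cat >"$1" <<'EOF'
{
  "agentGroup": { "type": "String", "defaultValue": "azure-vms",
                  "metadata": { "displayName": "Nessus agent group" } },
  "linkingKey": { "type": "String", "metadata": { "displayName": "Nessus linking key" } }
}
EOF
}

# $1 = management group name, $2 = region for the assignment identity, $3 = key.
# Creates the definition, assigns it with a system-assigned identity holding
# Virtual Machine Contributor, then remediates VMs that already exist.
deploy_nessus_policy() {
  mg=$1; region=$2; key=$3
  rules=$(mktemp); params=$(mktemp)
  write_nessus_policy_rule "$rules"
  write_nessus_policy_params "$params"
  scope="/providers/Microsoft.Management/managementGroups/$mg"
  az policy definition create --name deploy-nessus-agent-linux \
    --display-name "Deploy Tenable Nessus Agent extension on Linux VMs" \
    --mode Indexed --management-group "$mg" --rules "@$rules" --params "@$params"
  az policy assignment create --name deploy-nessus-agent-linux --scope "$scope" \
    --policy "$scope/providers/Microsoft.Authorization/policyDefinitions/deploy-nessus-agent-linux" \
    --mi-system-assigned --location "$region" \
    --role "Virtual Machine Contributor" --identity-scope "$scope" \
    --params "{\"linkingKey\":{\"value\":\"$key\"}}"
  az policy remediation create --name nessus-initial-rollout --management-group "$mg" \
    --policy-assignment "$scope/providers/Microsoft.Authorization/policyAssignments/deploy-nessus-agent-linux"
  rm -f "$rules" "$params"
}
```

Two details matter for security here: the existenceCondition checks provisioningState as well as publisher and type, so a VM whose extension install failed stays non-compliant rather than being counted as covered; and the roleDefinitionIds entry is the only permission the assignment's identity is given, which is the least privilege needed to create VM extensions.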


Future Enhancements

  • Combined CrowdStrike & Tanium Script Extension

  • (Optional) Additional security or compliance agents


Building Dashboards & Alerts


Installing agents is only half the battle—you need visibility and proactive alerts to respond to critical events. We recommend:


  1. Azure Dashboards

    • Display VM performance metrics (CPU, memory, disk I/O) from VM Insights.

    • Surface change-tracking logs to highlight configuration drift or unexpected modifications.

  2. Azure Monitor Alerts

    • Trigger on critical events such as failed login attempts, service crashes, or registry changes.

    • Notify stakeholders via email, SMS, or webhook to your incident-management system.


By codifying both the deployment and the observability layers in Terraform (or Bicep), you can deliver a turnkey “deploy-and-forget” solution that installs agents, configures dashboards, and sets up alerts in one seamless pipeline.


Deep Dive: Virtual Machine Insights


VM Insights uses the Azure Monitor Agent (AMA) plus a Data Collection Rule (DCR) to gather performance counters, event logs, and diagnostic data. Key benefits include:

  • Unified monitoring: one agent for metrics, logs, and change tracking, all landing in the same Log Analytics workspace (and AMA can multi-home to additional workspaces if needed).

  • Customizable collection: Tailor your DCR to include exactly the counters and logs you need.

  • Out-of-the-box visualizations: Prebuilt workbook views for CPU spikes, disk latency, and network traffic.


When deployed via Policy at the management-group level, every VM automatically receives the agent extension and a DCR association, so no manual onboarding is required.


Change Tracking & Inventory Overview


Change Tracking captures file-system modifications, registry changes (Windows), and process/service state shifts. Its highlights:

  • File content snapshots stored in a Storage account, viewable before/after change.

  • Wildcard and recursive tracking across directories for dynamic environments.

  • Registry monitoring to detect unauthorized persistence mechanisms.


Limitations to be aware of:

  • Maximum 2,500 files per 30-minute collection cycle; exceeding this degrades performance.

  • File content tracking is capped at 5 MB per file.

  • Some Linux daemons may trigger false positives due to service-level data.



Cost Considerations

Understanding your expenses ensures your governance rollout remains within budget:

Component                                 Pricing
----------------------------------------  -------------------------------------
Automation runtime (per minute)           $0.002 (first 500 minutes free)
Log Analytics ingestion                   $2.76 per GB
Log Analytics retention (beyond 30 days)  $0.12 per GB-month
Data Collection Rules                     $0.12 per GB
Azure Arc VM (configuration management)   $6 per server-month
Native Azure VM policy                    Free

By monitoring your ingestion and retention rates in Log Analytics, you can strike the right balance between visibility and cost.



With a combination of Azure Policy, custom scripting, and native Marketplace extensions, you can achieve fully automated, silent installation of monitoring and security agents, delivering consistency, compliance, and peace of mind. By pairing agent deployment with dashboards and alerts (deployed via infrastructure as code), you create an end-to-end solution that scales across thousands of VMs. Whether you are onboarding a new subscription or remediating existing servers, this Azure Policy–driven approach keeps your environment secure, observable, and resilient.

© 2025 by Alvarnet Azure Blog.
