Share via

What's "DC only" in Secure recommendation mean?

Tan-9136 120 Reputation points
2025-08-02T03:00:14.8133333+00:00

Hi everyone,

When the secure score recommendation has these words "(DC only)", does it mean this only applies to VM that's part of a domain controller?

An example of a recommendation:
N4W7B6 Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)

If it means that it's part of the domain controller, I guess I have to remediate it even though my VM is not part of domain controller because there's no way to exempt this recommendation but please let me know if there's away to exempt this recommendation.

Thank you

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
0 comments
Accepted answer
  1. Catherine Kyalo 2,100 Reputation points Microsoft Employee
    2025-08-08T08:56:09.2966667+00:00

    Hi Tan-9136,

    When a Secure Score recommendation includes “(DC only),” it means the recommendation is specifically intended for Domain Controllers (DCs) within your environment. For example, “Ensure ‘Audit Distribution Group Management’ is set to include ‘Success’ (DC only)” applies only to machines that are acting as domain controllers and not to regular member servers or VMs that are not part of a domain controller role.

    I’d like to clarify whether the VM was previously a Domain Controller (DC) that has since been demoted, and if the delay in recommendation updates could be due to propagation time or residual registry entries.

    to exempt please review: - https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource

    For further investigation please raise a support case

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.