The SQL Vulnerability Assessment (VA) feature is now available in SSMS (SQL Server Management Studio)! I blogged about this feature in Azure recently, and hinted that SQL Vulnerability Assessment in SSMS would be coming soon. Well, today is that day!

Go here to download the latest version of SSMS. You will need version 17.4 for the VA feature. Once you are up and running, all you need to do is right-click to start a scan, like this:

[Image: SQL Vulnerability Assessment Scan]

When the scan is complete you get the results:

[Image: SQL Vulnerability Assessment Scan Results]

From there, you can select a row and examine the T-SQL used:

[Image: SQL Vulnerability Assessment Scan Results TSQL]

And you can set this result to be your baseline (see upper left, ‘Approve as Baseline’ button). And here is one of my favorite features for you to play with right now: you can see a list of columns that are candidates for enhanced security such as Dynamic Data Masking or Always Encrypted:

[Image: SQL Vulnerability Assessment Scan Results TSQL Encryption]
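As a follow-up to the candidate-column list above, here is an added example (not from the original post, and not the T-SQL that VA itself runs) of acting on such a finding with Dynamic Data Masking and then verifying the result. The table `dbo.DemoCustomer`, the user `DemoReader`, and the column-name patterns are constructed for illustration; Dynamic Data Masking needs SQL Server 2016 or later.

```sql
-- Added example: constructed table and user names, not from the original post.
-- Dynamic Data Masking requires SQL Server 2016 or later (or Azure SQL Database).
CREATE TABLE dbo.DemoCustomer (
    CustomerId       int IDENTITY(1,1) PRIMARY KEY,
    FullName         nvarchar(100) NOT NULL,
    Email            nvarchar(256) NULL,
    CreditCardNumber varchar(19)   NULL
);
INSERT INTO dbo.DemoCustomer (FullName, Email, CreditCardNumber)
VALUES (N'Test Person', N'test.person@example.com', '4111-1111-1111-1111');
GO

-- 1. Columns whose names look sensitive and that carry no mask yet.
--    The name patterns are an assumption for this demo, not the VA rule's logic.
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE c.is_masked = 0
  AND (c.name LIKE '%email%' OR c.name LIKE '%card%' OR c.name LIKE '%ssn%');

-- 2. Apply masks to the flagged columns.
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN CreditCardNumber
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- 3. Confirm the masks are recorded in the catalog.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;

-- 4. Check what a low-privileged reader sees (no UNMASK permission).
CREATE USER DemoReader WITHOUT LOGIN;
GRANT SELECT ON dbo.DemoCustomer TO DemoReader;
EXECUTE AS USER = 'DemoReader';
SELECT FullName, Email, CreditCardNumber FROM dbo.DemoCustomer;
REVERT;

-- 5. Masking is not encryption: list principals explicitly granted UNMASK.
--    Members of db_owner also see unmasked data without appearing here.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';
```

Run it in a scratch database; the stored values are unchanged by masking, so columns that must stay unreadable to administrators are candidates for Always Encrypted instead.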

I will leave scanning the master database as an exercise for the reader.

You may have noticed that there is an ID column in the results, with a six-character tag similar to “VA1285”. This would imply that there is a master list of items that VA is scanning for. I am not able to find any such list online at this time. I’m hopeful Microsoft will publish something soon. For now, I can point you to the main page for more information. That’s the page where you will find nuggets of info like “Vulnerability Assessment is supported for SQL Server 2012 and later”. Keep an eye on that page for future details.


To me, SSMS 17.4 is *HUGE* for two reasons. First, the VA feature. This is a wonderful thing. Even more wonderful is that we didn’t need to wait for a service pack in order to get this feature into SSMS. This is why decoupling SSMS from the installer was a step in the right direction. We get wonderful features, delivered faster.