Forum Discussion
Filter/Exclude VMSS instances from Defender
Can you elaborate on what reports/dashboards are getting dirty by these VMSS instances? Is it recommendations? Inventory?
It's Device Inventory, i.e., what you get to by navigating to Assets -> Devices
- Matan_Shabtay (Microsoft), Nov 18, 2024
Devices appear in the Microsoft Defender portal (security.microsoft.com) if the machine (VM / VMSS instance) has the MDE agent installed.
VMSS instances that are a nested resource type of uniform VMSS are not natively supported by the Defender for Endpoint auto-provisioning flow, so the question is: how are these VMSS instances getting Defender for Endpoint installed?
- sam-mfb (Copper Contributor), Nov 18, 2024
These are Ubuntu machines that are being used as self-hosted Azure DevOps agents. They are built from the Packer image found here https://github.com/actions/runner-images/blob/main/images/ubuntu/templates/ubuntu-22.04.pkr.hcl
I haven't done anything specifically to enable an MDE agent. I had assumed this was coming through because of agentless Defender scanning of Azure VMs (https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection).
- Matan_Shabtay (Microsoft), Nov 20, 2024
These machines shouldn't be reported to Defender devices, also not by agentless VM scanning.
Please open a support ticket and provide the relevant VMSS details so it will be checked by the support and product team if needed.