Forum Discussion
Usayyad (MCT)
Oct 07, 2022
Enroll only selected servers in Azure Defender
We have 7-8 different subscriptions and have 1000s of VMs. I have enabled Azure Defender for Cloud for my subscription. However, I want to exclude Azure Defender for selected servers (VMs). Is it poss...
StanislavBelov
Microsoft
Oct 07, 2022
Since Defender for Servers can only be enabled at the subscription level or higher (management groups or tenant), it's currently not possible to exclude certain servers from protection. We are considering providing a more granular onboarding experience in the future. However, it is possible to control which servers get onboarded to MDE (which is one of the Defender for Servers features) by using the Azure Policies we recently added:
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
Please keep in mind that in this case you would need to disable the integration with MDE in the subscription settings to disable auto onboarding of all VMs in this sub.
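The workaround described in the answer above, as an added example that is not code from the thread or from Microsoft: switch off the subscription-wide MDE integration setting, then assign the built-in DeployIfNotExists policies with a `-NotScope` carve-out so the MDE extension only reaches the machines you want. It assumes the Az.Accounts, Az.Resources (6.x object property names), Az.Security and Az.PolicyInsights modules, a caller who can write policy and role assignments on the subscription, and placeholder subscription, resource-group and region values; the policy definitions are resolved by display name rather than by GUID, since no definition IDs appear on the page.

```powershell
# Added example, not from the thread or from Microsoft. Implements the workaround in
# the answer above: disable the subscription-wide MDE integration, then onboard MDE
# only through scoped Azure Policy assignments. All IDs and names below are placeholders;
# property names follow Az.Resources 6.x.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$excludedRg     = 'rg-lab-no-mde'                           # placeholder RG to leave un-onboarded
$location       = 'westeurope'                              # region for the assignments' managed identities
$subScope       = "/subscriptions/$subscriptionId"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Stop Defender for Servers from auto-onboarding every VM in the subscription.
#    'WDATP' is the setting name the Microsoft.Security settings API uses for the MDE integration.
Set-AzSecuritySetting -SettingName 'WDATP' -SettingKind 'DataExportSettings' -Enabled $false | Out-Null

# 2. Resolve the built-in DeployIfNotExists policies by display name (GUIDs not copied here).
#    Add the two Arc/hybrid-machine policies to this list to scope Arc machines the same way.
$displayNames = @(
    '[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines',
    '[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines'
)
$definitions = Get-AzPolicyDefinition -Builtin |
    Where-Object { $displayNames -contains $_.Properties.DisplayName }
if (@($definitions).Count -ne $displayNames.Count) {
    throw "Expected $($displayNames.Count) policy definitions, found $(@($definitions).Count)"
}

foreach ($def in $definitions) {
    $name = "mde-onboard-$($def.Name.Substring(0, 8))"

    # 3. Assign at subscription scope, carving the excluded resource group out with -NotScope.
    #    DeployIfNotExists needs a managed identity to run the extension deployment.
    $assignment = New-AzPolicyAssignment -Name $name -DisplayName $def.Properties.DisplayName `
        -PolicyDefinition $def -Scope $subScope -NotScope "$subScope/resourceGroups/$excludedRg" `
        -IdentityType SystemAssigned -Location $location

    # 4. Grant the identity exactly the roles the policy rule declares, and nothing broader.
    foreach ($roleId in $def.Properties.PolicyRule.then.details.roleDefinitionIds) {
        $roleGuid = ($roleId -split '/')[-1]
        $granted  = $false
        for ($i = 0; $i -lt 12 -and -not $granted; $i++) {
            try {
                New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
                    -RoleDefinitionId $roleGuid -Scope $subScope -ErrorAction Stop | Out-Null
                $granted = $true
            } catch {
                Start-Sleep -Seconds 10   # freshly created identity may not be replicated yet
            }
        }
        if (-not $granted) { throw "Could not assign role $roleGuid to $name" }
    }

    # 5. DeployIfNotExists only fires on resource create/update; existing VMs need a remediation task.
    Start-AzPolicyRemediation -Name "$name-initial" `
        -PolicyAssignmentId "$subScope/providers/Microsoft.Authorization/policyAssignments/$name" | Out-Null
}

# 6. Verify the carve-out: no compliance record for these assignments should sit in the excluded RG.
Get-AzPolicyState -SubscriptionId $subscriptionId |
    Where-Object { $_.PolicyAssignmentName -like 'mde-onboard-*' -and
                   $_.ResourceId -like "*/resourceGroups/$excludedRg/*" } |
    Select-Object ResourceId, ComplianceState   # expected: empty
```

Two practical points the script encodes: the policy route only gives per-scope control once the subscription-level integration is off, otherwise the subscription setting onboards everything regardless of the assignment; and because DeployIfNotExists evaluates on create or update, machines that already exist are only reached by the remediation task in step 5, so the time until the extension appears depends on that task, not on the assignment alone.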
- Carlos_Barragan
Copper Contributor
Mar 08, 2023
Hello everyone, I would like to know whether we can already specify the virtual machines that we want to apply Defender to, or whether all the virtual machines of the subscription are still selected. @StanislavBelov
- StanislavBelov
Microsoft
Mar 08, 2023
Defender for Servers still can only be enabled at the subscription level.
- ovesely
Copper Contributor
Jul 04, 2024
We do need this at least at the resource group level, OR at a bare minimum make a distinction between Azure VMs and Arc VMs.
I am in the middle of a migration. I wanted to onboard 200 servers to Arc to properly scope them for the migration, but thanks to this I can NOT use Arc, because it will push Defender for Servers to all Arc machines at 15 USD per machine.
At the moment I am left with 3 options:
1) Turn off Defender for entire sub.
2) Do not use Arc.
3) Create a brand new subscription just because of this.
This should not be as difficult as it is; at LEAST make a separate switch for Arc machines.
- Jonhed
Iron Contributor
Oct 07, 2022
Does this mean the MDE integration is not required from a licensing standpoint?
Also, what kind of a delay would one be looking at, from resources being added to the policy scope until the extension is deployed?