Microsoft Tech Community

Question regarding manual (or delayed automatic) onboarding of VMs to Microsoft Defender for Cloud

I have a use case scenario where my infrastructure consisting of both Linux and Windows Virtual Machines is deployed via Azure DevOps Pipeline to an Azure Subscription, which has Microsoft Defender for Cloud enabled with advanced security features. 


I'd like for my Infrastructure Build Pipeline tasks to finish before letting Microsoft Defender for Cloud do its magic with enabling Microsoft Defender for Endpoint features (mainly enabling the EDR solution on endpoints) in order to prevent any possible conflicts between these two actions.


So here's my question - is it possible to manually onboard Virtual Machines or delay the automatic onboarding to Microsoft Defender for Cloud?

2 Replies
As soon as MDC discovers a new running VM it starts the onboarding process (deploys the LA agent if auto provisioning is enabled, onboards to MDE if the integration is enabled, etc.). There is no way to delay or control this process other than disabling auto provisioning, which was created to streamline the onboarding process.
The issue with this is that even if the auto-provisioning of the LA agent is disabled, MDC is still initiating the onboarding process. This is true even for VMs that are not connected to any Log Analytics Workspaces (aka VMs with no MMA agent) - I've tested this and that is indeed the case.
In our case this is problematic for Linux VMs in two ways:
1. Since there is no information on how exactly the mdatp agent is being provisioned to the VM, the installation could interfere with Ansible configuration tasks after the automatic deployment of the VM.
2. We want to control the configuration state of the built machine, which is going to change after the automatic provisioning of the mdatp agent.
Is there any way to onboard the agent manually to the VM in order to skip the automatic installation by MDC? This would be a sufficient workaround for us and eliminate the need to stop or delay the automatic onboarding of Linux VMs in the Subscription.
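As an added example that is not part of this thread and is not Microsoft's own tooling, the following bash script is a pipeline or Ansible pre-task gate for the Linux case discussed above: it reports whether the mdatp agent is absent, installed but not yet onboarded, or fully onboarded, by parsing the `key : value` lines that `mdatp health` prints, and it can wait for an onboarding that is already in progress to finish before configuration tasks run. The sample health output is constructed for the example (not captured from a real host), and the function names, the state labels and the 10-second polling interval are choices of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Microsoft): gate configuration
# tasks on the Microsoft Defender for Endpoint (mdatp) state of a Linux VM.
set -u

# Parse one "key : value" line from output in the shape `mdatp health` prints.
# Usage: printf '%s\n' "$health_output" | mdatp_field <field>
mdatp_field() {
    local field=$1
    awk -v f="$field" -F' *: *' '
        $1 == f {
            v = $2
            gsub(/^"|"$/, "", v)   # string fields such as org_id are printed quoted
            print v
            exit
        }'
}

# Classify the agent state from a health report (empty report = no agent):
#   not_installed  - MDC has not provisioned the mdatp package (yet)
#   installed      - package present but not licensed/onboarded or not healthy
#   onboarded      - licensed, carries an org_id and reports healthy
mdatp_state() {
    local health=$1
    if [ -z "$health" ]; then
        echo not_installed
        return 0
    fi
    local healthy licensed org_id
    healthy=$(printf '%s\n' "$health" | mdatp_field healthy)
    licensed=$(printf '%s\n' "$health" | mdatp_field licensed)
    org_id=$(printf '%s\n' "$health" | mdatp_field org_id)
    if [ "$healthy" = true ] && [ "$licensed" = true ] && [ -n "$org_id" ]; then
        echo onboarded
    else
        echo installed
    fi
}

# Live report from this host; prints nothing when the mdatp binary is absent.
live_health() {
    if command -v mdatp >/dev/null 2>&1; then
        mdatp health 2>/dev/null
    fi
}

# Block while an agent exists but is still onboarding, for up to $1 seconds
# (default 600), so Ansible tasks do not run concurrently with a half-finished
# install. Returns 1 if the timeout expires with the agent still "installed".
wait_for_mdatp() {
    local timeout=${1:-600} waited=0 state
    while :; do
        state=$(mdatp_state "$(live_health)")
        case $state in
            onboarded|not_installed) echo "$state"; return 0 ;;
        esac
        if [ "$waited" -ge "$timeout" ]; then
            echo "$state"
            return 1
        fi
        sleep 10
        waited=$((waited + 10))
    done
}

# Constructed sample reports in the shape of `mdatp health` output
# (assumed field names: healthy, licensed, org_id; values are made up).
SAMPLE_ONBOARDED='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true'

SAMPLE_INSTALLED='healthy                                     : false
licensed                                    : false
org_id                                      : ""'

# Stand-alone run: classify the constructed samples and then this host.
printf 'sample onboarded -> %s\n' "$(mdatp_state "$SAMPLE_ONBOARDED")"
printf 'sample installed -> %s\n' "$(mdatp_state "$SAMPLE_INSTALLED")"
printf 'this host        -> %s\n' "$(mdatp_state "$(live_health)")"
```

In a pipeline step the gate is used as `state=$(wait_for_mdatp 900) || echo "mdatp still mid-onboarding after timeout"`, with `state` then deciding whether the Ansible play may proceed or should record the agent as part of the machine's configuration baseline. On a live host `mdatp health --field healthy` returns a single field directly, which is handy for the same checks without the parser. The caveat that matters for the question above: the gate cannot stop MDC from starting an install on a VM where no agent exists yet, because, as the reply notes, there is no signal before MDC begins; it only prevents your tasks from running concurrently with an install that has already started, and it lets you detect afterwards that the agent changed the machine state.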