Its not clear, how exactly Defender Plan 2 is deployed

[abe-cyb87]

Hi, based on this learn article, its not clear, how Defender for Endpoint Plan 2 Agent is deployed in a Subscription.

According to the learn article, the Agent is deployed automatically, if defender plan 1 is selected, and the toggle switch in the environmemt settings is turned to "on".

What are the requirements, to deploy Defender Plan 2 Agents to all VMs in a Subscription? Is the Defender Plan 2 Agent deployed automatically to all VMs, in the same manner as the defender plan 1 agent (see above)? Do we still need a Azure Policy? Or is a Azure Policy created automatically? (maybe hidden?)

Is it needed to connect all VMs with a Log analytics workspace through the new Azure Monitor Agent (AMA) ?

The Part "Enable the plan at resource level" (https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan#enable-the-plan-at-the-resource-level) is also not clear. How exactly can one exclude a VM from the defender deployment?

Regards

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 61d7cedf-207a-6bd5-9626-0826e6f116a5
• Version Independent ID: 695103be-c1e9-ba5d-d878-d6afdd1fccb0
• Content: Protect your servers with Defender for Servers - Microsoft Defender for Cloud
• Content Source: articles/defender-for-cloud/tutorial-enable-servers-plan.md
• Service: defender-for-cloud
• GitHub Login: @dcurwin
• Microsoft Alias: dacurwin

[SaibabaBalapur-MSFT]

@abe-cyb87 Thanks for your feedback! We will investigate and update as appropriate.

[ElazarK]

reassign:AlizaBernstein

[AlizaBernstein]

Work item created https://dev.azure.com/msft-skilling/Content/_workitems/edit/200670/

label:"backlog-item-created"

[TPavanBalaji]

@dcurwin Could you please review it.