Closed Wallace4444 closed 8 months ago
@Wallace4444 Thanks for your feedback! We will investigate and update as appropriate.
@Wallace4444
Thank you for your question.
To exclude individual existing VMs from having Defender for Endpoint deployed when the plan is enabled, you can use the Azure Resource Manager (ARM) template to specify the exclusion list.
Here is an example of how to specify the exclusion list in the ARM template:

```json
"resources": [
  {
    "type": "Microsoft.Security/locations/preventionPolicies",
    "name": "default",
    "apiVersion": "2021-01-01-preview",
    "properties": {
      "excludedResourceIds": [
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName1}",
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName2}"
      ]
    }
  }
]
```

In this example, the `excludedResourceIds` property specifies the list of VMs to exclude from having Defender for Endpoint deployed. You can replace `{subscriptionId}`, `{resourceGroupName}`, `{vmName1}`, and `{vmName2}` with the appropriate values for your environment.
You can include this ARM template in your deployment process to ensure that the exclusion list is applied when the Defender for Cloud plan is enabled.
I hope this helps. Let me know if you have any further questions.
Hello @AjayBathini-MSFT, thanks for this recommendation.
Could you share links to documentation about the `Microsoft.Security/locations/preventionPolicies` ARM template resource? I didn't have any luck finding it. Additionally, I experienced the following error when trying to apply the above template:

```
The resource type 'locations' could not be found in the namespace 'Microsoft.Security' for api version '2021-01-01-preview'.
```

We are in a similar situation where we would like to exclude a few VMs while enabling Defender for Servers Plan 2 at the subscription level.
This article (https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-servers-coverage#the-effect-on-microsoft-defender-for-endpoint-deployment) states "To avoid unintentional agent deployments, exclude individual existing VMs before or at the same time you enable the plan at the subscription level. VMs on the exclusion list won't have Defender for Endpoint deployed when the plan is enabled."
Link to that text here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-servers-coverage#the-effect-on-microsoft-defender-for-endpoint-deployment
Is there some sort of guidance as to how this exclusion is configured?
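The error quoted in the reply above is what ARM returns when a template names a type/apiVersion pair the resource provider does not expose. Before putting a resource type into a template, the check a practitioner wants is to compare it against what the provider actually registers, which `az provider show --namespace Microsoft.Security` returns as `resourceTypes[].resourceType` and `resourceTypes[].apiVersions`. The following is an added example, not code from the thread or from Microsoft; it parses a constructed sample in that output shape (the resource types and API versions in the sample are illustrative placeholders, not a claim about what Microsoft.Security currently registers) and classifies each resource in a template as registered, unknown type, unknown API version, or wrong namespace.

```python
"""Check whether an ARM resource type and API version are registered in a
resource provider namespace, before putting them in a template.

Reads the JSON shape returned by:
    az provider show --namespace Microsoft.Security
(resourceTypes[].resourceType and resourceTypes[].apiVersions).
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `az provider show` output. The resource
# types and API versions listed here are illustrative placeholders for this
# example; check your own provider output rather than relying on these.
SAMPLE_PROVIDER_JSON = json.dumps({
    "namespace": "Microsoft.Security",
    "resourceTypes": [
        {"resourceType": "pricings",
         "apiVersions": ["2023-01-01", "2022-03-01"]},
        {"resourceType": "locations/alerts",
         "apiVersions": ["2022-01-01"]},
    ],
})


def load_resource_types(provider_json: str) -> Tuple[str, Dict[str, Set[str]]]:
    """Return (namespace, {resourceType lowercased: set of apiVersions})."""
    data = json.loads(provider_json)
    types = {
        rt["resourceType"].lower(): set(rt.get("apiVersions", []))
        for rt in data.get("resourceTypes", [])
    }
    return data["namespace"], types


def check_resource_type(provider_json: str, full_type: str,
                        api_version: str) -> Tuple[str, str]:
    """Classify a template 'type'/'apiVersion' pair against the provider.

    Returns (status, detail) where status is one of:
      'ok'                  type and API version are both registered
      'namespace-mismatch'  the type does not belong to this provider
      'unknown-type'        no such resource type in the namespace
      'unknown-api-version' type exists, but not for this API version
    """
    namespace, types = load_resource_types(provider_json)
    ns, _, rtype = full_type.partition("/")
    if ns.lower() != namespace.lower():
        return "namespace-mismatch", f"{ns} is not {namespace}"
    versions = types.get(rtype.lower())
    if versions is None:
        # ARM's error in the thread names only the first type segment
        # ('locations'), so list registered types that share that segment
        # to make a near miss easy to spot.
        first = rtype.split("/")[0].lower()
        near = sorted(t for t in types if t.split("/")[0] == first)
        hint = f"; registered types under '{first}': {near}" if near else ""
        return "unknown-type", f"'{rtype}' not found in {namespace}{hint}"
    if api_version not in versions:
        return "unknown-api-version", (
            f"'{rtype}' exists but not for {api_version}; "
            f"available: {sorted(versions)}")
    return "ok", f"{full_type}@{api_version} is registered"


def check_template_resources(provider_json: str,
                             template: dict) -> List[Tuple[str, str, str, str]]:
    """Run the check over every resource in an ARM template body.

    Each row is (type, apiVersion, status, detail).
    """
    return [
        (res["type"], res["apiVersion"],
         *check_resource_type(provider_json, res["type"], res["apiVersion"]))
        for res in template.get("resources", [])
    ]


if __name__ == "__main__":
    # The template fragment from the thread, as a resource to validate.
    template = {"resources": [{
        "type": "Microsoft.Security/locations/preventionPolicies",
        "name": "default",
        "apiVersion": "2021-01-01-preview",
        "properties": {"excludedResourceIds": []},
    }]}
    for row in check_template_resources(SAMPLE_PROVIDER_JSON, template):
        print(row)
```

To run it against a live subscription, replace `SAMPLE_PROVIDER_JSON` with the output of `az provider show --namespace Microsoft.Security -o json`; an `unknown-type` result for a template resource means the deployment will fail with the same kind of error as quoted above, regardless of the API version chosen.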