Turning off Defender in Azure VM...won't stay off

Scott Klein 161 Reputation points
2023-11-06T22:05:57.7933333+00:00

We have several Azure VMs (for the sake of argument, let's say 5), and at the Azure subscription level, Azure Defender is turned off. Of the 5 VMs, 2 of them have "Microsoft Defender for Servers" OFF. 3 of them are ON.

When Azure Defender for Servers is ON, it adds an Audit and Extended event. We are trying to turn OFF Defender on the 3 servers, but something is automatically turning it back on. We want to turn off Defender because we are trying to do some performance testing by turning off the Extended Event and Audit, but Defender keeps re-enabling them (the XE and Audit).

So, the question is, what might be turning Defender back on (how do we keep it off)?

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

Accepted answer
  1. v-vvellanki-MSFT 4,920 Reputation points Microsoft Vendor
    2023-11-07T05:59:35.5033333+00:00

    Hi @Scott Klein ,

    Thanks for contacting Microsoft Q&A.

    Azure Security Center has security policies that can be set at various scopes, including subscription, resource group, and individual resource (e.g., VM). These policies can enforce certain security configurations, and they may override your manual settings. Here's what you can do:

    a. Check Azure Security Center Policies: Go to the Azure Security Center in the Azure portal and review your security policies. Ensure that there are no policies at the subscription or resource group level that are automatically enabling Microsoft Defender for Servers.

    b. Modify or Disable Policies: If you find policies that are affecting your VMs, you can modify or disable them as needed to prevent automatic re-enabling of Microsoft Defender for Servers.

    Hope this helps you.


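One way to carry out the policy review described in the accepted answer offline, as an added example that is not part of the original answer or Microsoft's code: it takes policy assignments exported as JSON (assumed to have the shape of `az policy assignment list` output) and reports which Defender-related assignments are enforced on a given VM. The sample data, resource names, the `covers`, `classify` and `suspects` helpers and the keyword match on `displayName` are constructed for illustration.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
VM_ID = SUB + "/resourceGroups/rg-perf/providers/Microsoft.Compute/virtualMachines/vm3"

# Constructed sample shaped like `az policy assignment list` output (not real data).
SAMPLE = json.loads("""[
 {"displayName": "Enable Defender for Servers", "scope": "%(s)s",
  "notScopes": [], "enforcementMode": "Default"},
 {"displayName": "Enable Defender for Servers (test RG)",
  "scope": "%(s)s/resourceGroups/rg-per", "notScopes": [], "enforcementMode": "Default"},
 {"displayName": "Defender baseline", "scope": "%(s)s",
  "notScopes": ["%(s)s/resourceGroups/rg-perf"], "enforcementMode": "Default"},
 {"displayName": "Defender audit only", "scope": "%(s)s",
  "notScopes": [], "enforcementMode": "DoNotEnforce"},
 {"displayName": "Org-wide Defender plans",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-constructed",
  "notScopes": [], "enforcementMode": "Default"},
 {"displayName": "Allowed locations", "scope": "%(s)s/resourceGroups/rg-perf",
  "notScopes": [], "enforcementMode": "Default"}
]""" % {"s": SUB})

def covers(scope, resource_id):
    """True when scope is the resource itself or one of its ancestors."""
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")  # "/" boundary: rg-per must not match rg-perf

def classify(assignment, resource_id):
    scope = assignment["scope"]
    if "/managementgroups/" in scope.lower():
        return "check-manually"  # MG membership is not visible in a resource ID
    if not covers(scope, resource_id):
        return "out-of-scope"
    if any(covers(n, resource_id) for n in assignment.get("notScopes") or []):
        return "excluded"
    if assignment.get("enforcementMode", "Default") != "Default":
        return "not-enforced"  # DoNotEnforce: the policy effect is not enforced
    return "enforced"

def suspects(assignments, resource_id, keywords=("defender", "security center")):
    """Defender-related assignments that can act on resource_id."""
    found = []
    for a in assignments:
        name = a.get("displayName") or ""
        verdict = classify(a, resource_id)
        if any(k in name.lower() for k in keywords) and verdict in ("enforced", "check-manually"):
            found.append((name, a["scope"], verdict))
    return found
```

Run `suspects()` against a real export to get the short list of assignments to modify or disable; management-group assignments are reported separately because their reach cannot be read from the VM's resource ID.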