Microsoft Defender for Cloud - exclude ARC enabled machines

Question

Microsoft Defender for Cloud - exclude ARC enabled machines

StephenNijsten-8069 120

Hi all,

I have a mix of normal vms and arc-eneabled machines in my subscription. The arc-enabled machines already have enpoint protection software installed so endpoint protection through MDFC is not needed for these machines.

I was wondering if I can exclude the arc-enabled machines from the inventory so that they are not protected by MDFC?

Kind regards,

Stephen.

Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2024-03-20T12:35:32.2566667+00:00

Defender for Servers includes MDE. This is activated by a policy driven extension called Microsoft.MDE or Linux.MDE. You can disable this at the subscription level. You can also block the extension on a resource group using a policy if you need a more granular option. Note that MDE requires a separate license for servers.

Rather than turning this off, since you are technically paying for MDE, I recommend keeping it turned on. MDE and in turn MDAV, goes into a passive mode when a 3rd party AV is detected. This can generate useful reports, logs, inventory, and recommendations as a companion to your preferred EDR (in passive mode). The XDR portal where this is presented (security.microsoft.com) is planned to be the central portal for MDE, MDI, MDO, MDCA, MDC, Sentinel, Purview, Entra, and Copilot for Security.

Accepted answer

0 additional answers

Your answer

Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2024-03-20T12:35:32.2566667+00:00

Defender for Servers includes MDE. This is activated by a policy driven extension called Microsoft.MDE or Linux.MDE. You can disable this at the subscription level. You can also block the extension on a resource group using a policy if you need a more granular option. Note that MDE requires a separate license for servers.

Rather than turning this off, since you are technically paying for MDE, I recommend keeping it turned on. MDE and in turn MDAV, goes into a passive mode when a 3rd party AV is detected. This can generate useful reports, logs, inventory, and recommendations as a companion to your preferred EDR (in passive mode). The XDR portal where this is presented (security.microsoft.com) is planned to be the central portal for MDE, MDI, MDO, MDCA, MDC, Sentinel, Purview, Entra, and Copilot for Security.

Answer 1

@NIJSTEN Stephen Thank you for reaching out to us, as far i am aware - it's not possible to exclude arc enabled machines from defender for cloud.

MDFC is a subscription-level service. The only option would be a subscription where MDFC is disabled.

Azure Arc and Microsoft Defender for Cloud integration - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-security-center#:~:text=4c3d%2D847f%2D89da613e70a8%27-,Azure%20Arc%20and%20Microsoft%20Defender%20for%20Cloud%20integration,-After%20you%20successfully

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Share via

Microsoft Defender for Cloud - exclude ARC enabled machines

0 additional answers

Your answer