Exception Handling for Defender & Third-Party EDR Conflict

용현 정 20 Reputation points
2024-05-12T23:46:36.76+00:00

Hello.

We are currently operating Microsoft Defender for Cloud (MDC). We aim to comply with one of MDC's recommendations, 'EDR solution should be installed on Virtual Machines.' While Windows machines have Microsoft Defender for Endpoint (MDE) installed as an extension and are recognized as normal resources, Linux machines utilize a third-party antivirus solution, Crowdstrike. However, MDC fails to recognize this and marks them as abnormal resources. Upon reviewing relevant MS Docs, it seems this might be due to the following reasons. With this in mind, we have the following two questions:

Q1. How should we handle resources marked as abnormal under the recommendation 'EDR solution should be installed on Virtual Machines' (utilizing a third-party Crowdstrike antivirus) as there is no mention of exception handling in the recommendation? Is there a way to transition such resources to normal status or proceed with exception handling?


Q2. MDE.Linux was deployed as an extension to Linux machines with Crowdstrike antivirus installed, but deployment failed (confirmed due to conflicts with falcon-sensor). Will redeployment occur if the extension is removed? Alternatively, in case of deployment failure for MDE extension, is a separate MDE offboarding process required? Currently, we are using Plan2 with MDE integration, as shown in the image below.


Thank you.


2 answers

  1. Pauline Mbabu 15 Reputation points Microsoft Employee
    2024-05-14T09:39:38.43+00:00

    Hello 용현 정,
    Regarding your first question on exemptions, please find the link below on how to exempt resources from recommendations:
    https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource

    Regarding the second question, you can try removing the MDE extension and then redeploying it; ensure that you first address the conflict with the falcon-sensor.


  2. Akshay-MSFT 16,436 Reputation points Microsoft Employee
    2024-05-23T13:26:56.4733333+00:00

    @용현 정

    Thank you for your time and patience. Kindly follow the action plan suggested below and let me know if this doesn't work out.

    Regarding Q1, as I mentioned in my question, the recommendation 'EDR solution should be installed on Virtual Machines' does not show an option to exempt resources. Therefore, we are unable to perform the exemption method referenced in the provided link. Could you please provide guidance on alternative methods for handling exceptions?

    The EDR recommendation is enabled when you have agentless scanning for virtual machines enabled.

    Defender for Cloud has the ability to tell you if you have a supported endpoint detection and response solution enabled on your virtual machines (VM) and which one it is.

    I am not sure why it is not giving you the option to exempt the VM, as if an EDR solution is installed but not discoverable by this recommendation, it can be exempted.

    So, my recommendation here is to install Crowdstrike (falcon-sensor) as an extension and disable "Endpoint Protection" from the server plan. Once done then wait for 24 hours to validate any changes.

    If this does not solve the issue, then share a screenshot of the EDR solution recommendation by choosing the resource from "Inventory" and, under recommendations, selecting "EDR solution should be installed on Virtual Machines".

    Q2, your response suggested resolving the conflict with the falcon-sensor. However, in our environment, we must use Crowdstrike (falcon-sensor) antivirus on our Linux systems instead of MDE. Therefore, we cannot remove the falcon-sensor and need to ensure that MDE is not deployed. My question was whether removing MDE.Linux from the extension will prevent MDE from being reinstalled.

    When Defender for Cloud discovers a supported endpoint detection and response solution on your VM, the agentless machine scanner performs the following checks to see:

    • If a supported endpoint detection and response solution is enabled
    • If Defender for Servers plan 2 is enabled on your subscription and the associated VMs
    • If the supported solution is installed successfully

    CrowdStrike (Falcon) is a supported endpoint detection and response solution.

    You could install Crowdstrike (falcon-sensor) as an extension in the VM.

    To remove the Defender for Endpoint solution from your machines:

    1. Disable the integration:
      1. From Defender for Cloud's menu, select Environment settings and select the subscription with the relevant machines.
      2. In the Defender plans page, select Settings & Monitoring.
      3. In the status of the Endpoint protection component, select Off to disable the integration with Microsoft Defender for Endpoint. (Otherwise it would retry pushing the agent if the unified agent is installed.)
      4. Select Continue and Save to save your settings.
    2. Remove the MDE.Windows/MDE.Linux extension from the machine.
    3. Follow the steps in Offboard devices from the Microsoft Defender for Endpoint service from the Defender for Endpoint documentation.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

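As an added example (not code from the thread or from Microsoft), this small triage script takes the JSON that `az vm extension list -g <rg> --vm-name <vm>` returns and flags the situation discussed above: an MDE.Linux push that failed next to a CrowdStrike sensor, which should be cleaned up (and the Endpoint protection integration switched off) rather than left to retry. The CrowdStrike publisher string and the sample extension records are assumptions constructed for the example.

```python
"""Triage VM extension state for the MDE / CrowdStrike conflict described in the thread.
Added example; the sample records below are constructed, not real `az` output."""
import json
import sys

MDE_EXT_NAMES = {"MDE.Linux", "MDE.Windows"}   # extension names quoted in the thread
THIRD_PARTY_HINT = "crowdstrike"               # assumption: CrowdStrike's publisher contains this

def triage(vm_name: str, extensions: list) -> dict:
    """Classify one VM from its extension list and return the remediation actions."""
    mde = [e for e in extensions if e.get("name") in MDE_EXT_NAMES]
    third_party = [e for e in extensions
                   if THIRD_PARTY_HINT in (e.get("publisher") or "").lower()]
    failed_mde = [e for e in mde if e.get("provisioningState") != "Succeeded"]
    actions = []
    if failed_mde and third_party:
        state = "conflict"  # MDE push failed beside the third-party sensor: remove it, don't retry
        for e in failed_mde:
            actions.append(f"az vm extension delete -g <rg> --vm-name {vm_name} --name {e['name']}")
        actions.append("turn Endpoint protection Off under Environment settings > Defender plans > "
                       "Settings & Monitoring before removing, or the extension will be pushed again")
    elif mde and not failed_mde:
        state = "mde-ok"
    elif third_party:
        state = "third-party-only"  # should satisfy the EDR recommendation once agentless scanning sees it
    else:
        state = "no-edr"
        actions.append("no EDR extension present; expect the 'EDR solution should be installed' finding")
    return {"vm": vm_name, "state": state, "actions": actions}

# Constructed sample: one Linux VM in the conflict state, one Windows VM with MDE healthy.
SAMPLE = {
    "linux-01": [
        {"name": "MDE.Linux", "publisher": "Microsoft.Azure.AzureDefenderForServers",
         "provisioningState": "Failed"},
        {"name": "FalconSensor", "publisher": "Crowdstrike.Falcon",   # assumed publisher string
         "provisioningState": "Succeeded"},
    ],
    "win-01": [
        {"name": "MDE.Windows", "publisher": "Microsoft.Azure.AzureDefenderForServers",
         "provisioningState": "Succeeded"},
    ],
}

if __name__ == "__main__":
    # Usage: pipe real `az vm extension list` JSON in as `vm-name` argument + stdin, else run the sample.
    inventory = {sys.argv[1]: json.load(sys.stdin)} if len(sys.argv) > 1 else SAMPLE
    for vm, exts in inventory.items():
        print(json.dumps(triage(vm, exts), indent=2))
```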