Recently, I was investigating how to manage the Microsoft Antimalware extension on Azure virtual machines.
As we all know, the Microsoft Antimalware extension can be enabled when creating a new Azure virtual machine in the Azure portal. While the extension can be enabled there, only the default settings will be applied. This might work in most scenarios, but company policy may require customization, which may extend to customizing the extension for specific server roles or even desktops.
It became clear that the only way to customize the configuration is by using Azure PowerShell.
NOTE: More customization is also possible in the 'new' portal available at http://portal.azure.com. At the time of writing this portal is still in Preview, though, so it is not supported.
After checking out the cmdlet reference for Azure, I found the Set-AzureVMMicrosoftAntimalwareExtension cmdlet. More information on this cmdlet is available at https://msdn.microsoft.com/en-us/library/dn771716.aspx.
After reading the article I noticed that .json files can be used to provision a configuration for the extension. This brings a new challenge: what configuration should be in the .json file for a specific server role?
If an existing System Center Configuration Manager 2012 or newer infrastructure is available and the Endpoint Protection Point is enabled and used, then either existing configurations or the Endpoint Protection templates can be used. The trick is to read a template and ‘translate’ it into a .json file.
I decided to use the Domain Controller template as a reference. After analyzing the template .xml file, the resulting path-exclusion entry ("Paths" in the .json file) may look like this:
    "Paths": "%systemroot%\\NTDS\\Ntds.dit;%systemroot%\\NTDS\\EDB*.log;%systemroot%\\NTDS\\Edbres*.jrs;%systemroot%\\SYSVOL\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\;%systemroot%\\SYSVOL\\staging;%systemroot%\\SYSVOL\\staging areas;%systemroot%\\SYSVOL\\sysvol",
Keep in mind, though, that using wildcards in the .json file is not recommended by Microsoft, as stated in the cmdlet reference page for the Set-AzureVMMicrosoftAntimalwareExtension cmdlet (note that the two NTDS log entries above contain them).
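To show the whole workflow end to end, here is an added example (not code from the original post): it builds the domain-controller exclusion list into a complete configuration file, flags the wildcard entries the cmdlet reference warns about, checks that the file parses, and applies it with the cmdlet. It assumes the classic (service management) Azure PowerShell module with a subscription selected; the service and VM names are placeholders, the schema keys follow Microsoft's documented sample configuration for the extension, and the scheduled-scan values are constructed.

```powershell
param(
    [string]$ServiceName = 'MyCloudService',                 # placeholder
    [string]$VMName      = 'DC01',                           # placeholder
    [string]$ConfigPath  = "$env:TEMP\antimalware-dc.json"
)

# Exclusion paths translated from the Domain Controller template above.
$dcPaths = @(
    '%systemroot%\NTDS\Ntds.dit',
    '%systemroot%\NTDS\EDB*.log',
    '%systemroot%\NTDS\Edbres*.jrs',
    '%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\',
    '%systemroot%\SYSVOL\staging',
    '%systemroot%\SYSVOL\staging areas',
    '%systemroot%\SYSVOL\sysvol'
)

# Schema keys as in Microsoft's sample configuration for the extension;
# the Exclusions values are semicolon-separated lists. Scan settings are
# constructed sample values, adjust them to your own policy.
$config = [ordered]@{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = [ordered]@{
        isEnabled = $true; day = 7; time = 120; scanType = 'Quick'
    }
    Exclusions                = [ordered]@{
        Extensions = ''
        Paths      = ($dcPaths -join ';')
        Processes  = ''
    }
}

# Caveat from the cmdlet reference: wildcard exclusions are not recommended.
$wild = $dcPaths | Where-Object { $_ -match '[\*\?]' }
if ($wild) {
    Write-Warning ('Wildcard exclusions present (not recommended): ' + ($wild -join ', '))
}

# ConvertTo-Json escapes backslashes, giving the \\ form shown in the post.
$config | ConvertTo-Json -Depth 4 | Set-Content -Path $ConfigPath -Encoding ASCII

# Round-trip parse: a malformed file fails here rather than during provisioning.
$null = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# Apply the role-specific configuration to the VM.
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile $ConfigPath |
    Update-AzureVM
```

Keeping one such script (or just the .json it writes) per server role gives you the per-role files the next paragraph describes, with the wildcard check run every time one is regenerated.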
This method allows administrators to create multiple .json files for specific server roles and specify them when enabling the extension.
Feel free to use this method yourself. As always, try this out in a test environment or a separate subscription used for testing purposes.
Hope this helps…