How To Update #Microsoft #Antimalware Policies For #Azure Virtual Machines With #PowerShell #ARM #JSON #AzureSecurity



Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system. The solution can be enabled and configured from the Azure Portal, Service Management REST API, and Microsoft Azure PowerShell cmdlets.

The Microsoft Antimalware extension is supported on the Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. Windows Defender is the built-in antimalware enabled on Windows Server 2016 and Windows Server 2019. The Azure VM Antimalware extension can still be added to a Windows Server 2016 or Windows Server 2019 Azure VM, but in that scenario the extension only applies the optional configuration policies to the existing Windows Defender; it does not deploy an additional antimalware service. You can read more about this update here.

Install Microsoft Antimalware for Azure Virtual Machines

To enable Antimalware with a custom configuration, enter the supported values for the configuration settings on the Install Extension blade, such as the file extensions and processes to exclude from scanning, and then click OK.


Once the Antimalware extension has been provisioned successfully, you can check the configuration settings in several ways:

Azure Portal ARM Template

Go to the Azure portal, open the Automation Script view of the virtual machine, and look for the extension resource:

"publisher": "Microsoft.Azure.Security",
"type": "[parameters('extensions_IaaSAntimalware_name')]",

Under that resource you will find the settings that you entered at the initial installation.


Windows Defender

You can also log in to the virtual machine and open Windows Defender > Exclusions.

If you are running an operating system earlier than Windows Server 2016 or Windows Server 2019, look for Microsoft Antimalware instead of Windows Defender.



You can also open the Registry and look under one of these locations, depending on your operating system:

  • Windows Server 2016 / 2019: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Windows Server 2012 / R2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions
  • Windows Server 2008 R2: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions
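Reading those keys by hand does not scale, and it is easy to miss a value. The following PowerShell, added here as an example and not part of the original post, reads the exclusions the engine actually has in effect inside the guest from whichever of the three registry locations exists on that OS, and compares them with the semicolon-separated strings you gave the extension. Run it in an elevated window on the VM; the function and parameter names are my own, and the expected values at the bottom are the ones used later in this post.

```powershell
# Added example (not from the original post): read the antimalware exclusions in effect
# inside the guest from the registry locations above and compare them with what the
# extension was told to set. Run in an elevated PowerShell window on the VM itself.
function Get-GuestAntimalwareExclusion {
    [CmdletBinding()]
    param()

    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',              # Windows Server 2016 / 2019
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions',         # Windows Server 2012 / R2
        'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions' # Windows Server 2008 R2
    )
    $base = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $base) {
        throw 'No antimalware Exclusions key found: is the extension provisioned, and is this window elevated?'
    }

    # Each exclusion is stored as a value NAME under Extensions, Paths or Processes,
    # so the value names (not the values) are what we collect.
    $result = [ordered]@{ RegistryKey = $base }
    foreach ($kind in 'Extensions', 'Paths', 'Processes') {
        $names = @()
        $key = Join-Path -Path $base -ChildPath $kind
        if (Test-Path -Path $key) { $names = @((Get-Item -Path $key).GetValueNames()) }
        $result[$kind] = $names
    }
    [pscustomobject]$result
}

# Compare the guest state with the ';'-separated strings from the extension template.
# Extensions are normalised (leading dot dropped, case-insensitive) because the engine
# may store ".ldf" as "ldf". "Extra" entries are informational: other roles and the
# engine's own defaults add exclusions too, so only missing entries break InSync.
function Compare-GuestAntimalwareExclusion {
    param(
        [Parameter(Mandatory)][pscustomobject]$Actual,
        [string]$Extensions = '',
        [string]$Paths = '',
        [string]$Processes = ''
    )
    $split = { param($s) @($s.Split(';', [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object { $_.Trim() }) }

    $sets = @(
        @{ Kind = 'Extensions'
           Expected = @((& $split $Extensions) | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() })
           Actual   = @($Actual.Extensions   | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() }) },
        @{ Kind = 'Paths'
           Expected = @((& $split $Paths) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() })
           Actual   = @($Actual.Paths     | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }) },
        @{ Kind = 'Processes'
           Expected = @((& $split $Processes) | ForEach-Object { $_.ToLowerInvariant() })
           Actual   = @($Actual.Processes     | ForEach-Object { $_.ToLowerInvariant() }) }
    )
    foreach ($set in $sets) {
        $missing = @($set.Expected | Where-Object { $_ -notin $set.Actual })
        $extra   = @($set.Actual   | Where-Object { $_ -notin $set.Expected })
        [pscustomobject]@{ Kind = $set.Kind; Missing = $missing; Extra = $extra; InSync = ($missing.Count -eq 0) }
    }
}

$guest = Get-GuestAntimalwareExclusion
$guest | Format-List
# Expected values: the ones from the template used later in this post
Compare-GuestAntimalwareExclusion -Actual $guest `
    -Extensions '.mdf;.log;.ldf' -Paths 'D:\IISlogs;D:\DatabaseLogs' -Processes 'SQLServr.exe' |
    Format-Table -AutoSize
```

Any row with InSync set to False means the push from the Azure side did not reach the guest (or has not been applied yet), which is worth knowing before you trust an exclusion that a workload depends on.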


Now suppose you want to update the Antimalware settings to add further exclusions (file extensions, paths, and processes).

Unfortunately, you cannot update the policy through the Azure Portal. The remaining options for updating the configuration settings are an ARM JSON template applied with PowerShell, or logging in to each virtual machine and changing the settings manually, which does not scale if you need to update the policy on many virtual machines. Whichever route you take, keep the exclusion list as narrow as you can: anything you exclude (an entire folder such as D:\IISlogs, or every file ending in .log) is never scanned, so an attacker who can write to an excluded location or use an excluded extension gets a blind spot in your antimalware coverage.

In this blog post, I will show you how to update Microsoft Antimalware policies through the ARM JSON template so you can automate this process across multiple Azure virtual machines.

Update Microsoft Antimalware Policies

First, you need to customize a JSON template as per the MSDN documentation here. For the purpose of this example, I will use the following updated JSON configuration file (the complete document, including the enclosing braces that the extension expects):

{
  "AntimalwareEnabled": "true",
  "Exclusions": {
    "Extensions": ".mdf;.log;.ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": "SQLServr.exe"
  },
  "RealtimeProtectionEnabled": "true",
  "ScheduledScanSettings": {
    "isEnabled": "true",
    "scanType": "Full",
    "day": "7",
    "time": "180"
  }
}

Next, you need to save the JSON template. In this example, I saved it under C:\Temp and I named it template.JSON.
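Before that file is pushed to a single VM, it is worth checking it: a malformed document or an out-of-range value is only reported after the extension handler has run inside the guest, and a too-broad exclusion is accepted silently. The following function, added here as an example and not part of the original post, validates template.json offline. It checks the value ranges the extension's settings documentation describes (scanType Quick or Full; day 0 for daily, 1 to 7 for Sunday to Saturday, 8 for disabled; time as minutes after midnight, 0 to 1440) and warns about exclusions that would blind the scanner to executable content. The function name and the list of risky extensions are my own.

```powershell
# Added example (not from the original post): sanity-check template.json before it is
# pushed to any VM. Errors make the file unusable; warnings are exclusions that widen
# the attack surface more than the usual SQL/IIS ones and deserve a second look.
function Test-AntimalwareSettingsFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    try { $cfg = [IO.File]::ReadAllText($Path) | ConvertFrom-Json }
    catch { throw "$Path is not valid JSON: $($_.Exception.Message)" }

    # Boolean settings are written as the strings "true"/"false" in the template
    foreach ($name in 'AntimalwareEnabled', 'RealtimeProtectionEnabled') {
        $v = "$($cfg.$name)".ToLower()
        if ($v -notin 'true', 'false') { $problems.Add("$name must be true or false, got '$v'") }
    }
    if ("$($cfg.RealtimeProtectionEnabled)".ToLower() -ne 'true') {
        $warnings.Add('RealtimeProtectionEnabled is not true: only scheduled scans would run')
    }

    # Scheduled scan: scanType Quick|Full, day 0 (daily) .. 7 (Saturday), 8 = disabled,
    # time = minutes after midnight (180 = 03:00)
    $s = $cfg.ScheduledScanSettings
    if ($null -eq $s) { $problems.Add('ScheduledScanSettings block is missing') }
    else {
        if ($s.scanType -notin 'Quick', 'Full') { $problems.Add("scanType must be Quick or Full, got '$($s.scanType)'") }
        $day = 0; $time = 0
        if (-not [int]::TryParse("$($s.day)", [ref]$day) -or $day -lt 0 -or $day -gt 8) {
            $problems.Add("day must be 0-8, got '$($s.day)'")
        }
        if (-not [int]::TryParse("$($s.time)", [ref]$time) -or $time -lt 0 -or $time -gt 1440) {
            $problems.Add("time must be 0-1440 minutes after midnight, got '$($s.time)'")
        }
    }

    # Exclusions are ';'-separated strings. Anything listed here is never scanned, so
    # executable types, wildcard processes and drive-root/system/temp paths get a warning.
    $riskyExt = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.scr', '.msi', '.com'
    $ex = $cfg.Exclusions
    if ($null -ne $ex) {
        foreach ($e in "$($ex.Extensions)".Split(';', [StringSplitOptions]::RemoveEmptyEntries)) {
            $e = $e.Trim()
            if (-not $e.StartsWith('.')) { $problems.Add("extension '$e' must start with a dot") }
            if ($riskyExt -contains $e.ToLower()) { $warnings.Add("extension '$e' excludes executable content from scanning") }
        }
        foreach ($p in "$($ex.Paths)".Split(';', [StringSplitOptions]::RemoveEmptyEntries)) {
            $p = $p.Trim()
            if ($p -notmatch '^[A-Za-z]:\\') { $problems.Add("path '$p' is not an absolute local path") }
            elseif ($p -match '^[A-Za-z]:\\?$' -or $p -match '\\Windows(\\|$)' -or $p -match '\\Temp(\\|$)') {
                $warnings.Add("path '$p' excludes a drive root, system or temp folder")
            }
        }
        foreach ($proc in "$($ex.Processes)".Split(';', [StringSplitOptions]::RemoveEmptyEntries)) {
            $proc = $proc.Trim()
            if ($proc -match '[\*\?]') { $warnings.Add("process '$proc' is a wildcard; every matching image runs unscanned") }
            elseif ($proc -notmatch '\.exe$') { $warnings.Add("process '$proc' does not name an .exe image") }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        IsValid  = ($problems.Count -eq 0)
        Errors   = $problems.ToArray()
        Warnings = $warnings.ToArray()
    }
}

$check = Test-AntimalwareSettingsFile -Path 'C:\Temp\template.json'
$check | Format-List
if (-not $check.IsValid) { throw 'template.json has errors; fix them before running the update script' }
```

For the template shown above the function reports no errors and no warnings. Change ".ldf" to ".dll", or add "C:\" to Paths, and it will tell you why that is a bad idea before the change reaches production.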

Open an elevated PowerShell window and run the following script.

You will be asked to enter additional details such as Azure subscription name, Azure region, Azure virtual machine name, and resource group name.


<#
    Copyright (c) {}. All rights reserved.

    File Name : Update-AzureIaaSAntimalwarePolicy.ps1
    Author    : Charbel Nemnom
    Version   : 1.1
    Date      : 13-June-2018
    Update    : 13-June-2018
    Requires  : PowerShell Version 5.0 or above
    Module    : AzureRM Version 6.2 or above

    To provide feedback or for further assistance please visit:
#>

Try {
    # Login to Azure and select the subscription by name
    $AzureSubName = Read-Host "`n Enter Azure Subscription name"
    Write-Output "Connecting to Azure Cloud..."
    $AzAcctInfo = Login-AzureRmAccount -Subscription $AzureSubName -ErrorAction Stop
}
Catch {
    Write-Output "Cannot connect to Azure environment. Please check your credentials and Azure Subscription name. Exiting!"
    Exit 1
}

# Get the Azure subscription ID and store it in a variable
$AzureSubID = $AzAcctInfo.Context.Subscription.Id

# Specify location, resource group, and VM for the extension
$Location = Read-Host "`n Enter the Azure region location of your Azure Virtual Machine" # e.g. "West Europe" or "Southeast Asia" or "Central US"
$ResourceGroupName = Read-Host "`n Enter the Azure Resource Group Name"
$vmName = Read-Host "`n Enter the name of your Azure Virtual Machine"

# Read JSON configuration file
# JSON template can be customized as per MSDN documentation @
$SettingString = [IO.File]::ReadAllText('C:\temp\template.json')

Select-AzureRmSubscription -SubscriptionId $AzureSubID

# Retrieve the most recent version number of the IaaS Antimalware extension.
# Sort numerically rather than as strings, so that "1.10" is not placed before "1.9".
$allVersions = (Get-AzureRmVMExtensionImage -Location $Location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$latest = [version]($allVersions | Sort-Object { [version]$_ } | Select-Object -Last 1)
# The extension handler expects a "major.minor" version string
$versionString = "$($latest.Major).$($latest.Minor)"

# Update Microsoft Antimalware Policies for Azure ARM Virtual Machines
Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -Location $Location -VMName $vmName -Name "IaaSAntimalware" `
    -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $versionString -SettingString $SettingString

Now hop over to the virtual machine and confirm that the policy has been updated. In this example, I added an exclusion for the SQL .ldf extension and two paths: D:\IISlogs and D:\DatabaseLogs.
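The script above targets one VM that you name interactively, which is fine for a test but not for the "many virtual machines" case. The following function, added here as an example and not part of the original post, applies the same template.json to every running Windows VM in a resource group that already carries the IaaSAntimalware extension, and then reads the public settings back from Azure Resource Manager to confirm that each update was accepted. It assumes you have already logged in with Login-AzureRmAccount and selected the subscription; the function name, the resource group name RG-Prod-SQL and the per-VM report layout are my own.

```powershell
# Added example (not from the original post): roll template.json out to every running
# Windows VM in a resource group that already has the IaaSAntimalware extension, then
# read the settings back from ARM to confirm each update landed. Supports -WhatIf.
function Update-AntimalwarePolicyForResourceGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$TemplatePath,
        [string]$ExtensionName = 'IaaSAntimalware'
    )
    $settingString = [IO.File]::ReadAllText($TemplatePath)
    $expected = $settingString | ConvertFrom-Json   # fail early on malformed JSON
    $versionCache = @{}                              # latest "major.minor" per region

    foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
        $row = [ordered]@{ VM = $vm.Name; Location = $vm.Location; Action = ''; Result = '' }

        if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') {
            $row.Action = 'skipped: not Windows'; [pscustomobject]$row; continue
        }

        # The extension handler runs inside the guest, so the VM must be powered on
        $power = (Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status).Statuses |
            Where-Object Code -like 'PowerState/*'
        if ($power.Code -ne 'PowerState/running') {
            $row.Action = "skipped: $($power.Code)"; [pscustomobject]$row; continue
        }

        # Only touch VMs where the extension is already provisioned, so a typo in the
        # resource group name cannot silently install antimalware on unrelated machines
        $ext = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name `
            -Name $ExtensionName -ErrorAction SilentlyContinue
        if (-not $ext) { $row.Action = 'skipped: extension not present'; [pscustomobject]$row; continue }

        # Latest handler version for this region, sorted numerically, cached per region
        if (-not $versionCache.ContainsKey($vm.Location)) {
            $versions = (Get-AzureRmVMExtensionImage -Location $vm.Location `
                -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version
            $latest = [version]($versions | Sort-Object { [version]$_ } | Select-Object -Last 1)
            $versionCache[$vm.Location] = "$($latest.Major).$($latest.Minor)"
        }
        $handlerVersion = $versionCache[$vm.Location]

        if ($PSCmdlet.ShouldProcess($vm.Name, "apply $TemplatePath with handler $handlerVersion")) {
            $op = Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -Location $vm.Location `
                -VMName $vm.Name -Name $ExtensionName -Publisher 'Microsoft.Azure.Security' `
                -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion $handlerVersion -SettingString $settingString
            $row.Action = 'updated'

            # Read back: ARM returns the public settings it accepted as a JSON string
            $after = (Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name `
                -Name $ExtensionName).PublicSettings | ConvertFrom-Json
            $inSync = ($after.Exclusions.Extensions -eq $expected.Exclusions.Extensions) -and
                      ($after.Exclusions.Paths      -eq $expected.Exclusions.Paths) -and
                      ($after.Exclusions.Processes  -eq $expected.Exclusions.Processes)
            $row.Result = if ($inSync) { 'verified' } else { "MISMATCH (status $($op.StatusCode))" }
        }
        else { $row.Action = 'would update (WhatIf)' }
        [pscustomobject]$row
    }
}

# Dry run first, then the real rollout
Update-AntimalwarePolicyForResourceGroup -ResourceGroupName 'RG-Prod-SQL' -TemplatePath 'C:\Temp\template.json' -WhatIf
Update-AntimalwarePolicyForResourceGroup -ResourceGroupName 'RG-Prod-SQL' -TemplatePath 'C:\Temp\template.json' |
    Format-Table -AutoSize
```

The read-back only proves that Resource Manager stored the settings you sent; it does not prove the engine inside the guest applied them, which is what the registry check earlier in this post is for. Run the two together after a rollout and you have both halves of the picture.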


I want to thank Rakesh Narayan, Azure Security Program Manager for supporting me.

Hope this helps someone out there!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
