PMC Endpoint Manager 3.0.1 (and newer versions) can be deployed to Azure Cloud.
When deploying PMC to Azure Cloud, it is advisable to put the PMC VM into a dedicated Resource Group. A new Resource Group can be created in the Create virtual machine step. A virtual machine that has already been created can also be moved to a dedicated Resource Group later.
Please refer to the following Knowledge Base article for information on where to find PMC in Azure Marketplace and how to install it:
Microsoft Defender for Cloud considerations
Based on reports from customers using PMC in Azure Cloud, we have noticed that enabling the Microsoft Defender for Cloud option for the Azure Subscription covering the PMC virtual machine can cause serious problems with PMC appliances. The problems arise because the Microsoft Azure Linux Agent (waagent) software component running in PMC virtual machines in Azure Cloud attempts to install certain VM extensions when the Microsoft Defender for Cloud option is enabled. Because some of the Microsoft packages installed by these extensions are incompatible with Debian 11 (the base OS of PMC), the system services installed by those packages write massive amounts of messages to the system journal, needlessly consuming storage space. A shortage of storage space can lead to serious system problems. To avoid the potential issues caused by the Microsoft Defender for Cloud installation, we advise creating and assigning an Azure Policy that prevents the Defender extensions from being installed.
Follow the below steps to create the Azure Policy:
· In the search bar at the top of Azure Portal page, enter ‘Policy’ to find the Policy service and open it.
· From the Policy task list on the left, select Authoring > Definitions.
· In the toolbar at the top of the page, click the + Policy definition button to create a new Azure Policy.
· Under Definition location, select an Azure Subscription which covers your PMC VM.
· Enter a Name for the new Policy (e.g., Prevent Defender extensions installation).
· Under Category, select the Use existing radio button and select the Compute category.
· Under Policy Rule, paste the following JSON data:
    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines/extensions"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "in": "[parameters('notAllowedExtensions')]"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {
        "notAllowedExtensions": {
          "type": "Array",
          "metadata": {
            "description": "The list of extensions that will be denied. Example: CustomScriptForLinux, VMAccessForLinux etc.",
            "displayName": "Denied extension"
          }
        }
      }
    }
If some JSON data was already there, replace it with the above.
· Click Save to create the new Policy definition.
· From the Policy task list on the left, select Authoring > Assignments.
· In the toolbar at the top of the page, click the Assign policy button to create a new Policy Assignment.
· On the Assign policy page, on the Basics tab, under Scope, select your Azure subscription and the Resource Group dedicated for your PMC virtual machines as the Scope for the Policy assignment.
Note: If you omit the Resource Group selection, the Policy will be applied to all ‘Compute’ resources in your Azure Subscription and will prevent the Microsoft Defender for Cloud installation on all virtual machines covered by the subscription, not only on PMC virtual machines.
· On the Assign policy page, still on the Basics tab, under Basics, select the Policy definition you created a moment ago. The Assignment name is set to the selected policy definition name. Set Policy enforcement to Enabled.
· On the Assign policy page, on the Parameters tab, paste the below JSON array (including the square brackets) as the value of the Denied extension parameter:
    ["MDE.Linux", "OmsAgentForLinux"]
· Click the Review + create button at the bottom of the page.
· Click the Create button at the bottom of the page to create the Policy Assignment.
When you switch the view to the Resource Group dedicated to PMC virtual machines and select Settings > Policies from the Resource Group task list on the left-hand side of the page, the Policy Definition and the Policy Assignment should be listed.
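As an added offline check, not part of this article or of PMC: the following Python evaluates the deny rule from the Policy Rule step against constructed sample extension resources, using the parameter array from the Parameters step, so you can confirm which extension types the assignment will block before it is assigned. The mini evaluator, the `extension` helper and the sample resources are assumptions made for this example; it models only the policy constructs this rule uses (allOf, equals, in and a parameters reference), not Azure's full engine.

```python
# Offline dry-run of the deny rule pasted above: a constructed mini evaluator
# (not Azure's engine) supporting only what the rule uses (allOf, equals,
# in and [parameters('...')]) to check it against sample resources first.
import json
import re

# The policy rule as pasted into the Azure Portal (parameter metadata trimmed).
POLICY = json.loads("""
{ "mode": "All",
  "policyRule": {
    "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines/extensions" },
      { "field": "Microsoft.Compute/virtualMachines/extensions/type",
        "in": "[parameters('notAllowedExtensions')]" } ] },
    "then": { "effect": "deny" } },
  "parameters": { "notAllowedExtensions": { "type": "Array" } } }
""")
# Alias -> resource property, as Azure resolves it for extension resources.
ALIASES = {"Microsoft.Compute/virtualMachines/extensions/type":
           lambda r: r["properties"]["type"]}
PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def _resolve(value, params):
    """Replace a [parameters('x')] reference with the assignment's value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _condition(cond, resource, params):
    name = cond["field"]
    actual = ALIASES[name](resource) if name in ALIASES else resource[name]
    actual = actual.lower()  # Azure Policy string comparisons ignore case
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params).lower()
    if "in" in cond:
        return actual in [v.lower() for v in _resolve(cond["in"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, params):
    """Return 'deny' if every allOf condition matches, otherwise 'allow'."""
    rule = POLICY["policyRule"]
    if all(_condition(c, resource, params) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return "allow"

def extension(ext_type):
    """Constructed sample extension resource (shape of an ARM request)."""
    return {"type": "Microsoft.Compute/virtualMachines/extensions",
            "properties": {"type": ext_type, "publisher": "example"}}

# The array pasted into the assignment's "Denied extension" parameter.
ASSIGNMENT_PARAMS = {"notAllowedExtensions": ["MDE.Linux", "OmsAgentForLinux"]}
```

Running `effect_for(extension("MDE.Linux"), ASSIGNMENT_PARAMS)` returns `deny`, while an extension type not in the array (such as VMAccessForLinux) or a plain virtual machine resource returns `allow`.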