Windows Defender recommendation exclusions table

Author: v-sissondan

azure-local/manage/manage-security-with-defender-for-cloud.md

@@ -4,7 +4,7 @@ description: This article describes how to use Microsoft Defender for Cloud to s
 author: alkohli
 ms.author: alkohli
 ms.topic: how-to
-ms.date: 02/04/2025
+ms.date: 04/22/2025
 ms.service: azure-local
 ---
 
@@ -32,15 +32,15 @@ Before you begin, make sure that the following prerequisites are completed:
 Follow these steps to enable Defender for Cloud for Azure Local.
 
 - Step 1: Turn on Foundational CSPM.
-- Step 2: Turn on Defender for Servers for individual machines and Arc VMs.
+- Step 2: Turn on Defender for Servers for individual machines and Azure Local virtual machines (VMs) enabled by Azure Arc.
 
 ### Step 1: Turn on Foundational CSPM
 
 This step turns on the basic Defender for Cloud plan—at no extra cost. This plan lets you monitor and identify the steps that you can take to secure Azure Local, along with other Azure and Arc resources. For instructions, see [Enable Defender for Cloud on your Azure subscription](/azure/defender-for-cloud/connect-azure-subscription#enable-defender-for-cloud-on-your-azure-subscription).
 
-### Step 2: Turn on Defender for Servers for individual machines and Arc VMs
+### Step 2: Turn on Defender for Servers for individual machines and Azure Local VMs
 
-This step gets you enhanced security features including security alerts for individual machines and Arc VMs.
+This step gets you enhanced security features including security alerts for individual machines and Azure Local VMs.
 
 To do so, follow all the instructions in the [Enable the Defender for Servers plan](/azure/defender-for-cloud/tutorial-enable-servers-plan#enable-the-defender-for-servers-plan) section, which includes:
 
@@ -100,11 +100,26 @@ After you've [enabled Defender for Cloud for Azure Local](#enable-defender-for-c
 
    To learn more about the security recommendations specific to Azure Local, refer to the [Azure compute recommendations](/azure/defender-for-cloud/recommendations-reference-compute#azure-compute-recommendations) section in the [Compute security recommendations](/azure/defender-for-cloud/recommendations-reference-compute) article.
 
-## Monitor servers and Arc VMs
+### Security recommendation exclusions
 
-Go to the Microsoft Defender for Cloud portal to monitor alerts for individual servers and Arc VMs running on Azure Local. You can utilize the regulatory compliance and attack path analysis features, among other enhanced security features.
+You can ignore the Windows Defender for Cloud recommendations below for storage accounts and Azure Key Vaults that are associated with Azure Local instances. However, don't ignore these recommendations for other storage accounts and Azure Key Vaults you may have.
 
-Follow these steps to access the Microsoft Defender for Cloud portal's pages to monitor individual servers and Arc VMs:
+| Affected resource | Recommendation | Exclusion reason |
+| --- | --- | --- |
+| Storage account | Storage accounts should have infrastructure encryption. | Storage account encryption isn't supported for Azure Local instances because it doesn't allow passing in an encryption key. |
+| Storage account | Storage accounts should prevent shared key access. | Azure Local supports accessing storage accounts exclusively through shared keys. |
+| Storage account | Storage account should use a private link connection. | Azure Local doesn't currently support private link connections. |
+| Azure Key Vault | Azure Key Vaults should use a private link. | Azure Local doesn't currently support private link connections. |
+| Azure Arc-enabled server | Windows Defender Exploit Guard should be enabled on Azure Arc-enabled servers. | Windows Defender Exploit Guard isn't applicable to server-core SKUs without a GUI such as the Azure Local OS. |
+| Azure Arc-enabled server | Azure Arc-enabled servers should be configured to periodically check for missing system updates. | Azure Local machines shouldn't be updated individually. Use the Azure Local section in Azure Update Manager to update multiple systems or the Updates page on the Azure Local resource view whenever an update is available for the Azure Local instance. Updating individual machines could result in a mixed-mode state, which isn't supported. |
+| Azure Arc-enabled server | System updates should be installed on your Azure Arc-enabled servers using Azure Update Manager. | Azure Local machines shouldn't be updated individually. Utilize the Azure Local section in Azure Update Manager to update multiple systems or the Updates page on the Azure Local resource view whenever an update is available for the Azure Local instance. Updating individual machines could result in a mixed-mode state, which isn't supported. |
+| Azure Arc-enabled server | Machines should have a vulnerability assessment solution. | Microsoft Defender Vulnerability Management (MDVM) doesn't currently support Azure Local. |
+
+## Monitor servers and Azure Local VMs
+
+Go to the Microsoft Defender for Cloud portal to monitor alerts for individual servers and Azure Local VMs running on Azure Local. You can utilize the regulatory compliance and attack path analysis features, among other enhanced security features.
+
+Follow these steps to access the Microsoft Defender for Cloud portal's pages to monitor individual servers and Azure Local VMs:
 
 1. Sign into the Azure portal, and search for and select **Microsoft Defender for Cloud**.
 
@@ -114,6 +129,7 @@ Follow these steps to access the Microsoft Defender for Cloud portal's pages to
 
    :::image type="content" source="./media/manage-security-with-defender-for-cloud/defender-for-cloud-overview.png" alt-text="Screenshot of the Defender for Cloud Overview page." lightbox="./media/manage-security-with-defender-for-cloud/defender-for-cloud-overview.png" :::
 
+
 ## Next steps
 
 - [Review the deployment checklist and install Azure Local](../deploy/deployment-checklist.md).