Installing Microsoft Anti Virus Extension to Azure Resource Manager VM using Set-AzureRmVMExtension

Hi! In this article I will show how to install the MS AV extension into an Azure Resource Manager (ARM) based virtual machine using PowerShell. This is because the feature to add it in the portal is not yet available for ARM VMs. Using a script and a config file also gives us the option to customise the application configuration.

Why Install the Microsoft Anti Virus Extension?

This extension has been made available by Microsoft for free to protect your virtual machines running in Azure, so there is one good reason to start with! As it is a free tool, there is no central management server or console. However, with the use of Operations Management Suite (OMS), which also has a free tier, you can quickly get a view of all your Azure VM infrastructure and see VM protection status, including whether they are up to date or not.

The tool itself is a version of the enterprise-class Microsoft System Center suite of products, so it is not just a basic tool, and I have known it to behave and work very well. It also has some good configuration options for a free tool, such as specifying exclusion file types and paths, schedules and real-time protection. I may do another article on the integration with OMS and the business value of the tool in the near future. For now I will get on with the implementation, as there is little documentation out there currently (Feb 2016).

Configuration Options for MSAV Extension

As mentioned above, the client can be installed with some configuration options. The default scripts available just switch it on with default settings and real-time protection. I have provided a method where you can point to a customised JSON file to configure and apply your settings as required, such as specific exclusions and file paths.

For a rundown on the configuration options and a good overview of the product, head here:-


The VM must be a Resource Manager type VM and be associated with a Resource Group. Your Azure PowerShell module needs to be version 1.0 or above. Note the RM on the xxx-AzureRm cmdlets. The VM also needs to be a Windows Server.


Microsoft Azure VM Anti Malware Agent Install Script


# Install Microsoft AntiMalware client on an ARM based Azure VM
# Check note at the end to be able to open up the SCEP antimalware console on the server if there are problems.
# Author – Mitesh Chauhan
# For Powershell 1.0.1 and above

# Log in with credentials for subscription
Login-AzureRmAccount

# Select your subscription if required (or default will be used)
Select-AzureRmSubscription -SubscriptionId "Your Sub ID here"

$resourceGroupName = "RG NAME"
$location = "North Europe"
$vmName = "VM NAME"

# Use this (-SettingString) for simple setup
$SettingsString = '{ "AntimalwareEnabled": true, "RealtimeProtectionEnabled": true }'

# Use this (-SettingString) to configure from json file
$MSAVConfigfile = Get-Content 'C:\Scripts\MSavConfig.json' -Raw

# Get the available extension versions; @() keeps the result an array even if only one version is returned
$allVersions = @((Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version)

# Take the last version in the list and keep only its major.minor part
$typeHandlerVer = $allVersions[($allVersions.count) - 1]
$typeHandlerVerMjandMn = $typeHandlerVer.split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

# Specify for the -SettingString parameter here which option you want: simple $SettingsString, or $MSAVConfigfile to use the json file.
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $location

# To remove the anti malware extension
# Remove-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "IaaSAntimalware"

# If you have an error saying Admin has restricted this app, navigate to "C:\Program Files\Microsoft Security Client"
# Run "C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe cleanuppolicy.xml"
# Or simply drag the cleanuppolicy.xml file above onto the ConfigSecurityPolicy.exe to sort it and you should be in.


MSAV Config JSON File

Copy the text below into a file and name it MSavConfig.json, for example. The script above uses the C:\Scripts folder.


{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 1,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".mdf;.ldf",
        "Paths": "D:\\;E:\\",
        "Processes": "excludedproc1.exe;excludedproc2.exe"
    }
}
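A settings file with a JSON typo or an over-broad exclusion is easy to push to every VM unnoticed, so it is worth checking the document before it goes to -SettingString. The following is an added example, not part of the original script: the function name Test-MsavConfig, the lists of risky extensions and processes, and the sample settings are assumptions constructed for illustration.

```powershell
# Added example, not from the original article. Test-MsavConfig, the risk
# lists and the sample settings below are constructed for illustration.
function Test-MsavConfig {
    param([Parameter(Mandatory = $true)][string]$Json)

    try { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "ERROR: not valid JSON: $($_.Exception.Message)" }

    if ($cfg.AntimalwareEnabled -isnot [bool] -or -not $cfg.AntimalwareEnabled) {
        "ERROR: AntimalwareEnabled should be the boolean true"
    }
    if ($cfg.RealtimeProtectionEnabled -isnot [bool] -or -not $cfg.RealtimeProtectionEnabled) {
        "WARN: real-time protection is not enabled"
    }
    $scan = $cfg.ScheduledScanSettings
    if ($scan -and $scan.isEnabled -and $scan.scanType -notin 'Quick', 'Full') {
        "ERROR: scanType '$($scan.scanType)' is not Quick or Full"
    }

    # Exclusion lists are single strings with ';' between the entries.
    $split = { param($s) "$s" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
    $riskyExt  = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.scr'
    $riskyProc = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'

    foreach ($p in (& $split $cfg.Exclusions.Paths)) {
        if ($p -match '^[A-Za-z]:\\?$') { "WARN: path exclusion '$p' covers a whole drive" }
    }
    foreach ($e in (& $split $cfg.Exclusions.Extensions)) {
        if ($riskyExt -contains ('.' + $e.TrimStart('.'))) { "WARN: extension exclusion '$e' is an executable or script type" }
    }
    foreach ($n in (& $split $cfg.Exclusions.Processes)) {
        if ($riskyProc -contains $n) { "WARN: process exclusion '$n' is a shell or script host" }
    }
}

# Constructed sample: the same settings as the article's MSavConfig.json.
$sample = @'
{ "AntimalwareEnabled": true, "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": { "isEnabled": true, "day": 1, "time": 120, "scanType": "Quick" },
  "Exclusions": { "Extensions": ".mdf;.ldf", "Paths": "D:\\;E:\\",
                  "Processes": "excludedproc1.exe;excludedproc2.exe" } }
'@
$findings = @(Test-MsavConfig -Json $sample)
$findings
if (-not ($findings -like 'ERROR*')) { 'No blocking errors: settings can be passed to -SettingString' }
```

To check the real file, pass (Get-Content 'C:\Scripts\MSavConfig.json' -Raw) as the -Json argument before calling Set-AzureRmVMExtension.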




Unsupported Workaround for those who try and open the console

If you try and open the console you can see and change the settings but by default Microsoft have disabled the use of the UI as it should only be managed through the extension (scripting).  The following steps are provided to be able to see the console for testing / dev only.  The solution to do this may not be a supported configuration.

Check Install and fix “Administrator has Restricted access to this app” Message

Once the agent is installed you will see it identified in the extensions section in the Azure portal.


Log into the machine and search for the System Center Endpoint Protection tool.

You may (and probably will) get this error saying “Your system administrator has restricted access to this app.”

Simply navigate to the "C:\Program Files\Microsoft Security Client" folder and drag the cleanuppolicy.xml file onto the ConfigSecurityPolicy.exe file.

The next time you click on the application the console will open. Remember this may not be a supported "fix".


Here are some further screenshots to show the settings.





Thanks for visiting and I hope you found this useful!