Add Azure Antimalware Extension to a VM Scale Set

If you're running a Windows Server 2016 base image, ignore this post because we've built Windows Defender in. However, if you're running Server 2012R2, for example, and wish to apply the Microsoft Antimalware Extension to an existing VM Scale Set, here is a PowerShell script to do it:
# Add the Microsoft Antimalware Extension to an Azure VMSS # Assumes you have already authenticated your PowerShell session # with Login-AzureRMAccount and selected the correct subscription # with Select-AzureRMSubscription $rgname = 'myResourceGroupName' $vmssname = 'myVMSSName' $location = 'westcentralus' # change to the Azure Region of your VMSS # retrieve the most recent major version number of the extension $allVersions= (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version $latestVersion=$allVersions[-1] $majorVersion=$latestVersion.Substring(0,$latestVersion.IndexOf('.', 2)) $VMSS = Get-AzureRmVmss -ResourceGroupName $rgname -VMScaleSetName $vmssname Add-AzureRmVmssExtension -VirtualMachineScaleSet $VMSS -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $majorVersion Update-AzureRmVmss -ResourceGroupName $rgname -Name $vmssname -VirtualMachineScaleSet $VMSS

A customer asked me how to do this. I didn't know, so I asked around, put it together, tested it, and thought I'd share.

Special thanks to Guy Bowerman for help with the script and a quick review.

References Azure VM Scale Sets Windows Defender Built into Server 2016