The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning. Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags. The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud's "Agentless scanning for machines" settings, specify that tag pair under exclusions. Defender's continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort: it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications or deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.
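The same procedure carried out with Az PowerShell, as an added example that is not part of the original explanation: tag only Server2, register that tag as the agentless-scanning exclusion while enabling Plan 2, then verify which VMs match. The resource group `RG1` and the tag `AgentlessScan=Exclude` are placeholders, and the `Microsoft.Security/pricings` REST payload shape (api-version `2023-01-01`, extension `AgentlessVmScanning`, `ExclusionTags` as a JSON string) is an assumption to confirm against current Defender for Cloud documentation.

```powershell
# Added example (not from the original page). Placeholders: RG1, tag AgentlessScan=Exclude.
# Assumption: pricings REST shape (api-version 2023-01-01, AgentlessVmScanning, ExclusionTags JSON string).
$ResourceGroup = 'RG1'                            # placeholder
$VmName        = 'Server2'
$ExclusionTag  = @{ AgentlessScan = 'Exclude' }   # placeholder tag name:value

# 1. Tag only the VM to exclude. Merge keeps Server2's existing tags intact.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzTag -ResourceId $vm.Id -Tag $ExclusionTag -Operation Merge | Out-Null

# 2. Enable Defender for Servers Plan 2 at subscription scope and register the tag as an
#    agentless-scanning exclusion. One PUT on the pricing resource; nothing is installed on the VM.
$subId = (Get-AzContext).Subscription.Id
$body = @{
    properties = @{
        pricingTier = 'Standard'
        subPlan     = 'P2'
        extensions  = @(
            @{
                name      = 'AgentlessVmScanning'
                isEnabled = 'True'
                additionalExtensionProperties = @{
                    ExclusionTags = ($ExclusionTag | ConvertTo-Json -Compress)   # {"AgentlessScan":"Exclude"}
                }
            }
        )
    }
} | ConvertTo-Json -Depth 10

$path = "/subscriptions/$subId/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2023-01-01"
$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Pricing update failed: $($resp.StatusCode) $($resp.Content)"
}

# 3. Verify: every VM in the subscription is listed with whether it carries the exclusion tag.
#    Only Server2 should show Excluded = True; all other VMs remain in scope for agentless scanning.
Get-AzVM | ForEach-Object {
    $tags = $_.Tags
    $matches = $ExclusionTag.Keys | ForEach-Object { $tags -and ($tags[$_] -eq $ExclusionTag[$_]) }
    [pscustomobject]@{
        Name          = $_.Name
        ResourceGroup = $_.ResourceGroupName
        Excluded      = ($matches -contains $true)
    }
} | Format-Table -AutoSize
```

Reverting the exclusion is a tag change only: remove the tag from Server2 with `Update-AzTag -Operation Delete` and the VM is picked up by the next discovery cycle.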