If you have Azure policies in place that automatically install Microsoft Monitoring Agent/AMA/Log Analytics Agent or Onboard Defender For Cloud you should removes these before capturing your virtual machine so you don’t have configuration issues when deploying new virtual machines from your Azure compute gallery image. Additionally, you should run the offboarding script before syspreping and shutting the VM down.
Here’s a script to remove those extensions.
#1. We will first get the device name using the $env:COMPUTERNAME environment variable.
#2. Then it will search through the Azure subscription to locate a VM with that name.
#3. Once the VM is found, we can retrieve the resource group associated with that VM.
# Import the necessary module
#Import-Module Az
# Login to your Azure account
#Login-AzAccount
# Get local computer name
$deviceName = $env:COMPUTERNAME
# Find the VM in the Azure subscription that matches the local device name
$vmInfo = Get-AzVM | Where-Object { $_.Name -eq $deviceName }
if (-not $vmInfo) {
Write-Error "No VM found in the Azure subscription with the name $deviceName"
exit
}
$resourceGroupName = $vmInfo.ResourceGroupName
$vmName = $vmInfo.Name
# Uninstall the MDE.Windows extension
$MDEExtensionName = "MDE.Windows"
Remove-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $MDEExtensionName -Force
# Uninstall the MicrosoftMonitoringAgent extension
$monitoringExtensionName = "MicrosoftMonitoringAgent"
Remove-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name $monitoringExtensionName -Force
Write-Host "Extensions uninstalled successfully from VM $vmName in resource group $resourceGroupName"