The following table captures the impact on security group assignments if the Quarantine Policy was disabled and then you enable it:

Table 1. Security Group Impact of Enabling Quarantine Policy
VM-ID Managed? Threat detected? Security Group after enabling Quarantine Policy
VM1 Yes No vm_underlay_sg .
VM2 Yes Yes default

(AWS) or

quarantine

(Microsoft Azure)
Note: You may manually assign vm_override_sg to managed VMs. This brings them out of quarantine mode and you can repair the problem by accessing such VMs through SSH or RDP. See Quarantine Policy: enabled
VM3 No N/A default

(AWS) or

quarantine

(Microsoft Azure)