Agentless machine scanning
Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.
Agentless scanning for virtual machines (VM) provides:
- Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
- Deep analysis of operating system configuration and other machine metadata.
- Vulnerability assessment using Defender Vulnerability Management.
- Secret scanning to locate plain text secrets in your compute environment.
- Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.
Agentless scanning helps you identify actionable posture issues without installing agents on the machine, without requiring network connectivity from the machine, and without affecting machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and the Defender for Servers Plan 2 plan.
Availability
Aspect | Details |
---|---|
Release state: | GA |
Pricing: | Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2 |
Supported use cases: | Vulnerability assessment (powered by Defender Vulnerability Management)<br>Software inventory (powered by Defender Vulnerability Management)<br>Secret scanning<br>Malware scanning (Preview; only available with Defender for Servers Plan 2) |
Clouds: | Azure Commercial clouds<br>Azure Government<br>Microsoft Azure operated by 21Vianet<br>Connected AWS accounts<br>Connected GCP projects |
Operating systems: | Windows<br>Linux |
Instance and disk types: | Azure:<br>Standard VMs<br>Unmanaged disks<br>Maximum total disk size allowed: 4 TB (the sum of all disks)<br>Maximum number of disks allowed: 6<br>Virtual machine scale set - Flex<br>Virtual machine scale set - Uniform<br>AWS:<br>EC2<br>Auto Scale instances<br>Instances with a ProductCode (Paid AMIs)<br>GCP:<br>Compute instances<br>Instance groups (managed and unmanaged) |
Encryption: | Azure:<br>Unencrypted<br>Encrypted - managed disks using Azure Storage encryption with platform-managed keys (PMK)<br>Encrypted - other scenarios using platform-managed keys (PMK)<br>Encrypted - customer-managed keys (CMK) (preview)<br>AWS:<br>Unencrypted<br>Encrypted - PMK<br>Encrypted - CMK<br>GCP:<br>Google-managed encryption key<br>Customer-managed encryption key (CMEK)<br>Customer-supplied encryption key (CSEK) |
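The Availability table above gives hard limits for Azure (at most 6 disks, at most 4 TB in total) and flags customer-managed keys as preview. Before enabling the plan, it's worth knowing which VMs fall outside those limits, because they simply won't be scanned. The following pre-flight check is an added example written for this article, not Microsoft code or part of Defender for Cloud. It assumes you have exported the `storageProfile` part of `az vm list` output and the `encryption.type` of each disk from `az disk show`; the VM and disk records below are constructed to mirror those shapes, and the check assumes "4 TB" means 4096 GiB.

```python
"""Pre-flight check: which VMs fall outside the documented agentless-scanning
limits (disk count, total disk size) and which rely on preview CMK support.

Added example for this article, not Microsoft code. Input records are
constructed here to mirror the storageProfile part of `az vm list` output;
disk encryption types mirror `az disk show --query encryption.type` values.
"""
from dataclasses import dataclass, field

# Limits from the Availability table. The table says "4TB"; this check assumes
# that means 4096 GiB (assumption: lower it if you want a conservative margin).
MAX_DISKS = 6
MAX_TOTAL_GB = 4096

# Disk encryption types that involve a customer-managed key. The table lists
# CMK support on Azure as preview, so these are reported as notes, not failures.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


@dataclass
class Finding:
    vm: str
    eligible: bool = True
    reasons: list = field(default_factory=list)   # hard limit violations
    notes: list = field(default_factory=list)     # preview-support caveats


def evaluate_vm(vm: dict, disk_encryption: dict) -> Finding:
    """Apply the documented limits to a single VM record."""
    profile = vm["storageProfile"]
    disks = [profile["osDisk"]] + profile.get("dataDisks", [])
    finding = Finding(vm=vm["name"])

    if len(disks) > MAX_DISKS:
        finding.eligible = False
        finding.reasons.append(f"{len(disks)} disks attached, limit is {MAX_DISKS}")

    total_gb = sum(d["diskSizeGb"] for d in disks)
    if total_gb > MAX_TOTAL_GB:
        finding.eligible = False
        finding.reasons.append(
            f"total disk size {total_gb} GiB exceeds {MAX_TOTAL_GB} GiB")

    for d in disks:
        if disk_encryption.get(d["name"]) in CMK_TYPES:
            finding.notes.append(
                f"disk {d['name']} uses customer-managed keys (preview support)")
    return finding


def check_all(vms, disk_encryption):
    """Evaluate every VM record and return one Finding per VM, in input order."""
    return [evaluate_vm(vm, disk_encryption) for vm in vms]


# Constructed sample data (not real output from any subscription).
SAMPLE_VMS = [
    {"name": "web-01", "storageProfile": {
        "osDisk": {"name": "web-01_osdisk", "diskSizeGb": 128},
        "dataDisks": [{"name": "web-01_data0", "diskSizeGb": 512}]}},
    {"name": "db-01", "storageProfile": {   # 1 OS disk + 6 data disks = 7 disks
        "osDisk": {"name": "db-01_osdisk", "diskSizeGb": 128},
        "dataDisks": [{"name": f"db-01_data{i}", "diskSizeGb": 256} for i in range(6)]}},
    {"name": "archive-01", "storageProfile": {   # only 2 disks, but 4223 GiB in total
        "osDisk": {"name": "archive-01_osdisk", "diskSizeGb": 128},
        "dataDisks": [{"name": "archive-01_data0", "diskSizeGb": 4095}]}},
]

SAMPLE_DISK_ENCRYPTION = {
    "web-01_osdisk": "EncryptionAtRestWithPlatformKey",
    "web-01_data0": "EncryptionAtRestWithPlatformKey",
    "db-01_osdisk": "EncryptionAtRestWithPlatformKey",
    "archive-01_osdisk": "EncryptionAtRestWithPlatformKey",
    "archive-01_data0": "EncryptionAtRestWithCustomerKey",
}

if __name__ == "__main__":
    for f in check_all(SAMPLE_VMS, SAMPLE_DISK_ENCRYPTION):
        status = "eligible" if f.eligible else "NOT eligible"
        print(f"{f.vm}: {status}", *f.reasons, *f.notes, sep="\n  ")
```

Hard limits (disk count, total size) mark a VM as not eligible; a CMK disk only produces a note, since the table lists that scenario as supported in preview rather than unsupported. Feed the script the real `az` output for your subscription to get the list of machines that agentless scanning will silently skip.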
How agentless scanning works
Agentless scanning for VMs uses cloud APIs to collect data, whereas agent-based methods use operating system APIs at runtime to continuously collect security-related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM, and the VM itself isn't affected by the scan.
After the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, vulnerability assessment analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page.
The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than necessary to collect the metadata, typically a few minutes.
Related content
This article explains how agentless scanning works and how it helps you collect data from your machines.
Learn more about how to enable agentless scanning for VMs.
Check out common questions about agentless scanning and how it affects the subscription/account, agentless data collection, and permissions used by agentless scanning.