Enable Agentless Scanning for Machines
Implementation Effort: Medium
Security and IT teams must validate plan eligibility, review supported VM configurations, and enable agentless scanning through Defender for Cloud settings.
User Impact: Low
Agentless scanning is transparent to end users and managed entirely by administrators.
Overview
Agentless scanning in Microsoft Defender for Servers provides vulnerability, malware, and secrets scanning without requiring any agents or network configuration on the virtual machines. It is designed to improve security posture while minimizing operational overhead and performance impact.
Key Capabilities
- Scans for:
- Software inventory
- Vulnerabilities
- Secrets
- Malware (Plan 2 only)
- No agent installation or network configuration required
- Scans run once every 24 hours on running VMs only
Prerequisites
- Defender for Servers Plan 2 or Defender CSPM must be enabled
- Supported environments:
- Azure VMs (up to 4TB total disk, max 6 disks)
- AWS EC2 and GCP Compute Instances
- Kubernetes node VMs (with Defender for Containers or Plan 2)
How to Enable Agentless Scanning
- Go to Microsoft Defender for Cloud > Environment settings
- Select the relevant subscription
- Under Defender CSPM or Defender for Servers Plan 2, click Settings
- In Settings and monitoring, toggle Agentless scanning for machines to On
- Click Save 1
Limitations
- Unsupported disk types: UltraSSD_LRS, PremiumV2_LRS
- Unsupported file systems: UFS, ReFS, ZFS
- Only scans VMs that are powered on
Failing to enable agentless scanning may result in missed vulnerabilities and malware threats, especially in environments where agent deployment is restricted. This capability supports the "Assume Breach" principle of Zero Trust by ensuring continuous, low-friction visibility into machine security posture.