Enable Agentless Scanning for Machines

Implementation Effort: Medium – Requires enabling Defender plans and validating machine and disk compatibility across cloud environments.

User Impact: Low – Agentless scanning is transparent to end users and does not impact machine performance.

Overview

Agentless scanning in Microsoft Defender for Containers (via Defender for Cloud) enhances security by scanning virtual machines (VMs) used as Kubernetes nodes for vulnerabilities, malware, secrets, and software inventory—without requiring any agents or network configuration. This scanning is especially useful in multicloud environments where agent deployment may be complex or restricted.

To enable agentless scanning:

1. Enable Defender for Containers or Defender CSPM or Defender for Servers Plan 2 – agentless scanning is automatically enabled with these plans.
2. Ensure that your VMs meet the following requirements:
   • Supported on Azure, AWS EC2, and GCP compute instances.
   • VMs must be running during the scan (scans occur every 24 hours).
   • Supported disk types include unencrypted, PMK-encrypted, and CMK-encrypted disks.
   • Unsupported disk types include UltraSSD_LRS, PremiumV2_LRS, and file systems like ReFS, ZFS, and UFS 1.

Agentless scanning is particularly valuable for Kubernetes node VMs, where it provides visibility into runtime risks without the need to manage agents. It supports the "Assume Breach" principle of Zero Trust by ensuring continuous, low-friction visibility into machine-level threats across containerized environments.

Reference

• Enable agentless scanning for VMs – Microsoft Defender for Cloud
• Agentless machine scanning – Microsoft Defender for Cloud
• Enable agentless container posture – Microsoft Defender for Cloud