Find vulnerabilities and collect software inventory with agentless scanning (Preview)

Agentless scanning provides visibility into installed software and software vulnerabilities on your workloads to extend vulnerability assessment coverage to server workloads without a vulnerability assessment agent installed.

Learn more about agentless scanning.

Agentless vulnerability assessment uses the Defender Vulnerability Management engine to assess vulnerabilities in the software installed on your VMs, without requiring Defender for Endpoint to be installed. Vulnerability assessment shows software inventory and vulnerability results in the same format as the agent-based assessments.

Compatibility with agent-based vulnerability assessment solutions

Defender for Cloud already supports different agent-based vulnerability scans, including Microsoft Defender for Endpoint (MDE), BYOL and Qualys. Agentless scanning extends the visibility of Defender for Cloud to reach more devices.

When you enable agentless vulnerability assessment:

  • If you have no existing integrated vulnerability assessment solutions, Defender for Cloud automatically displays vulnerability assessment results from agentless scanning.

  • If you have Vulnerability assessment with MDE integration, Defender for Cloud shows a unified and consolidated view that optimizes coverage and freshness.

    • Machines covered by just one of the sources (MDE or agentless) show the results from that source.
    • Machines covered by both sources show the agent-based results only for increased freshness.
  • If you have Vulnerability assessment with Qualys or BYOL integrations, Defender for Cloud shows the agent-based results by default. Results from the agentless scan are shown for machines that don't have an agent installed or for machines whose agent isn't reporting findings correctly.

    If you want to change the default behavior so that Defender for Cloud always displays results from Defender vulnerability management (regardless of a third-party agent solution), select the Defender vulnerability management setting in the vulnerability assessment solution.

Enabling agentless scanning for machines

When you enable Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2, agentless scanning is turned on by default.

If you have Defender for Servers P2 already enabled and agentless scanning is turned off, you need to turn on agentless scanning manually.

Agentless vulnerability assessment on Azure

To enable agentless vulnerability assessment on Azure:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription.

  3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

    Screenshot of link for the settings of the Defender plans for Azure accounts.

    The agentless scanning setting is shared by both Defender Cloud Security Posture Management (CSPM) and Defender for Servers P2. When you enable agentless scanning on either plan, the setting is enabled for both plans.

  4. In the settings pane, turn on Agentless scanning for machines.

    Screenshot of settings and monitoring screen to turn on agentless scanning.

  5. Select Save.

Agentless vulnerability assessment on AWS

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant account.

  3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

    Screenshot of link for the settings of the Defender plans for AWS accounts.

    When you enable agentless scanning on either plan, the setting applies to both plans.

  4. In the settings pane, turn on Agentless scanning for machines.

    Screenshot of the agentless scanning status for AWS accounts.

  5. Select Save and Next: Configure Access.

  6. Download the CloudFormation template.

  7. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. Connectors will be created for the member accounts up to 24 hours after the onboarding.

  8. Select Next: Review and generate.

  9. Select Update.

After you enable agentless scanning, software inventory and vulnerability information is updated automatically in Defender for Cloud.

Exclude machines from scanning

Agentless scanning applies to all of the eligible machines in the subscription. To prevent specific machines from being scanned, you can exclude machines from agentless scanning based on your pre-existing environment tags. When Defender for Cloud performs the continuous discovery for machines, excluded machines are skipped.

To configure machines for exclusion:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription or multicloud connector.

  3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

  4. For agentless scanning, select Edit configuration.

    Screenshot of the link to edit the agentless scanning configuration.

  5. Enter the tag name and value that applies to the machines that you want to exempt. You can enter multiple tag:value pairs.

    Screenshot of the tag and value fields for excluding machines from agentless scanning.

  6. Select Save to apply the changes.
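The following is an added example, not Defender for Cloud code or any Microsoft API: a small model of the two rules this article describes, the per-machine choice between agent-based and agentless results (compatibility section above) and tag-based exclusion (this section), so you can predict which source should be reporting for each machine in an inventory. The machine fields, exact-match tag comparison, and the treatment of a non-reporting MDE agent as "not covered" are assumptions.

```python
"""Model of the result-source selection and tag-exclusion rules described in
this article. Illustrative only; not Defender for Cloud code or a Microsoft API.
Field names and exact (case-sensitive) tag matching are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Machine:
    name: str
    tags: Dict[str, str] = field(default_factory=dict)
    agent: Optional[str] = None      # "MDE", "Qualys", "BYOL" or None
    agent_reporting: bool = True     # False if the agent isn't reporting findings


def is_excluded(machine: Machine, exclusions: List[Tuple[str, str]]) -> bool:
    """Excluded when any configured tag:value pair matches (assumed exact match)."""
    return any(machine.tags.get(k) == v for k, v in exclusions)


def result_source(machine: Machine, exclusions, prefer_dvm: bool = False) -> str:
    """Which results Defender for Cloud shows for a machine, per the article:
    - excluded machines are skipped by agentless discovery, so only agent
      results remain (assumption: the agent still reports)
    - MDE: machines covered by both sources show agent-based results for
      freshness; machines covered by one source show that source
    - Qualys/BYOL: agent-based by default; agentless for machines with no agent
      or a non-reporting agent, or always when the Defender vulnerability
      management setting is selected (prefer_dvm)"""
    agent_ok = machine.agent is not None and machine.agent_reporting
    if is_excluded(machine, exclusions):
        return machine.agent if agent_ok else "none"
    if machine.agent == "MDE":
        return "MDE" if agent_ok else "agentless"
    if machine.agent in ("Qualys", "BYOL"):
        return "agentless" if (prefer_dvm or not agent_ok) else machine.agent
    return "agentless"


def coverage_report(machines, exclusions, prefer_dvm: bool = False) -> Dict[str, str]:
    return {m.name: result_source(m, exclusions, prefer_dvm) for m in machines}


# Constructed sample inventory (not real resources).
SAMPLE = [
    Machine("web-01", {"env": "prod"}, agent="MDE"),
    Machine("web-02", {"env": "prod"}),
    Machine("db-01", {"env": "prod"}, agent="Qualys"),
    Machine("db-02", {"env": "prod"}, agent="Qualys", agent_reporting=False),
    Machine("lab-01", {"env": "sandbox"}),
    Machine("lab-02", {"env": "sandbox"}, agent="BYOL"),
]
EXCLUSIONS = [("env", "sandbox")]  # one tag:value pair as entered in Edit configuration
```

Running `coverage_report(SAMPLE, EXCLUSIONS)` shows `db-02` falling back to agentless results while `lab-01` is not assessed at all, which is the kind of gap the exclusion tags should be reviewed for.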

Next steps

In this article, you learned about how to scan your machines for software vulnerabilities without installing an agent.

Learn more about: