Configure vulnerability scanning with Defender Vulnerability Management


Vulnerability scanning identifies security weaknesses in operating systems, applications, and software packages before attackers exploit them. Defender for Servers provides two complementary scanning methods—agent-based and agentless—that work together to ensure comprehensive vulnerability coverage across your server estate with minimal operational overhead.

| Scanning Method | Plan Requirement | How It Works | Update Frequency | Performance Impact |
|---|---|---|---|---|
| Agent-based | Plan 1 or Plan 2 | Microsoft Defender for Endpoint (MDE) sensor scans locally installed software | Continuous, real-time | Minimal CPU/memory usage |
| Agentless | Plan 2 only | Disk snapshots analyzed offline | Every 24 hours | None (runs outside VM) |

Use agent-based vulnerability scanning for real-time detection

Agent-based vulnerability scanning runs through the Microsoft Defender for Endpoint sensor installed on each protected machine. The sensor continuously monitors installed software, compares it against Microsoft's vulnerability intelligence database, and reports findings in near real-time. When a new vulnerability disclosure affects software running on your servers, the agent detects it within minutes and surfaces the finding in Defender for Cloud.

The agent-based approach provides the fastest detection because the sensor runs locally on each machine and doesn't depend on scheduled scans. For critical production servers where rapid vulnerability identification matters, this continuous monitoring ensures that you learn about exploitable weaknesses immediately after vulnerability databases update.

Agent-based scanning is available with both Plan 1 and Plan 2, making it the baseline vulnerability assessment method for all Defender for Servers deployments. The MDE sensor consumes minimal system resources—typically less than 2% CPU and 100 MB of memory—making it suitable even for resource-constrained factory servers running OT workloads.

Use agentless scanning to eliminate agent deployment overhead

Agentless vulnerability scanning takes a fundamentally different approach. Instead of installing software on your VMs, agentless scanning creates a snapshot of each VM's disk, then analyzes that snapshot in an isolated Azure environment completely outside your virtual machine. The VM itself experiences no performance issues because the analysis happens on a copy of the disk data.

Here's how the technical process works. Once every 24 hours, Defender for Cloud takes a point-in-time snapshot of each running VM's disk. The snapshot process uses Azure's native snapshot capabilities, which complete in seconds without pausing or interrupting the VM. Defender for Cloud then mounts the snapshot disk in a secure analysis environment, scans the file system to build a software inventory, and compares installed packages against vulnerability databases. After analysis completes, the snapshot is immediately deleted. Your VM never knows the scan happened.

Agentless scanning requires Defender for Servers Plan 2 or Defender CSPM. The capability is enabled by default when you activate Plan 2. If you need to verify or manually enable it, navigate to Environment Settings > Plan settings > Settings & Monitoring > Agentless scanning for machines and toggle the setting to On.
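The portal toggle above is one way to verify the setting; a scripted check is handy when you audit many subscriptions. The following is an added example, not code from this module or from Microsoft. It parses a Microsoft.Security/pricings response for the VirtualMachines plan and reports whether agentless scanning is switched on and backed by Plan 2. The response shape (a `pricingTier`, a `subPlan`, and an `extensions` array containing an `AgentlessVmScanning` entry with a string `isEnabled`) is the author's assumption about the pricings REST API, and the JSON document is constructed sample data.

```python
"""Summarise agentless-scanning status from a Defender pricings response.

Added example; the response layout is an assumption about the
Microsoft.Security/pricings API, and the sample JSON is constructed.
"""
import json

# Constructed sample response for the "VirtualMachines" pricing resource
# (the subscription id is a placeholder, not a real value).
SAMPLE_PRICING_RESPONSE = json.dumps({
    "id": "/subscriptions/<subscription-id>/providers/Microsoft.Security/pricings/VirtualMachines",
    "name": "VirtualMachines",
    "type": "Microsoft.Security/pricings",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "P2",
        "extensions": [
            {"name": "AgentlessVmScanning", "isEnabled": "True"},
            {"name": "FileIntegrityMonitoring", "isEnabled": "False"},
        ],
    },
})


def _is_true(value) -> bool:
    """The API is assumed to serialise isEnabled as "True"/"False"; accept bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def agentless_scanning_status(pricing_json: str) -> dict:
    """Return tier, sub-plan, and whether agentless scanning is on and effective.

    Agentless scanning only takes effect with Plan 2 (or Defender CSPM, which
    is a separate pricing resource and is not checked here).
    """
    props = json.loads(pricing_json).get("properties", {})
    tier = props.get("pricingTier")
    sub_plan = props.get("subPlan")
    enabled = any(
        ext.get("name") == "AgentlessVmScanning" and _is_true(ext.get("isEnabled"))
        for ext in props.get("extensions", [])
    )
    plan2 = tier == "Standard" and sub_plan == "P2"
    return {
        "tier": tier,
        "sub_plan": sub_plan,
        "agentless_enabled": enabled,
        # The toggle alone is not enough: Plan 2 must be active as well.
        "effective": enabled and plan2,
    }


if __name__ == "__main__":
    print(agentless_scanning_status(SAMPLE_PRICING_RESPONSE))
```

The `effective` field is the value worth alerting on: a subscription can have the extension enabled while sitting on Plan 1, in which case no agentless scans run.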

Understand agentless scanning disk and VM limits

Agentless scanning has technical limits based on disk size, disk count, and encryption type. The maximum total disk size that can be scanned is 4 TB, calculated as the sum of all attached disks. If a VM has six disks of 1 TB each (6 TB total), only the OS disk is scanned, provided the OS disk alone is under 4 TB. The maximum number of disks per VM is six—if a VM has more than six disks, the scan skips that VM entirely.

Disk encryption affects scan eligibility. Agentless scanning supports unencrypted disks, disks encrypted with SSE using platform-managed keys, and disks encrypted with SSE using customer-managed keys (CMK). However, certain disk types are unsupported: UltraSSD_LRS, PremiumV2_LRS, and AKS Ephemeral OS Disks can't be scanned because they use storage architectures incompatible with the snapshot-based scanning process.

Only running VMs are scanned. If a VM is powered off or deallocated when the 24-hour scan cycle starts, the scan skips that VM until the next cycle. For servers that run on scheduled start/stop automation, ensure they remain online during scan windows to maintain vulnerability visibility.
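The limits in this section are easy to misread for a whole fleet, so the following added example (the author's own, not Microsoft's) encodes them as a pre-flight check: given each VM's power state and attached disks, it reports which disks the next agentless cycle would scan and why others are left out. The `Disk` and `VM` models, the `FLEET` sample, and the choice to treat the 4 TB figure as an inclusive maximum are this example's assumptions.

```python
"""Pre-flight check for agentless scan coverage using the page's limits.

Added example, not Microsoft code. Rules encoded:
  * only running VMs are scanned;
  * more than six attached disks: the VM is skipped entirely;
  * total attached disk size over 4 TB: only the OS disk is scanned,
    and only if the OS disk alone fits within 4 TB;
  * UltraSSD_LRS, PremiumV2_LRS and AKS ephemeral OS disks are unsupported.
"""
from dataclasses import dataclass, field

MAX_TOTAL_TB = 4          # sum of all attached disks
MAX_DISKS = 6             # more than this and the VM is skipped
UNSUPPORTED_SKUS = {"UltraSSD_LRS", "PremiumV2_LRS"}


@dataclass
class Disk:
    name: str
    size_tb: float
    sku: str = "Premium_LRS"      # assumed default; any supported SKU
    is_os: bool = False
    aks_ephemeral: bool = False   # AKS ephemeral OS disks can't be snapshotted


@dataclass
class VM:
    name: str
    power_state: str              # "running", "stopped" or "deallocated"
    disks: list = field(default_factory=list)


def scan_decision(vm: VM) -> dict:
    """Return which disks the next agentless cycle would scan and why others are skipped."""
    if vm.power_state != "running":
        return {"scanned": [], "skipped": [(d.name, "VM not running") for d in vm.disks],
                "vm_reason": f"{vm.power_state}: skipped until the next 24-hour cycle"}
    if len(vm.disks) > MAX_DISKS:
        return {"scanned": [], "skipped": [(d.name, "disk count over limit") for d in vm.disks],
                "vm_reason": f"{len(vm.disks)} disks exceeds the limit of {MAX_DISKS}"}

    candidates = list(vm.disks)
    vm_reason = None
    total_tb = sum(d.size_tb for d in vm.disks)
    if total_tb > MAX_TOTAL_TB:
        # Over the aggregate limit: fall back to the OS disk alone, if it fits.
        candidates = [d for d in vm.disks if d.is_os and d.size_tb <= MAX_TOTAL_TB]
        vm_reason = f"total {total_tb:g} TB exceeds {MAX_TOTAL_TB} TB; OS disk only"
        if not candidates:
            vm_reason = f"total {total_tb:g} TB exceeds {MAX_TOTAL_TB} TB and no OS disk fits"

    scanned, skipped = [], []
    for d in candidates:
        if d.sku in UNSUPPORTED_SKUS:
            skipped.append((d.name, f"unsupported disk type {d.sku}"))
        elif d.aks_ephemeral:
            skipped.append((d.name, "AKS ephemeral OS disk is unsupported"))
        else:
            scanned.append(d.name)
    # Data disks dropped by the OS-only fallback are reported as skipped too.
    for d in vm.disks:
        if d not in candidates:
            skipped.append((d.name, "dropped by 4 TB aggregate limit"))
    return {"scanned": scanned, "skipped": skipped, "vm_reason": vm_reason}


# Constructed sample fleet for the Contoso scenario (names and sizes invented).
FLEET = [
    VM("factory-app-01", "running", [Disk("os", 0.128, is_os=True), Disk("data", 0.5)]),
    VM("historian-02", "running",
       [Disk("os", 0.25, is_os=True)] + [Disk(f"data{i}", 1.0) for i in range(5)]),
    VM("db-07", "running",
       [Disk("os", 0.128, is_os=True)] + [Disk(f"data{i}", 0.25) for i in range(6)]),
    VM("batch-03", "deallocated", [Disk("os", 0.128, is_os=True)]),
    VM("ultra-04", "running",
       [Disk("os", 0.128, is_os=True), Disk("fast", 1.0, sku="UltraSSD_LRS")]),
]


def fleet_report(fleet=FLEET) -> dict:
    """Map VM name -> decision, so coverage gaps can be reviewed before the cycle runs."""
    return {vm.name: scan_decision(vm) for vm in fleet}


if __name__ == "__main__":
    for name, decision in fleet_report().items():
        print(name, decision)
```

Running it against the sample fleet shows the three silent coverage gaps the text warns about: a VM skipped for having seven disks, a deallocated VM skipped for the cycle, and an UltraSSD data disk that is never scanned even though its VM is otherwise eligible.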

Combine agent-based and agentless scanning for hybrid coverage

When you enable both agent-based and agentless scanning—the default configuration for Plan 2—you benefit from the strengths of each method. Agent-based scanning provides continuous, real-time detection with immediate visibility into newly disclosed vulnerabilities. Agentless scanning provides a second layer of validation that doesn't depend on agent health or connectivity, ensuring you maintain visibility even if an agent fails or is tampered with.

The Defender portal displays results using a precedence model. When both scanning methods report data for the same VM, the portal shows agent-based results because they offer better freshness—the agent reports in real-time while agentless scans run once daily. When only agentless scanning is active (for example, on a VM where the MDE sensor isn't deployed yet), the portal displays agentless results. If only agent-based scanning is configured, you see only agent-based data.

This hybrid model provides resilience. If an attacker disables or uninstalls the MDE sensor to hide their activities, the agentless scan still runs the next day and reveals the compromise. If a VM is offline when the agentless scan runs, the agent-based sensor continues reporting until the next scan cycle completes.
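The precedence rules and the resilience argument above can be exercised on sample data. The following added example (the author's, not the Defender portal's logic or data model) merges agent-based and agentless results per VM using the stated precedence, and adds one defender-side heuristic of its own: an `agent_silent` flag when the sensor's last report is older than the latest agentless snapshot, together with any findings the snapshot saw that the sensor never reported. All result records are constructed, and the finding ids are placeholders rather than real CVE numbers.

```python
"""Merge agent-based and agentless results per VM using the page's precedence.

Added example; the data model and the agent_silent heuristic are the
author's, and all results below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility

# Constructed results. Finding ids are placeholders, not real CVE numbers.
AGENT_RESULTS = {
    "factory-app-01": {"reported_at": NOW - timedelta(minutes=5),
                       "findings": {"FINDING-A", "FINDING-B"}},
    "historian-02":   {"reported_at": NOW - timedelta(days=3),   # sensor went quiet
                       "findings": {"FINDING-C"}},
    "hmi-05":         {"reported_at": NOW - timedelta(minutes=2),
                       "findings": set()},
}
AGENTLESS_RESULTS = {
    "factory-app-01": {"scanned_at": NOW - timedelta(hours=6),
                       "findings": {"FINDING-A", "FINDING-B"}},
    "historian-02":   {"scanned_at": NOW - timedelta(hours=6),
                       "findings": {"FINDING-C", "FINDING-D"}},
    "arc-press-09":   {"scanned_at": NOW - timedelta(hours=20),   # no sensor deployed yet
                       "findings": {"FINDING-E"}},
}


def merge_findings(agent: dict, agentless: dict) -> dict:
    """Apply the portal's precedence per VM and flag sensors that went quiet.

    Precedence (from the page): agent-based wins when both exist; agentless
    is shown when only it exists; agent-based when only it exists.
    'agent_silent' is this example's own heuristic: the sensor's last report
    predates the latest snapshot, so the agentless view may be fresher and
    the sensor's health (or tampering) should be investigated.
    """
    merged = {}
    for vm in sorted(set(agent) | set(agentless)):
        a, b = agent.get(vm), agentless.get(vm)
        if a and b:
            merged[vm] = {
                "source": "agent-based",
                "findings": set(a["findings"]),
                "agent_silent": a["reported_at"] < b["scanned_at"],
                # Findings the snapshot saw but the sensor never reported.
                "unreported_by_agent": set(b["findings"]) - set(a["findings"]),
            }
        elif a:
            merged[vm] = {"source": "agent-based", "findings": set(a["findings"]),
                          "agent_silent": False, "unreported_by_agent": set()}
        else:
            merged[vm] = {"source": "agentless", "findings": set(b["findings"]),
                          "agent_silent": False, "unreported_by_agent": set()}
    return merged


def vms_needing_attention(merged: dict) -> list:
    """VMs where the sensor is silent or the snapshot found something it missed."""
    return sorted(vm for vm, r in merged.items()
                  if r["agent_silent"] or r["unreported_by_agent"])


if __name__ == "__main__":
    merged = merge_findings(AGENT_RESULTS, AGENTLESS_RESULTS)
    for vm, record in merged.items():
        print(vm, record)
    print("needs attention:", vms_needing_attention(merged))
```

On the sample data the portal-style view would still show agent-based results for historian-02, but the merge surfaces that the sensor has not reported for three days and that the daily snapshot found a vulnerability the sensor never did, which is exactly the tampering or agent-failure case the hybrid model is meant to catch.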

Use BYOL scanners as alternatives to Defender Vulnerability Management

Organizations with existing investments in Qualys or Rapid7 vulnerability scanning platforms can integrate those scanners instead of using Microsoft Defender Vulnerability Management. Defender for Cloud supports bring-your-own-license (BYOL) integrations for both Qualys and Rapid7, allowing you to deploy those agents to Defender for Servers-protected VMs and view findings in Defender for Cloud alongside other security data.

The BYOL approach makes sense when you have enterprise licensing agreements with Qualys or Rapid7, when you need vulnerability scanning features specific to those platforms, or when compliance requirements mandate a particular scanning vendor. For most organizations deploying Defender for Servers for the first time, Defender Vulnerability Management provides comprehensive coverage without other licensing costs or agent management complexity.

View vulnerability findings in the Defender portal

After vulnerability scanning activates, findings appear in the Defender portal under Vulnerability management > Recommendations. Each recommendation describes a specific vulnerability, lists affected machines, provides a severity score based on exploitability and impact, and offers remediation guidance. You can filter recommendations by severity, affected machine, or vulnerability type to prioritize remediation efforts.

The vulnerability management dashboard shows trends over time, helping you measure whether your patching processes are reducing the attack surface or if new vulnerabilities are accumulating faster than you remediate them. For Contoso Manufacturing, this visibility transforms factory servers from unknown risk to actively managed assets with quantified vulnerability counts and clear remediation paths.

For Arc-connected on-premises servers in the Contoso factory, agentless scanning delivers vulnerability visibility without agent overhead on systems that can have strict change control requirements. Azure VMs running factory management software benefit from hybrid coverage: continuous agent-based monitoring backed by daily agentless validation.

Now that vulnerability scanning is configured and reporting findings, the next steps are to manage the Microsoft Defender for Endpoint integration, configure agentless scanning capabilities, and enable File Integrity Monitoring to detect unauthorized changes to critical server files.