Exclude machines from agentless scanning

Agentless machine scanning in Microsoft Defender for Cloud improves the security posture of machines connected to Defender for Cloud. Agentless scanning doesn't need any installed agents or network connectivity, and doesn't affect machine performance.

By default, agentless scanning is turned on for all supported machines when Defender for Servers Plan 2 or the Defender Cloud Security Posture Management (CSPM) plan is enabled.

In some circumstances, you might want to exclude machines from agentless scanning recommendations. You can do this using preexisting environment tags. Excluded machines are skipped during continuous machine discovery.

Prerequisites

  • Defender for Servers Plan 2, or Defender CSPM.
  • Agentless scanning enabled in the plan.

Exclude machines

  1. In Defender for Cloud, select Environment settings.

  2. Select the relevant subscription or multicloud connector.

  3. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

  4. In Agentless scanning for machines, select Edit configuration.

    Screenshot of the link to edit the agentless scanning configuration.

  5. In Agentless scanning configuration, enter the tag name and value for machines that you want to exclude. You can enter multiple tag:value pairs.

    Screenshot of the tag and value fields for excluding machines from agentless scanning.

  6. Select Save.
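Every excluded machine is a machine with no agentless findings, so it helps to know up front which hosts a set of tag:value pairs will skip. The script below is an added example, not part of the Defender for Cloud documentation: it applies the exclusion rule described above (skip a machine when one of its tags matches a configured tag:value pair) to a constructed inventory; exact, case-sensitive matching and the `Machine`/`partition` helpers are assumptions of this example, not documented product behaviour.

```python
"""Audit which machines an agentless-scanning tag exclusion would skip.

Added example (not from the Defender for Cloud docs). Models the rule
"exclude machines carrying a configured tag:value pair" over a constructed
inventory so a team can see which hosts become scanning blind spots.
Case-sensitive exact matching is an assumption, not documented behaviour.
"""
from dataclasses import dataclass, field


@dataclass
class Machine:
    name: str
    tags: dict = field(default_factory=dict)


def is_excluded(machine, exclusions):
    """True if any configured (tag, value) pair matches a tag on the machine."""
    return any(machine.tags.get(tag) == value for tag, value in exclusions)


def partition(machines, exclusions):
    """Split an inventory into machines that will be scanned and those skipped."""
    skipped = [m.name for m in machines if is_excluded(m, exclusions)]
    scanned = [m.name for m in machines if not is_excluded(m, exclusions)]
    return scanned, skipped


# Constructed sample inventory (not real resources).
INVENTORY = [
    Machine("web-01", {"env": "prod", "role": "web"}),
    Machine("build-07", {"env": "ci", "ephemeral": "true"}),
    Machine("db-02", {"env": "prod", "role": "db"}),
    Machine("lab-vm", {"env": "lab"}),
]

# Tag:value pairs as they would be entered in Agentless scanning configuration.
EXCLUSIONS = [("ephemeral", "true"), ("env", "lab")]

if __name__ == "__main__":
    scanned, skipped = partition(INVENTORY, EXCLUSIONS)
    print("scanned:", scanned)
    print("skipped (no agentless findings):", skipped)
```

Run it against your own exported inventory before saving the configuration so the list of skipped machines is reviewed deliberately rather than discovered later as missing recommendations.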