Vulnerability scanning for machines
The Defender for Servers plan in Microsoft Defender for Cloud provides vulnerability scanning for connected machines.
- Integrated vulnerability scanning in Defender for Cloud uses Microsoft Defender Vulnerability Management.
- Microsoft Defender Vulnerability Management, together with Microsoft Defender for Endpoint, is integrated natively into Defender for Servers.
Integrated vulnerability assessment provides many benefits:
- Scanning consistency: Use a consistent vulnerability scanner across a range of use cases, in multicloud environments, and different host runtimes.
- Risk reduction: Discover vulnerabilities and misconfigurations in near real time.
- Prioritization: Prioritize vulnerabilities based on the threat landscape and detections in your organization.
- Software inventory: Get information about your software inventory.
- Premium features: Use Defender Vulnerability Management premium features in Defender for Servers Plan 2, including certificate assessment, baseline assessment, vulnerable application blocking, and more.
Vulnerability scanning with Defender Vulnerability Management is supported for Azure VMs, AWS and GCP machines connected to Defender for Cloud, and on-premises VMs that are onboarded as Azure Arc VMs.
Agent-based and agentless scanning
Vulnerability scanning with integrated Defender Vulnerability Management takes a hybrid approach in Defender for Cloud:
- Agentless vulnerability scanning. Defender for Cloud provides agentless vulnerability scanning as part of its agentless scanning capabilities. Agentless scanning is available in Defender for Servers Plan 2 only.
- Agent-based vulnerability scanning. The Defender for Endpoint integration in Defender for Servers provides vulnerability scanning using the Defender for Endpoint sensor. This integration is available in Defender for Servers Plan 1 and Plan 2.
Bring your own license (BYOL)
Instead of using integrated Defender Vulnerability Management scanning, you can use your own privately licensed BYOL vulnerability scanner. Qualys and Rapid7 scanners are supported.
Here's how it works:
- Supported solutions report vulnerability data to the partner's management platform.
- Solution platforms provide vulnerability and health monitoring data back to Defender for Cloud.
You can identify vulnerable machines in Defender for Cloud, and then switch to the partner management console directly from Defender for Cloud for reports and more information.
You don't need a paid plan switched on in Defender for Cloud to use a non-Microsoft vulnerability solution.
Hybrid scanning behavior
Agentless scanning extends the visibility of Defender for Cloud to reach more devices. If agentless vulnerability scanning is enabled, the following occurs:
Solution (agentless scanning switched on) | Details
---|---
No solution | If you don't have an agent-based vulnerability scanning solution enabled on VMs, Defender for Cloud automatically scans agentless with Defender Vulnerability Management.
Defender Vulnerability Management integration | If machines are running the Defender for Endpoint agent, Defender for Cloud shows a unified view of vulnerability assessment with optimized coverage and freshness. Machines using either agent-based scanning or agentless scanning show results from that enabled source only. Machines with both agent-based and agentless scanning show the agent-based results only, for better freshness.
BYOL solution | If you're using a partner vulnerability assessment solution, Defender for Cloud shows scanning results from the partner solution by default. Agentless scan results are shown for machines that don't have the partner agent installed, or for machines that aren't reporting findings correctly. You can change this default behavior to always display results from Defender Vulnerability Management, regardless of whether a non-Microsoft agent solution is installed, by manually enabling the Vulnerability assessment for machines option in the Environment settings page of Defender for Cloud.
Premium vulnerability management features
Defender for Servers Plan 2 includes Defender Vulnerability Management premium add-on capabilities that provide consolidated inventories, new assessments, and mitigation tools to further enhance your vulnerability management program. Learn more about premium capabilities.
Next steps
- Learn more about Defender for Servers in this episode of the Defender for Cloud in the Field video series: Microsoft Defender for Servers
- Enable vulnerability scanning