Get answers to common questions about protecting containers
What are the options to enable the new plan at scale?
You can use the Azure Policy Configure Microsoft Defender for Containers to be enabled, to enable Defender for Containers at scale. You can also see all of the options that are available to enable Microsoft Defender for Containers.
Does Microsoft Defender for Containers support AKS clusters with virtual machines scale sets?
Yes.
Does Microsoft Defender for Containers support AKS without scale set (default)?
No. Only Azure Kubernetes Service (AKS) clusters that use Virtual Machine Scale Sets for the nodes is supported.
Do I need to install the Log Analytics VM extension on my AKS nodes for security protection?
No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. The Log Analytics VM extension isn't needed and might result in extra charges.
How can I use my existing Log Analytics workspace?
You can use your existing Log Analytics workspace by following the steps in the Assign a custom workspace workspace section of this article.
Can I delete the default workspaces created by Defender for Cloud?
We don't recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. Defender for Containers are unable to collect data, and some security recommendations and alerts, will become unavailable if you delete the default workspace.
I deleted my default workspace, how can I get it back?
To recover your default workspace, you need to remove the Defender sensor, and reinstall the sensor. Reinstalling the Defender sensor creates a new default workspace.
Where is the default Log Analytics workspace located?
Depending on your region, the default Log Analytics workspace might be located in various locations. To check your region see Where is the default Log Analytics workspace created?
My organization requires me to tag my resources, and the required sensor didn't get installed, what went wrong?
The Defender sensor uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the sensor to use.
However, if your organization has a policy that requires a specific tag on your resources, it might cause the sensor installation to fail during the resource group or the default workspace creation stage. If it fails, you can either:
- Assign a custom workspace and add any tag your organization requires. - or 
- If your company requires you to tag your resource, you should navigate to that policy and exclude the following resources: - The resource group DefaultResourceGroup-<RegionShortCode>
- The Workspace  DefaultWorkspace-<sub-id>-<RegionShortCode>
 - RegionShortCode is a 2-4 letters string. 
- The resource group 
How does Defender for Containers scan an image?
Defender for Containers pulls the image from the registry and runs it in an isolated sandbox with Microsoft Defender Vulnerability Management for multicloud environments. The scanner extracts a list of known vulnerabilities.
Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.
How can I identify pull events performed by the scanner?
To identify pull events performed by the scanner, do the following steps:
- Search for pull events with the UserAgent of MDCContainersSecurity/1.0.
- Extract the identity associated with this event.
- Use the extracted identity to identify pull events from the scanner.
What is the difference between Not Applicable Resources and Unverified Resources?
- Not applicable resources are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that couldn't be assessed.
- Unverified resources are resources scheduled to be assessed, but not assessed yet.
Why is Defender for Cloud alerting me to vulnerabilities about an image that isn't in my registry?
Some images might reuse tags from an image that was already scanned. For example, you might reassign the tag “Latest” every time you add an image to a digest. In such cases, the 'old' image does still exist in the registry and might still be pulled by its digest. If the image has security findings and is pulled, it can expose security vulnerabilities.
Does Defender for Containers scan images in Microsoft Container Registry?
Currently, Defender for Containers can scan images in Azure Container Registry (ACR), AWS Elastic Container Registry (ECR), Google Container Registry (GCR), Google Archive Registry (GAR), and supported external registries only. Microsoft Artifact Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) built-in container image registry aren't supported.
How does Defender for Containers scan a running container?
Defender for Cloud performs agentless scanning of VMs. Snapshots of VM disks are taken every 24 hours to perform out-of-band analysis, without affecting performance.
Data plane containers residing in VM disk snapshots, agnostic of the container image registry from which it was pulled, are assessed for vulnerabilities using Microsoft Defender Vulnerability Management (MDVM). MDVM generates security recommendations for any vulnerable container images.
Can I get the scan results via REST API?
Yes. The results are under Sub-Assessments REST API. Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.
How do I check which media type my containers are using?
To check an image type, you need to use a tool that can check the raw image manifest such as skopeo, and inspect the raw image format.
- For the Docker v2 format, the manifest media type would be application/vnd.docker.distribution.manifest.v1+json or application/vnd.docker.distribution.manifest.v2+json, as documented here.
- For the OCI image format, the manifest media type would be application/vnd.oci.image.manifest.v1+json, and config media type application/vnd.oci.image.config.v1+json, as documented here.
What are the extensions for agentless container posture management?
There are two extensions that provide agentless CSPM functionality:
- Agentless Container vulnerability assessments: Provides agentless containers vulnerability assessments. Learn more about Agentless Container vulnerability assessment.
- Agentless discovery for Kubernetes: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.
How can I onboard multiple subscriptions at once?
To onboard multiple subscriptions at once, you can use this script.
Why don't I see results from my clusters?
If you don't see results from your clusters, check the following questions:
- Do you have stopped clusters?
- Are your resource groups, subscriptions, or clusters locked? If the answer to either of these questions is yes, see the answers in the following questions.
What can I do if I have stopped clusters?
We don't support or charge stopped clusters. To get the value of agentless capabilities on a stopped cluster, you can rerun the cluster.
What do I do if I have locked resource groups, subscriptions, or clusters?
We suggest that you unlock the locked resource group/subscription/cluster, make the relevant requests manually, and then relock the resource group/subscription/cluster by doing the following:
- Enable the feature flag manually via CLI by using Trusted Access.
“az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview”
- Perform the bind operation in the CLI:
az account set -s <SubscriptionId> az extension add --name aks-preview az aks trustedaccess rolebinding create --resource-group <cluster resource group> --cluster-name <cluster name> --name defender-cloudposture --source-resource-id /subscriptions/<SubscriptionId>/providers/Microsoft.Security/pricings/CloudPosture/securityOperators/DefenderCSPMSecurityOperator --roles "Microsoft.Security/pricings/microsoft-defender-operator"
For locked clusters, you can also do one of the following steps:
- Remove the lock.
- Perform the bind operation manually by making an API request. Learn more about locked resources.
Are you using an updated version of AKS?
Learn more about supported Kubernetes versions in Azure Kubernetes Service (AKS).
What's the refresh interval for Agentless discovery of Kubernetes?
It can take up to 24 hours for changes to reflect in the security graph, attack paths, and the security explorer.
How do I upgrade from the retired Trivy vulnerability assessment to the AWS vulnerability assessment powered by Microsoft Defender Vulnerability Management?
The following steps remove the single registry recommendation powered by Trivy and add the new registry and runtime recommendations that are powered by MDVM.
- Open the relevant AWS connector.
- Open the Settings page for Defender for Containers.
- Enable Agentless Container Vulnerability Assessment.
- Complete the steps of the connector wizard, including deployment of the new onboarding script in AWS.
- Manually delete the resources created during onboarding:
- S3 bucket with the prefix defender-for-containers-va
- ECS cluster with the name defender-for-containers-va
- VPC:
- Tag namewith the valuedefender-for-containers-va
- IP subnet CIDR 10.0.0.0/16
- Associated with default security group with the tag nameand the valuedefender-for-containers-vathat has one rule of all incoming traffic.
- Subnet with the tag nameand the valuedefender-for-containers-vain thedefender-for-containers-vaVPC with the CIDR 10.0.1.0/24 IP subnet used by the ECS clusterdefender-for-containers-va
- Internet Gateway with the tag nameand the valuedefender-for-containers-va
- Route table - Route table with the tag nameand valuedefender-for-containers-va, and with these routes:- Destination: 0.0.0.0/0; Target: Internet Gateway with the tagnameand the valuedefender-for-containers-va
- Destination: 10.0.0.0/16; Target:local
 
- Destination: 
 
- Tag 
 
To get vulnerability assessments for running images, either enable Agentless discovery for Kubernetes or deploy the Defender sensor on your Kubernetes clusters.
What happened to Microsoft Defender for Kubernetes?
Microsoft Defender for Kubernetes has been deprecated and replaced with Microsoft Defender for Containers. Existing subscriptions with Defender for Kubernetes enabled can continue to use it, but new subscriptions can't enable this deprecated plan.
All new container security capabilities and improvements are available only in Microsoft Defender for Containers. We recommend upgrading to Microsoft Defender for Containers to access the latest features and enhanced protection capabilities.