Important
Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.
This guide is for IT professionals, information security analysts, and cloud administrators whose organizations need to troubleshoot problems related to Microsoft Defender for Cloud.
Use the audit log to investigate problems
The first place to look for troubleshooting information is the audit log for the failed component. In the audit log, you can see details like:
- Which operations were performed.
- Who initiated the operation.
- When the operation occurred.
- The status of the operation.
The audit log contains all write operations (PUT, POST, DELETE) performed on your resources, but not read operations (GET).
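The following added example (not part of the original guide or of any Microsoft tooling) shows one way to pull those four details out of an exported audit log for a single failed component. The record field names, the helper functions, and the sample records are assumptions constructed for illustration; because read operations are not logged, only write operations appear.

```python
import json
from collections import Counter

# Constructed sample records, not real log data. The field names (caller,
# eventTimestamp, operationName.value, status.value, resourceId) are an
# assumed export shape; adjust them to match your own audit log export.
SAMPLE_LOG = json.loads("""[
 {"caller": "alice@contoso.example", "eventTimestamp": "2024-05-01T10:00:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
  "status": {"value": "Started"}, "resourceId": "/rg/rg1/virtualMachines/vm1"},
 {"caller": "alice@contoso.example", "eventTimestamp": "2024-05-01T10:02:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
  "status": {"value": "Failed"}, "resourceId": "/rg/rg1/virtualMachines/vm1"},
 {"caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T09:30:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"}, "resourceId": "/rg/rg1/virtualMachines/vm1"},
 {"caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T11:15:00Z",
  "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/delete"},
  "status": {"value": "Failed"}, "resourceId": "/rg/rg1/virtualMachines/vm1"},
 {"caller": "carol@contoso.example", "eventTimestamp": "2024-05-01T10:30:00Z",
  "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
  "status": {"value": "Failed"}, "resourceId": "/rg/rg1/storageAccounts/st1"}
]""")

def failed_operations(records, component):
    """Failed write operations on `component`, oldest first."""
    hits = []
    for rec in records:
        if component.lower() not in rec.get("resourceId", "").lower():
            continue  # record belongs to a different resource
        if rec.get("status", {}).get("value") != "Failed":
            continue  # keep only operations that ended in failure
        hits.append({
            "when": rec["eventTimestamp"],                # when it occurred
            "who": rec.get("caller", "unknown"),          # who initiated it
            "operation": rec["operationName"]["value"],   # which operation
            "status": rec["status"]["value"],             # its status
        })
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    return sorted(hits, key=lambda h: h["when"])

def failures_by_caller(records, component):
    """Count failed operations per initiator for the component."""
    return dict(Counter(h["who"] for h in failed_operations(records, component)))

if __name__ == "__main__":
    for hit in failed_operations(SAMPLE_LOG, "virtualMachines/vm1"):
        print(hit["when"], hit["who"], hit["operation"], hit["status"])
```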
Troubleshoot improperly working antimalware protection
The guest agent is the parent process of everything that the Microsoft Antimalware extension does. When the guest agent process fails, the Microsoft Antimalware protection that runs as a child process of the guest agent might also fail.
Here are some troubleshooting tips:
- If the target VM was created from a custom image, make sure that the creator of the VM installed a guest agent.
- If the target is a Linux VM, installing the Windows version of the antimalware extension will fail. The Linux guest agent has specific OS and package requirements.
- If the VM was created with an old version of the guest agent, the old agent might not have the ability to automatically update to the newer version. Always use the latest version of the guest agent when you create your own images.
- Some third-party administration software might disable the guest agent or block access to certain file locations. If third-party administration software is installed on your VM, make sure that the antimalware agent is on the exclusion list.
- Make sure that firewall settings and a network security group aren't blocking network traffic to and from the guest agent.
- Make sure that no access control lists are preventing disk access.
- The guest agent needs sufficient disk space to function properly.
By default, the Microsoft Antimalware user interface is disabled. But you can enable the Microsoft Antimalware user interface on Azure Resource Manager VMs.
Troubleshoot problems with loading the dashboard
If you experience problems with loading the workload protection dashboard, make sure that the user who first enabled Defender for Cloud on the subscription and the user who wants to turn on data collection have the Owner or Contributor role on the subscription. If so, users with the Reader role on the subscription can see the dashboard, alerts, recommendations, and policy.
See also
- Learn how to manage and respond to security alerts in Defender for Cloud.
- Learn about alert validation in Defender for Cloud.
- Review common questions about using Defender for Cloud.