Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into WI444612-antimalware

Author: ElazarK

articles/defender-for-cloud/TOC.yml

@@ -826,10 +826,16 @@
               - name: Overview
                 href: runtime-gated-overview.md
               - name: Enable gated deployment
+                displayName: gated deployment, enable
                 href: enablement-guide-runtime-gated.md
+              - name: Gated deployment for Infrastructure as Code
+                displayName: gated deployment, infrastructure as code, IaC
+                href: gated-deployment-infrastructure-as-code.md
               - name: Troubleshooting
+                displayName: troubleshooting, gated deployment
                 href: troubleshooting-runtime-gated.md
               - name: Frequently asked questions
+                displayName: faq, frequently asked questions, gated deployment
                 href: faq-runtime-gated.md
       - name: Protect clusters with AKS Security Dashboard
         displayName: k8s, containers

articles/defender-for-cloud/defender-cli-syntax.md

@@ -14,8 +14,9 @@ The Defender for Cloud CLI provides commands to scan container images for securi
 
 ## CLI Options
 
-Option | Required | Type   | Description                                                  
+Option | Required | Type | Description                                                  
 --- | --- | --- | --- 
+`--defender-debug` | No | Bool | Output debug information to the console.
 `--output-formats` | No | String | Option: HTML
 `--defender-output` | No | String | Sets the path to the output file [default: `pwd`]
 `--defender-break` | No | Bool | Exit with a non-zero code if critical issues are found                  

articles/defender-for-cloud/deploy-helm.md

@@ -3,7 +3,7 @@ title: Install Defender for Containers sensor using Helm
 description: Learn how to install the Microsoft Defender for Containers sensor on Kubernetes clusters using Helm.
 author: Elazark
 ms.topic: how-to
-ms.date: 02/01/2026
+ms.date: 02/18/2026
 ms.author: elkrieger
 ai-usage: ai-assisted
 ---
@@ -58,7 +58,7 @@ Depending on your deployment type, follow the relevant instructions to install t
 
 - Helm version 3.8 or later (the available version supports OCI)
 
-- Azure CLI must be [installed](/cli/azure/install-azure-cli?view=azure-cli-latest) and [logged in](/cli/azure/reference-index?view=azure-cli-latest) to an account with resource group owner role for the target cluster.
+- Azure CLI must be [installed](/cli/azure/install-azure-cli?view=azure-cli-latest&preserve-view=true) and [logged in](/cli/azure/reference-index?view=azure-cli-latest&preserve-view=true) to an account with resource group owner role for the target cluster.
 
 - Azure resource ID for the target cluster
 
@@ -81,7 +81,7 @@ Depending on your deployment type, follow the relevant instructions to install t
 
    Or, run the [delete_conflicting_policies.sh](https://github.com/microsoft/Microsoft-Defender-For-Containers/blob/main/scripts/delete_conflicting_policies.sh) script with the following command:
 
-   ```azurecli   
+   ```bash   
    delete_conflicting_policies.sh <CLUSTER_AZURE_RESOURCE_ID>
    ```
    This command removes resource group and subscription level policies for setting up the generally available (GA) version of Defender for Containers. It can affect clusters other than the one you're configuring.
@@ -92,11 +92,11 @@ Use the [install_defender_sensor_aks.sh](https://github.com/microsoft/Microsoft-
 
 Run the script with the command:
     
-```azurecli
-install_defender_sensor_aks.sh --id <CLUSTER_AZURE_RESOURCE_ID> --version <VERSION> [--release_train <RELEASE_TRAIN>] [--antimalware]
+```bash
+install_defender_sensor_aks.sh --id <CLUSTER_AZURE_RESOURCE_ID> --version <VERSION> [--release_train <RELEASE_TRAIN>] [--namespace <NAMESPACE>] [--antimalware]
 ```
 
-Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, and `<VERSION>` with your own values. 
+Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, `<NAMESPACE>`, and `<VERSION>` with your own values: 
 
 - Replace `<VERSION>` with:
   - `latest` for the most recent version.
@@ -106,6 +106,11 @@ Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, a
   - `stable` (default).
   - `public` for the preview version.
     
+- Replace `<NAMESPACE>` with `kube-system` if you are deploying to AKS Automatic.
+
+ > [!NOTE]
+ > Don’t provide this parameter for standard AKS deployments. If not specified, the default namespace is `mdc`.
+
 - Use the `--antimalware` flag to enable antimalware scanning.
 
 > [!NOTE]
@@ -117,7 +122,7 @@ Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, a
 
 - Helm version 3.8 or later (the available version supports OCI)
 
-- Azure CLI must be [installed](/cli/azure/install-azure-cli?view=azure-cli-latest) and [logged in](/cli/azure/reference-index?view=azure-cli-latest) to an account with resource group owner role for the security connector.
+- Azure CLI must be [installed](/cli/azure/install-azure-cli?view=azure-cli-latest&preserve-view=true) and [logged in](/cli/azure/reference-index?view=azure-cli-latest&preserve-view=true) to an account with resource group owner role for the security connector.
 
 - Ensure the cluster account is connected to Microsoft Defender for Cloud. Learn how to [connect your AWS account](quickstart-onboard-aws.md) or [connect your GCP project](quickstart-onboard-gcp.md) to your Defender for Cloud.
 
@@ -140,7 +145,7 @@ Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, a
 
 1. Set the `kubeconfig` context to the target cluster by using the following command:
 
-   ```azurecli
+   ```bash
    install_defender_sensor_mc.sh --id <SECURITY_CONNECTOR_AZURE_RESOURCE_ID> --version <VERSION> --distribution <DISTRIBUTION> [--release_train <RELEASE_TRAIN>] [--antimalware]
    ```
     
@@ -172,12 +177,20 @@ Replace the placeholder text `<CLUSTER_AZURE_RESOURCE_ID>`, `<RELEASE_TRAIN>`, a
 
 ### Verify the installation
 
-Verify that the installation succeeded by using the command:
+Verify that the installation succeeded by using the namespace you used during installation:
+
+**For standard AKS, EKS, and GKE**
 
 ```bash
 helm list --namespace mdc
 ```
 
+**For AKS Automatic**
+
+```bash
+helm list --namespace kube-system
+```
+
 The installation is successful if the `STATUS` field displays **deployed**.
 
 ## Configure security rules for gated deployment

articles/defender-for-cloud/gated-deployment-infrastructure-as-code.md

@@ -0,0 +1,53 @@
+---
+title: Gated deployment for Infrastructure as Code
+description: Learn how to deploy gated deployment infrastructure as code for managed cluster API.
+#customer intent: As a Kubernetes administrator, I want to deploy gated deployment infrastructure as code so that I can automate the setup and ensure consistent configuration across environments.
+author: Elazark
+ms.author: elkrieger
+ms.date: 02/16/2026
+ms.topic: how-to
+---
+
+# Gated deployment for Infrastructure as Code
+
+Microsoft Defender for Cloud's gated deployment agent is a Kubernetes admission controller that enforces container image security policies at deployment time. Gated deployment acts as a gatekeeper for container images for known security problems at deployment time and decides whether they're allowed to run.
+
+The gated deployment agent requires read access to all of your Azure Container Registries (ACRs) associated with the cluster. These registries store the container images alongside the vulnerability assessment artifacts generated by Defender for Containers. To enable this access, configure a Managed Service Identity (MSI) with the required ACR read permissions and assign it to the agent.
+
+## Prerequisites
+
+- An Azure subscription with Microsoft Defender for Cloud enabled.
+- You must [enable gated deployment in Defender for Containers](enablement-guide-runtime-gated.md) with the defender sensor and registry access extensions turned on.
+- You must enable on your Azure Kubernetes Service (AKS) cluster: 
+    - [An OpenID Connect (OIDC) issuer](/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-the-oidc-issuer). 
+    - [An Azure Workload Identity](/azure/aks/workload-identity-deploy-cluster?tabs=new-cluster).
+
+> [!NOTE]
+> Security gating only needs to be installed once. The first time you enable the security gating toggle, it installs security gating.
+> After that, security gating is already installed. When the installation runs again, the system detects this and does nothing.
+> If you try to install it again through the API, it fails because security gating already exists.
+>
+> :::image type="content" source="media/gated-deployment-infrastructure-as-code/security-gating-on.png" alt-text="Screenshot that shows security gating is turned to on." lightbox="media/gated-deployment-infrastructure-as-code/security-gating-on.png":::
+
+## Deploy the gated agent
+
+1. [Create a Managed Service Identity (MSI) that the gated deployment agent uses](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal).
+
+1. [Assign the AcrPull role (or equivalent read role)](/azure/container-registry/container-registry-rbac-built-in-roles-overview?tabs=registries-configured-with-rbac-registry-abac-repository-permissions) to the MSI on all ACRs the cluster uses.
+
+1. [Add a Federated Identity Credential (FIC) to the MSI](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) that allows the gated deployment agent to authenticate by using AKS Workload Identity, with the following FIC parameters:
+
+    - **Issuer**: The AKS OIDC issuer URL
+    - **Subject**: The service account used by the gated deployment agent `system:serviceaccount:kube-system:defender-admission-controller-serviceaccount`.
+    - **Audience**: api://AzureADTokenExchange
+
+1. Under the [securityGating section of the managed cluster API configuration](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-arm-template#resource-format-1), set the [MSI’s objectId in the identities parameter](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-arm-template#managedclustersecurityprofiledefendersecuritygating-1) under the security gating section of the managed cluster API configuration. 
+
+    :::image type="content" source="media/gated-deployment-infrastructure-as-code/identities.png" alt-text="Screenshot that shows the section of the securityGating section of the managed cluster API configuration, where the code is located." lightbox="media/gated-deployment-infrastructure-as-code/identities.png":::
+
+    This ensures the gated deployment agent can use the MSI at runtime.
+
+## Next step
+
+> [!div class="nextstep"]
+> [Troubleshoot gated deployment in Kubernetes](troubleshooting-runtime-gated.md)