Updates from: 05/13/2022 01:17:17
Category Microsoft Docs article Related commit history on GitHub Change details
bookings Bookings In Outlook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-in-outlook.md
Use the **Get-OrganizationConfig** and **Set-OrganizationConfig** commands to fi
1. Check EWS control access by running the following command. ```PowerShell
- Get-Organizationconfig | Format-List EwsEnabled
+ Get-OrganizationConfig | Format-List EwsEnabled
``` If the command returns ΓÇ£EwsEnabled: **$true**" then proceed to Step 2.
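Review bot: The unchanged line right after the closing fence quotes the expected output with an opening typographic quote and a straight closing quote around `EwsEnabled: **$true**`. Since this change already touches the step to fix the cmdlet casing, normalise that pair to straight quotes, or drop the quotes and format the value as code. The casing fix to `Get-OrganizationConfig` matches the spelling used in the sentence that introduces the procedure.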
business-premium M365bp Protect Pcs Macs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-pcs-macs.md
Title: "Protect unmanaged Windows 10 PCs and Macs in Microsoft 365 Business Premium"
+ Title: "Protect unmanaged Windows PCs and Macs in Microsoft 365 Business Premium"
f1.keywords: - NOCSH
search.appverid:
description: "Protect unmanaged or bring-your-own devices (BYOD) from cyberattacks with Microsoft 365 Business Premium. How to set up cybersecurity for Windows PCs and Macs."
-# Protect unmanaged Windows 10 PCs and Macs in Microsoft 365 Business Premium
+# Protect unmanaged Windows PCs and Macs in Microsoft 365 Business Premium
This objective is focused on creating protection for any unmanaged Windows 10 PCs and Macs not enrolled in Microsoft Intune. It is very likely your small business or campaign may have staff who bring their own devices (BYODs), and these devices are not managed. BYODs include personally-owned phones, tablets, and PCs.
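Review bot: The opening paragraph under the retitled H1 still reads "any unmanaged Windows 10 PCs and Macs not enrolled in Microsoft Intune", so the body now disagrees with the title and heading, which drop "10". Change it to "Windows PCs" in the same commit. The description line already says "Windows PCs", so this paragraph is the only visible leftover.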
compliance Create And Manage Inactive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-inactive-mailboxes.md
To view a list of the inactive mailboxes in your organization:
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and sign in using the credentials for a Global administrator or a Compliance administrator account in your organization.
-2. In the left navigation pane, click **Show all**, and then click **Data lifecycle management** > **Retention**.
+2. In the left navigation pane, select **Show all**, and then select **Data lifecycle management** > **Retention policies**.
- ![Click the Inactive Mailbox button on the Retention page.](../media/MCCInactiveMailboxes1.png)
+3. Select the **Inactive mailbox** option:
-3. On the **Retention** page, click **Inactive mailbox** to display a list of inactive mailboxes.
+ ![Inactive Mailbox option on the Retention policies page from data lifecycle management.](../media/inactive-mailbox-option.png)
-4. Select an inactive mailbox to display a flyout page with information about the inactive mailbox.
+4. The **Inactive mailboxes** page displays a list of inactive mailboxes. Select one to see details about that inactive mailbox. Details include how long it's been inactive, the Exchange identifier, when by whom it was put on hold.
- ![The flyout page displays details about the inactive mailbox.](../media/MCCInactiveMailboxes2.png)
+On the **Inactive mailboxes** page, select ![Export search results icon.](../media/47205c65-babd-4b3a-bd7b-98dfd92883ba.png) **Export** to view or download a CSV file that contains additional information about the inactive mailboxes in your organization.
-You can click ![Export search results icon.](../media/47205c65-babd-4b3a-bd7b-98dfd92883ba.png) **Export** to view or download a CSV file that contains additional information about the inactive mailboxes in your organization.
-
-Alternatively, you can run the following command in Exchange Online PowerShell to display the list of inactive mailboxes.
+Alternatively, you can run the following command in Exchange Online PowerShell to display the list of inactive mailboxes:
```powershell Get-Mailbox -InactiveMailboxOnly | FT DisplayName,PrimarySMTPAddress,WhenSoftDeleted
Get-Mailbox -InactiveMailboxOnly | Select Displayname,PrimarySMTPAddress,Disting
``` > [!NOTE]
-> It's possible that an inactive mailbox may have the same SMTP address as an active user mailbox. In this case, the value of the **DistinguishedName** or **ExchangeGuid** property can be used to uniquely identify an inactive mailbox.
+> It's possible that an inactive mailbox might have the same SMTP address as an active user mailbox. In this case, the value of the **DistinguishedName** or **ExchangeGuid** property can be used to uniquely identify an inactive mailbox.
## Search and export the contents of an inactive mailbox
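Review bot: In the new step 4, "when by whom it was put on hold" is missing a conjunction; suggest "and when and by whom it was put on hold". The same sentence lists "the Exchange identifier", while the note further down names the properties that disambiguate an inactive mailbox as **DistinguishedName** and **ExchangeGuid**. If the details page shows one of those, name it so readers can match the portal view to the PowerShell output.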
compliance Enable Archive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-archive-mailboxes.md
description: "Learn how to enable or disable archive mailboxes to support your o
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-Archiving in Microsoft 365 (also called *In-Place Archiving*) provides users with additional mailbox storage space. For more information, see [Learn about archive mailboxes](archive-mailboxes.md).
+Archiving in Microsoft 365 (also called *In-Place Archiving*) provides users with more mailbox storage space. For more information, see [Learn about archive mailboxes](archive-mailboxes.md).
Use the information in this article to enable or disable an archive mailbox in the Microsoft Purview compliance portal, or by using PowerShell. Also learn how to run an automated diagnostic check on a user's archive mailbox to identify any problems and suggested resolutions.
If you don't see the **Archive** page in the Microsoft Purview compliance portal
1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and sign in.
-2. In the left pane of the Microsoft Purview compliance portal, click **Data lifecycle management**, and then click the **Archive** tab.
+2. In the left pane of the compliance portal, select **Data lifecycle management** > **Archive**.
- The **Archive** page is displayed. The **Archive mailbox** column indicates whether an archive mailbox is enabled or disabled for each user.
+ On the **Archive** page, the **Archive mailbox** column identifies whether an archive mailbox is enabled or disabled for each user.
> [!NOTE]
- > The **Archive** page shows a maximum of 500 users.
+ > The **Archive** page shows a maximum of 500 users. Use the search box if you can't immediately see the name of the user you want.
-3. In the list of mailboxes, select the user that you want to enable the archive mailbox for and select **Enable Archive**.
+3. In the list of mailboxes, select the user to enable their mailbox for archive, and then select the **Enable Archive** option:
- ![Click Enable in the details pane of the selected user to enable the archive mailbox.](../media/8b53cdec-d5c9-4c28-af11-611f95c37b34.png)
+ ![Enable archive option for a selected user.](../media/enable-archive-option.png)
- A warning is displayed saying that if you enable the archive mailbox, items in the user's mailbox that are older than the archiving policy assigned to the mailbox will be moved to the new archive mailbox. The default archive policy that is part of the retention policy assigned to Exchange Online mailboxes moves items to the archive mailbox two years after the date the item was delivered to the mailbox or created by the user. For more information, see the **More info** section in this article.
+ A warning is displayed saying that if you enable the archive mailbox, items in the user's mailbox that are older than the archiving policy assigned to the mailbox will be moved to the new archive mailbox. The default archive policy that is part of the retention policy assigned to Exchange Online mailboxes moves items to the archive mailbox two years after the date the item was delivered to the mailbox or created by the user. For more information, see [Learn about archive mailboxes](archive-mailboxes.md).
-5. Select **Enable** to enable the archive mailbox.
+5. Select **Enable** to confirm.
- It might take a few moments to create the archive mailbox. When it's created, **Archive mailbox: enabled** is displayed in the details pane for the selected user. You might have to click **Refresh** ![Refresh icon.](../mediM-Policy-RefreshIcon.gif) to update the information in the details pane.
-
-> [!TIP]
-> You can also bulk-enable archive mailboxes by selecting multiple users with disabled archive mailboxes (use the Shift or Ctrl keys). After selecting multiple mailboxes, click **Enable** in the details pane.
+ It might take a few moments to create the archive mailbox. When it's created, **Enabled** is displayed in the **Archive mailbox** column for the selected user, although you might need to refresh the page to see the change of status.
## Disable an archive mailbox
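Review bot: The rewritten enable steps still jump from step 3 to step 5 ("+3. In the list of mailboxes, select the user..." followed by "+5. Select **Enable** to confirm."). Renumber the confirmation to 4, or make the warning paragraph its own step 4. Removing the bulk-enable tip also leaves no portal guidance for changing more than one mailbox, while the note keeps the 500-user display limit, so a pointer to the Exchange Online PowerShell section for bulk changes would help.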
-You can also use the **Archive** page in the Microsoft Purview compliance portal to disable a user's archive mailbox. After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored. After 30 days, the contents of the original archive mailbox are permanently deleted and can't be recovered. So if you re-enable the archive more than 30 days after disabling it, a new archive mailbox is created.
-
-The default archive policy assigned to users' mailboxes moves items to the archive mailbox two years after the date the item is delivered. If you disable a user's archive mailbox, no action will be taken on mailbox items and they will remain in the user's primary mailbox.
-
-To disable an archive mailbox:
-
-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and sign in.
-
-2. In the left pane of the Microsoft Purview compliance portal, click **Data lifecycle management**, and then click the **Archive** tab.
-
- The **Archive** page is displayed. The **Archive mailbox** column indicates whether an archive mailbox is enabled or disabled for each user.
-
- > [!NOTE]
- > The **Archive** page shows a maximum of 500 users.
-
-3. In the list of mailboxes, select the user that you want to disable the archive mailbox for and select **Disable Archive**.
--
- A warning message is displayed saying that you'll have 30 days to re-enable the archive mailbox, and that after 30 days, all information in the archive will be permanently deleted.
-
-5. Select **Disable** to disable the archive mailbox.
+Similarly to how you enable an archive mailbox, you can use the **Archive** page in the Microsoft Purview compliance portal to disable a user's archive mailbox. This time, select the **Disable archive** option after you select the user.
- It might take a few moments to disable the archive mailbox. When it's disabled, **Archive mailbox: disabled** is displayed in the details pane for the selected user. You might have to click **Refresh** ![Refresh icon.](../mediM-Policy-RefreshIcon.gif) to update the information in the details pane.
+After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored. After 30 days, the contents of the original archive mailbox are permanently deleted and can't be recovered. So if you re-enable the archive more than 30 days after disabling it, a new archive mailbox is created.
-> [!TIP]
-> You can also bulk-disable archive mailboxes by selecting multiple users with enabled archive mailboxes (use the Shift or Ctrl keys). After selecting multiple mailboxes, click **Disable** in the details pane.
+The default archive policy assigned to users' mailboxes moves items to the archive mailbox two years after the date the item is delivered. If you disable a user's archive mailbox, no action will be taken on mailbox items and they'll remain in the user's primary mailbox.
## Use Exchange Online PowerShell to enable or disable archive mailboxes
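Review bot: The condensed disable text drops the confirmation prompt that the removed steps described ("you'll have 30 days to re-enable the archive mailbox, and that after 30 days, all information in the archive will be permanently deleted"). Because this action ends in permanent deletion, keep one sentence telling the admin to expect and confirm that warning, as the enable steps still do for theirs. The option is also written "**Disable archive**" here but "**Enable Archive**" in the enable steps; match both to the portal label.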
compliance Ome Advanced Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-advanced-message-encryption.md
audience: Admin
ms.localizationpriority: medium Previously updated : 04/01/2022 Last updated : 05/12/2022 - Strat_O365_IP - M365-security-compliance
description: "Advanced Message Encryption helps organizations meet their complia
Microsoft Purview Advanced Message Encryption is included in [Microsoft 365 Enterprise E5](https://www.microsoft.com/microsoft-365/enterprise/home), Office 365 E5, Microsoft 365 E5 (Nonprofit Staff Pricing), Office 365 Enterprise E5 (Nonprofit Staff Pricing), and Office 365 Education A5. If your organization has a subscription that does not include Microsoft Purview Advanced Message Encryption, you can purchase it with the Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or the Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), Office 365 SKUs, or the Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3.
-Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption in Office 365, you can control sensitive emails shared outside the organization with automatic policies. You configure these policies to identify sensitive information types such as PII, Financial, or Health IDs, or you can use keywords to enhance protection. Once you've configured the policies, you pair policies with custom branded email templates and then add an expiration date for extra control of emails that fit the policy. Also, admins can further control encrypted emails accessed externally through a secure web portal by revoking access to the mail at any time.
+Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption in Office 365, you can control sensitive emails shared outside the organization with automatic policies and track those activities through the encrypted message portal access logs. You configure these policies to identify sensitive information types such as PII, Financial, or Health IDs, or you can use keywords to enhance protection. Once you've configured the policies, you pair policies with custom branded email templates and then add an expiration date for extra control of emails that fit the policy. Also, admins can further control encrypted emails accessed externally through a secure web portal by revoking access to the mail at any time.
You can only revoke and set an expiration date for emails sent to external recipients.
You can only revoke messages and apply expiration dates to messages that users r
[Set an expiration date for email encrypted by Microsoft Purview Advanced Message Encryption](ome-advanced-expiration.md). Control sensitive emails shared outside the organization with automatic policies that enhance protection by expiring access through a secure web portal to encrypted emails.
-[Revoke email encrypted by Microsoft Purview Advanced Message Encryption](revoke-ome-encrypted-mail.md). Control sensitive emails shared outside the organization and enhance protection by revoking access through a secure web portal to encrypted emails.
+[Revoke email encrypted by Microsoft Purview Advanced Message Encryption](revoke-ome-encrypted-mail.md). Control sensitive emails shared outside the organization and enhance protection by revoking access through a secure web portal to encrypted emails.
+
+[Encrypted message portal activity log by Microsoft Purview Advanced Message Encryption](ome-message-access-logs.md). Monitor sensitive emails shared outside the organization in the encrypted message portal.
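Review bot: The clause added to the overview paragraph calls the feature "encrypted message portal access logs", while the new link text calls it "Encrypted message portal activity log"; use one name in both places. In the link text, "by Microsoft Purview Advanced Message Encryption" is carried over from the two entries above, where it completes "encrypted by"; here it has no verb to attach to, so "in Microsoft Purview Advanced Message Encryption" would read correctly.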
compliance Ome Message Access Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-message-access-logs.md
audience: Admin
ms.localizationpriority: medium Previously updated : 05/04/2022 Last updated : 05/12/2022 - Strat_O365_IP - M365-security-compliance
search.appverid:
description: "Access logs are available for encrypted messages retrieved through the encrypted message portal."
-# Encrypted message portal activity log (preview)
+# Encrypted message portal activity log by Microsoft Purview Advanced Message Encryption (Preview)
Access logs are available for encrypted messages through the encrypted message portal that lets your organization determine when messages are read, and forwarded by your external recipients. To ensure logs are available for any external recipients, you should apply a custom branding template to protected emails sent by your organization to external recipients that enforces a portal experience. See [Add your organization's brand to your encrypted messages](add-your-organization-brand-to-encrypted-messages.md).
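Review bot: The new H1 says "activity log", but the description and the first body sentence in this file still open with "Access logs"; align them so the heading and the search description use the same term. In the unchanged first sentence, "when messages are read, and forwarded" has a stray comma that could be fixed while the heading is being edited.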
compliance Set Up An Archive And Deletion Policy For Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes.md
description: "How to create a custom Messaging Records Management (MRM) archivin
Microsoft Purview admins can create an archiving and deletion policy that automatically moves items to a user's [archive mailbox](archive-mailboxes.md) and automatically deletes items from the mailbox.
-You do this by by creating a Messaging Records Management (MRM) retention policy that's assigned to mailboxes, and moves items to a user's archive mailbox after a certain period of time and that also deletes items from the mailbox after they reach a certain age limit.
+You do this by creating a Messaging Records Management (MRM) retention policy that you then assign to mailboxes. This policy moves items to a user's archive mailbox after a specified period of time and also deletes items from the mailbox after they reach a certain age limit.
The actual rules that determine what items are moved or deleted and when that happens are called retention tags. Retention tags are linked to an MRM retention policy, that in turn is assigned to a user's mailbox. A retention tag applies retention settings to individual messages and folders in a user's mailbox. It defines how long a message remains in the mailbox and what action is taken when the message reaches the specified retention age. When a message reaches its retention age, it's either moved to the user's archive mailbox or it's deleted. The steps in this article set up an archiving and retention policy for a fictitious organization named Alpine House. Setting up this policy includes the following tasks: -- Enabling an archive mailbox for every user in the organization. This gives users additional mailbox storage, and is required so that a retention policy can move items to the archive mailbox. It also lets a user store archival information by moving items to their archive mailbox.
+- Enable an archive mailbox for every user in the organization. This procedure gives users more mailbox storage, and is required so that a retention policy can automatically move items to the archive mailbox. A user can also manually move items to their archive mailbox for archival storage.
-- Creating three custom retention tags that do the following:
+- Create three custom retention tags to do the following actions:
- - Automatically moves items that are 3 years old to the user's archive mailbox. Moving items to the archive mailbox frees up space in a user's primary mailbox.
+ - Automatically move items that are 3 years old to the user's archive mailbox. Moving items to the archive mailbox frees up space in a user's primary mailbox.
- - Automatically deletes items that are 5 years old from the Deleted Items folder. This also frees up space in the user's primary mailbox. User's will have the opportunity to recover these items if necessary. See the footnote in the [More information](#more-information) section for more details.
+ - Automatically delete items that are 5 years old from the Deleted Items folder. This also frees up space in the user's primary mailbox. User's will have the opportunity to recover these items if necessary. See the footnote in the [More information](#more-information) section for more details.
- - Automatically (and permanently) deletes items that are 7 years old from both the primary and archive mailbox. Because of compliance regulations, some organization's are required to retain email for a certain period of time. After this time period expires, an organization might want to permanently remove these items user mailboxes.
+ - Automatically (and permanently) delete items that are 7 years old from both the primary and archive mailbox. Because of compliance regulations, some organization's are required to retain email for a specific period of time. When this time period expires, an organization might want to permanently remove these items from user mailboxes.
-- Creating a new retention policy and adding the new custom retention tags to it. Additionally, you'll also add built-in retention tags to the new retention policy. This includes personal tags that users can assign to items in their mailbox. You'll also add a retention tag that moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in their archive mailbox. This helps free up space in a user's Recoverable Items folder when their mailbox is placed on hold.
+- Create a new retention policy and adding the new custom retention tags to it. Additionally, you'll also add built-in retention tags to the new retention policy. This includes personal tags that users can assign to items in their mailbox. You'll also add a retention tag that moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in their archive mailbox. This action helps free up space in a user's Recoverable Items folder when their mailbox is placed on hold.
You can follow some or all of the steps in this article to set up an archive and deletion policy for mailboxes in your own organization. We recommend that you test this process on a few mailboxes before implementing it on all mailboxes in your organization. ## Before you set up an archive and deletion policy -- You have to be a global administrator in your organization to perform the steps in this topic.
+- You must be a global administrator in your organization to perform the steps in this article.
-- When you create a new user account and assign the user an Exchange Online license, a mailbox is automatically created for the user. When the mailbox is created, it's automatically assigned a default retention policy, named Default MRM Policy. In this article, you will create a new retention policy and then assign it to user mailboxes, replacing the Default MRM policy. A mailbox can have only one retention policy assigned to it at any one time.
+- When you create a new user account and assign the user an Exchange Online license, a mailbox is automatically created for the user. When the mailbox is created, it's automatically assigned a default retention policy, named Default MRM Policy. In this article, you'll create a new MRM retention policy and then assign it to user mailboxes, replacing the Default MRM policy. A mailbox can have only one MRM retention policy assigned to it at any one time.
-- To learn more about retention tags and retention policies in Exchange Online, see [Retention tags and retention policies](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies).
+- To learn more about retention tags and MRM retention policies in Exchange Online, see [Retention tags and retention policies](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies).
## Step 1: Enable archive mailboxes for users
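Review bot: Three of the rewritten bullets carry errors over from the old text. "User's will have the opportunity" should be "Users will have", "some organization's are required" should be "some organizations are required", and "Create a new retention policy and adding the new custom retention tags to it" should be "and add" to stay parallel with the other imperative bullets introduced by this change.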
-The first step is to enable the archive mailbox for each user in your organization. A user's archive mailbox has to be enabled so that a retention tag with a "Move to Archive" retention action can move the item after the retention age expires.
+The first step is to ensure each user in your organization has an archive mailbox. A user's archive mailbox must be enabled so that a retention tag with a "Move to Archive" retention action can move the item after the retention age expires.
+
+For instructions to enable archive mailboxes, see [Enable archive mailboxes in the Microsoft Purview compliance portal](enable-archive-mailboxes.md).
> [!NOTE] > You can enable archive mailboxes any time during this process, just as long as they're enabled at some point before you complete the process. If an archive mailbox isn't enabled, no action is taken on any items that have an archive or deletion policy assigned to it.
-
-1. Go to the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
-
-2. Sign in using your global administrator account.
-
-3. In the Microsoft Purview compliance portal, select **Data lifecycle management**, and then click the **Archive** tab.
-
- A list of the mailboxes in your organization is displayed and whether the corresponding archive mailbox is enabled or disabled.
-
-4. Select all the mailboxes by clicking on the first one in the list, holding down the **Shift** key, and then clicking the last one in the list.
-
- > [!TIP]
- > This step assumes that no archive mailboxes are enabled. If you have any mailboxes with the archive enabled, hold down the **Ctrl** key and click each mailbox that has a disabled archive mailbox. Or you can click the **Archive mailbox** column header to sort the rows based on whether the archive mailbox is enabled or disabled to make it easier to select mailboxes.
-
-5. In the details pane, under **Bulk Edit**, click **Enable**.
-
- A warning is displayed saying that items that are older than two years will be moved to the new archive mailbox. This is because the default retention policy that's assigned a new user mailbox when it's created has an archive default policy tag that has a retention age of 2 years. The custom archive default policy tag that you'll create in Step 2 has a retention age of 3 years. That means items that are 3 years or older will be moved to the archive mailbox.
-
-6. Click **Yes** to close the warning message and start the process to enable the archive mailbox for each selected mailbox.
-
-7. When the process is complete, click **Refresh** ![refresh.](../media/165fb3ad-38a8-4dd9-9e76-296aefd96334.png) to update the list on the **Archive** page.
-
- The archive mailbox is enabled for all user's in your organization.
-
- ![The list of mailboxes with the archive mailbox enabled.](../media/61a7cb97-1bed-4808-aa5f-b6b761cfa8de.png)
## Step 2: Create new retention tags for the archive and deletion policies
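Review bot: Step 1 now defers entirely to enable-archive-mailboxes.md, but the removed steps carried two things the new text does not. One is how to select every mailbox at once. The other is the explanation that the 2-year warning comes from the default policy, while the custom tag created in Step 2 uses 3 years. The task list above still says to enable an archive mailbox "for every user in the organization", so either keep a sentence on bulk enablement (or point to the PowerShell method) and retain the 2-year versus 3-year explanation, or confirm that the linked article covers both.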
To create new retention tags, you'll use the <a href="https://go.microsoft.com/f
First, you'll create a custom archive default policy tag (DPT) that will move items to the archive mailbox after 3 years.
-1. On the **Retention tags** page, click **New tag**![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to entire mailbox (default)**.
+1. On the **Retention tags** page, select **New tag**![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to entire mailbox (default)**.
2. On the **New tag applied automatically to entire mailbox (default)** page, complete the following fields:
First, you'll create a custom archive default policy tag (DPT) that will move it
4. **Comment** (Optional) Type a comment that explains the purpose of the custom retention tag.
-3. Click **Save** to create the custom archive DPT.
+3. Select **Save** to create the custom archive DPT.
The new archive DPT is displayed in the list of retention tags.
First, you'll create a custom archive default policy tag (DPT) that will move it
Next, you'll create another custom DPT but this one will be a deletion policy that permanently deletes items after 7 years.
-1. On the **Retention tags** page, click **New tag**![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to entire mailbox (default)**.
+1. On the **Retention tags** page, select **New tag**![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to entire mailbox (default)**.
2. On the **New tag applied automatically to entire mailbox (default)** page, complete the following fields:
Next, you'll create another custom DPT but this one will be a deletion policy th
4. **Comment** (Optional) Type a comment that explains the purpose of the custom retention tag.
-3. Click **Save** to create the custom deletion DPT.
+3. Select **Save** to create the custom deletion DPT.
The new deletion DPT is displayed in the list of retention tags. ### Create a custom retention policy tag for the Deleted Items folder
-The last retention tag that you'll create is a custom retention policy tag (RPT) for the Deleted Items folder. This tag will delete items in the Deleted Items folder after 5 years, and provides a recovery period when users can use the Recover Deleted Items tool to recover an item.
+The last retention tag to create is a custom retention policy tag (RPT) for the Deleted Items folder. This tag will delete items in the Deleted Items folder after 5 years, and provides a recovery period when users can use the Recover Deleted Items tool to recover an item.
-1. On the **Retention tags** page, click **New tag** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to a default folder**.
+1. On the **Retention tags** page, select **New tag** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif), and then select **applied automatically to a default folder**.
2. On the **New tag applied automatically to a default folder** page, complete the following fields:
The last retention tag that you'll create is a custom retention policy tag (RPT)
5. **Comment** (Optional) Type a comment that explains the purpose of the custom retention tag.
-3. Click **Save** to create the custom RPT for the Deleted Items folder.
+3. Select **Save** to create the custom RPT for the Deleted Items folder.
The new RPT is displayed in the list of retention tags.
After you create the custom retention tags, the next step is to create a new ret
1. In the EAC, go to **Compliance management** > **Retention policies**.
-2. On the **Retention policies** page, click **New** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif).
+2. On the **Retention policies** page, select **New** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif).
3. In the **Name** box, type a name for the new retention policy; for example, **Alpine House Archive and Deletion Policy**.
-4. Under **Retention tags**, click **Add** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif).
+4. Under **Retention tags**, select **Add** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif).
A list of the retention tags in your organization is displayed. Note the custom tags that you created in Step 2 are displayed.
-5. Add the 9 retention tags that are highlighted in the following screenshot (these tags are described in more detail in the [More information](#more-information) section). To add a retention tag, select it and then click **Add**.
+5. Add the 9 retention tags that are highlighted in the following screenshot (these tags are described in more detail in the [More information](#more-information) section). To add a retention tag, select it and then select **Add**.
![Add retention tags to the new retention policy.](../media/d8e87176-0716-4238-9e6a-7c4af35541dc.png) > [!TIP] > You can select multiple retention tags by holding down the **Ctrl** key and then clicking each tag.
-6. After you've added the retention tags, click **OK**.
+6. After you've added the retention tags, select **OK**.
-7. On the **New retention policy** page, click **Save** to create the new policy.
+7. On the **New retention policy** page, select **Save** to create the new policy.
The new retention policy is displayed in the list. Select it to display the retention tags linked to it in the details pane.
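Review bot: The tip under step 5 still reads "by holding down the **Ctrl** key and then clicking each tag", which is now the only "click" wording left among these steps after every other verb was changed to "select". Reword it to "selecting each tag" in the same pass so the procedure is consistent.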
After you create the custom retention tags, the next step is to create a new ret
## Step 4: Assign the new retention policy to user mailboxes
-When a new mailbox is created, a retention policy named Default MRM policy is assigned to it by default. In this step, you'll replace this retention policy (because a mailbox can have only one retention policy assigned to it) by assigning the new retention policy that you created in Step 3 to the user mailboxes in your organization. This step assumes that you'll assign the new policy to all mailboxes in your organization.
+When a new mailbox is created, a retention policy named Default MRM policy is assigned to it by default. In this step, you'll replace this retention policy by assigning the new retention policy that you created in Step 3 to the user mailboxes in your organization. Replacement is required because a mailbox can have only one MRM retention policy assigned to it at a time. This step assumes that you'll assign the new policy to all mailboxes in your organization.
1. In the EAC, go to **Recipients** > **Mailboxes**.
When a new mailbox is created, a retention policy named Default MRM policy is as
2. Select all the mailboxes by clicking on the first one in the list, holding down the **Shift** key, and then clicking the last one in the list.
-3. In the details pane on the right side of the EAC, under **Bulk Edit**, click **More options**.
+3. In the details pane in the EAC, under **Bulk Edit**, select **More options**.
-4. Under **Retention Policy**, click **Update**.
+4. Under **Retention Policy**, select **Update**.
5. On the **Bulk assign retention policy** page, in the **Select the retention policy** drop-down list, select the retention policy that you created in Step 3; for example, **Alpine House Archive and Retention Policy**.
-6. Click **Save** to save the new retention policy assignment.
+6. Select **Save** to save the new retention policy assignment.
-7. To verify that the new retention policy was assigned to mailboxes, you can do the following:
+7. To verify that the new retention policy was assigned to mailboxes:
- 1. Select a mailbox on the **Mailboxes** page, and then click **Edit** ![Edit.](../media/d7dc7e5f-17a1-4eb9-b42d-487db59e2e21.png).
+ 1. Select a mailbox on the **Mailboxes** page, and then select **Edit** ![Edit.](../media/d7dc7e5f-17a1-4eb9-b42d-487db59e2e21.png).
- 2. On the mailbox properties page for the selected user, click **Mailbox features**.
+ 2. On the mailbox properties page for the selected user, select **Mailbox features**.
The name of the new policy assigned to the mailbox is displayed in the **Retention policy** drop-down list.
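Review bot: Step 5 tells the reader to pick **Alpine House Archive and Retention Policy**, but Step 3 of this article names the policy **Alpine House Archive and Deletion Policy**, and this pass edits the neighbouring steps without reconciling the two. Use one name throughout. The same string is what the Step 6 example passes to `-RetentionPolicy`, where a name that doesn't exist makes the command fail.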
Here are the steps to connect to Exchange Online PowerShell, and then run the Ma
That's it! You've set up an archive and deletion policy for the Alpine House organization.
-> [!NOTE]
-> As previously stated, the Managed Folder Assistant processes mailboxes at least once every 7 days. So it's possible that a mailbox can be processed by the Managed Folder Assistant more frequently. Also, admins can't predict the next time a mailbox is processed by the Managed Folder Assistant, which is one reason why you may want to run it manually. However, if you want to temporarily prevent the Managed Folder Assistant from applying the new retention settings to a mailbox, you can run the `Set-Mailbox -ElcProcessingDisabled $true` command to temporarily disable the the Managed Folder Assistant from processing a mailbox. To re-enable the Managed Folder Assistant for a mailbox, run the `Set-Mailbox -ElcProcessingDisabled $false` command. Finally, if a mailbox user has a disabled account, we will not process the move items to archive action for that mailbox.
+### More information about the Managed Folder Assistant
+
+As previously stated, the Managed Folder Assistant processes mailboxes at least once every 7 days. So it's possible that a mailbox can be processed by the Managed Folder Assistant more frequently. Also, admins can't predict the next time a mailbox is processed by the Managed Folder Assistant, which is one reason why you might want to run it manually.
+
+However, if you want to temporarily prevent the Managed Folder Assistant from applying the new retention settings to a mailbox, you can run the `Set-Mailbox -ElcProcessingDisabled $true` command to temporarily disable the Managed Folder Assistant from processing a mailbox.
+
+To re-enable the Managed Folder Assistant for a mailbox, run the `Set-Mailbox -ElcProcessingDisabled $false` command.
+
+Finally, if a mailbox user has a disabled account, items aren't moved to the archive mailbox for that mailbox.
## (Optional) Step 6: Make the new retention policy the default for your organization
-In Step 4, you have to assign the new retention policy to existing mailboxes. But you can configure Exchange Online so that the new retention policy is assigned to new mailboxes that are created in the future. You do this by using Exchange Online PowerShell to update your organization's default mailbox plan. A *mailbox plan* is a template that automatically configures properties on new mailboxes. In this optional step, you can replace the current retention policy that's assigned to the mailbox plan (by default, the Default MRM Policy) with the retention policy that you created in Step 3. After you update the mailbox plan, the new retention policy will be assigned to new mailboxes.
+In Step 4, you have to assign the new retention policy to existing mailboxes. But you can configure Exchange Online so that the new retention policy is assigned to new mailboxes that are created in the future.
+
+You do this by using Exchange Online PowerShell to update your organization's default mailbox plan. A *mailbox plan* is a template that automatically configures properties on new mailboxes. In this optional step, you can replace the current retention policy that's assigned to the mailbox plan (by default, the Default MRM Policy) with the MRM retention policy that you created in Step 3. After you update the mailbox plan, the new MRM retention policy will be assigned to new mailboxes.
1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
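Review bot: In the new "More information about the Managed Folder Assistant" section, both `Set-Mailbox -ElcProcessingDisabled $true` and `Set-Mailbox -ElcProcessingDisabled $false` are shown without a mailbox identity, so neither can be run as written. Show the identity placeholder, for example `Set-Mailbox -Identity <mailbox> -ElcProcessingDisabled $true`. The new H3 title is also close to the existing "## More information" heading that Step 3 links to with `#more-information`; a more distinct title would keep the two sections from being confused.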
In Step 4, you have to assign the new retention policy to existing mailboxes. Bu
```powershell Get-MailboxPlan | Format-Table DisplayName,RetentionPolicy,IsDefault ```-
+
Note the mailbox plan that's set as the default.
-3. Run the following command to assign the new retention policy that you created in Step 3 (for example, **Alpine House Archive and Retention Policy**) to the default mailbox plan. This example assumes the name of the default mailbox plan is **ExchangeOnlineEnterprise**.
-
+3. Run the following command to assign the new MRM retention policy that you created in Step 3 (for example, **Alpine House Archive and Retention Policy**) to the default mailbox plan. This example assumes the name of the default mailbox plan is **ExchangeOnlineEnterprise**.
+
```powershell Set-MailboxPlan "ExchangeOnlineEnterprise" -RetentionPolicy "Alpine House Archive and Retention Policy" ```
-4. You can rerun the command in step 2 to verify that the retention policy assigned to the default mailbox plan was changed.
+4. You can rerun the command in step 2 to verify that the MRM retention policy assigned to the default mailbox plan was changed.
## More information -- How is retention age calculated? The retention age of mailbox items is calculated from the date of delivery or the date of creation for items such as draft messages that aren't sent but are created by the user. When the Managed Folder Assistant processes items in a mailbox, it stamps a start date and an expiration date for all items that have retention tags with the Delete and Allow Recovery or Permanently Delete retention action. Items that have an archive tag are stamped with a move date.
+- The retention age of mailbox items is calculated from the date of delivery. Or from the date of creation for items such as draft messages that aren't sent but are created by the user. When the Managed Folder Assistant processes items in a mailbox, it stamps a start date and an expiration date for all items that have retention tags with the Delete and Allow Recovery or Permanently Delete retention action. Items that have an archive tag are stamped with a move date.
-- The following table provides more information about each retention tag that is added to the custom retention policy that was created by following the steps in this topic.
+- The following table provides more information about each retention tag for the custom MRM retention policy in this article.
| Retention tag | What this tag does | Built-in or custom? | Type | |:--|:--|:--|:--| |Alpine House 3 Year Move to Archive <br/> |Moves items that are 1095 days (3 years) old to the archive mailbox. <br/> |Custom (See [Step 2: Create new retention tags for the archive and deletion policies](#step-2-create-new-retention-tags-for-the-archive-and-deletion-policies)) <br/> |Default Policy Tag (archive); this tag is automatically applied to the entire mailbox. <br/> |
- |Alpine House 7 Year Permanently Delete <br/> |Permanently deletes items in the primary mailbox or the archive mailbox when they are 7 years old. <br/> |Custom (See [Step 2: Create new retention tags for the archive and deletion policies](#step-2-create-new-retention-tags-for-the-archive-and-deletion-policies)) <br/> |Default Policy Tag (deletion); this tag is automatically applied to the entire mailbox. <br/> |
+ |Alpine House 7 Year Permanently Delete <br/> |Permanently deletes items in the primary mailbox or the archive mailbox when they're 7 years old. <br/> |Custom (See [Step 2: Create new retention tags for the archive and deletion policies](#step-2-create-new-retention-tags-for-the-archive-and-deletion-policies)) <br/> |Default Policy Tag (deletion); this tag is automatically applied to the entire mailbox. <br/> |
|Alpine House Deleted Items 5 Years Delete and Allow Recovery <br/> |Deletes items from the Deleted Items folder that are 5 years old. Users can recover these items for up 14 days after they're deleted.<sup>\*</sup> <br/> |Custom (See [Step 2: Create new retention tags for the archive and deletion policies](#step-2-create-new-retention-tags-for-the-archive-and-deletion-policies)) <br/> |Retention Policy Tag (Deleted Items); this tag is automatically applied to items in the Deleted items folder. <br/> | |Recoverable Items 14 days Move to Archive <br/> |Moves items that have been in the Recoverable Items folder for 14 days to the Recoverable Items folder in the archive mailbox. <br/> |Built-in <br/> |Retention Policy Tag (Recoverable Items); this tag is automatically applied to items in the Recoverable Items folder. <br/> | |Junk Email <br/> |Permanently deletes items that have been in the Junk Email folder for 30 days. Users can recover these items for up 14 days after they're deleted.<sup>\*</sup> <br/> |Built-in <br/> |Retention Policy Tag (Junk Email); this tag is automatically applied to items in Junk Email folder. <br/> |
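Review bot: The rewritten first bullet under "More information" now breaks into a fragment: "Or from the date of creation for items such as draft messages that aren't sent but are created by the user." has no verb of its own. Keep it as one sentence ("...is calculated from the date of delivery, or from the date of creation for items such as draft messages...") and consider a short lead-in now that "How is retention age calculated?" is gone, so the bullet still says what it answers.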
In Step 4, you have to assign the new retention policy to existing mailboxes. Bu
|Never Delete <br/> |This tag prevents items from being deleted by a retention policy. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> | |Personal 1 year move to archive <br/> |Moves items to the archive mailbox after 1 year. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> |
- > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Windows PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention)
+ > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Windows PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention).
-- Using the **Recoverable Items 14 days Move to Archive** retention tag helps free up storage space in the Recoverable Items folder in the user's primary mailbox. This is useful when a user's mailbox is placed on hold, which means nothing is ever permanently deleted the user's mailbox. Without moving items to the archive mailbox, it's possible the storage quota for the Recoverable Items folder in the primary mailbox will be reached. For more information about this and how to avoid it, see [Increase the Recoverable Items quota for mailboxes on hold](./increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+- Using the **Recoverable Items 14 days Move to Archive** retention tag helps free up storage space in the Recoverable Items folder in the user's primary mailbox. This is useful when a user's mailbox is placed on hold, which means nothing is ever permanently deleted from the user's mailbox. Without moving items to the archive mailbox, it's possible the storage quota for the Recoverable Items folder in the primary mailbox will be reached. For more information about this and how to avoid it, see [Increase the Recoverable Items quota for mailboxes on hold](./increase-the-recoverable-quota-for-mailboxes-on-hold.md).
contentunderstanding Adoption Assessment Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-assessment-tool.md
+
+ Title: Discover opportunities in SharePoint Syntex by using the Microsoft 365 Assessment tool
++++ Last updated :
+audience: admin
++
+- enabler-strategic
+- m365initiative-syntex
+
+- Adopt
+- admindeeplinkMAC
+search.appverid:
+ms.localizationpriority: medium
+description: Learn how to use the adoption assessment tool to see how your organization can benefit from SharePoint Syntex.
++
+# Discover opportunities in SharePoint Syntex by using the Microsoft 365 Assessment tool
+
+> [!IMPORTANT]
+> The Microsoft 365 Assessment tool and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
+
+> [!NOTE]
+> The Microsoft 365 Assessment tool can be run only against SharePoint Online.
+
+You can assess how SharePoint Syntex will benefit your organization by using the Microsoft 365 Assessment tool. When you run an assessment, you'll generate a Power BI report that summarizes aspects of your SharePoint information architecture that are indicators for where SharePoint Syntex might be of value.
+
+![Image of three sample report pages in the Power BI summary.](../media/content-understanding/assessment-tool-reports.png)
+
+The assessment report includes the following information:
+
+- **Libraries with custom columns** ΓÇô Identify libraries where SharePoint Syntex can automatically populate columns, improving consistency.
+
+- **Column usage** ΓÇô Identify patterns of column usage, to target SharePoint Syntex models where they'll have the maximum benefit.
+
+- **Libraries with custom content types** ΓÇô Identify libraries using custom content types, where SharePoint Syntex models can be used to automatically categorize files.
+
+- **Content type usage** ΓÇô Identify patterns of content type usage, to target Sharepoint Syntex models where they'll have the maximum benefit.
+
+- **Libraries with retention labels** ΓÇô Identify libraries where retention labels are used, where SharePoint Syntex can be used to automate and improve consistency.
+
+- **Library size** ΓÇô Identify large libraries where classification and metadata can improve the content discovery experience.
+
+- **Library modernization status** ΓÇô Identify libraries that might need to be modernized to fully make use of SharePoint Syntex.
+
+- **Prebuilt model candidates** ΓÇô Identify libraries where names or content types suggest a prebuilt model could be applied.
+
+- **Syntex model usage** ΓÇô Review the current use of SharePoint Syntex models in your sites.
+
+- **Assessment overview** ΓÇô Review the assessment results to identify any failures.
+
+## Run the assessment
+
+The SharePoint Syntex assessment is a module in the Microsoft 365 Assessment tool. To run the assessment:
+
+1. Visit the [Microsoft 365 Assessment tool documentation](https://pnp.github.io/pnpassessment/https://docsupdatetracker.net/index.html) to learn more.
+
+2. [Download the tool](https://pnp.github.io/pnpassessment/using-the-assessment-tool/download.html).
+
+3. [Decide on an authentication method](https://pnp.github.io/pnpassessment/using-the-assessment-tool/setupauth.html).
+
+4. [Configure permissions](https://pnp.github.io/pnpassessment/sharepoint-syntex/requirements.html).
+
+5. [Run a SharePoint Syntex assessment](https://pnp.github.io/pnpassessment/sharepoint-syntex/assess.html).
+
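Review bot: The link in step 1 of "Run the assessment" has a target with two URLs run together, `https://pnp.github.io/pnpassessment/https://docsupdatetracker.net/index.html`, which can't resolve to the tool documentation; point it at the documentation home under `pnp.github.io/pnpassessment/` like the links in steps 2 to 5. "Sharepoint Syntex" in the **Content type usage** bullet should be "SharePoint Syntex". Because the page sends admins to download a community tool with no SLA and grant it permissions, step 4 would be stronger if it stated which permissions the assessment needs rather than only linking out.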
contentunderstanding Solution Manage Contracts Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step1.md
Document understanding models use Optical Character Recognition (OCR) technology
## Steps to create and train your model > [!NOTE]
-> For these steps, you can use the example files in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario%20assets/Contracts%20Management). The examples in this repository contain both the document understanding model files and the files used to train the model.
+> For these steps, you can use the example files in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario%20samples/Contracts%20Management). The examples in this repository contain both the document understanding model files and the files used to train the model.
### Create a Contract model
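Review bot: The corrected link in the note now points at `scenario%20samples`, but its text still calls the target the "Contracts Management Solution Assets repository", and the URL still tracks the `main` branch, so another directory rename upstream would break it again. Since readers are told to use these files to train a model, consider linking to a tagged release or a specific commit so the path and contents stay fixed.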
After you apply the model to the document library, you can begin uploading docum
## Next step
-[Step 2. Use Microsoft Teams to create your contract management channel](solution-manage-contracts-step2.md)
+[Step 2. Use Microsoft Teams to create your contract management channel](solution-manage-contracts-step2.md)
contentunderstanding Solution Manage Contracts Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step2.md
After you attach the SharePoint document library, you'll be able to view any cla
## Customize your Contracts tab tile view > [!NOTE]
-> This section references code examples that are contained in the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file that is included in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario%20assets/Contracts%20Management).
+> This section references code examples that are contained in the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file that is included in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario%20samples/Contracts%20Management).
While Teams lets you view your contracts in a tile view, you might want to customize it to view the contract data you want to make visible in the contract card. For example, for the **Contracts** tab, it is important for members to see the client, contractor, and fee amount on the contract card. All of these fields were extracted from each contract through your SharePoint Syntex model that was applied to your document library. You also want to be able to change the tile header bar to different colors for each status so that members can easily see where the contract is in the approval process. For example, all approved contracts will have a blue header bar. ![Tile view of SharePoint library.](../media/content-understanding/tile.png)
-The custom tile view you use requires you to make changes to the JSON file used to format the current tile view. You can reference the JSON file used to create the card view by looking at the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file. In the following sections, you'll see specific sections of the code for features that are in the contract cards.
+The custom tile view you use requires you to make changes to the JSON file used to format the current tile view. You can reference the JSON file used to create the card view by looking at the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file. In the following sections, you'll see specific sections of the code for features that are in the contract cards.
If you want to see or make changes to the JSON code for your view in your Teams channel, in the Teams channel, select the view drop-down menu, and then select **Format current view**.
If you want to see or make changes to the JSON code for your view in your Teams
## Card size and shape
-In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the following section to see the code for how the size and shape of the card is formatted.
+In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the following section to see the code for how the size and shape of the card is formatted.
```JSON {
In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/
## Contract status
-The following code lets you define the status of each title card. Note that each status value (*New*, *In review*, *Approved*, and *Rejected*) will display a different color code for each. In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the section that defines the status.
+The following code lets you define the status of each title card. Note that each status value (*New*, *In review*, *Approved*, and *Rejected*) will display a different color code for each. In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the section that defines the status.
```JSON {
The following code lets you define the status of each title card. Note that each
Each contract card will display three fields that were extracted for each contract (*Client*, *Contractor*, and *Fee Amount*). Additionally, you also want to display the time/date that the file was classified by the SharePoint Syntex model used to identify it.
-In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20assets/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, the following sections define each of these.
+In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, the following sections define each of these.
### Client
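Review bot: The same `ContractTileFormatting.json` URL is written out in full in the opening note, the intro paragraph, "Card size and shape", "Contract status" and here, so the path change had to be made five times. Define it once as a reference-style link and reuse it. In "Contract status", "the status of each title card" also reads like a typo for "tile card".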
enterprise Manage Microsoft 365 Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell.md
Set-UnifiedGroup -Identity "mygroup@contoso.com" -DisplayName "My new group"
Microsoft 365 Groups in Outlook are created as Private by default. If your organization wants Microsoft 365 Groups to be created as Public by default (or back to Private), use this PowerShell cmdlet syntax:
- `Set-OrganizationConfig -DefaultGroupAccessType Public`
+ ```powershell
+ Set-OrganizationConfig -DefaultGroupAccessType Public
+ ```
To set to Private:
- `Set-OrganizationConfig -DefaultGroupAccessType Private`
+ ```powershell
+ Set-OrganizationConfig -DefaultGroupAccessType Private
+ ```
To verify the setting:
- `Get-OrganizationConfig | ft DefaultGroupAccessType`
+ ```powershell
+ Get-OrganizationConfig | ft DefaultGroupAccessType
+ ```
To learn more, see [Set-OrganizationConfig](/powershell/module/exchange/set-organizationconfig) and [Get-OrganizationConfig](/powershell/module/exchange/get-organizationconfig).
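Review bot: The verification command keeps the `ft` alias (`Get-OrganizationConfig | ft DefaultGroupAccessType`). Now that it sits in its own fenced block that readers will copy, spell it out as `Format-Table` so it is readable to people who don't know the alias.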
security Mdb View Tvm Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md
Microsoft Defender for Business includes a Threat & Vulnerability Management das
- View your top security recommendations, such as addressing impaired communications with devices, turning on firewall protection, or updating Microsoft Defender Antivirus definitions - View remediation activities, such as any files that were sent to quarantine, or vulnerabilities found on devices
-Want to see how it works? Watch this video, which describes Threat & Vulnerability Management in [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md).
+Want to see how it works? Watch this video, which describes [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md).
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4r1nv]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y1FX]
-To learn more about Threat & Vulnerability Management, see [Threat and vulnerability management in Microsoft Defender for Endpoint](../defender-endpoint/next-gen-threat-and-vuln-mgt.md).
+[Learn more about Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md).
> > **Got a minute?**
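Review bot: After this change the video sentence and the "Learn more" line both link to the same `defender-vulnerability-management.md` page, so one of the two links is redundant. The opening sentence of the article still calls the feature "Threat & Vulnerability Management"; rename it there too, or say that the dashboard is now part of Microsoft Defender Vulnerability Management.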
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
## [Overview]() ### [What is Microsoft Defender for Endpoint?](microsoft-defender-endpoint.md)
-### [Compare Defender for Endpoint Plan 1 to Plan 2](defender-endpoint-plan-1-2.md)
+### [Compare Defender for Endpoint plans](defender-endpoint-plan-1-2.md)
### [Minimum requirements](minimum-requirements.md) ### [What's new in Microsoft Defender for Endpoint?](whats-new-in-microsoft-defender-endpoint.md) ### [Preview features](preview.md)
##### [Onboard previous versions of Windows](onboard-downlevel.md) - ##### [Onboard Windows devices and Windows Servers]() ###### [Onboard Windows Server 2012 R2, 2016, Semi-Annual Channel, 2019, and 2022](configure-server-endpoints.md) ###### [Onboard Windows devices using a local script](configure-endpoints-script.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) ###### [Onboard Windows 10 multi-session devices in Windows Virtual Desktop](onboard-windows-multi-session-device.md) --- #### [Integration with Microsoft Defender for Cloud](azure-server-integration.md) #### [Onboard devices without Internet access](onboard-offline-machines.md)
#### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) #### [Create an onboarding or offboarding notification rule](onboarding-notification.md) -- ### [Microsoft Defender for Endpoint on other Operating Systems]() #### [Onboard non-Windows devices](configure-endpoints-non-windows.md)
##### [Privacy](mac-privacy.md) ##### [Resources](mac-resources.md) - #### [Microsoft Defender for Endpoint on Linux]() ##### [Overview of Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) ##### [What's New](linux-whatsnew.md)
###### [Schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-mde.md) ###### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md) - ##### [Troubleshoot]() ###### [Troubleshoot installation issues](linux-support-install.md) ###### [Investigate agent health issues](health-status.md)
###### [Privacy](ios-privacy.md) - ### [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](security-config-management.md) ### [Troubleshoot onboarding issues]()
#### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md) #### [Troubleshoot security configuration management onboarding issues](troubleshoot-security-config-mgt.md) ---- ### [Configure portal settings]() #### [Configure general Defender for Endpoint settings](preferences-setup.md) #### [General]()
#### [Configure Microsoft Defender Security Center time zone settings](time-settings.md) ## [Detect threats and protect endpoints]()
-### [Threat & vulnerability management]()
-#### [Overview](next-gen-threat-and-vuln-mgt.md)
-#### [Get started]()
-##### [Permissions & prerequisites](tvm-prerequisites.md)
-##### [Supported operating systems platforms and capabilities](tvm-supported-os.md)
-##### [Assign device value](tvm-assign-device-value.md)
-#### [Assess your security posture]()
-##### [Dashboard insights](tvm-dashboard-insights.md)
-##### [Exposure score](tvm-exposure-score.md)
-##### [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-#### [Improve your security posture & reduce risk]()
-##### [Address security recommendations](tvm-security-recommendation.md)
-##### [Remediate vulnerabilities](tvm-remediation.md)
-##### [Exceptions for security recommendations](tvm-exception.md)
-##### [Plan for end-of-support software](tvm-end-of-support-software.md)
-##### [Mitigate zero-day vulnerabilities](tvm-zero-day-vulnerabilities.md)
-#### [Understand vulnerabilities on your devices]()
-##### [Software inventory](tvm-software-inventory.md)
-##### [Vulnerabilities in my organization](tvm-weaknesses.md)
-##### [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-##### [Vulnerable devices report](tvm-vulnerable-devices-report.md)
-##### [Hunt for exposed devices](tvm-hunt-exposed-devices.md)
-#### [Guidance for active threats and campaigns]()
-##### [Manage the Log4Shell vulnerability](tvm-manage-log4shell-guidance.md)
+### [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
### [Device discovery]() #### [Device discovery overview](device-discovery.md) #### [Configure device discovery](configure-device-discovery.md)
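Review bot: The whole "Threat & vulnerability management" node is replaced by a single link to `../defender-vulnerability-management/index.yml`, yet the Log4Shell entry re-added further down under "Guidance for active threats and campaigns" still targets `tvm-manage-log4shell-guidance.md` in this folder. Confirm that the other `tvm-*.md` pages dropped from this TOC have redirects to their new location, and either move the Log4Shell page with them or note why it stays here.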
##### [Client behavioral blocking](client-behavioral-blocking.md) ##### [Feedback-loop blocking](feedback-loop-blocking.md) - ### [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - ### [Manage device configuration]() #### [Increase compliance to the security baseline](configure-machines-security-baseline.md) #### [Optimize attack surface reduction rule deployment and detections](configure-machines-asr.md)
+## [Guidance for active threats and campaigns]()
+### [Manage the Log4Shell vulnerability](tvm-manage-log4shell-guidance.md)
+ ## [Investigate and respond to threats]() ### [Endpoint detection and response]() #### [Endpoint detection and response overview](overview-endpoint-detection-response.md)
####### [Get alert related device information](get-alert-related-machine-info.md) ####### [Get alert related user information](get-alert-related-user-info.md) - ###### [Assessments of vulnerabilities and secure configurations]() ####### [Export assessment methods and properties](get-assessment-methods-properties.md) ####### [Export secure configuration assessment](get-assessment-secure-config.md)
####### [Get Investigation](get-investigation-object.md) ####### [Start Investigation](initiate-autoir-investigation.md)
+###### [Certificate inventory]()
+####### [Export certificate inventory assessment](export-certificate-inventory-assessment.md)
+ ###### [Domain]() ####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related machines](get-domain-related-machines.md)
####### [Upload to live response library](upload-library.md) ####### [Delete from library](delete-library.md) - ###### [Machine]() ####### [Machine methods and properties](machine.md) ####### [List machines](get-machines.md)
####### [Set device value](set-device-value.md) ####### [Update machine](update-machine-method.md) -- ###### [Machine Action]() ####### [Machine Action methods and properties](machineaction.md) ####### [List Machine Actions](get-machineactions-collection.md)
####### [Get exposure score](get-exposure-score.md) ####### [Get device secure score](get-device-secure-score.md)
+###### [Security baselines]()
+####### [Export security baselines assessment](export-security-baseline-assessment.md)
+####### [List security baselines assessment profiles](get-security-baselines-assessment-profiles.md)
+####### [List security baselines assessment configurations](get-security-baselines-assessment-configurations.md)
+ ###### [Software]() ####### [Software methods and properties](software.md) ####### [List software](get-software.md)
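Review bot: In the relocated block, "Guidance for active threats and campaigns" moves from `####` under the removed vulnerability-management node to a top-level `##`, with the Log4Shell entry at `###`, which makes it a sibling of "Investigate and respond to threats" rather than a child of any product area; confirm that promotion is intended. The entry also still targets `tvm-manage-log4shell-guidance.md` in this folder while every other `tvm-*.md` entry is dropped in favor of `../defender-vulnerability-management/index.yml`, so either that file stays behind here or the link needs the new path. The removed pages should have redirects so existing links to them keep resolving.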
security Corelight Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md
To enable the Corelight integration, you'll need to take the following steps:
### Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender > [!NOTE]
-> The integration is available in Corelight Sensor software v24 and later.
+> The integration is available in Corelight Sensor software v25 and later.
> > You will need internet connectivity for your sensor to reach both the Defender and Corelight cloud services for the solution to work.
To enable the Corelight integration, you'll need to take the following steps:
## See also -- [Device discovery FAQ](device-discovery-faq.md)
+- [Device discovery FAQ](device-discovery-faq.md)
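Review bot: The minimum sensor version in the Step 3 note changes from v24 to v25 with nothing to say why, so a reader running v24 who followed the previous text can't tell whether support was withdrawn or the earlier number was a documentation error; a short clause stating which would help. The `## See also` line pair appears to differ only in whitespace and can be left out of the change if so.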
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
Title: Compare Microsoft Defender for Endpoint Plan 1 to Plan 2
+ Title: Compare Microsoft Defender for Endpoint plans
description: Compare Defender for Endpoint Plan 1 to Plan 2. Learn about the differences between the plans and select the plan that suits your organization's needs. keywords: Defender for Endpoint, advanced threat protection, endpoint protection search.appverid: MET150
- m365initiative-defender-endpoint
-# Microsoft Defender for Endpoint Plan 1 and Plan 2
+# Compare Microsoft Defender for Endpoint plans
-**Applies to**
+Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint provides advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting. You can choose from the following options for Microsoft Defender for Endpoint:
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint provides advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting. Two plans are available:
-
-- [Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md); and -- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md), formerly known as [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
+You can use this article to help clarify what protection is provided by the different features available in Defender for Endpoint Plan 1, Defender for Endpoint Plan 2 and the Defender Vulnerability Management add-on.
-## Compare Defender for Endpoint plans
-
-The following table describes what's included in each plan at a high level. <br/><br/>
-
-| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) |
-|:|:|
-| [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) <br/>(includes antimalware and antivirus) <p> [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction) <p> [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions) <p> [Centralized management](defender-endpoint-plan-1.md#centralized-management) <p>[Security reports](defender-endpoint-plan-1.md#reporting) <p>[APIs](defender-endpoint-plan-1.md#apis) | [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md), plus: <p> [Device discovery](device-discovery.md) <p> [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) <p> [Threat Analytics](threat-analytics.md) <p> [Automated investigation and response](automated-investigations.md) <p> [Advanced hunting](advanced-hunting-overview.md) <p> [Endpoint detection and response](overview-endpoint-detection-response.md) <p> [Microsoft Threat Experts](microsoft-threat-experts.md) |
-| [Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support) | Support for Windows (client and server) and non-Windows platforms<br/> (macOS, iOS, Android, and Linux) |
-| To try Defender for Endpoint Plan 1, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial). | To try Defender for Endpoint Plan 2, visit [https://aka.ms/MDEp2OpenTrial](https://aka.ms/MDEp2OpenTrial). |
+| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | [Defender Vulnerability Management add-on](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md)|
+|:|:|:|
+| [Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) <br/>(includes antimalware and antivirus) <p> [Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction) <p> [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions) <p> [Centralized management](defender-endpoint-plan-1.md#centralized-management) <p>[Security reports](defender-endpoint-plan-1.md#reporting) <p>[APIs](defender-endpoint-plan-1.md#apis) | Defender for Endpoint Plan 1 capabilities, plus: <p> <p> [Device discovery](device-discovery.md) <p> [Device inventory](machines-view-overview.md) <p> [Core Defender Vulnerability Management capabilities](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md) <p> [Threat Analytics](threat-analytics.md) <p> [Automated investigation and response](automated-investigations.md) <p> [Advanced hunting](advanced-hunting-overview.md) <p> [Endpoint detection and response](overview-endpoint-detection-response.md) <p> [Microsoft Threat Experts](microsoft-threat-experts.md) | Additional Defender Vulnerability Management for Defender for Endpoint Plan 2: <p> [Security baselines assessment](../defender-vulnerability-management/tvm-security-baselines.md) <p> [Block vulnerable applications](../defender-vulnerability-management/tvm-block-vuln-apps.md) <p> [Browser extensions](../defender-vulnerability-management/tvm-browser-extensions.md) <p> [Digital certificate assessment](../defender-vulnerability-management/tvm-certificate-inventory.md) <p> [Network share analysis](../defender-vulnerability-management/tvm-network-share-assessment.md)|
+| [Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support) | Support for Windows (client and server) and non-Windows platforms<br/> (macOS, iOS, Android, and Linux) | Support for Windows (client and server) and non-Windows platforms<br/> (macOS, iOS, Android, and Linux) |
+| To try Defender for Endpoint Plan 1, visit [https://aka.ms/mdep1trial](https://aka.ms/mdep1trial) | To try Defender for Endpoint Plan 2, visit [https://aka.ms/MDEp2OpenTrial](https://aka.ms/MDEp2OpenTrial) | To try Microsoft Defender Vulnerability Management add-on, visit [https://aka.ms/AddonPreviewTrial](https://aka.ms/AddonPreviewTrial). For more information, see [Get Defender Vulnerability Management](../defender-vulnerability-management/get-defender-vulnerability-management.md).
## Next steps
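Review bot: The `description:` metadata still reads "Compare Defender for Endpoint Plan 1 to Plan 2" although the title, H1 and table now cover the Defender Vulnerability Management add-on as well; update it to match. The new intro sentence "You can choose from the following options for Microsoft Defender for Endpoint" is followed by a list that includes Microsoft 365 Defender, which the table does not treat as a plan, so reword the lead-in or drop that item. The last added table row (the trial links) has no closing `|`, unlike the rows above it.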
security Exclude Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exclude-devices.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-respondmachine-abovefoldlink)
-## Exclude devices from threat and vulnerability management
+## Exclude devices from vulnerability management
-Excluding devices that are inactive, duplicate, or out of scope allows you to focus on discovering and prioritizing the risks on your active devices. This action can also help reflect a more accurate threat and vulnerability management exposure score, as the excluded devices won't be visible in your threat and vulnerability management reports.
+Excluding devices that are inactive, duplicate, or out of scope allows you to focus on discovering and prioritizing the risks on your active devices. This action can also help reflect a more accurate vulnerability management exposure score, as the excluded devices won't be visible in your vulnerability management reports.
-Once devices are excluded, you won't be able to view updated or relevant information about vulnerabilities and installed software on these devices. It affects all threat and vulnerability management pages, reports, and related tables in advanced hunting.
+Once devices are excluded, you won't be able to view updated or relevant information about vulnerabilities and installed software on these devices. It affects all vulnerability management pages, reports, and related tables in advanced hunting.
Even though the device exclusion feature removes the device data from vulnerability management pages and reports, the devices remain connected to the network and can still be a risk to the organization. You'll be able to cancel the device exclusion at any time.
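Review bot: Renaming the H2 to "Exclude devices from vulnerability management" changes its generated anchor, so any inbound link to the old `#exclude-devices-from-threat-and-vulnerability-management` fragment will stop landing on this section; check for references before merging. The replacement text uses the generic lower-case "vulnerability management" where other files in this update use the product name "Microsoft Defender Vulnerability Management"; pick one so readers know whether the exposure score meant here is the product's.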
security Export Certificate Inventory Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-certificate-inventory-assessment.md
+
+ Title: Certificate assessment methods and properties per device
+description: Provides information about the certificates APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export certificate inventory per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+
+- **JSON response** The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. You can download data from Azure Storage as follows:
+ - Call the API to get a list of download URLs with all your organization data.
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.
+
+> [!NOTE]
+> Unless indicated otherwise, all export security baseline assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)
+
+## 1. Export certificate assessment (JSON response)
+
+### 1.1 API method description
+
+Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.
+
+#### 1.2 Limitations
+
+- Maximum page size is 200,000.
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.3 Parameters
+
+- pageSize (default = 50,000): Number of results in response.
+- $top: Number of results to return (doesn't return @odata.nextLink and so doesn't pull all the data).
+
+### 1.4 HTTP request
+
+```http
+GET /api/machines/certificateAssessmentByMachine
+```
+
+### 1.5 Properties (JSON response)
+
+> [!NOTE]
+> Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.
+>
+> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+>
+> The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+
+Property (ID)|Data type|Description
+:|:|:
+|DeviceId|String|Unique identifier for the device in the service.
+|DeviceName|String|Fully qualified domain name (FQDN) of the device.
+|Thumbprint|Boolean|Unique identifier for the certificate.
+|Path|String|The location of the certificate.
+|SignatureAlgorithm|String|Hashing algorithm and encryption algorithm used.
+|KeySize|String|Size of the key used in the signature algorithm.
+|ExpirationDate|String|The date and time beyond which the certificate is no longer valid.
+|IssueDate|String|The earliest date and time when the certificate became valid.
+|SubjectType|String|Indicates if the holder of the certificate is a CA or end entity.
+|SerialNumber|String|Unique identifier for the certificate within a certificate authority's systems.
+|IssuedTo|Object|Entity that a certificate belongs to; can be a device, an individual, or an organization.
+|IssuedBy|Object|Entity that verified the information and signed the certificate.
+|KeyUsage|String|The valid cryptographic uses of the certificate's public key.
+|ExtendedKeyUsage|String|Other valid uses for the certificate.
+|RbacGroupId|String|The role-based access control (RBAC) group id.
+|RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC groups, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+
+## 1.6 Example
+
+### 1.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentByMachine
+```
+
+### 1.6.2 Response example
+
+```json
+
+ {
+ "@odata.context":"https://127.0.0.1/api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetCertificateAssessment)",
+ "value":[
+ {
+ "deviceId":"49126b9e4a5473b5229c73799e9e55c48668101b",
+ "deviceName":"testmachine5",
+ "thumbprint":"A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
+ "path":"LocalMachine\\TestSignRoot\\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90",
+ "signatureAlgorithm":"sha384ECDSA",
+ "keyLength":0,"notAfter":"0001-01-01T00:00:00Z",
+ "notBefore":"0001-01-01T00:00:00Z",
+ "subjectType":"CA",
+ "serialNumber":"6086A185EAFA2B9943B4671603F40323",
+ "subjectObject":null,
+ "issuerObject":null,
+ "keyUsageArray":null,
+ "extendedKeyUsageArray":null,
+ "isSelfSigned":false,
+ "rbacGroupId":4226,
+ "rbacGroupName":"testO6343398Gq31"}],
+ "@odata.nextLink":"https://127.0.0.1/api/machines/CertificateAssessmentByMachine?pagesize=1&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMi0wMy0yMS8wNTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjF9"
+ }
+```
+
+## 2. Export certificate assessment (via files)
+
+### 2.1 API method description
+
+Returns all certificate assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, Thumbprint and Path.
+
+#### 2.2 Limitations
+
+- Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.3 Parameters
+
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
+
+### 2.4 HTTP request
+
+```http
+GET /api/machines/certificateAssessmentExport
+```
+
+### 2.5 Properties (JSON response)
+
+> [!NOTE]
+> The files are gzip compressed & in multiline Json format.
+>
+> The download URLs are only valid for 3 hours; otherwise, you can use the parameter.
+>
+> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+>
+> Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
+>
+> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+
+Property (ID)|Data type|Description
+:|:|:
+|Export files|String[array]|A list of download URLs for files holding the current snapshot of the organization.
+|GeneratedTime|DateTime|The time the export was generated.
++
+## 2.6 Example
+
+### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.contoso.com/api/machines/certificateAssessmentExport
+```
+
+### 2.6.2 Response example
+
+```json
+ {
+ "@odata.context":"https://127.0.0.1/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+ "exportFiles":["https://tvmexportexternalstgeus.blob.core.windows.net/temp-5c080622-f613-42bb-9fee-e17ccdff90d3/2022-03-20/1318/CertificateAssessmentExport/json/OrgId=47d41a0c-188d-46d3-bbea-a93dbc0bfcaPMwaD3G0RJTZkS4R9J8oN8I3tu%2FOcG35c%3D"],
+ "generatedTime":"2022-03-20T13:18:00Z"
+ }
+```
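Review bot: The 1.6.1 request example calls `/api/machines/BaselineComplianceAssessmentByMachine`, the security baselines endpoint, while section 1.4 documents `/api/machines/certificateAssessmentByMachine`; the example should use the certificate route. The 1.5 property table does not match the 1.6.2 response: `Thumbprint` is typed Boolean but the sample is a hex string, `RbacGroupId` is typed String but the sample is the number 4226, the table lists `KeySize`, `ExpirationDate`, `IssueDate`, `IssuedTo`, `IssuedBy`, `KeyUsage` and `ExtendedKeyUsage` while the response carries `keyLength`, `notAfter`, `notBefore`, `subjectObject`, `issuerObject`, `keyUsageArray` and `extendedKeyUsageArray`, and `isSelfSigned` is not documented at all. The page has no Permissions section (the baselines export page has one), the opening note still says "export security baseline assessment methods", and the 2.5 note points to "the parameter" without naming `sasValidHours` and mentions `pageSize`, which section 2.3 does not list. In 2.6.2 the `exportFiles` URL ends in a URL-encoded, base64-looking value run into the `OrgId`; replace it with placeholders such as the `<Org Id>` and `?sv=ABCD` form used in the baselines page so no real tenant identifier or signature material is published, and use one host consistently across 1.6.1 and 2.6.1.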
security Export Security Baseline Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-security-baseline-assessment.md
+
+ Title: Security baseline assessment methods and properties per device
+description: Provides information about the security baselines APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# Export security baselines assessment per device
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+
+- **JSON response** The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
+
+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. You can download data from Azure Storage as follows:
+ - Call the API to get a list of download URLs with all your organization data.
+ - Download all the files using the download URLs and process the data as you like.
+
+Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.
+
+> [!NOTE]
+> Unless indicated otherwise, all export security baseline assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)
+
+## 1. Export security baselines assessment (JSON response)
+
+### 1.1 API method description
+
+Returns all security baselines assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, ProfileId, ConfigurationId.
+
+### 1.2 Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|SecurityBaselinesAssessment.Read.All |'Read all security baselines assessments information'
+Delegated (work or school account)|SecurityBaselinesAssessment.Read|'Read security baselines assessments information'
+
+### 1.3 Limitations
+
+- Maximum page size is 200,000.
+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.
+
+### 1.4 Parameters
+
+- pageSize (default = 50,000): Number of results in response.
+- $top: Number of results to return (doesn't return @odata.nextLink and so doesn't pull all the data).
+
+### 1.5 HTTP request
+
+```http
+GET /api/machines/baselineComplianceAssessmentByMachine
+```
+
+### 1.6 Properties (JSON response)
+
+> [!NOTE]
+> Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter.
+>
+> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+>
+> The properties defined in the following table are listed alphabetically by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+
+Property (ID)|Data type|Description
+:|:|:
+|configurationId|String|Unique identifier for a specific configuration in the baseline benchmark.
+|profileId|String|Unique identifier for the profile assessed.
+|deviceId|String|Unique identifier for the device in the service.
+|deviceName|String|Fully qualified domain name (FQDN) of the device.
+|isApplicable|Boolean|Indicates whether the configuration is applicable to this device.
+|isCompliant|Boolean|Indicates whether the device is compliant with configuration.
+|id|String|Unique identifier for the record, which is a combination of DeviceId, ProfileId, and ConfigurationId.
+|osVersion|String|Specific version of the operating system running on the device.
+|osPlatform|String|Operating system platform running on the device. Specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See [TVM supported operating systems and platforms](tvm-supported-os.md) for details.
+|rbacGroupId|Int|The role-based access control (RBAC) group Id. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+|rbacGroupName|String|The role-based access control (RBAC) group. If the device isn't assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+|DataCollectionTimeOffset|DateTime|The time the data was collected from the device. This field may not appear if no data was collected.
+|ComplianceCalculationTimeOffset|DateTime|The time the assessment calculation was made.
+|RecommendedValue|String|Set of expected values for the current device setting to be complaint.
+|CurrentValue|String|Set of detected values found on the device.
+|Source|String|The registry path or other location used to determine the current device setting.
+
+## 1.7 Example
+
+### 1.7.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentByMachine
+```
+
+### 1.7.2 Response example
+
+```json
+{
+"@odata.context": " https://api.securitycenter.microsoft.com /api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetBaselineAssessment)",
+"value": [
+{
+ "id": "0000682575d5d473e82ed4d8680425d152411251_9e1b90be-e83e-485b-a5ec-4a429412e734_1.1.1",
+ "configurationId": "1.1.1",
+ "deviceId": "0000682575d5d473242222425d152411251",
+ "deviceName": " ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596 ",
+ "profileId": "9e1b90be-e83e-485b-a5ec-4a429412e734",
+ "osPlatform": "WindowsServer2019",
+ "osVersion": "10.0.17763.2330",
+ "rbacGroupId": 86,
+ "rbacGroupName": "UnassignedGroup",
+ "isApplicable": true,
+ "isCompliant": false,
+ "dataCollectionTimeOffset": "2021-12-22T00:08:02.478Z",
+ "recommendedValue":ΓÇ»[
+                 "Greater than or equal '24'"
+             ],
+             "currentValue": [
+                 "24"
+             ],
+             "source": [
+                 "password_hist_len"
+             ],
+}
+```
+
+## 2. Export security baselines assessment (via files)
+
+### 2.1 API method description
+
+Returns all security baselines assessments for all devices, on a per-device basis. It returns a table with a separate entry for every unique combination of DeviceId, ProfileId, ConfigurationId.
+
+### 2.2 Limitations
+
+- Rate limitations for this API are 5 calls per minute and 20 calls per hour.
+
+### 2.3 URL
+
+```http
+GET /api/machines/BaselineComplianceAssessmentExport
+```
+
+### 2.4 Parameters
+
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
+
+### 2.5 Properties (via files)
+
+> [!NOTE]
+> The files are gzip compressed & in multiline Json format.
+>
+>The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+>
+>To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.
+>
+>Each record is approximately 1KB of data. You should take this into account when choosing the pageSize parameter that works for you.
+>
+>Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.
+
+Property (ID)|Data type|Description
+:|:|:
+|Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization.
+|GeneratedTime|String|The time that the export was generated.
+
+## 2.6 Example
+
+### 2.6.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAssessmentExport
+```
+
+### 2.6.2 Response example
+
+```json
+{
+    "@odata.context": "https://api.securitycenter. contoso.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",
+    "exportFiles": 
+ [
+    "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId= OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00000-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv=ABCD",
+   "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00001-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv= ABCD",
+    ],
+    "generatedTime": "2021-01-11T11:01:00Z"
+}
+```
+
+## See also
+
+- [Get security baselines assessment profiles](get-security-baselines-assessment-profiles.md)
+- [Get security baselines assessment configurations](get-security-baselines-assessment-configurations.md)
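Review bot: The 1.7.2 response example is not valid JSON: the `"source"` array is followed by a trailing comma, and the `value` array and the outer object are never closed (the block ends after a single `}`). The `@odata.context` and `deviceName` strings also carry stray leading and trailing spaces, and the sample `deviceId` is not the prefix of the sample `id` even though the table defines `id` as the combination of DeviceId, ProfileId and ConfigurationId. In the 1.6 table, `rbacGroupId` is typed Int but described as returning "Unassigned" or "None", "complaint" in the `RecommendedValue` row should be "compliant", the last five property names switch to PascalCase while the response uses camelCase, and `RecommendedValue`, `CurrentValue` and `Source` are typed String but shown as arrays. The 2.6.2 example has a trailing comma in `exportFiles`, a doubled `OrgId= OrgId=`, and spaces inside the host and query string; the 2.5 note mentions `pageSize`, which 2.4 does not list, and should name `sasValidHours` where it says "the parameter".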
security Get Security Baselines Assessment Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations.md
+
+ Title: Security baselines assessment configurations
+description: Provides information about the security baselines assessment configurations that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
+++
+# List security baselines assessment configurations
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
++
+## 1. Get all security baselines assessment configurations
+
+This API retrieves a list of all the possible security baselines assessment configurations and settings for all the available benchmarks.
+
+### 1.1 Parameters
+
+- Supports OData V4 queries
+- OData supported operators:
+ - `$filter` on:  `id`,  `category`,  `name`, `CCE`
+ - `$top` with max value of 10,000
+ - `$skip`
+
+### 1.2 HTTP request
+
+```http
+GET /api/baselineConfigurationsΓÇ»
+```
+
+### 1.3 Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+### 1.4 Response
+
+If successful, this method returns 200 OK with the list of baseline configurations in the body.ΓÇ»
+
+### 1.5 Properties
+
+|Property | Type | Description |
+|:|:|:|
+|Id | String | Unique identifier for the specific configuration in the baseline benchmark.
+|name | String | The configuration name at it appears in the benchmark.
+|description | String | The configuration description as it appears in the benchmark.
+|category | String | The configuration category as it appears in the benchmark.
+|complianceLevel|String|The compliance level of the benchmark where this configuration appears.
+|`cce`|Int|The CCE for this configuration as it appears in the benchmark.
+|rationale |String|The rationale for this configuration as it appears in the benchmark. For STIG benchmark this isn't supplied for this configuration.
+
+## 1.6 Example
+
+### 1.5.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/baselineConfigurations
+```
+
+### 1.6.2 Response example
+
+```json
+{ΓÇ»
+    "@odata.context": " https://api-df.securitycenter.microsoft.com/api/$metadata#BaselineConfigurations ", 
+    "value": [ 
+        { 
+            "id": "1.1.8", 
+            "name": "(L1) Ensure 'Allow importing of payment info' is set to 'Disabled'", 
+            "description": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">This policy setting controls whether users are able to import payment information from another browser into Microsoft Edge as well as whether payment information is imported on first use.</p>", 
+            "category": "Microsoft Edge", 
+            "complianceLevels": [ 
+                "Level 1 (L1) - Corporate/Enterprise Environment (general use)", 
+                "Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)" 
+            ], 
+            "cce": "", 
+            "rationale": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">Having payment information automatically imported or allowing users to import payment data from another browser into Microsoft Edge could allow for sensitive data to be imported into Edge.</p>", 
+            "remediation": "<div xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">\r\n  <p>\r\n    <p>\r\nTo establish the recommended configuration via GP, set the following UI path to                 <span class=\"inline_block\">Disabled</span></p>\r\n    <code class=\"code_block\">Computer Configuration\\Policies\\Administrative Templates\\Microsoft Edge\\Allow importing of payment info\r\n</code>\r\n    <p>\r\n      <strong>Note:</strong>\r\n This Group Policy path may not exist by default. It is provided by the Group Policy template                 <span class=\"inline_block\">MSEdge.admx/adml</span>\r\n that can be downloaded from Microsoft                 <a href=\"https://www.microsoft.com/en-us/edge/business/download\">here</a>\r\n.              </p>\r\n    <p class=\"bold\">Impact:</p>\r\n    <p>\r\n      <p>Users will be unable to perform a payment information import from other browsers into Microsoft Edge.</p>\r\n    </p>\r\n  </p>\r\n</div>", 
+            "benchmarkName": "CIS" 
+"recommendedValue":ΓÇ»[
+                "Equals '0'"
+            ],
+            "source": [
+                "hkey_local_machine\\software\\policies\\microsoft\\windows\\eventlog\\security\\retention"
+            ]
+        }, 
+    ] 
+}ΓÇ»
+```
+
+## See also
+
+- [Export security baselines assessment](export-security-baseline-assessment.md)
+- [Get security baselines assessment profiles](get-security-baselines-assessment-profiles.md)
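Review bot: The properties table in 1.5 does not describe the object shown in the 1.6.2 response example. The table documents `complianceLevel` as a String, but the response returns `complianceLevels` as an array. `cce` is typed Int, but the response shows `"cce": ""`. The response fields `remediation`, `benchmarkName`, `recommendedValue` and `source` are not in the table at all. Suggest aligning names and types and adding the four missing rows. The example is also not parseable: there is no comma after `"benchmarkName": "CIS"`, there is a trailing comma after the closing `},` of the only array element, and the `@odata.context` value has leading and trailing spaces and an `api-df` host that differs from the request host. The `source` registry path (`...\\eventlog\\security\\retention`) belongs to a different setting than the Microsoft Edge "Allow importing of payment info" configuration it is attached to. On structure, `## 1.6 Example` is one heading level above its sibling sections and its first child is numbered `1.5.1` rather than `1.6.1`, and the description for `name` reads "at it appears" for "as it appears".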
security Get Security Baselines Assessment Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-profiles.md
+
+ Title: Security baselines assessment profiles
+description: Provides information about the security baselines assessment profiles APIs that pull "threat and vulnerability management" data. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
+keywords: api, apis, export assessment, per device assessment, per machine assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
++
+
+# List all security baselines assessment profiles
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management - Update](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender Vulnerability Management? [Sign up for a free trial.- Update](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+## 1. Get security baselines assessment profiles
+
+This API retrieves a list of all security baselines assessment profiles created by the organization.ΓÇ»
+
+### 1.1 Parameters
+
+- Supports OData V4 queries. 
+- OData supported operators:ΓÇ»
+ - $filter on : id,name, operatingSystem, operatingSystemVersion, status, settingsNumber, passedDevices, totalDevices 
+ - $top with max value of 10,000. 
+ - $skip.
+
+### 1.2 HTTP request
+
+```http
+GET:/api/baselineProfiles
+```
+
+### 1.3 Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+### 1.4 Properties
+
+|Property | Type | Description |
+|:|:|:|
+|Id | String | Unique identifier for the specific baseline profile.
+|name | String | The profile name.
+|description | String | The profile description.
+|benchmark | String | The profile benchmark.
+|version | String | The profile version.
+|operatingSystem|String|The profile applicable operating system.
+|operatingSystemVersion|String|The profile applicable operating system version.
+|status|Boolean|Indicates whether the profile is active or not
+|complianceLevel|String|The compliance level chosen for the profile.
+|settingsNumber|Int|Number of selected configurations in the profile.
+|createdBy|String|The user that created this profile.
+|lastUpdatedBy|DateTime|The last user to modify this profile.
+|createdOnTimeOffset|DateTime|The date and time the profile was created.
+|lastUpdateTimeOffset|DateTime|The date and time the profile was last updated.
+|passedDevices|Int|The number of devices applicable to this profile that are compliant with all of the profile configurations.
+|totalDevices|Int|Number of devices applicable to this profile.
+
+## 1.5 Example
+
+### 1.5.1 Request example
+
+```http
+GET https://api.securitycenter.microsoft.com/api/baselineProfilesΓÇ»
+```
+
+### 1.6.2 Response example
+
+```json
+{ΓÇ»
+    "@odata.context": "https:// api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicBaselineProfileDto)", 
+    "value": 
+ [ΓÇ»
+        { 
+            "id": "02bcbb9d-d197-479e-811e-1cd5a6f9f8fa", 
+            "name": "Windows 10 build 1909 CIS profile", 
+            "description": "important", 
+            "benchmark": "CIS", 
+            "version": "1.0.0", 
+            "operatingSystem": "Windows 10", 
+            "operatingSystemVersion": "1909", 
+            "status": true, 
+            "complianceLevel": "Level 1 (L1) - Corporate/Enterprise Environment (general use)", 
+            "settingsNumber": 51, 
+            "createdBy": "user@org.net", 
+            "lastUpdatedBy": null, 
+            "createdOnTimestampUTC": "0001-01-01T00:00:00Z", 
+            "lastUpdateTimestampUTC": "0001-01-01T00:00:00Z", 
+            "passedDevices": 0, 
+            "totalDevices": 10 
+        } 
+     ] 
+}ΓÇ»
+```
+
+## See also
+
+- [Export security baselines assessment](export-security-baseline-assessment.md)
+- [Get security baselines assessment configurations](get-security-baselines-assessment-configurations.md)
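Review bot: The timestamp properties in the 1.4 table do not match the response example. The table lists `createdOnTimeOffset` and `lastUpdateTimeOffset`, while the response returns `createdOnTimestampUTC` and `lastUpdateTimestampUTC`, so a client written from the table will read nothing. Pick one pair of names and use it in both places. In the same table `lastUpdatedBy` is typed DateTime although its description is "The last user to modify this profile" and the example value sits next to `createdBy`, which is a String. The request line in 1.2 reads `GET:/api/baselineProfiles`; the colon should be a space, as in the sibling configurations article (`GET /api/baselineConfigurations`). That sibling also has a "Response" section stating the 200 OK behaviour, which is missing here. The example subsections are numbered `1.5.1` and then `1.6.2`, the `@odata.context` value contains a space after `https://`, and the `$filter` field names in 1.1 are not in code formatting, unlike the configurations article.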
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
ms.technology: mde
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-machinesview-abovefoldlink)
-The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
+The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
+> [!NOTE]
+> The device inventory is available in different Microsoft 365 Defender services. The information available to you will differ depending on your license. You'll get the most complete set of capabilities when using [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037).
+ There are several options you can choose from to customize the devices list view. On the top navigation you can: - Add or remove columns
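Review bot: The rename from "Devices list" to "Device inventory" is only half applied. The intro sentence now says **Device inventory**, but the line "There are several options you can choose from to customize the devices list view" keeps the old term, and the same intro sentence still calls the view "the queue". Suggest using "device inventory" throughout so the article matches the new heading term. The new Applies-to entry also links to a relative `../defender-vulnerability-management/index.yml`, while the neighbouring entries use `go.microsoft.com/fwlink` links; confirm that is intended.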
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
ms.technology: mde
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. > [!TIP]
-> Microsoft Defender for Endpoint is available in two plans: Defender for Endpoint Plan 1 and Plan 2. This article describes the features and capabilities that are included in each plan. [Learn more about Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
->
+> Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.
+>
+> For more information on the features and capabilities included in each plan, including the new Defender Vulnerability Management add-on, see [Compare Microsoft Defender for Endpoint plans](defender-endpoint-plan-1-2.md).
<p><p>
+Watch the following video to learn more about Defender for Endpoint:
+ > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob] Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
Defender for Endpoint uses the following combination of technology built into Wi
<center><h2>Microsoft Defender for Endpoint</center></h2> <table> <tr>
-<td><a href="#tvm"><center><img src="images/TVM_icon.png" alt="Threat & Vulnerability Management"> <br><b>Threat & Vulnerability Management</b></center></a></td>
+<td><a href="#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
<td><a href="#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td> <td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>
Defender for Endpoint uses the following combination of technology built into Wi
<a name="tvm"></a>
-**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
+**[Core Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md)**
+
+Built-in core vulnerability management capabilities use a modern risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. To further enhance your ability to assess your security posture and reduce risk, a new Defender Vulnerability Management add-on for Plan 2 is available.
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+For more information on the different vulnerability management capabilities available to you, see [Compare Microsoft Defender Vulnerability Management offerings](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md).
<a name="asr"></a>
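Review bot: In the capability table cell, the image `alt` text and the visible label disagree: `alt="Vulnerability Management"` against the label and section heading "Core Defender Vulnerability Management". Screen-reader users get a different name than the one shown and linked at `#tvm`, so set the `alt` to the same string. There is also a stray leading space inside `<b> Core Defender Vulnerability Management</b>`. In the tip, "available in two plans, Defender for Endpoint Plan 1 and Plan 2" reads better with a colon, as the removed line had.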
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
- Title: Threat and vulnerability management
-description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, endpoint vulnerabilities, next generation
-ms.sitesec: library
-ms.pagetype: security
-------
-# Threat and vulnerability management
--
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-
-Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-
-Watch this video for a quick overview of threat and vulnerability management.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mLsn]
-
-## Bridging the workflow gaps
-
-Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
-
-Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
-
-### Real-time discovery
-
-To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Defender for Endpoint sensors to reduce cumbersome network scans and IT overhead.
-
-It also provides:
--- **Real-time device inventory** - Devices onboarded to Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard.-- **Visibility into software and vulnerabilities** - Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.-- **Application runtime context** - Visibility on application usage patterns for better prioritization and decision-making.-- **Configuration posture** - Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.-
-### Intelligence-driven prioritization
-
-Threat and vulnerability management helps customers prioritize and focus on the weaknesses that pose the most urgent and the highest risk to the organization. It fuses security recommendations with dynamic threat and business context:
--- **Exposing emerging attacks in the wild** - Dynamically aligns the prioritization of security recommendations. Threat and vulnerability management focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.-- **Pinpointing active breaches** - Correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.-- **Protecting high-value assets** - Identify the exposed devices with business-critical applications, confidential data, or high-value users.-
-### Seamless remediation
-
-Threat and vulnerability management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
--- **Remediation requests sent to IT** - Create a remediation task in Microsoft Intune from a specific security recommendation. We plan to expand this capability to other IT security management platforms.-- **Alternate mitigations** - Gain insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.-- **Real-time remediation status** - Real-time monitoring of the status and progress of remediation activities across the organization.-
-## Threat and vulnerability management walk-through
-
-Watch this video for a comprehensive walk-through of threat and vulnerability management.
-
-> [!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
-
-## Navigation pane
-
-<br>
-
-****
-
-|Area|Description|
-|||
-|**Dashboard**|Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.|
-|[**Security recommendations**](tvm-security-recommendation.md)|See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.|
-|[**Remediation**](tvm-remediation.md)|See remediation activities you've created and recommendation exceptions.|
-|[**Software inventory**](tvm-software-inventory.md)|See the list of vulnerable software in your organization, along with weakness and threat information.|
-|[**Weaknesses**](tvm-weaknesses.md)|See the list of common vulnerabilities and exposures (CVEs) in your organization.|
-|[**Event timeline**](threat-and-vuln-mgt-event-timeline.md)|View events that may impact your organization's risk.|
-|||
-
-## APIs
-
-Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-
-See the following articles for related APIs:
--- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)-- [Machine APIs](machine.md)-- [Recommendation APIs](vulnerability.md)-- [Score APIs](score.md)-- [Software APIs](software.md)-- [Vulnerability APIs](vulnerability.md)-- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)-
-## See also
--- [Supported operating systems and platforms](tvm-supported-os.md)-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)-- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
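Review bot: Removing every line of next-gen-threat-and-vuln-mgt.md needs a matching redirect to the replacement article, otherwise existing bookmarks and external links to this page will 404. Please confirm the redirect entry is part of this change set. The deleted "APIs" section, with its list of related API articles and the Tech Community link, and the "Navigation pane" table should also be checked against the new defender-vulnerability-management.md so that content is not lost in the move.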
security Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use.md
ms.technology: mde
Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities.
-Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization.
+Use the **Defender Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization.
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
In this interactive guide, you'll learn how to investigate threats to your organ
Topic | Description :|: [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
-[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
+[View the Defender Vulnerability Management dashboard](../defender-vulnerability-management/tvm-dashboard-insights.md) | The **Defender Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations.
security Defender Vulnerability Management Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities.md
+
+ Title: Compare Microsoft Defender Vulnerability Management offerings
+description: Compare Defender Vulnerability Management Offerings. Learn about the differences between the plans and select the plan that suits your organization's needs.
+keywords: Defender for Endpoint, advanced threat protection, endpoint protection
+search.appverid: MET150
+++
+audience: ITPro
+ Last updated : 05/12/2022
+ms.technology: mdep1
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
+
+- M365-security-compliance
+- m365initiative-defender-endpoint
++
+# Compare Microsoft Defender Vulnerability Management offerings
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+
+**Applies to**
+
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> [!NOTE]
+> Microsoft Defender Vulnerability Management, a new standalone offering will provide the complete set of vulnerability tools and capabilities discussed in this article. To learn more, go to [What is Microsoft Defender Vulnerability Management.](defender-vulnerability-management.md)
+
+This article is intended to provide a high-level overview of the vulnerability features included in:
+
+- **Microsoft Defender for Endpoint Plan 2**. [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https:%2F%2Faka.ms%2FMDEp2OpenTrial)
+- **Microsoft Defender Vulnerability Management add-on** (for existing Defender for Endpoint Plan 2 customers.) [Sign up for a free trial.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+- **Microsoft Defender Vulnerability Management**. To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
++
+| Defender Vulnerability Management <p> _Core capabilities part of Defender for Endpoint Plan 2_| Defender Vulnerability Management add-on <p> _Additional capabilities for Defender for Endpoint Plan 2_| Defender Vulnerability Management Standalone <p> _Full vulnerability Management capabilities_|
+|:|:|:|
+ [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|
+
+## Next steps
+
+- [Get Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md)
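Review bot: The metadata does not fit the article: `ms.technology: mdep1` tags a page whose Applies-to list names Defender for Endpoint Plan 2 and Defender Vulnerability Management, and the `keywords` line ("Defender for Endpoint, advanced threat protection, endpoint protection") never mentions vulnerability management. The sibling articles in this change use `ms.technology: mde`. In the comparison table, the data row starts without a leading `|` while the header and separator rows have one, which can shift the columns when rendered. The shared capabilities are listed in a different order in column 1 and column 3 ("Continuous monitoring" and "Configuration assessment" move), which makes the two columns hard to compare by eye. The `<p>` tags used as separators in the cells are never closed, and the note "a new standalone offering will provide" needs a comma after "offering".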
security Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management.md
+
+ Title: Microsoft Defender Vulnerability Management
+description: This capability in Microsoft Defender Vulnerability Management uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+keywords: vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, endpoint vulnerabilities, next generation
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
++
+# What is Microsoft Defender Vulnerability Management
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
++
+**Applies to:**
+
+- [Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+Reducing cyber risk requires comprehensive risk-based vulnerability management to identify, assess, remediate, and track all your biggest vulnerabilities across your most critical assets, all in a single solution.
+
+Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.
+
+Watch the following video to learn more about Defender Vulnerability Management.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y1FX]
+
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+> [!TIP]
+>For more information on the features and capabilities that are included in each offering, see [Compare Microsoft Defender Vulnerability Management offerings.](defender-vulnerability-management-capabilities.md)
++
+With Defender Vulnerability Management, you can empower your security and IT teams to bridge workflow gaps and prioritize and address critical vulnerabilities and misconfigurations across your organization. Reduce cyber security risk with:
+
+## Asset discovery & inventoryΓÇï
+
+Defender Vulnerability Management built-in and agentless scanners continuously monitor and detect risk in your organization even when devices arenΓÇÖt connected to the corporate network.
+
+A single inventory with a real-time consolidated view of your organization's software applications, digital certificates, network shares, and browser extensions helps you discover and assess all your organizationΓÇÖs assets.
+
+View information on extension permissions and associated risk levels, identify certificates before they expire, detect potential vulnerabilities due to weak signature algorithms, and assess misconfigurations in internal network shares.ΓÇï
+
+## Vulnerability & configuration assessment
+
+Understand and assess your cyber exposure with advanced vulnerability and configuration assessment toolsΓÇï.
+
+- **Security baselines assessment** - Create customizable baseline profiles to measure risk compliance against established benchmarks, such as, Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG).
+- **Visibility into software and vulnerabilities** - Get a view of the organization's software inventory, and software changes like installations, uninstalls, and patches.
+- **Network share assessment** - See actionable security recommendations, in the security recommendations page, for network share configurations identified as vulnerable.
+- **Threat analytics & event timelinesΓÇï** - Use event timelines, and entity-level vulnerability assessments to understand and prioritize vulnerabilities.
+- **Browser extensions** - View a list of the browser extensions installed across different browsers in your organization.
+- **Digital certificatesΓÇï** - View a list of certificates installed across your organization in a single central certificate inventory page.
+
+## Risk-based intelligent prioritization
+
+Defender Vulnerability Management leverage MicrosoftΓÇÖs threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization. A single view of prioritized recommendations from multiple security feeds, along with critical details including related CVEs and exposed devices helps you quickly remediate the biggest vulnerabilities on your most critical assets. Risk-based intelligent prioritization:
+
+- **Focuses on emerging threats** - Dynamically aligns the prioritization of security recommendations with vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
+- **Pinpoints active breaches** - Correlates vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
+- **Protects high-value assets** - Identifies exposed devices with business-critical applications, confidential data, or high-value users.
+
+## Remediation and tracking ΓÇï
+
+Enable security administrators and IT administrators to collaborate and seamlessly remediate issues with built-in workflows.
+
+- **Remediation requests sent to IT** - Create a remediation task in Microsoft Intune from a specific security recommendation.
+- **Block vulnerable applications** - Mitigate risk with the ability to block vulnerable applications for specific device groups.
+- **Alternate mitigations** - Gain insights on other mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
+- **Real-time remediation status** - Real-time monitoring of the status and progress of remediation activities across the organization.
+
+## Navigation pane
+
+<br>
+
+****
+
+|Area|Description|
+|||
+|[Dashboard](tvm-dashboard-insights.md)|Get a high-level view of the organization exposure score, threat awareness, Microsoft Secure Score for Devices, expiring certificates, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.|
+|[**Recommendations**](tvm-security-recommendation.md)|See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.|
+|[**Remediation**](tvm-remediation.md)|See remediation activities you've created and recommendation exceptions.|
+|[**Inventories**](tvm-software-inventory.md)|Discover and assess all your organizationΓÇÖs assets in a single view.|
+|[**Weaknesses**](tvm-weaknesses.md)|See the list of common vulnerabilities and exposures (CVEs) in your organization.|
+|[**Event timeline**](threat-and-vuln-mgt-event-timeline.md)|View events that may impact your organization's risk.|
+|[**Baselines assessment**](tvm-security-baselines.md)|Monitor security baseline compliance and identify changes in real-time.|
++
+## APIs
+
+Run vulnerability management related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
+See the following articles for related APIs:
+
+- [Supported Microsoft Defender for Endpoint APIs](../defender-endpoint/exposed-apis-list.md)
+- [Machine APIs](../defender-endpoint/machine.md)
+- [Recommendation APIs](../defender-endpoint/vulnerability.md)
+- [Score APIs](../defender-endpoint/score.md)
+- [Software APIs](../defender-endpoint/software.md)
+- [Vulnerability APIs](../defender-endpoint/vulnerability.md)
+- [List vulnerabilities by machine and software](../defender-endpoint/get-all-vulnerabilities-by-machines.md)
+
+## Next steps
+
+- [Compare security features in Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md)
+- [Find out how to get Microsoft Defender Vulnerability Management](get-defender-vulnerability-management.md)
+
+## See also
+
+- [Defender Vulnerability management blog](https://go.microsoft.com/fwlink/?linkid=2195501)
+- [Supported operating systems and platforms](tvm-supported-os.md)
+- [Vulnerability management dashboard](tvm-dashboard-insights.md)
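Review bot: In the APIs list, "Recommendation APIs" and "Vulnerability APIs" both link to `../defender-endpoint/vulnerability.md`, so one of the two targets is probably wrong. Please confirm the intended article for the recommendation entry. In the "Risk-based intelligent prioritization" section, "Defender Vulnerability Management leverage" should read "leverages". The paragraph ending "Reduce cyber security risk with:" is followed directly by an H2 rather than a list, so either drop the colon or rephrase it as a lead-in to the sections. In the navigation pane table, the Dashboard link is the only entry that is not bold.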
security Get Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management.md
+
+ Title: Get Microsoft Defender Vulnerability Management
+description: Get Microsoft Defender Vulnerability Management
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 05/12/2022
+ms.technology: mdb
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
+
+- SMB
+- m365-security-compliance
++
+# Sign-up for Microsoft Defender Vulnerability Management public preview
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> [!IMPORTANT]
+> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+
+Microsoft Defender Vulnerability Management will be available as a standalone and as an add-on for Microsoft Defender for Endpoint Plan 2.
+
+To get Microsoft Defender Vulnerability Management, you can choose from these options:
+
+- [Trial the standalone version of Microsoft Defender Vulnerability Management](#defender-vulnerability-management-public-preview)
+- [Get the Microsoft Defender Vulnerability Management add-on](#defender-vulnerability-management-add-on-public-preview-for-defender-for-endpoint-plan-2-customers) as a Defender for Endpoint Plan 2 customer to gain additional Defender Vulnerability Management capabilities
+
+## Defender Vulnerability Management public preview
+
+To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+
+## Defender Vulnerability Management add-on public preview (for Defender for Endpoint Plan 2 customers)
+
+*If you're already a Defender for Endpoint Plan 2 customer, a Microsoft Defender Vulnerability Management Add-on is available and provides additional vulnerability management features.*
+
+1. Visit [https://aka.ms/AddonPreviewTrial](https://aka.ms/AddonPreviewTrial).
+2. If you already have a Microsoft 365 subscription, sign in using your account. If you don't already have a subscription, follow the prompts to create a new account.
+3. Select the **Try now** button to confirm your order of the 120 day subscription of the Microsoft Defender Vulnerability Management Public Preview Trial.
+4. Select **Continue**.
+5. When you sign in for the first time, you'll go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)). See [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md).
+6. Proceed to [Add users and assign licenses](mdvm-add-users.md).
+
+## Next steps
+
+- When you're ready to get started, visit the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) to start using Defender Vulnerability Management.
+- [Assign a device's value](tvm-assign-device-value.md) to helps you differentiate between asset priorities.
+- Use the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) to add or remove users and to assign user licenses for Microsoft Defender Vulnerability Management.
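Review bot: The first option under "To get Microsoft Defender Vulnerability Management" promises "Trial the standalone version", but the section it links to only gives a contact address. Either describe the trial steps there or reword the bullet to say sign-up is by email. The metadata title ("Get Microsoft Defender Vulnerability Management") and the H1 ("Sign-up for ... public preview") disagree, and the H1 should use the verb form "Sign up for". In step 3, "120 day subscription" should be "120-day subscription". In Next steps, "to helps you differentiate" should be "to help you differentiate".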
security Mdvm Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/mdvm-add-users.md
+
+ Title: Add users and assign licenses in Microsoft Defender Vulnerability Management
+description: Add users and assign Defender Vulnerability Management licenses to protect their devices
+search.appverid: MET150
+++
+audience: Admin
+
+ms.technology: mdb
+ms.localizationpriority: medium
++
+f1.keywords: NOCSH
++
+# Add users and assign licenses for Microsoft Defender Vulnerability Management
+
+As soon as you have signed up for Microsoft Defender Vulnerability Management or the Microsoft Defender Vulnerability Management Add-on, your first step is to add users and assign licenses.
+
+> [!IMPORTANT]
+> You must be a global administrator to perform this task.
+
+1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://admin.microsoft.com) and sign in.
+
+2. Go to **Users** > **Active users**, and then select **Add a user**.
+
+3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
+
+ - **Name**: Fill in the first and last name, display name, and username.
+ - **Domain** Choose the domain for the user's account. For example, if the user's username is `Pat`, and the domain is `contoso.com`, they'll sign in by using `pat@contoso.com`.
+ - **Password settings**: Choose whether to use the autogenerated password or to create your own strong password for the user. The user must change their password after 90 days. Or you can choose the option to **Require this user to change their password when they first sign in**. You can also choose whether you want to send the user's password in email when the user is added.
+
+4. On the **Assign product licenses** page, select **Microsoft Defender Vulnerability Management** or **Microsoft Defender Vulnerability Management Add-on**. Then choose **Next**.
+
+ If you don't have any licenses available, you can still add a user and buy additional licenses. For more information about adding users, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).
+
+5. On the **Optional settings** page, you can expand **Profile info** and fill in details, such as the user's jo title, department, location, and so forth. Then choose **Next**.
+
+6. On the **Review and finish** page, review the details, and then select **Finish adding** to add the user. If you need to make any changes, choose **Back** to go back to a previous page.
+
+## Next steps
+
+- [Assign a device value](tvm-assign-device-value.md)
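Review bot: Step 5 has a typo, "the user's jo title" should be "job title". In step 3, the **Domain** item is missing the colon that the **Name** and **Password settings** items have. Also in step 3, the password text offers sending the user's password in email without any guidance. Since this is a security article, consider recommending **Require this user to change their password when they first sign in** whenever the password is emailed.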
security Threat And Vuln Mgt Event Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline.md
+
+ Title: Event timeline
+description: Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
+keywords: event timeline, Microsoft Defender for Endpoint event timeline, Microsoft Defender for Endpoint tvm event timeline, threat and vulnerability management, Microsoft Defender for Endpoint
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
+
+# Event timeline
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
+
+Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
+
+> [!TIP]
+> To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](../defender-endpoint/configure-email-notifications.md)
+
+## Navigate to the Event timeline page
+
+There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md):
+
+- **Organization exposure score card**: Hover over the event dots in the "Exposure Score over time" graph and select "See all events from this day." The events represent software vulnerabilities.
+- **Microsoft Secure Score for Devices**: Hover over the event dots in the "Your score for devices over time" graph and select "See all events from this day." The events represent new configuration assessments.
+- **Top events card**: Select "Show more" at the bottom of the top events table. The card displays the three most impactful events in the last 7 days. Impactful events can include if the event affects a large number of devices, or if it is a critical vulnerability.
+
+### Exposure score and Microsoft Secure Score for Devices graphs
+
+In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top software vulnerability events from that day that impacted your devices. Hover over the Microsoft Secure Score for Devices graph to view new security configuration assessments that affect your score.
+
+If there are no events that affect your devices or your score for devices, then none will be shown.
+
+![Exposure score hover.](../../media/defender-vulnerability-management/tvm-event-timeline-device-hover360.png)
+![Microsoft Secure Score for Devices hover.](../../media/defender-vulnerability-management/tvm-event-timeline-device-hover360.png)
+
+### Drill down to events from that day
+
+Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
+
+![Event timeline selected custom date range.](../../media/defender-vulnerability-management/tvm-event-timeline-drilldown.png)
+
+Select **Custom range** to change the date range to another custom one, or a pre-set time range.
+
+![Event timeline date range options.](../../media/defender-vulnerability-management/tvm-event-timeline-dates.png)
+
+## Event timeline overview
+
+On the Event timeline page, you can view the all the necessary info related to an event.
+
+Features:
+
+- Customize columns
+- Filter by event type or percent of impacted devices
+- View 30, 50, or 100 items per page
+
+The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
+
+![Event timeline page.](../../media/defender-vulnerability-management/tvm-event-timeline-overview-mixed-type.png)
+
+### Columns
+
+- **Date**: month, day, year
+- **Event**: impactful event, including component, type, and number of impacted devices
+- **Related component**: software
+- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
+- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
+- **Types**: reflect time-stamped events that impact the score. They can be filtered.
+ - Exploit added to an exploit kit
+ - Exploit was verified
+ - New public exploit
+ - New vulnerability
+ - New configuration assessment
+- **Score trend**: exposure score trend
+
+### Icons
+
+The following icons show up next to events:
+
+- ![bug icon.](../../media/defender-vulnerability-management/tvm-black-bug-icon.png) New public exploit
+- ![report warning icon.](../../media/defender-vulnerability-management/report-warning-icon.png) New vulnerability was published
+- ![exploit kit.](../../media/defender-vulnerability-management/bug-lightning-icon2.png) Exploit found in exploit kit
+- ![bug icon with warning icon.](../../media/defender-vulnerability-management/bug-caution-icon2.png) Exploit verified
+
+### Drill down to a specific event
+
+Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
+
+The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
+
+![Event timeline flyout.](../../media/defender-vulnerability-management/tvm-event-timeline-flyout500.png)
+
+From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md).
+
+## View Event timelines in software pages
+
+To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
+
+A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
+
+![Software page with an Event timeline graph.](../../media/defender-vulnerability-management/tvm-event-timeline-software2.png)
+
+Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
+
+![Software page with an Event timeline tab.](../../media/defender-vulnerability-management/tvm-event-timeline-software-pages.png)
+
+## Related topics
+
+- [Dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediate vulnerabilities](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
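Review bot: Under "Exposure score and Microsoft Secure Score for Devices graphs", both images point to the same file, `tvm-event-timeline-device-hover360.png`, although the alt texts describe two different hovers. One of them needs its own screenshot. "Navigate to the Event timeline page" opens with "There are also three entry points" without naming a first entry point, so either add the direct navigation path or drop "also". The dashboard bullets quote the link as "See all events from this day" while the drill-down section calls it **Show all events from this day**, so use whichever label the UI shows. Wording fixes: "Reduce you exposure" should be "Reduce your exposure", "view the all the necessary info" has an extra "the", and "select **Go to related security recommendation** view the recommendation" is missing "to".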
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-assign-device-value.md
+
+ Title: Assign device value
+description: Learn how to assign a low, normal, or high value to a device to help you differentiate between asset priorities.
+keywords: Microsoft Defender for Endpoint device value, threat and vulnerability management device value, high value devices, device value exposure score
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Assign device value
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices assigned as "high value" will receive more weight.
+
+You can also use the [set device value API](../defender-endpoint/set-device-value.md).
+
+Device value options:
+
+- Low
+- Normal (Default)
+- High
+
+Examples of devices that should be assigned a high value:
+
+- Domain controllers, Active Directory
+- Internet facing devices
+- VIP devices
+- Devices hosting internal/external production services
+
+## Choose device value
+
+1. Navigate to any device page, the easiest place is from the device inventory.
+
+2. Select **Device value** from three dots next to the actions bar at the top of the page.
++
+3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
++
+## How device value impacts your exposure score
+
+The exposure score is a weighted average across all devices. If you have device groups, you can also filter the score by device group.
+
+- Normal devices have a weight of 1
+- Low value devices have a weight of 0.75
+- High value devices have a weight of NumberOfAssets / 10.
+ - If you have 100 devices, each high value device will have a weight of 10 (100/10)
+
+## Related topics
+
+- [Exposure Score](tvm-exposure-score.md)
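Review bot: In "How device value impacts your exposure score", the high-value weight of NumberOfAssets / 10 drops below the normal weight of 1 for organizations with fewer than 10 devices (5 devices gives 0.5), which contradicts the earlier statement that high-value devices "will receive more weight". Please state whether a minimum applies or note the lower bound on device count. The intro phrase "risk appetite of an individual asset" is unclear, since risk appetite belongs to the organization, and something like "the relative importance of an individual asset" would read better. Step 1 ("Navigate to any device page, the easiest place is from the device inventory") is a comma splice.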
security Tvm Block Vuln Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps.md
+
+ Title: Block vulnerable applications (beta)
+description: Block vulnerable applications
+keywords: Microsoft Defender for Endpoint security baselines, mdvm, threat & vulnerability management
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Block vulnerable applications (beta)
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application, until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
+
+While taking the remediation steps suggested by a security recommendation, security admins with the proper permissions can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s will be created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.  
+
+## Block or warn mitigation action
+
+The **block action** is intended to block all installed vulnerable versions of the application in your organization from running. For example, if there is an active zero-day vulnerability you can block your users from running the affected software while you determine work-around options.
+
+The **warn action** is intended to send a warning to your users when they open vulnerable versions of the application. Users will can choose to bypass the warning and access the application.
+
+For both actions, you can customize the message the users will see. For example, you can encourage them to install the latest version.  
+
+> [!Note]
+> The block and warn actions are typically enforced within a couple of minutes but can take up to 3 hours.  
+
+## Minimum requirements  
+
+- **Microsoft Defender Antivirus (active mode)**: The detection of file execution events and blocking requires Microsoft Defender Antivirus to be enabled in active mode. By design, passive mode and EDR in block mode can't detect and block based on file execution. To learn more, see [deploy Microsoft Defender Antivirus](../defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md).
+- **Cloud–delivered protection (enabled)**: For more information, see [Manage cloud–based protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md).  
+- **Allow or block file (on)**: Go to **Settings** > **Advanced features** > **Allow or block file.** To learn more, see [Advanced features](../defender-endpoint/advanced-features.md).
+
+## Version requirements  
+
+- The Antimalware client version must be 4.18.1901.x or later.
+- The Engine version must be 1.1.16200.x or later.  
+- Supported on Windows 10 devices, version 1809 or later, with the latest windows updates installed.  
+
+## Permissions  
+
+- If you use [Role-based access control (RBAC)](../defender-endpoint/rbac.md), then you need to have the **Threat and vulnerability management - Application handling** permission assigned.  
+- If you haven't turned on RBAC, you must have one of the following Azure AD roles assigned: **security admin** or **global admin**. To learn more about permissions, go to [Basic permissions](../defender-endpoint/basic-permissions.md).  
+
+## How to block vulnerable applications  
+
+1. Go to **Vulnerability management** > **Recommendations** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select a security recommendation to see a flyout with more information.
+3. Select **Request remediation**.
+4. Select whether you want to apply the remediation and mitigation to all device groups or only a few.
+5. Select the remediation options on the **Remediation request** page. The remediation options are software update, software uninstall, and attention required.
+6. Pick a **Remediation due date** and select **Next**.
+7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it will be immediately applied.  
++
+8. Review the selections you made and **Submit request**. On the final page you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
+
+> [!Important]
+> Based on the available data, the block action will take effect on endpoints in the organization that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint will make a best attempt effort of blocking the applicable vulnerable application or version from running.  
+
+If additional vulnerabilities are found on a different version of an application, you'll get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
+
+## When blocking is not supported
+
+If you don't see the mitigation option while requesting a remediation, it's because the ability to block the application is currently not supported. Recommendations that don't include mitigation actions include:  
+
+- Microsoft applications
+- Recommendations related to operating systems  
+- Recommendations related to apps for MacOS and Linux  
+- Apps where Microsoft does not have sufficient information or a high confidence to block  
+
+If you try to block an application and it doesn't work, you may have reached the maximum indicator capacity. If this is the case, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).  
+  
+## View remediation activities  
+
+After you've submitted the request, go to **Vulnerability management** > **Remediation** > **Activities** to see the newly created remediation activity.
+
+Filter by Mitigation type: Block and/or Warn to view all activities pertaining to block or warn actions.  
+
+This is an activity log, and not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description and the device remediation status:
++
+## View blocked applications  
+
+Find the list of blocked applications by going to **Remediation** > **Blocked applications** tab:
++
+Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.  
+
+The option to **View details of blocked versions in the Indicator page** brings you to the **Settings > Indicators** page where you can view the file hashes and response actions.
+
+> [!Note]
+> If you use the Indicators API with programmatic indicator queries as part of your workflows, be aware that the block action will give additional results.ΓÇ»
+
+You can also **Unblock software** or **Open software page**:
++
+## Unblock applications  
+
+Select a blocked application to view the option to **Unblock software** in the flyout.  
+
+After you've unblocked an application, refresh the page to see it removed from the list. It can take up to 3 hours for an application to be unblocked and become accessible to your users again.
+
+## Users experience for blocked applications
+
+When users try to access a blocked application, they'll receive a message informing them that the application has been blocked by their organization. This message is customizable.
+
+For applications where the warn mitigation option was applied, users will receive a message informing them that the application has been blocked by their organization, but the user has the option to bypass the block for subsequent launches, by choosing ΓÇ£AllowΓÇ¥. This allow is only temporary, and the application will be blocked again after a while.
+
+> [!Note]
+> You may experience instances where the first launch of an application isn't blocked or the notification that the application was blocked doesn't display. This behavior will be fixed in an upcoming release.
+
+## End-user updating blocked applications  
+
+A commonly asked question is how does an end-user update a blocked application? The block is enforced by blocking the executable file. Some applications, such as Firefox, rely on a separate update executable which, will not be blocked by this feature.ΓÇ» In other cases when the application requires the main executable file to update, it is recommended to either implement the block in warn mode (so that the end-user can bypass the block) or the end-user can delete the application (if no vital information is stored on the client) and reinstalls the application.
+
+## Related articles
+
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
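Review bot: The warn-mode paragraph under "Users experience for blocked applications" says the user's Allow is temporary and the application is blocked again "after a while", without giving the interval. The unblock section commits to "up to 3 hours", so state the bypass duration here too: admins choosing between Block and Warn need to know how long a vulnerable version can keep running after a bypass. The same paragraph describes the warn prompt as saying the application "has been blocked", which reads the same as the block-mode message, so say how the two prompts differ. The Indicators API note should say what the "additional results" are (presumably the file-hash indicators shown on the **Settings > Indicators** page mentioned just above it) so existing automation can filter them. Smaller points: the heading should read "User experience", "delete old indicators" needs a period before the link, and the end-user update paragraph has "which, will not be blocked" and "reinstalls".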
security Tvm Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions.md
+
+ Title: Browser extensions assessment
+description: Find out about the browsers extensions installed in your environment
+keywords: Microsoft Defender for Endpoint browser extensions, mdvm, threat & vulnerability management
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Browser extensions assessment
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+A browser extension is a small software application that adds functionality to a web browser. Visibility into the browser extensions installed can help you ensure the safe usage of extensions in your organization.
+
+The **Browser extensions** page displays a list of the browser extensions installed across different browsers in your organization. For each installed extension, you can see the devices itΓÇÖs installed on and if itΓÇÖs turned on or off on these devices. The information available will not only help you learn about the installed extensions, but it can help you make decisions on how you would like to manage the extensions.
+
+## View your browser extensions
+
+1. Go to **Vulnerability management** > **Software inventory** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select the **Browser extensions** tab.
+
+The **Browser extensions** page opens with a list of the browser extensions installed across your organization, including details on the extension name, browser, the number of devices the extension is installed on, and the number that have it turned on.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions.png" alt-text="Screenshot of the Browser extensions page" lightbox="../../media/defender-vulnerability-management/browser_extensions.png":::
+
+You can use the Browser filter to view the relevant list of extensions for a particular browser.  
+
+The **Requested permissions** and **Permissions risk** columns provide more specific information on the number of permissions requested by the extension, and the permissions risk level based on the type of access to devices or sites it requested.  
+
+> [!Note]
+> Only extensions that exist in Edge, Chrome, and Firefox on Windows devices, will appear in browser extension list.
+
+Select a browser extension to open its flyout pane, where you can learn more about the extension:
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_details.png" alt-text="Screenshot of the Browser extensions details pane" lightbox="../../media/defender-vulnerability-management/browser_extensions_details.png":::
+
+Where applicable, there will be a link available on this page to access the extension in the store it was installed from.
+
+### Browser extension permissions
+
+Browser extensions usually need different types of permission to run properly, for example, they may require permission to modify a webpage.
+
+Select the **Permissions** tab, from the browser extension flyout pane, to see information on the permissions the browser extension needs to run, and whether this permission is optional or not.  
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_permissions.png" alt-text="Screenshot of the Browser extensions permissions page" lightbox="../../media/defender-vulnerability-management/browser_extensions_permissions.png":::
+
+The permission risk level generated is based on the type of access the permission is requesting. You can use this information to help make an informed decision on whether you want to allow or block this extension.
+
+> [!Note]
+>Risk is subjective, and itΓÇÖs up to each organization to determine the types of risk they are willing to take on.
+
+Select a permission to see a further flyout with more information.
+
+### View installed devices  
+
+To see the list of the devices the extension is installed on, choose the **Installed devices** tab from the browser extension flyout pane:
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_devices.png" alt-text="Screenshot of the Browser extensions devices tab" lightbox="../../media/defender-vulnerability-management/browser_extensions_devices.png":::
+
+From here, you can search for a particular device the extension is installed on, and you can export a list of the devices to a csv file.
+
+### View installed versions
+
+Select the **Installed versions** tab, from the browser extension flyout pane, to see information on the versions of the extension installed in your organization.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_versions.png" alt-text="Screenshot of the Browser extensions versions tab" lightbox="../../media/defender-vulnerability-management/browser_extensions_versions.png":::
+
+### Browser extensions on devices
+
+You can also view a list of extensions installed on a device:
+
+1. Select the device from the **Installed devices** tab in the flyout panel and select **Open device page** or select the device directly from the **Device inventory** page.
+2. Select the **Browser extensions** tab to see a list of extensions installed on that device.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/browser_extensions_devicepage.png" alt-text="Screenshot of the Browser extensions in the devices page" lightbox="../../media/defender-vulnerability-management/browser_extensions_devicepage.png":::
+
+### Use advanced hunting
+
+You can use advanced hunting queries to gain visibility on browser extensions in your organization. Find details about the browser extensions installed per device in the **DeviceTVMBrowserExtensions** table, or browser extension related information, including extensions permission information in the **DeviceTVMBrowserExtensionsKB** table.
+
+## Related articles
+
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
+- [Advanced hunting schema reference](../defender-endpoint/advanced-hunting-schema-reference.md)
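Review bot: In "Use advanced hunting" the table names are written **DeviceTVMBrowserExtensions** and **DeviceTVMBrowserExtensionsKB**, while the certificate inventory article in this same change writes **DeviceTvmCertificateInfo**. Kusto table names are case-sensitive, so confirm the casing against the schema reference and make the two articles consistent, otherwise a copied name will not resolve. The section would also benefit from one sample query, since the sentence only names the tables. In "Browser extension permissions", the risk level is said to be based on the type of access requested, but the possible levels and what places a permission in each are never listed, which is what a reader needs for the allow-or-block decision the paragraph mentions. Minor: the Windows-only note has a stray comma and a missing article ("on Windows devices, will appear in browser extension list").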
security Tvm Certificate Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory.md
+
+ Title: Certificate inventory
+description: Find out about the certificates installed in your environment
+keywords: Microsoft Defender for Endpoint browser extensions, mdvm, vulnerability management
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Certificate inventory
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Certificates can be used in multiple ways, this includes:
+
+- being part of the TLS\SSL protocol
+- user certificates being used for VPN client authentication, document signing, email encryption and email signing
+- providing data encryption and authentication to ensure the secure transfer of information within your network and over the internet
+
+If there is an issue with a certificate, for example, it has expired or is misconfigured, it could leave your organization vulnerable, cause an outage, and have an impact on day-to-day business operations.
+
+The **Certificate inventory** allows you view a list of the certificates installed across your organization in a single central certificate inventory page. This can help you:  
+
+- Identify certificates that are about to expire so you can update them and prevent service disruption
+- Detect potential vulnerabilities ΓÇïdue to the use of weak signature algorithm (e.g. SHA-1-RSA), short key size (e.g. RSA 512bit), or weak signature hash algorithm (e.g. MD5)
+- Ensure compliance with regulatory guidelines and organizational policy
+
+## View your certificates
+
+1. Go to **Vulnerability management** > **Software inventory** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select the **Certificates** tab.
+
+The **Certificate inventory** page opens with a list of the certificates installed across your organization, including details on the expiration date, key size, who issued the certificate, and the number of instances.
+
+> [!Note]
+> Only certificates found on Windows devices (in the local machine certificate store) will be displayed in certificate inventory list.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/certificate_inventory.png" alt-text="Screenshot of the certificate inventory list" lightbox="../../media/defender-vulnerability-management/certificate_inventory.png":::::::::
+
+## Gain insights into potentially vulnerable certificates
+
+At the top of the page, you can view the number of certificates that have been identified as potentially less secure and introduce risk into your organization. This includes the number of certificates that:  
+
+- have already expired
+- will expire in 60 days or less
+- have a key size with fewer than 2048 bits, as they are considered less secure
+- have a weak signature algorithm, like SHA-1 and MD5
+- are considered vulnerable since they are self-signed
+
+## Use filters on the certificate inventory page
+
+You can use filters to view the inventory based on:
+
+- **Certificate status:** view the certificates that have expired, are expiring soon, are issued with a future date, or are current
+- **Self-signed:** view certificates that are self-signed
+- **Key size:** view certificates that have a short key size or valid key size
+- **Signature hash:** view certificates that have a weak signature hash or valid signature hash
+- **Key usage:** view certificates with key usage values, such as digital signature, repudiation, and certificate signing
+
+## Get more information on a discovered certificate
+
+When you select the certificate that you want to investigate, a flyout panel will open with the certificate details page:
+
+ :::image type="content" source="../../media/defender-vulnerability-management/certificate_details.png" alt-text="Screenshot of the certificate details page" lightbox="../../media/defender-vulnerability-management/certificate_details.png":::
+
+You can select the **Issuing details** tab to see information on who the certificate was issued to and who it was issued by.  
+
+### Certificates on devices
+
+To see the list of the devices the certificate is installed on, choose the **Installed devices** tab from the certificate flyout pane. From here, you can search for a particular device the certificate is installed on, and you can export a list of the devices to a csv file.
+
+You can also view a list of certificates installed on a device:
+
+1. Select the device from the **Installed devices** tab in the flyout panel or select the device directly from the **Device inventory** page.
+2. Select the **Certificate inventory** tab to see a list of certificates installed on that device.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/certificate_inventory_page.png" alt-text="Screenshot of the certificate inventory page" lightbox="../../media/defender-vulnerability-management/certificate_inventory_page.png":::
+
+3. Select a certificate to open the flyout with more information.
+
+## Vulnerability management dashboard widget
+
+See how many certificates have expired or are due to expire in the next 30, 60 or 90 days from the **Expiring certificates** widget available in the vulnerability management dashboard.  
+
+Select **View all** to go to the certificate inventory page.
+
+  :::image type="content" source="../../media/defender-vulnerability-management/certificate_dashboard.png" alt-text="Screenshot of the certificate dashboard widget" lightbox="../../media/defender-vulnerability-management/certificate_dashboard.png":::
+
+## Use advanced hunting
+
+You can use advanced hunting queries to gain visibility on certificates in your organization. For example, using the **DeviceTvmCertificateInfo** table, you can query to show all expired certificates.
+
+## Related articles
+
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
+- [Advanced hunting schema reference](../defender-endpoint/advanced-hunting-schema-reference.md)
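Review bot: The **Key usage** filter bullet lists "repudiation" as a key usage value. The X.509 key usage is non-repudiation, so the bullet should read "digital signature, non-repudiation, and certificate signing". The weak-crypto wording is also inconsistent: the intro separates "weak signature algorithm (e.g. SHA-1-RSA)" from "weak signature hash algorithm (e.g. MD5)", the insights list folds both into "weak signature algorithm, like SHA-1 and MD5", and the filter is named **Signature hash**, so pick one term and use it in all three places. The insights list flags expiry at "60 days or less" while the dashboard widget offers 30, 60 or 90 days, so say which threshold the "expiring soon" filter status uses. Cleanup: the `keywords` line still says "browser extensions", "TLS\SSL" should use a forward slash, "allows you view" is missing "to", and the first image directive ends in a run of extra colons (":::::::::") where a single `:::` is expected.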
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.md
+
+ Title: Dashboard insights
+description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
+keywords: Microsoft Defender for Endpoint-tvm, Microsoft Defender for Endpoint-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
++
+ms.technology: mde
+
+# Dashboard insights
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Defender vulnerability management provides both security administrators and security operations teams with unique value, including:
+
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Invaluable device vulnerability context during incident investigations
+- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
+
+You can use the vulnerability management capability in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> to:
+
+- View your exposure score and Microsoft Secure Score for Devices, along with top security recommendations, software vulnerability, remediation activities, and exposed devices
+- Correlate EDR insights with endpoint vulnerabilities and process them
+- Select remediation options to triage and track the remediation tasks
+- Select exception options and track active exceptions
+
+> [!NOTE]
+> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's vulnerability management exposure score and Microsoft Secure Score for Devices.
+
+Watch this video for a quick overview of what is in the Defender Vulnerability Management dashboard.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4r1nv]
+
+## Vulnerability management dashboard
++
+<br>
+
+****
+
+|Area|Description|
+|||
+|**Selected device groups (#/#)**|Filter the vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the vulnerability management pages.|
+|[**Exposure score**](tvm-exposure-score.md)|See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.|
+|[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md)|See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.|
+|**Device exposure distribution**|See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.|
+|**Expiring certificates**|See how many certificates have expired or are due to expire in the next 30, 60 or 90 days.|
+|**Top security recommendations**|See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.|
+|**Top vulnerable software**|Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.|
+|**Top remediation activities**|Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.|
+|**Top exposed devices**|View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.|
+|
+
+## Related topics
+
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
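Review bot: The product name is inconsistent within this file: the `description` and `keywords` lines say "threat and vulnerability management", the intro says "Defender vulnerability management", and the video sentence says "Defender Vulnerability Management". Use one capitalized product name throughout. The 30-day note ("are not factored in on the data that reflects") is hard to parse, and it is the statement here with the most operational weight, because devices that have been inactive for a month drop out of both scores. Suggested wording: "Devices that haven't been active in the last 30 days aren't included in the exposure score or Microsoft Secure Score for Devices." Also check the table: the delimiter row reads `|||` and a lone `|` follows the last row, and the **Exposure score** row tells the reader to remediate "security configuration issues" although the same cell lists weaknesses discovered in devices as a factor.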
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-end-of-support-software.md
+
+ Title: Plan for end-of-support software and software versions
+description: Discover and plan for software and software versions that are no longer supported and won't receive security updates.
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Plan for end-of-support software and software versions
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+
+It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates.
+
+> [!NOTE]
+> End-of-support capability is currently available only for Windows products.
+
+## Find software or software versions that are no longer supported
+
+1. From the vulnerability management menu, navigate to [**Recommendations**](tvm-security-recommendation.md).
+2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
++
+3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
++
+## List of versions and dates
+
+To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps:
+
+1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon.
++
+2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
++
+3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date.
++
+Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats.
+
+## Related topics
+
+- [Threat and vulnerability management overview](defender-vulnerability-management.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
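Review bot: Under "List of versions and dates", step 1 is not an action ("A message will appear in the security recommendation flyout") and does not say which recommendation to open, so the procedure cannot be followed from a cold start. Begin with selecting a recommendation that carries an EOS tag, then describe the message. The lead-in sentence to that list has a typo, "or end or support soon", and the closing paragraph needs an apostrophe in "your organizations exposure". The Windows-only note should spell out its consequence, that software for other platforms gets no EOS tag, so a missing tag is not read as "still supported". The "Related topics" link text still says "Threat and vulnerability management overview" while pointing at defender-vulnerability-management.md.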
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exception.md
+
+ Title: Create and view exceptions for security recommendations
+description: Create and monitor exceptions for security recommendations in threat and vulnerability management.
+keywords: Microsoft Defender for Endpoint tvm remediation, Microsoft Defender for Endpoint tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Create and view exceptions for security recommendations
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.
+
+When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+## Permissions
+
+Only users with "exceptions handling" permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](../defender-endpoint/user-roles.md).
+
+![View of exception handling permission.](../../media/defender-vulnerability-management/tvm-exception-permissions.png)
+
+## Create an exception
+
+Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form.
+
+![Showing where the button for "exception options" is location in a security recommendation flyout.](../../media/defender-vulnerability-management/tvm-exception-options.png)
+
+### Exception by device group
+
+Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from "active" to "partial exception." The state will change to "full exception" if you select all the device groups.
+
+![Showing device group dropdown.](../../media/defender-vulnerability-management/tvm-exception-device-group-500.png)
+
+#### Filtered views
+
+If you have filtered by device group on any of the vulnerability management pages, only your filtered device groups will appear as options.
+
+This is the button to filter by device group on any of the vulnerability management pages:
+
+![Showing selected device groups filter.](../../media/defender-vulnerability-management/tvm-selected-device-groups.png)
+
+Exception view with filtered device groups:
+
+![Showing filtered device group dropdown.](../../media/defender-vulnerability-management/tvm-exception-device-filter500.png)
+
+#### Large number of device groups
+
+If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
+
+![Showing how to edit large numbers of groups.](../../media/defender-vulnerability-management/tvm-exception-edit-groups.png)
+
+A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
+
+![Showing large device group flyout.](../../media/defender-vulnerability-management/tvm-exception-device-group-flyout-400.png)
+
+### Global exceptions
+
+If you have global administrator permissions, you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from "active" to "full exception."
+
+![Showing global exception option.](../../media/defender-vulnerability-management/tvm-exception-global.png)
+
+Some things to keep in mind:
+
+- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been canceled. After that point, the new device group exceptions will go into effect until they expire.
+- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is canceled before it expires.
+
+### Justification
+
+Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+The following list details the justifications behind the exception options:
+
+- **Third party control** - A third party product or software already addresses this recommendation
+ - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Alternate mitigation** - An internal tool already addresses this recommendation
+ - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced
+- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive
+- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+
+## View all exceptions
+
+Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status.
+
+ Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception.
+
+![Showing the "Exceptions" tab in the Remediation page.](../../media/defender-vulnerability-management/tvm-exception-view.png)
+
+## How to cancel an exception
+
+To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception.
+
+To cancel the exception for all device groups or for a global exception, select the **Cancel exception for all device groups** button. You will only be able to cancel exceptions for device groups you have permissions for.
+
+![The cancel button.](../../media/defender-vulnerability-management/tvm-exception-cancel.png)
+
+### Cancel the exception for a specific device group
+
+Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**.
+
+![Showing how to select a specific device group.](../../media/defender-vulnerability-management/tvm-exception-device-group-hover.png)
+
+## View impact after exceptions are applied
+
+In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
+
+![Showing customize columns options.](../../media/defender-vulnerability-management/tvm-after-exceptions.png)
+
+The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include 'third party control' and 'alternate mitigation'. Other justifications do not reduce the exposure of a device, and they are still considered exposed.
+
+The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include 'third party control' and 'alternate mitigation.' Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
+
+![Showing the columns in the table.](../../media/defender-vulnerability-management/tvm-after-exceptions-table.png)
+
+## Related topics
+
+- [Remediate vulnerabilities](tvm-remediation.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
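Review bot: In the Justification list, only **Third party control** and **Alternate mitigation** state their effect on the scores; a reader has to reach "View impact after exceptions are applied" to learn that **Risk accepted** and **Planned remediation (grace)** leave devices counted as exposed and leave both scores unchanged. Add a matching sub-bullet under those two options so nobody files an exception assuming it lowers exposure. Under "Global exceptions", "only a user with similar permission" should name the role (the preceding sentence says global administrator), and in the second bullet "until it expires or the global exception is canceled before it expires" uses "it" twice without saying which exception is meant. Smaller fixes: "Exceptions per devices group" should be "per device group", and the two "after exceptions" paragraphs punctuate the quoted justification names differently.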
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score.md
+
+ Title: Exposure score in Defender Vulnerability Management
+description: The threat and vulnerability management exposure score reflects how vulnerable your organization is to cybersecurity threats.
+keywords: exposure score, Microsoft Defender for Endpoint exposure score, Microsoft Defender for Endpoint tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender for Endpoint
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Exposure score in Defender Vulnerability Management
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Your exposure score is visible in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft 365 Defender portal. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
+
+- Quickly understand and identify high-level takeaways about the state of security in your organization.
+- Detect and respond to areas that require investigation or action to improve the current state.
+- Communicate with peers and management about the impact of security efforts.
+
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further.
++
+## How it works
+
+The exposure score is broken down into the following levels:
+
+- 0-29: low exposure score
+- 30-69: medium exposure score
+- 70-100: high exposure score
+
+You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+## Reduce your vulnerability exposure
+
+Lower your vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md).
+
+## Related topics
+
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
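Review bot: "How it works" lists only the three score bands and never says what feeds the score, so the section does not explain how the score works; either describe the inputs or retitle it (for example "Score levels"). In the intro, the three bullets starting "Quickly understand and identify high-level takeaways" follow the paragraph with no lead-in saying what they describe, and "The card gives you a high-level view" refers to a card that has not been introduced. "Low exposure score means your devices are less vulnerable from exploitation" should read "A lower exposure score means your devices are less vulnerable to exploitation".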
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices.md
+
+ Title: Hunt for exposed devices
+description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
+keywords: Microsoft Defender for Endpoint-tvm scenarios, Microsoft Defender for Endpoint, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Hunt for exposed devices
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+## Use advanced hunting to find devices with vulnerabilities
+
+Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. [Learn more about advanced hunting](../defender-endpoint/advanced-hunting-overview.md)
+
+### Schema tables
+
+- [DeviceTvmSoftwareInventory](../defender-endpoint/advanced-hunting-devicetvmsoftwareinventory-table.md) - Inventory of software installed on devices, including their version information and end-of-support status.
+
+- [DeviceTvmSoftwareVulnerabilities](../defender-endpoint/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md) - Software vulnerabilities found on devices and the list of available security updates that address each vulnerability.
+-
+
+- [DeviceTvmSoftwareVulnerabilitiesKB](../defender-endpoint/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md) - Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.
+
+- [DeviceTvmSecureConfigurationAssessment](../defender-endpoint/advanced-hunting-devicetvmsecureconfigurationassessment-table.md) - Threat and vulnerability management assessment events, indicating the status of various security configurations on devices.
+
+- [DeviceTvmSecureConfigurationAssessmentKB](../defender-endpoint/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md) - Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
+
+## Check which devices are involved in high severity alerts
+
+1. Go to **Hunting** \> **Advanced hunting** from the left-hand navigation pane of the Microsoft 365 Defender portal.
+
+2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
+
+3. Enter the following queries:
+
+ ```kusto
+ // Search for devices with High active alerts or Critical CVE public exploit
+ let DeviceWithHighAlerts = AlertInfo
+ | where Severity == "High"
+ | project Timestamp, AlertId, Title, ServiceSource, Severity
+ | join kind=inner (AlertEvidence | where EntityType == "Machine" | project AlertId, DeviceId, DeviceName) on AlertId
+ | summarize HighSevAlerts = dcount(AlertId) by DeviceId;
+ let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
+ | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
+ | where IsExploitAvailable == 1 and CvssScore >= 7
+ | summarize NumOfVulnerabilities=dcount(CveId),
+ DeviceName=any(DeviceName) by DeviceId;
+ DeviceWithCriticalCve
+ | join kind=inner DeviceWithHighAlerts on DeviceId
+ | project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts
+ ```
+
+## Related topics
+
+- [Security recommendations](tvm-security-recommendation.md)
+- [Configure data access for threat and vulnerability management roles](../defender-endpoint/user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Advanced hunting overview](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [All advanced hunting tables](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md)
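Review bot: The query comment says "High active alerts or Critical CVE public exploit", but the final step is "join kind=inner DeviceWithHighAlerts on DeviceId", so only devices that have both are returned; nothing filters alerts by status, so "active" is not enforced; and "CvssScore >= 7" also matches High-severity CVEs, not only Critical ones (9.0 and above). Reword the comment to match what the query does (devices with high-severity alerts and an exploitable CVE scoring 7 or higher), or change the query if "or" and "Critical" are what is intended. The heading "Check which devices are involved in high severity alerts" likewise omits the vulnerability half of the query. In "Schema tables" there is an empty "-" bullet after the DeviceTvmSoftwareVulnerabilities entry, step 3 says "queries" for a single query, and the last related link uses a site-relative path with a ".md" extension while the link above it has none.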
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md
+
+ Title: Microsoft Secure Score for Devices
+description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls.
+keywords: Microsoft Secure Score for Devices, Microsoft Defender for Endpoint Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Microsoft Secure Score for Devices
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+> [!NOTE]
+> Configuration score is now part of vulnerability management as Microsoft Secure Score for Devices.
+
+Your score for devices is visible in the [Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft 365 Defender portal. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
+
+- Application
+- Operating system
+- Network
+- Accounts
+- Security controls
+
+Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
+
+## Turn on the Microsoft Secure Score connector
+
+Forward Microsoft Defender for Endpoint signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
+
+Changes might take up to a few hours to reflect in the dashboard.
+
+1. In the navigation pane, go to **Settings** \> **Endpoints** \> **General** \> **Advanced features**
+2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
+3. Select **Save preferences**.
+
+## How it works
+
+> [!NOTE]
+> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
+
+The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously:
+
+- Compare collected configurations to the collected benchmarks to discover misconfigured assets
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
+- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
+- Collect and monitor changes of security control configuration state from all assets
+
+## Improve your security configuration
+
+Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities.
+
+1. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+
+2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
+
+ :::image type="content" alt-text="Security controls related security recommendations." source="../../media/defender-vulnerability-management/security-controls.png":::
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
+
+4. **Submit request**. You'll see a confirmation message that the remediation task has been created.
+
+ :::image type="content" alt-text="Remediation task creation confirmation." source="../../media/defender-vulnerability-management/remediation-task-created.png":::
+
+5. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
+
+6. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase.
+
+> [!IMPORTANT]
+>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
+>
+> - 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+> - RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> - RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> - RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+>
+> To download the security updates:
+>
+> 1. Go to [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/home.aspx).
+> 2. Key-in the security update KB number that you need to download, then click **Search**.
+
+## Related topics
+
+- [Dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
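Review bot: The IMPORTANT block lists the mandatory updates by internal codename (19H1, RS5, RS4, RS3) and gives one KB each, while the prerequisites article in this same update lists them by Windows 10 version (1903, 1809, 1803, 1709) and adds KB4493441 and KB4493464 for 1709 and 1803. Use the public version numbers here and make the two lists agree, or link to the prerequisites table instead of duplicating it. The download steps also stop at "click **Search**" with no step for downloading or deploying the update. In "Improve your security configuration" step 1, "You'll view the list of recommendations" comes before "It will take you to the Security recommendations page"; swap them. Wording: "is the product of meticulous and ongoing vulnerability discovery process" is missing "a", "more resilient from cybersecurity threat attacks" should be "more resilient against", and the first sentence under "Turn on the Microsoft Secure Score connector" is a fragment with no subject.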
security Tvm Network Share Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment.md
+
+ Title: Network share configuration assessment
+description: Learn review recommendations related to network shares in your environment through vulnerability management.
+keywords: Microsoft Defender for Endpoint tvm, assessment tvm, threat & vulnerability management, vulnerable CVE
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Network share configuration assessment
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+The ability to share files and folders over a network allows users to provide access to resources like files, documents, and media to other people on the network. As network shares can be easily accessed by network users, some common weaknesses exist that can cause network shares to be vulnerable.
+
+When vulnerable network share configurations are identified, they're mapped to actionable security recommendations in the Security recommendations page. The following recommendations can help protect against vulnerabilities in network shares that could be exploited by attackers:
+
+- Disallow offline access to shares
+- Remove shares from the root folder
+- Remove share write permission set to ΓÇÿEveryoneΓÇÖ
+- Set folder enumeration for shares
+
+## Find information about exposed network shares
+
+To see security recommendations addressing network share configurations:
+
+1. Go to **Vulnerability management** > **Recommendations**.
+2. Select **Filters** and choose **Related component** > **OS > Shares**.
++
+3. Select **Apply**.
+
+If there are network shares with vulnerabilities to address, they'll appear in the list of recommendations
++
+Select a recommendation to see a flyout with information on the vulnerable network share configuration:
++
+Explore the **Exposed devices** and **Exposed shares** tabs for details of the exposed entities in your organization.
+
+## Request remediation for the network share configuration
+
+You can view and submit a remediation request from the remediation options tab:
++
+## View configuration remediation activities
+
+Go to **Vulnerability management** > **Remediation** and filter by the remediation type, "configuration change" to see the activity item related to this change.
+
+## Related articles
+
+- [Security recommendations](tvm-security-recommendation.md)
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
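Review bot: The four recommendations ("Disallow offline access to shares" through "Set folder enumeration for shares") are listed with no statement of what each weakness exposes, so a reader cannot prioritize them; add a short risk line per item. In the lines shown, "Select a recommendation to see a flyout with information on the vulnerable network share configuration:" and "You can view and submit a remediation request from the remediation options tab:" both end in a colon with nothing after them, which leaves "Request remediation for the network share configuration" as a single dangling sentence; restore the screenshots or add the actual steps. Smaller fixes: the description "Learn review recommendations related to network shares" is missing "how to", "they'll appear in the list of recommendations" has no closing period, and the navigation paths use an unescaped ">" where the other articles in this update use "\>".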
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-prerequisites.md
+
+ Title: Prerequisites & permissions for Microsoft Defender Vulnerability Management
+
+description: Before you begin using threat and vulnerability management, make sure you have the relevant configurations and permissions.
+keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, Microsoft Defender for Endpoint TVM permissions prerequisites, vulnerability management
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mde
++
+# Prerequisites & permissions for Microsoft Defender Vulnerability Management
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+>[!NOTE]
+>The same minimum requirements as Microsoft Defender for Endpoint apply to Microsoft Defender Vulnerability Management, for more information, see [Minimum requirements](../defender-endpoint/minimum-requirements.md).
+
+Ensure that your devices:
+
+- Are onboarded to Microsoft Defender for Endpoint Plan 2 or Microsoft Defender Vulnerability Management
+
+- Run [supported operating systems and platforms](tvm-supported-os.md)
+
+- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
+
+ > Release | Security update KB number and link
+ > :|:
+ > Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+ > Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+ > Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+ > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+
+- Are onboarded to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) to help remediate threats found by threat and vulnerability management. If you're using Configuration Manager, update your console to the latest version.
+
+ > [!NOTE]
+ > If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
+
+- Have at least one security recommendation that can be viewed in the device page
+
+- Are tagged or marked as co-managed
+
+## Relevant permission options
+
+1. Log in to Microsoft 365 Defender portal using account with a Security administrator or Global administrator role assigned.
+2. In the navigation pane, select **Settings > Endpoints > Roles**.
+
+For more information, see [Create and manage roles for role-based access control](../defender-endpoint/user-roles.md).
+
+### View data
+
+- **Security operations** - View all security operations data in the portal
+- **Threat and vulnerability management** - View threat and vulnerability management data in the portal
+
+### Active remediation actions
+
+- **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
+- **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
+- **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
+
+For more information, see [RBAC permission options](../defender-endpoint/user-roles.md#permission-options)
+
+## Related articles
+
+- [Supported operating systems and platforms](tvm-supported-os.md)
+- [Assign device value](tvm-assign-device-value.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
+
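Review bot: In the "Ensure that your devices" list, "Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager" reads as requiring both, yet the next sentence begins "If you're using Configuration Manager", which implies either one; change "and" to "or" if that is the intent. The same list mixes hard requirements with "Have at least one security recommendation that can be viewed in the device page" and "Are tagged or marked as co-managed" without saying what those two are needed for. Under "Relevant permission options" the numbered steps end at opening **Roles** and never say to create or edit a role and select the permissions listed below; add that step. Since both a Security administrator and a Global administrator can do this, say that the Security administrator role is sufficient so readers do not reach for Global administrator by default. Wording: "Log in to Microsoft 365 Defender portal using account with" needs "the" and "an", and the first NOTE is a comma splice at "Vulnerability Management, for more information".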
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-remediation.md
+
+ Title: Remediate vulnerabilities
+description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in defender vulnerability management.
+keywords: Microsoft Defender for Endpoint tvm remediation, Microsoft Defender for Endpoint tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Remediate vulnerabilities
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+## Request remediation
+
+Vulnerability management capabilities bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Recommendation** pages to Intune.
+
+### Enable Microsoft Intune connection
+
+To use this capability, enable your Microsoft Intune connections. In the Microsoft 365 Defender portal, navigate to **Settings** \> **General** \> **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+
+**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](/intune/atp-manage-vulnerabilities) for details.
+
+### Remediation request steps
+
+1. Go to the **Vulnerability management** navigation menu in the Microsoft 365 Defender portal, and select [**Recommendations**](tvm-security-recommendation.md).
+
+2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
+
+3. Fill out the form, including what you are requesting remediation for, applicable device groups, priority, due date, and optional notes.
+ 1. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action.
+
+4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
+
+5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+6. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](/intune/atp-manage-vulnerabilities) for details.
+
+> [!NOTE]
+> If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.
+
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created.
+
+Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+
+## View your remediation activities
+
+When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+
+If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor.
+
+Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
++
+> [!NOTE]
+> There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion.
+
+### Completed by column
+
+Track who closed the remediation activity with the "Completed by" column on the Remediation page.
+
+- **Email address**: The email of the person who manually completed the task
+- **System confirmation**: The task was automatically completed (all devices remediated)
+- **N/A**: Information is not available because we don't know how this older task was completed
++
+### Top remediation activities in the dashboard
+
+View **Top remediation activities** in the [**Vulnerability management** dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
+
+![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](../../media/defender-vulnerability-management/tvm-remediation-activities-card.png)
+
+## Related articles
+
+- [Dashboard](tvm-dashboard-insights.md)
+- [Security recommendations](tvm-security-recommendation.md)
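Review bot: The NOTE after the remediation request steps says only 10,000 devices are sent to Intune when a request covers more, but it doesn't say which devices are left out or what the requester should do about the remainder, so a large request can look fully ticketed when it isn't; add a sentence on how to cover the rest (for example, whether to split the request by device group). In "View your remediation activities", the retention NOTE gives both "180 day retention period" and "removed 6 months after its completion"; pick one unit. In the same section, "kicks-off" should be "kicks off", and "can be tracked **Remediation** page" is missing "on the". The two paragraphs starting "After your organization's cybersecurity weaknesses are identified" read as introduction but sit after the steps.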
security Tvm Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines.md
+
+ Title: Security baselines assessment
+description: Find out about the security baselines in your environment
+keywords: Microsoft Defender for Endpoint security baselines, mdvm, threat & vulnerability management
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Security baselines assessment
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization's security baselines compliance and identify changes in real time.
+
+A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.
+
+Security baselines provide support for Center for Internet Security (**CIS)** benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (**STIG)** benchmarks for Windows 10 and Windows Server 2019.
+
+## Get started with security baselines assessment
+
+1. Go to **Vulnerability management** > **Baselines assessment** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select the **Profiles** tab at the top, then select the **Create profile** button.
+3. Enter a name and description for your security baselines profile and select **Next**.
+4. On the **Baseline profile scope** page set the profile settings such as software, base benchmark (CIS or STIG), and the compliance level and select **Next**.
+5. Select the configurations you want to include in the profile.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/add_configuration_settings.png" alt-text="Screenshot of the add configuration settings page" lightbox="../../media/defender-vulnerability-management/add_configuration_settings.png":::
+
+ Select **Customize** if you want to change the threshold configuration value for your organization.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/baselines_customize_configuration.png" alt-text="Screenshot of the customize configuration settings page" lightbox="../../media/defender-vulnerability-management/baselines_customize_configuration.png":::
+
+6. Select **Next** to choose the device groups and device tags you want to include in the baseline profile. The profile will be automatically applied to devices added to these groups in the future.
+7. Select **Next** to review the profile.
+8. Select **Submit** to create your profile.
+9. On the final page, select **View profile page** to see the assessment results.
+
+> [!Note]
+> You can create multiple profiles for the same operating system with various customizations.
+
+ When you customize a configuration an icon will appear beside it to indicate that it has been customized and is no longer using the recommended value. Select the **reset** button to revert to the recommended value.
+
+Useful icons to be aware of:
+
+![Previously customized configuration](../../media/defender-vulnerability-management/previous_customization.png) - This configuration has been customized before. When creating a new profile if you select **Customize**, you'll see the available variations you can choose from.
+
+![Not using the default value](../../media/defender-vulnerability-management/customized_value.png) - This configuration has been customized and is not using the default value.
+
+## Security baselines assessment overview
+
+On the security baselines assessment overview page you can view device compliance, profile compliance, top failing devices and top misconfigured devices.
+
+## Review security baseline profile assessment results
+
+1. In the **Profiles** page, select any of your profiles to open a flyout with additional information.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/baseline_profile.png" alt-text="Screenshot of the baseline profile page" lightbox="../../media/defender-vulnerability-management/baseline_profile.png":::
+
+2. Select **Open profile page**. The profile page contains two tabs **Configurations** and **Devices**.
+
+### View by configuration
+
+In the **Configurations** tab, you can review the list of configurations and assess their reported compliance state.
++
+By selecting a configuration in the list, youΓÇÖll see a flyout with details for the policy setting, including the recommended value (the expected value range for a device to be considered compliant) and the source used to determine the current device settings.
++
+The **Devices** tab shows a list of all applicable devices and their compliance state against this specific configuration. For each device, you can use the current value detected to see why it's compliant or non compliant.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/security-baselines-compliance.png" alt-text="Screenshot of the baseline compliance page" lightbox="../../media/defender-vulnerability-management/security-baselines-compliance.png":::
+
+### View by device
+
+In the main **Devices** tab, you can review the list of devices and assess their reported compliance state.
+
+By selecting a device in the list, you’ll see a flyout with additional details.  
++
+Select the **Configuration** tab to view the compliance of this specific device against all the profile configurations.
+
+At the top of the device side panel, select **Open device page** to go to the device page in the device inventory. The device page displays the **Baseline compliance** tab that provides granular visibility into the compliance of the device.
+
+By selecting a configuration in the list, youΓÇÖll see a flyout with compliance details for the policy setting on this device.
+
+## Use advanced hunting
+
+You can run advanced hunting queries on the following tables to gain visibility on security baselines in your organization:
+
+- **DeviceBaselineComplianceProfiles**: provides details on created profiles.
+- **DeviceBaselineComplianceAssessment**: device compliance related information.
+- **DeviceBaselineComplianceAssessmentKB**: general settings for CIS and STIG benchmarks (not related to any device).
+
+## Related articles
+
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
+- [Advanced hunting schema reference](../defender-endpoint/advanced-hunting-schema-reference.md)
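Review bot: In the paragraph on benchmark support, the bold markers are misplaced in `(**CIS)**` and `(**STIG)**`: the closing parenthesis is inside the bold span and the opening one is outside; use `(**CIS**)` and `(**STIG**)`. The same paragraph limits STIG to Windows 10 and Windows Server 2019, yet step 4 of "Get started" offers "base benchmark (CIS or STIG)" with no pointer back to that limit. The tab is called **Configurations** in "View by configuration" and **Configuration** in "View by device"; use the name shown in the portal consistently. "you'll" is written with a typographic apostrophe in three sentences under "View by configuration" and "View by device" (one also ends in non-breaking spaces); use a plain ASCII apostrophe. "Use advanced hunting" names three tables without linking to their schema pages or showing a query.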
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation.md
+
+ Title: Security recommendations
+description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value, in vulnerability management.
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Security recommendations
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
+
+Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+
+> [!TIP]
+> To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](../defender-endpoint/configure-vulnerability-email-notifications.md)
+
+## How it works
+
+Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
+
+- **Threat**: Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+- **Breach likelihood**: Your organization's security posture and resilience against threats.
+- **Business value**: Your organization's assets, critical processes, and intellectual properties.
+
+## Navigate to the Security recommendations page
+
+Access the Security recommendations page a few different ways:
+
+- Vulnerability management navigation menu in the Microsoft 365 Defender portal
+- Top security recommendations in the [vulnerability management dashboard](tvm-dashboard-insights.md)
+
+View related security recommendations in the following places:
+
+- Software page
+- Device page
+
+### Navigation menu
+
+Go to the **Vulnerability management** navigation menu and select **Recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
+
+### Top security recommendations in the vulnerability management dashboard
+
+In a given day as a Security Administrator, you can take a look at the [vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+
+![Example of Top security recommendations card, with four security recommendations.](../../media/defender-vulnerability-management/top-security-recommendations350.png)
+
+The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details.
+
+## Security recommendations overview
+
+View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure score and Microsoft Secure Score for Devices, and associated tags.
+
+The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green.
+
+> [!NOTE]
+> Vulnerability management shows devices that were in use up to **30 days** ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an 'Inactive' status.
+
+![Example of the landing page for security recommendations.](../../media/defender-vulnerability-management/tvmsecrec-updated.png)
+
+### Icons
+
+Useful icons also quickly call your attention to:
+
+- ![arrow hitting a target.](../../media/defender-vulnerability-management/tvm_alert_icon.png) possible active alerts
+- ![red bug.](../../media/defender-vulnerability-management/tvm_bug_icon.png) associated public exploits
+- ![light bulb.](../../media/defender-vulnerability-management/tvm_insight_icon.png) recommendation insights
+
+### Explore security recommendation options
+
+Select the security recommendation that you want to investigate or process.
++
+From the flyout, you can choose any of the following options:
+
+- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
+
+- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page.
+
+- [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet.
+
+> [!NOTE]
+> When a software change is made on a device, it typically takes 2 hours for the data to be reflected in the security portal. However, it may sometimes take longer. Configuration changes can take anywhere from 4 to 24 hours.
+
+### Investigate changes in device exposure or impact
+
+If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating.
+
+1. Select the recommendation and **Open software page**
+2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
+3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request
+
+## Request remediation
+
+The vulnerability management remediation capability bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** page to Intune. [Learn more about remediation options](tvm-remediation.md)
+
+### How to request remediation
+
+Select a security recommendation you would like to request remediation for, and then select **Remediation options**. Fill out the form and select **Submit request**. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. [Learn more about how to request remediation](tvm-remediation.md#request-remediation)
+
+## File for exception
+
+As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. [Learn more about exceptions](tvm-exception.md)
+
+Only users with "exceptions handling" permissions can add exception. [Learn more about RBAC roles](../defender-endpoint/user-roles.md).
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group).
+
+### How to create an exception
+
+Select a security recommendation you would like create an exception for, and then select **Exception options**.
+
+![Showing where the button for "exception options" is location in a security recommendation flyout.](../../media/defender-vulnerability-management/tvm-exception-options.png)
+
+Fill out the form and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab. [Learn more about how to create an exception](tvm-exception.md#create-an-exception)
+
+## Report inaccuracy
+
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
+
+1. Open the Security recommendation.
+
+2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
+
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+
+4. Select **Submit**. Your feedback is immediately sent to the vulnerability management experts.
+
+## Related articles
+
+- [Dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Remediate vulnerabilities](tvm-remediation.md)
+- [Create and view exceptions for security recommendations](tvm-exception.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
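Review bot: "How to create an exception" sends the reader to the Remediation page "under the **Threat & Vulnerability Management** menu", while the rest of this file calls it the **Vulnerability management** navigation menu; update the name so the instruction matches what the reader sees. The introduction says recommendations can be sent "using Microsoft Intune and Microsoft Endpoint Configuration Manager", but "Request remediation" only describes Intune. Typos: "it has in an 'Inactive' status", "names and detailed of devices", "address the increase or your organization's exposure" (should be "in"), "can add exception", "you would like create", "your organizations' devices", and the alt text "is location in".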
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory.md
+
+ Title: Software inventory in Defender Vulnerability Management
+description: The software inventory page for Microsoft Defender for Endpoint's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software.
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint software inventory, Microsoft Defender for Endpoint threat & vulnerability management, Microsoft Defender for Endpoint threat & vulnerability management software inventory, Microsoft Defender for Endpoint tvm software inventory, tvm software inventory
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Software inventory in Defender Vulnerability Management
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+The software inventory in Defender Vulnerability Management is a list of known software in your organization. The default filter on the software inventory page displays all software with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). The view includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
+
+You can remove the **CPE Available** filter, to gain further visibility and increase your search scope across all installed software in your organization. This means all software, including software without a CPE, will now display in the software inventory list.
+
+> [!NOTE]
+> As CPEs are used by vulnerability management to identify the software and any vulnerabilities, even though software products without a CPE will be shown in the software inventory page, they will not be supported by vulnerability management and information like, exploits, number of exposed devices, and weaknesses won't be available for them.
+
+## How it works
+
+In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender for Endpoint detection and response capabilities](../defender-endpoint/overview-endpoint-detection-response.md).
+
+Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+
+## Navigate to the Software inventory page
+
+Access the software inventory page by selecting **Software inventory** from the Vulnerability management navigation menu in the [Microsoft 365 Defender portal](../defender/microsoft-365-security-center-mde.md).
+
+> [!NOTE]
+> If you search for software using the Microsoft Defender for Endpoint global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write "windows_10" or "windows_11" instead of "Windows 10" or "Windows 11".
+
+## Software inventory overview
+
+The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags.
+
+By default, the view is filtered by **Product Code (CPE): Available**. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.
++
+Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+
+### Software that isn't supported
+
+Software that isn't currently supported by vulnerability management may be present in the software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.
++
+The following indicates that software is not supported:
+
+- Weaknesses field shows "Not available"
+- Exposed devices field shows a dash
+- Informational text added in side panel and in software page
+- The software page won't have the security recommendations, discovered vulnerabilities, or event timeline sections
+
+## Software inventory on devices
+
+From the Microsoft 365 Defender portal navigation panel, go to the **[Device inventory](../defender-endpoint/machines-view-overview.md)**. Select the name of a device to open the device page (like Computer1), then select the **Software inventory** tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information.
+
+Software may be visible at the device level even if it's currently not supported by vulnerability management. However, only limited data will be available. You'll know if software is unsupported because it will say "Not available" in the "Weakness" column.
+
+Software with no CPE can also show up under this device-specific software inventory.
+
+### Software evidence
+
+See evidence of where we detected a specific software on a device from the registry, disk, or both. You can find it on any device in the device software inventory.
+
+Select a software name to open the flyout, and look for the section called "Software Evidence."
++
+## Software pages
+
+You can view software pages a few different ways:
+
+- Software inventory page > Select a software name > Select **Open software page** in the flyout
+- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout
+- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout
+
+ A full page will appear with all the details of a specific software and the following information:
+
+- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to exposure score.
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices.
+- Tabs showing information such as:
+ - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
+ - Named CVEs of discovered vulnerabilities.
+ - Devices that have the software installed (along with device name, domain, OS, and more).
+ - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
+
+ :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="../../media/defender-vulnerability-management/tvm-software-page-example.png" lightbox="../../media/defender-vulnerability-management/tvm-software-page-example.png":::
+
+## Report inaccuracy
+
+Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.
+
+1. Open the software flyout on the Software inventory page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, choose an issue to report from:
+
+ - a software detail is wrong
+ - the software is not installed on any device in my org
+ - the number of installed or exposed devices is wrong
+
+4. Fill in the requested details about the inaccuracy. This will vary depending on the issue you're reporting.
+
+![Report inaccuracy](../../media/defender-vulnerability-management/report-inaccuracy-software.png)
+
+5. Select **Submit**. Your feedback is immediately sent to the vulnerability management experts.
+
+## Related articles
+
+- [Security recommendations](tvm-security-recommendation.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
+- [View and organize the Microsoft Defender for Endpoint Devices list](../defender-endpoint/machines-view-overview.md)
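Review bot: The default filter is called **CPE Available** in the introduction and **Product Code (CPE): Available** in "Software inventory overview"; use the label shown in the portal in both places. Likewise, the unsupported-software indicator is described as the "Weakness" section, the "Weaknesses field" and the "Weakness" column. In "Report inaccuracy", the image between steps 4 and 5 is not indented like the other images placed inside lists, which ends the ordered list before step 5. Wording: "whether and exploit is available", "soon as it's available", "vulnerability information as they get discovered", and the stray comma in "information like, exploits".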
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-supported-os.md
+
+ Title: Supported operating systems platforms and capabilities
+description: Ensure that you meet the operating system or platform requisites for threat and vulnerability management, so the activities in your all devices are properly accounted for.
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, Microsoft Defender for Endpoint-tvm supported os, Microsoft Defender for Endpoint-tvm, supported operating systems, supported platforms, linux support, mac support
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Supported operating systems, platforms and capabilities
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+Before you begin, ensure that you meet the following operating system or platform requisites for vulnerability management so the activities in your devices are properly accounted for.
+
+> [!NOTE]
+> The supported systems and platforms for vulnerability management may be different from the [Minimum requirements for Microsoft Defender for Endpoint](../defender-endpoint/minimum-requirements.md) list.
+
+## Capabilities per supported operating systems (OS) and platforms
+
+In the following table, "Yes" indicates that a vulnerability management capability is supported for the OS or platform on that row.
+
+Supported OS or platform|OS vulnerabilities|Software product vulnerabilities|OS configuration assessment|Security controls configuration assessment|Software product configuration assessment
+:|:|:|:|:|:
+Windows 7|Yes|Not supported|Not supported|Not supported|Not supported
+Windows 8.1|Yes|Yes|Yes|Yes|Yes
+Windows 10, versions 1607-1703|Yes|Not supported|Not supported|Not supported|Not supported
+Windows 10, version 1709 or later|Yes|Yes|Yes|Yes|Yes
+Windows 11|Yes|Yes|Yes|Yes|Yes
+Windows Server 2008 R2|Yes|Yes|Yes|Yes|Yes
+Windows Server 2012 R2|Yes|Yes|Yes|Yes|Yes
+Windows Server 2016|Yes|Yes|Yes|Yes|Yes
+Windows Server 2019|Yes|Yes|Yes|Yes|Yes
+Windows Server 2022|Yes|Yes|Yes|Yes|Yes
+macOS 10.14 "Mojave" and above|Yes|Yes|Yes|Yes|Yes
+Red Hat Enterprise Linux 7.2 or higher including matching EUS releases (\* See "Important" notice below)|Yes|Yes|Yes|Yes|Yes
+CentOS 7.2 or higher|Yes|Yes|Yes|Yes|Yes
+Ubuntu 16.04 LTS or higher LTS|Yes|Yes|Yes|Yes|Yes
+Oracle Linux 7.2 or higher|Yes|Yes|Yes|Yes|Yes
+SUSE Linux Enterprise Server 12 or higher|Yes|Yes|Yes|Yes|Yes
+Linux Debian 9 or higher|Yes|Yes|Yes|Yes|Yes
+Android 6.0 or higher|Yes|Yes|Not supported|Not supported|Not supported
+iOS 12.0 or higher|Yes|Not supported|Not supported|Not supported|Not supported
+
+> [!NOTE]
+> Some features are not available for down-level Operating System, check the Microsoft 365 Defender Portal for more details on supported OS.
+
+> [!IMPORTANT]
+> \* Red Hat Enterprise Linux:
+> "The vulnerability data provided and shown as part of your Microsoft Defender for Endpoint services is made available to you in its raw form, "AS IS", from Red Hat, Inc., and might not be up to date. The data that is accessible in the Red Hat Security Data API is licensed under the Creative Commons Attribution 4.0 International License. You bear the risk in using this data. Microsoft and its third-party suppliers disclaim any and all liability for consequential and other indirect damages and implied warranties, including implied warranties of non-infringement, merchantability and fitness for a particular purpose. © 2020 Red Hat. All rights reserved. © 2020 Microsoft. All rights reserved."
+
+## Related articles
+
+- [Prerequisites & permissions](tvm-prerequisites.md)
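Review bot: The [!NOTE] under the capabilities table ("Some features are not available for down-level Operating System, check the Microsoft 365 Defender Portal for more details on supported OS") is a comma splice and does not say what "down-level" covers, even though the table directly above already marks the reduced rows as "Not supported". Suggest two sentences, lowercase "operating systems" and "portal", and a pointer to the "Not supported" cells so readers can see which platforms only get OS vulnerability coverage. In the intro paragraph, "operating system or platform requisites" should read "prerequisites", matching the keywords line and the related article title.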
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-devices-report.md
+
+ Title: Vulnerable devices report
+description: A report showing vulnerable device trends and current statistics so you can understand the breath and scope of your device exposure.
+keywords: Microsoft Defender for Endpoint-tvm vulnerable devices, Microsoft Defender for Endpoint, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Vulnerable devices report
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
+
+Access the report in the Microsoft 365 Defender portal by going to **Reports > Vulnerable devices**
+
+There are two columns:
+
+- Trends (over time). Can show the past 30 days, 3 months, 6 months, or a custom date range.
+- Status (current information)
+
+**Filter**: You can filter the data by vulnerability severity levels, exploit availability, vulnerability age, operating system platform, Windows 10 or Windows 11 version, or device group.
+
+**Drill down**: If there is an insight you want to explore further, select the relevant bar chart to view a filtered list of devices in the Device inventory page. From there, you can export the list.
+
+## Severity level graphs
+
+Each device is counted only once according to the most severe vulnerability found on that device.
++
+## Exploit availability graphs
+
+Each device is counted only once based on the highest level of known exploit.
++
+## Vulnerability age graphs
+
+Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited.
++
+## Vulnerable devices by operating system platform graphs
+
+The number of devices on each operating system that are exposed due to software vulnerabilities.
++
+## Vulnerable devices by Windows version graphs
+
+The number of devices on each Windows 10 or Windows 11 version that are exposed due to vulnerable applications or OS.
++
+## Related topics
+
+- [Security recommendations](tvm-security-recommendation.md)
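Review bot: "breath and scope" should be "breadth and scope" in both places it appears, the front-matter description and the first body paragraph. The "Access the report in the Microsoft 365 Defender portal by going to **Reports > Vulnerable devices**" line is missing its closing period. The severity, exploit availability and vulnerability age sections each say a device is "counted only once", so it would help to state up front that every graph counts devices rather than vulnerabilities. Otherwise a bar can be misread as a CVE count when it is a per-device roll-up of the worst case.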
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses.md
+
+ Title: Vulnerabilities in my organization
+description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender vulnerability management capabilities.
+keywords: Microsoft Defender for Endpoint threat & vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Vulnerabilities in my organization
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+> [!IMPORTANT]
+> Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components. [Learn more](../defender-endpoint/tvm-manage-Log4shell-guidance.md).
+
+Microsoft Defender Vulnerability Management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.
+
+The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
+
+> [!NOTE]
+> If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
+
+> [!TIP]
+> To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](../defender-endpoint/configure-vulnerability-email-notifications.md)
+
+## Navigate to the Weaknesses page
+
+Access the Weaknesses page a few different ways:
+
+- Selecting **Weaknesses** from the **Vulnerability management** navigation menu in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+
+### Navigation menu
+
+Go to the **Vulnerability management** navigation menu and select **Weaknesses** to open the list of CVEs.
+
+### Vulnerabilities in global search
+
+1. Go to the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, for example "CVE-2018-5568", then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
+3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
+
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
+
+## Weaknesses overview
+
+Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/tvm-weaknesses-overview.png" alt-text="Screenshot of the weaknesses landing page" lightbox="../../media/defender-vulnerability-management/tvm-weaknesses-overview.png":::
+
+### Breach and threat insights
+
+View any related breach and threat insights in the **Threat** column when the icons are colored red.
+
+ > [!NOTE]
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](../../media/defender-vulnerability-management/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](../../media/defender-vulnerability-management/tvm_alert_icon.png).
+
+The breach insights icon is highlighted if there's a vulnerability found in your organization.
+![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](../../media/defender-vulnerability-management/tvm-breach-insights.png)
+
+The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
+
+![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](../../media/defender-vulnerability-management/tvm-threat-insights.png)
+
+### Gain vulnerability insights
+
+If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details, threat insights, and exposed devices.
+
+- The "OS Feature" category is shown in relevant scenarios
+- You can go to the related security recommendation for every CVE with exposed device
+
+ ![Weakness flyout example.](../../media/defender-vulnerability-management/tvm-weakness-flyout400.png)
+
+### Software that isn't supported
+
+CVEs for software that isn't currently supported by threat & vulnerability management is still present in the Weaknesses page. Because the software is not supported, only limited data will be available.
+
+Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
++
+## View Common Vulnerabilities and Exposures (CVE) entries in other places
+
+### Top vulnerable software in the dashboard
+
+1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
+
+ ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](../../media/defender-vulnerability-management/tvm-top-vulnerable-software500.png)
+
+2. Select the software you want to investigate to go to a drilldown page.
+
+3. Select the **Discovered vulnerabilities** tab.
+
+4. Select the vulnerability you want to investigate for more information on vulnerability details
+
+### Discover vulnerabilities in the device page
+
+View related weaknesses information in the device page.
+
+1. Go to the Microsoft 365 Defender navigation menu bar, then select the device icon. The **Device inventory** page opens.
+
+2. In the **Device inventory** page, select the device name that you want to investigate.
+
+ ![Device list with selected device to investigate.](../../media/defender-vulnerability-management/tvm_machinetoinvestigate.png)
+
+3. The device page will open with details and response options for the device you want to investigate.
+
+4. Select **Discovered vulnerabilities**.
+
+ :::image type="content" alt-text="Device page with details and response options." source="../../media/defender-vulnerability-management/tvm-discovered-vulnerabilities.png" lightbox="../../media/defender-vulnerability-management/tvm-discovered-vulnerabilities.png":::
+
+5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
+
+#### CVE Detection logic
+
+Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
+
+The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 or Windows Server 2022 has vulnerability in its DNS component. With this new capability, we'll only attach this CVE to the Windows Server 2019 and Windows Server 2022 devices with the DNS capability enabled in their OS.
++
+## Report inaccuracy
+
+Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
+
+1. Open the CVE on the Weaknesses page.
+2. Select **Report inaccuracy** and a flyout pane will open.
+3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details.
+4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
+
+## Related articles
+
+- [Security recommendations](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Dashboard insights](tvm-dashboard-insights.md)
+
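Review bot: In "Weaknesses overview", the sentence "If the **Exposed Devices** column shows 0, that means you aren't at risk" claims more than the page supports, because "Software that isn't supported" further down says exposed device information is not available for CVEs with unsupported software. Suggest wording it as "no exposed devices were found for this CVE" and telling readers to treat "Not available" differently from 0. In "Navigate to the Weaknesses page", "a few different ways" is followed by a single bullet while two subsections follow (navigation menu and global search); add the second bullet or drop the list. In "Breach and threat insights", "The breach insights icon is highlighted if there's a vulnerability found in your organization" does not match the image alt text, which describes an active alert associated with the recommendation. Smaller fixes: "text that that could show up", "CVEs for software ... is still present" (should be "are"), "every CVE with exposed device", and "has vulnerability in its DNS component".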
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-zero-day-vulnerabilities.md
+
+ Title: Mitigate zero-day vulnerabilities
+description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management.
+keywords: Microsoft Defender for Endpoint tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Mitigate zero-day vulnerabilities
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+> To sign up for the Defender Vulnerability Management public preview or if you have any questions, [contact us](mailto:mdvmtrial@microsoft.com) (mdvmtrial@microsoft.com).
+>
+> Already have Microsoft Defender for Endpoint P2? [Sign up for a free trial of the Defender Vulnerability Management Add-on.](https://signup.microsoft.com/get-started/signup?products=5908ecaa-b8a7-4a04-b6c0-d44fd934b6f2)
+
+A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.
+
+Vulnerability management will only display zero-day vulnerabilities it has information about.
+
+## Find information about zero-day vulnerabilities
+
+Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft 365 Defender portal.
+
+> [!NOTE]
+> 0-day vulnerability capability is currently available only for Windows products.
+
+### Defender Vulnerability Management dashboard
+
+Look for recommendations with a zero-day tag in the "Top security recommendations" card.
++
+Find top software with the zero-day tag in the "Top vulnerable software" card.
++
+### Weaknesses page
+
+Look for the named zero-day vulnerability along with a description and details.
+
+- If this vulnerability has a CVE-ID assigned, you'll see the zero-day label next to the CVE name.
+
+- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like "TVM-XXXX-XXXX". The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
++
+### Software inventory page
+
+Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.
++
+### Software page
+
+Look for a zero-day tag for each software that has been affected by the zero-day vulnerability.
++
+### Security recommendations page
+
+View clear suggestions about remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.
+
+If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities.
++
+## Addressing zero-day vulnerabilities
+
+Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.
+
+There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
+
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."
++
+## Track zero-day remediation activities
+
+Go to the [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there's no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category.
+
+## Patching zero-day vulnerabilities
+
+When a patch is released for the zero-day, the recommendation will be changed to "Update" and a blue label next to it that says "New security update for zero day." It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
+
+## Related articles
+
+- [Dashboard](tvm-dashboard-insights.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
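Review bot: In "Patching zero-day vulnerabilities", both sentences need repair: the first has no verb for the blue label, and the second ("It will no longer consider as a zero-day, the zero-day tag will be removed from all pages") is ungrammatical and run-on. Suggest: When a patch is released for the zero-day, the recommendation changes to "Update" and a blue label next to it says "New security update for zero day." The vulnerability is no longer considered a zero-day, and the zero-day tag is removed from all pages. In "Addressing zero-day vulnerabilities", "you wish to remediation" should be "you wish to remediate". The opening definition says "no public information about this risk is available", yet the "Weaknesses page" section describes zero-days that already have a CVE-ID assigned and the recommendations section mentions published workarounds; consider softening the definition so the two agree. The [!NOTE] uses "0-day" while the rest of the article uses "zero-day".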
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
With the integrated Microsoft 365 Defender solution, security professionals can
<center><h2>Microsoft 365 Defender services</center></h2> <table><tr><td><center><b><a href="/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint"><b>Microsoft Defender for Endpoint</b></center></a></td>
+<td><center><b><a href="/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management"><b>Microsoft Defender Vulnerability Management</b></center></a></td>
<td><center><b><a href="/microsoft-365/security/office-365-security/overview"><b>Microsoft Defender for Office 365</b></center></a></td> <td><center><b><a href="/defender-for-identity/"><b>Microsoft Defender for Identity</b></a></center></td> <td><center><b><a href="/cloud-app-security/"><b>Microsoft Defender for Cloud Apps</b></a></center></td>
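Review bot: The added Defender Vulnerability Management cell closes its tags out of order (`</b></center></a></td>` closes `<center>` before `<a>`) and opens `<b>` twice while closing it once. It copies the pattern of the Defender for Endpoint cell above it, whereas the Defender for Identity and Defender for Cloud Apps cells on the following line use the correct `</a></center>` order. Suggest `<td><center><a href="/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management"><b>Microsoft Defender Vulnerability Management</b></a></center></td>`. Also worth confirming the link target: the new Defender Vulnerability Management articles in this same change set link to `index.yml` in that folder, not to a `defender-vulnerability-management` page.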
In this interactive guide, you'll learn how to protect your organization with Mi
Microsoft 365 Defender services protect: - **Endpoints with Defender for Endpoint** - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
+- **Assets with Defender Vulnerability Management** - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
- **Email and collaboration with Defender for Office 365** - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. - **Identities with Defender for Identity and Azure Active Directory (Azure AD) Identity Protection** - Defender for Identity uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure AD Identity Protection automates the detection and remediation of identity-based risks in your cloud-based Azure AD. - **Applications with Microsoft Defender for Cloud Apps** - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
security Use Spam Notifications To Release And Report Quarantined Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages.md
Title: Quarantine notifications (end-user spam notifications) in Microsoft 365
+f1.keywords:
- NOCSH Previously updated : Last updated : audience: Admin ms.localizationpriority: medium
+search.appverid:
- MOE150 - MED150 - MET150 ms.assetid: 56de4ed5-b0aa-4195-9f46-033d7cc086bc-+ - M365-security-compliance-+ - seo-marvel-apr2020 description: Admins can learn about end-user spam notifications for quarantined messages in Exchange Online Protection (EOP). ms.technology: mdo
For shared mailboxes, quarantine notifications are supported only for users who
> [!NOTE] > By default, messages that are quarantined as high confidence phishing, malware, by mail flow rules (also known as transport rules), or Safe Attachments policies in Defender for Office 365 are only available to admins (by default, the AdminOnlyAccessPolicy quarantine policy is used). For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md). >
-> Currently, quarantine notifications are not supported for groups or high confidence phishing messages.
+> Currently, quarantine notifications are not supported for groups.
When you receive a quarantine notification, the following information is always available for each quarantined message:
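Review bot: Removing "or high confidence phishing messages" from the last sentence of the note leaves it unclear whether end users now receive quarantine notifications for high confidence phishing, because the sentence just before it still says those messages are available only to admins by default (the AdminOnlyAccessPolicy quarantine policy). Suggest adding one sentence that states the condition explicitly, for example which quarantine policy must be applied before such notifications reach users, so admins do not assume the default exposure has changed.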
solutions Secure Teams Security Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/secure-teams-security-isolation.md
Title: "Configure a team with security isolation"
+ Title: "Configure a team with security isolation by using a unique sensitivity label"
f1.keywords: NOCSH
recommendations: false
description: "Learn how to create a team with a unique sensitivity label for security."
-# Configure a team with security isolation
+# Configure a team with security isolation by using a unique sensitivity label
This article provides you with recommendations and steps to configure a private team in Microsoft Teams and use a unique sensitivity label to encrypt files so that only team members can decrypt them.
This training should include hands-on exercises so that your team members can ex
In the weeks after training: -- Quickly address team member feedback and fine tune polices and configurations.
+- Quickly address team member feedback and fine tune policies and configurations.
- Analyze usage for the team and compare it with usage expectations. - Verify that highly regulated files have been properly labeled with the sensitivity label. (You can see which files have a label assigned by viewing a folder in SharePoint and adding the **Sensitivity** column through the **Show/hide columns** option of **Add column**.
Retrain your users as needed.
## See also
-[Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure)
+[Azure AD Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure)