Microsoft Defender for Endpoint series – Defender Vulnerability Management – Part5
It is time for part 5 of the Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the Defender for Endpoint onboarding and configuration. Now it is time for the initial usage of the Defender for Endpoint components. One of the key functions is Defender Vulnerability Management (MDVM), which is powerful and enables lots of useful insights.
NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are also available in P2.
Have a specific question or content idea about Defender for Endpoint? Use the contact submission form and share your post ideas.
Microsoft Defender Vulnerability Management (MDVM) is part of Microsoft Defender for Endpoint – there is no additional agent or configuration needed for getting data in MDE. MDVM is a built-in module in Microsoft Defender for Endpoint.
In Part 4/4A/4B of this series we explained the configuration of the AV features; with MDVM it is possible to validate the compliance of those features.
Defender Vulnerability Management rapidly and continuously prioritizes vulnerabilities and provides security recommendations to mitigate the risk. This part of the series contains some useful insights into TVM.
Microsoft has created really good documentation for all MDVM features; use it for more in-depth information.
Microsoft Defender Vulnerability Management offerings
Microsoft Defender supports multiple offerings for Microsoft Defender Vulnerability Management:
Defender for Endpoint P2:
- Core TVM capabilities included
Add-on for Defender for Endpoint P2:
- Defender Vulnerability Management add-on
Defender Vulnerability Management Standalone
- Full vulnerability management capabilities
Comparison table between the core, add-on, and standalone offerings. The add-on enables more data for security baselines, extensions, certificates, and network share insights.
|November 20, 2022: currently it seems the add-on will be sold as an extra add-on on top of the MDE P2 license/ E5 license.|
Important: If you use Defender for Servers P2, it includes the Defender Vulnerability Management add-on capabilities.
| Feature/Capability | Core Vulnerability management (MDE P2) | Defender Vulnerability Management add-on for MDE P2 | Defender Vulnerability Management Standalone |
|---|---|---|---|
| Device Discovery | ✅ | Included in core | ✅ |
| Device inventory | ✅ | Included in core | ✅ |
| Vulnerability assessment | ✅ | Included in core | ✅ |
| Risk-based prioritization | ✅ | Included in core | ✅ |
| Remediation tracking | ✅ | Included in core | ✅ |
| Continuous monitoring | ✅ | Included in core | ✅ |
| Software assessment | ✅ | Included in core | ✅ |
| Security baselines assessment | ❌ | ✅ | ✅ |
| Block vulnerable applications | ❌ | ✅ | ✅ |
| Digital certificate assessment | ❌ | ✅ | ✅ |
| Network share analysis | ❌ | ✅ | ✅ |
| Hardware and firmware assessment | ❌ | ✅ | ✅ |
| Authenticated scan for Windows | ❌ | | |
More information: What is Microsoft Defender Vulnerability Management
How Microsoft Defender Vulnerability Management works
Microsoft Defender Vulnerability Management is completely agentless and collects data based on the installed MDE sensor. Data is stored for up to 180 days in Defender and 30 days in Advanced Hunting.
MDVM helps to improve the security posture and remediate risk by following security recommendations, and it checks the machines in near real time.
Common organization challenges without MDE or other tools:
- Which devices are compliant and correctly configured?
- Which devices are vulnerable to CVE-xxx?
- Are there devices affected by active zero-days?
- Which devices are not compliant or configured with failures?
- Which devices are not correctly configured with AV?
- Where is SMBv1 still allowed?
- Devices without Tamper Protection
- Devices with an old version of the .NET Framework
- Devices where the built-in administrator account is not disabled
Risk management is all about identifying weaknesses (vulnerabilities) and misconfigurations in the environment and reducing the attack surface. MDVM in Defender helps discover vulnerabilities using the MDE sensor, without needing to deploy additional collectors or agents. MDVM is based on continuous discovery: Microsoft Defender for Endpoint continuously collects and sends telemetry of the device to the cloud.
During the initial onboarding, the Microsoft Defender for Endpoint sensor automatically collects the vulnerability and security data from the machine and publishes the data in the portal. Based on the continuous discovery, changes are visible without waiting for periodic scans.
Which data is visible in MDVM and how frequently?
Microsoft Defender Vulnerability Management shows devices that were in use up to 30 days ago; this sometimes generates duplicates when devices get reinstalled/ reimaged. Ideally, in the future MDVM will support more filters for inactive/active devices.
The exclude device button can help with removing devices directly from the MDVM data, so there is no need to wait 30 days for duplicates or inactive devices to disappear.
Microsoft Defender Vulnerability Management data
The MDVM data is part of the Microsoft 365 Defender portal (security.microsoft.com). The section Vulnerability Management contains all available data.
The dashboard shows an overview of the exposure score, configuration score, and distribution for each exposure level. Based on the top priorities, the list of top-ranked security recommendations is visible. The top recommendations are based on their impact (exposure threats and impact).
1: Organization exposure score: Score of all associated resources in the organization. Filters can be used for filtering specific device groups.
2: Top security recommendations: Top recommendations based on the largest impact on all associated resources.
3: Microsoft Secure Score: View of the security configuration posture of all devices. A higher score indicates a stronger baseline. For each component, the improvements are directly visible.
4: Top events (7 days): Top events in the organization for new vulnerabilities, based on impact.
5: Expiring certificates: Data is part of the add-on and shows all expired certificates on the devices.
6: Exposure distribution: Exposure distribution based on Low, Medium, and High against the organization’s scope.
7: Top remediation activities: Remediation activities that are created from specific items.
8: Top vulnerable software: Software in the organization with the highest weakness count (number of CVEs) and threats.
9: Top exposed devices: Devices in the organization with the highest number of security recommendations/ discovered vulnerabilities and the highest exposure level.
|Recommendation: As explained in the first part, a proper device group structure is important. With the device group filter, it is possible to filter specific events. Interesting use case: show only tier 0/ domain controllers or Windows 10/11 endpoints. Think carefully about the groups and base them on the management teams, so each team can view TVM data based on their own scope.|
What is the Exposure score?
The Exposure Score reflects the overall exposure of all machines. The score is continuously calculated based on all data in the Defender instance. A high value indicates that your machines are more vulnerable to exploitation, while a low value means a less vulnerable surface.
The available statuses are low, medium, and high exposure:
- 0–29: low exposure score.
- 30–69: medium exposure score.
- 70–100: high exposure score.
In the graph the exposure score trend over time is visible, so you can track how the score is changing. Due to newly released CVEs and new security recommendations, the score is always changing. The Event timeline gives more visibility into why the score is increasing/ decreasing.
Visibility into cybersecurity weaknesses is more and more important against new and modern threats. The Security recommendations view shows all recommendations, prioritized based on the risk to your organization.
Security recommendations are the actionable items for reducing the total exposure score and improving the configuration/ protection surface of the devices.
|Important: One thing to remember about security recommendations is that these are general recommendations based on best practices coming from the vendor. Always test before applying security recommendations.|
Each security recommendation shows the following information:
| Field | Description |
|---|---|
| Security recommendation | Name of the recommendation |
| OS platform | The platform where the recommendation is applicable |
| Weaknesses | Total count of known vulnerabilities |
| Related component | The component where the recommendation is applicable |
| Exposed devices | Total count of exposed devices in the organization |
| Remediation type | Which remediation type is needed (update or configuration change) |
| Remediation activities | Created remediation activities in Defender for Endpoint |
| Impact | The business impact of each recommendation on the organizational exposure and secure scores |
| Tags | Related tags; examples: Zero-day/ Human operated ransomware, EOS software, EOS versions |
All data is visible in the blade security recommendations. Open each item for more in-depth information and the breakdown of all associated CVEs summarized by severity.
The Threats column contains two important threat icons:
(1) Breach insights: Possible active threats/alerts
(2) Threat insights: Associated public exploits
When opening an item, more information is visible. The overview page shows the breakdown of associated CVEs and additional information about publicly available exploits.
Based on the above screenshot, Windows Server 2019 is vulnerable to 269 known vulnerabilities and there is a verified remote code execution exploit publicly available. Related threats are visible when a threat analytics report is available; for Server 2019 the threat CVE-2022-30190 (remote code execution) is active and part of the detected CVEs.
- Exposed devices: overview of all devices which are applicable/ vulnerable
- Installed devices: overview of all devices where the software is installed
- Associated CVEs: overview of all associated CVEs
Use Open software page for the complete overview of the software. The detailed software page contains all information related to the software, including security recommendations, discovered vulnerabilities, devices where the software is installed, version distribution, and a detailed timeline.
For Chrome we can see the recommendations that are part of the Chrome software, for example: Disable ‘Password Manager’ and Enable ‘Block third-party cookies’.
The Event timeline is useful for viewing all new vulnerabilities and their device impact. The column Originally impacted devices % shows the devices impacted at the time the vulnerability was released; Currently impacted devices % shows the actual impact based on recent data.
The exposure score is dynamic and changes over time. The general event timeline is a risk news feed that helps you understand how risk is introduced. With the timeline it is easy to compare the originally impacted devices with the current impact. Filters allow filtering based on event type, originally impacted devices, and specific dates.
More information: Event timeline | Microsoft Learn
Checking MDE configuration via UI
The first step after enrolling MDE is confirming that all configurations are compliant. Using MDVM it is possible to check the configured security controls for Antivirus, Application Guard, ASR, BitLocker, Credential Guard, EDR, Exploit Guard, Firewall, SmartScreen, and the general onboarding state of MDE.
View via UI: Go to recommendations and filter on the related component “Security controls” for viewing the compliance of all security controls policies.
For Attack Surface Reduction Rules – the recommendation insights are visible based on user impact information. User impact calculation is collected in the past 45 days and based on collected sensor telemetry.
Data using advanced hunting
MDVM data is available in advanced hunting. With advanced hunting, MDVM data can be used for creating more advanced queries that return direct results from the dataset. For example:
- Overview of all ASR rules
- Overview of all devices with a specific platform version of Defender
- Overview of engine/ signature version
The following schema tables are part of the MDVM component:
Extract recommendation data
Each recommendation contains more information. SCID-2011 is the recommendation for “Update Microsoft Defender Antivirus definition”. With the use of KQL, there is the option for reading the body context.
Full configuration assessment data for SCID-2011; the additional data is part of the “Context” field:
```kusto
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011"
```
Parsed KQL query for SCID-2011, with the “Context” field extracted/ parsed:
```kusto
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011"
// Context is an array whose first element holds the values in positional order
| mv-expand body = parse_json(Context)
| project DeviceName, DeviceId, OSPlatform,
    SignatureVersion = tostring(body[0]),
    SignatureDate = todatetime(body[1]),
    EngineVersion = tostring(body[2]),
    ProductVersion = tostring(body[3])
```
Example: All devices where Defender AV is disabled
All devices where Defender AV is disabled (SCID-2010 is applicable and not compliant)
```kusto
// Latest DeviceInfo record per device, joined to the scid-2010 assessment and its KB description
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, Timestamp, DeviceName, ClientVersion, OnboardingStatus, DeviceType, MachineGroup
| project-rename LatestDeviceData = Timestamp
| join kind=inner (
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2010"
    | project DeviceId, Timestamp, ConfigurationId, ConfigurationSubcategory, IsApplicable, IsCompliant, Context
    | project-rename TimeStampTVMEval = Timestamp
    | join kind=inner (
        DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName, ConfigurationDescription
    ) on ConfigurationId
) on DeviceId
| where IsApplicable == 1 and IsCompliant == 0
```
Example: All devices where MAPS/ Cloud Protection is disabled
All devices where MAPS/ Cloud Protection is disabled (SCID-2016 is applicable and not compliant)
```kusto
// Same pattern as scid-2010, for the cloud protection (MAPS) control scid-2016
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, Timestamp, DeviceName, ClientVersion, OnboardingStatus, DeviceType, MachineGroup
| project-rename LatestDeviceData = Timestamp
| join kind=inner (
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2016"
    | project DeviceId, Timestamp, ConfigurationId, ConfigurationSubcategory, IsApplicable, IsCompliant, Context
    | project-rename TimeStampTVMEval = Timestamp
    | join kind=inner (
        DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName, ConfigurationDescription
    ) on ConfigurationId
) on DeviceId
| where IsApplicable == 1 and IsCompliant == 0
```
Example: AV mode (Active, Passive, EDR block)
Overview of all devices and detected AV mode (Active, Passive, EDR block)
```kusto
// AV mode per device from scid-2010 (Context value: 0 = Active, 1 = Passive, 4 = EDR Blocked)
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active',
                  iif(tostring(avdata[0][0]) == '1', 'Passive',
                  iif(tostring(avdata[0][0]) == '4', 'EDR Blocked', 'Unknown')))
| project DeviceId, AVMode;
// Signature/engine data from scid-2011, joined to the AV mode per device.
// Verify the Context positions against the parsed output of the scid-2011 query above.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
```
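As an added offline example (not code from the original post or from Microsoft), the following Python does with exported rows what the KQL above does in the portal: it parses the Context field of scid-2010/scid-2011 rows, maps the AV mode, joins both per device, lists non-compliant devices, and additionally flags stale signatures. It assumes Context is a JSON string holding a nested array with the values in the order signature version, signature date, engine version, product version (as in the parsed scid-2011 query); the sample rows are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Mapping used by the AV mode query above (scid-2010 Context value).
AV_MODE = {"0": "Active", "1": "Passive", "4": "EDR Blocked"}

# Constructed sample rows in the shape of DeviceTvmSecureConfigurationAssessment.
# The nested-array Context layout is an assumption, not documented on this page.
SAMPLE_ROWS = [
    {"DeviceId": "dev-a", "DeviceName": "ws01", "OSPlatform": "Windows11",
     "ConfigurationId": "scid-2010", "IsApplicable": 1, "IsCompliant": 1,
     "Context": json.dumps([["0"]])},
    {"DeviceId": "dev-a", "DeviceName": "ws01", "OSPlatform": "Windows11",
     "ConfigurationId": "scid-2011", "IsApplicable": 1, "IsCompliant": 1,
     "Context": json.dumps([["1.385.1234.0", "2023-03-20T08:00:00Z",
                             "1.1.20100.6", "4.18.2302.7"]])},
    {"DeviceId": "dev-b", "DeviceName": "srv01", "OSPlatform": "WindowsServer2019",
     "ConfigurationId": "scid-2010", "IsApplicable": 1, "IsCompliant": 0,
     "Context": json.dumps([["1"]])},
    {"DeviceId": "dev-b", "DeviceName": "srv01", "OSPlatform": "WindowsServer2019",
     "ConfigurationId": "scid-2011", "IsApplicable": 1, "IsCompliant": 0,
     "Context": json.dumps([["1.381.900.0", "2023-02-01T08:00:00Z",
                             "1.1.19900.2", "4.18.2211.5"]])},
]


def parse_context(context):
    """Return the inner value list of a Context JSON string, as strings.

    Mirrors parse_json(Context)[0] in KQL: the first element of the outer
    array is the list the queries index with [0][0], [0][1], and so on.
    """
    if not context:
        return []
    data = json.loads(context)
    if isinstance(data, list) and data and isinstance(data[0], list):
        data = data[0]
    return [str(v) for v in data] if isinstance(data, list) else [str(data)]


def av_mode(context):
    """Map the scid-2010 Context value to the mode names used on this page."""
    values = parse_context(context)
    return AV_MODE.get(values[0], "Unknown") if values else "Unknown"


def signature_info(context):
    """Split the scid-2011 Context into named fields; missing ones become None."""
    keys = ("SignatureVersion", "SignatureDate", "EngineVersion", "ProductVersion")
    values = parse_context(context)
    return {k: (values[i] if i < len(values) else None) for i, k in enumerate(keys)}


def noncompliant_devices(rows, configuration_id):
    """DeviceIds where a control is applicable but not compliant (the scid-2010 example)."""
    return sorted({r["DeviceId"] for r in rows
                   if r["ConfigurationId"] == configuration_id
                   and r["IsApplicable"] == 1 and r["IsCompliant"] == 0})


def build_av_report(rows, now, max_signature_age_days=7):
    """Join scid-2010 and scid-2011 per device (like the avmodetable query) and
    flag devices whose signature date is older than max_signature_age_days."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    report = {}
    for r in rows:
        entry = report.setdefault(r["DeviceId"], {
            "DeviceName": r["DeviceName"], "OSPlatform": r["OSPlatform"],
            "AVMode": "Unknown", "SignatureStale": None})
        if r["ConfigurationId"] == "scid-2010":
            entry["AVMode"] = av_mode(r.get("Context"))
        elif r["ConfigurationId"] == "scid-2011":
            entry.update(signature_info(r.get("Context")))
            if entry["SignatureDate"]:
                signed = datetime.fromisoformat(entry["SignatureDate"].replace("Z", "+00:00"))
                entry["SignatureStale"] = now - signed > timedelta(days=max_signature_age_days)
    return report
```

Feed it the JSON rows of an advanced hunting export instead of SAMPLE_ROWS to get the same per-device view outside the portal.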
Example: Overview ASR enablement status
Overview of all ASR rules and the enablement status. KQL shows all devices and configured status (Enabled, Audit, Block, off).
Premium features are part of the add-on
As already explained there are premium features as part of the add-on or standalone solution. The Vulnerability Management add-on includes the following features:
- Security baseline assessment
- Block vulnerable applications (included in this post)
- Browser extensions
- Digital certificate assessment
- Network share analysis
If you use Defender for Servers P2, it includes the Defender Vulnerability Management add-on.
One of the new features is the Baseline assessment. With the baseline assessment, it is possible to scan the security baseline (CIS/ STIG) compliance in real-time and continuously monitor the baselines.
A security baseline profile is a customized profile based on the organization for specific settings. Currently, the following baselines are supported:
- CIS: Windows 10, Windows 11, Windows Server 2008 R2 and above
- STIG: Windows 10, Windows Server 2019
- Go to Vulnerability management > Baselines assessment and select the Profiles tab
- Select the Create button and enter a name/ description for the baseline profile
- Select the software, benchmark, and compliance level and configure the additional settings
During the profile creation, the baseline profile needs to be specified. First, select the OS under the Software item, then select a Benchmark profile that applies to the OS version (only applicable baselines are shown).
In the same menu select the Compliance level (Level 1, level 2). Most CIS Benchmarks include multiple configuration profiles. A profile definition describes the configurations assigned to benchmark recommendations.
CIS explanation for Level 1, Level 2
Level 1: The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.
Level 2: The Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
More information: CIS Benchmark FAQ
Select configuration settings
Add Configuration settings (object access, defender antivirus, network sharing, user rights assignment, real-time protection, etc)
Now deploy the profile to all device groups or selected device groups and, optionally, use the device tag filter.
After the profile creation, the Overview page provides an overview of the device compliance, top failing devices, top misconfigured settings, profile compliance, and compliance over time. When opening the created profile under Profiles more in-depth data is visible for each created profile.
Click on Settings for viewing all related settings part of the profiles. Additional filters and device group filters can be used for filtering the results.
More information: Security baselines assessment | Microsoft Docs
Track changes with remediation task
After identifying weaknesses, remediation tasks can be created in the portal for a security recommendation.
There are two options:
- Create remediation
- Create remediation and task in Intune for AAD joined devices (not for all items)
Configure the due date for the remediation, priority, and additional device. When available; the checkbox: Open a ticket in Microsoft Endpoint Manager (for AAD joined devices) can be used.
As a result, the remediation item is visible under Vulnerability management -> Remediation. In this view the device remediation progress is visible.
Tips for MDVM
Based on experience some common tips for starting/ using the MDVM component in Defender for Endpoint:
- Use a good structure of device groups in MDE. When using device groups, specific teams in the organization can focus only on the devices in their scope.
- Download the complete inventory list as CSV (export button) every week or month and review unwanted/ unknown software. Verify and uninstall all unwanted/ unknown software.
- Use Advanced Hunting to get additional data (signature version, platform version, AV mode) for viewing patterns and misconfigured devices.
- Create notifications for high/critical CVSS 7.0+ vulnerabilities with a new public exploit, for all devices.
- Use the End-of-support (EOS)/ end-of-life (EOL) tag for filtering software that is no longer supported.
- Inform teams to check the MDVM data and set up a good process for patching/ remediation.
- Creating new images/ baselines? Always validate them with MDVM for recommended configuration/ remediations.
- Check the devices with the highest exposure score from the device inventory.
Vulnerability Management add-on and block vulnerable applications
Now the common question is; how can we block specific vulnerable versions of Google Chrome and allow only the recent non-vulnerable versions? In this situation, the new feature part of the Vulnerability Management add-on adds value for blocking specific versions based on the discovered inventory data.
Vulnerability Management add-on
Add-ons for Defender for Endpoint? Yes… The core Vulnerability features are included in MDE P2. For additional features, there is the add-on offering for Vulnerability Management. The Defender Vulnerability Management add-on for MDE P2 adds the following features:
- Security baselines assessment
- Block vulnerable applications
- Browser Extensions
- Digital certificate assessment
- Network share analysis
- Hardware and firmware assessment
- Authenticated scan for Windows
Microsoft Defender for Servers Plan 2 includes access to the premium vulnerability management capabilities. The Vulnerability Management add-on is part of Defender for Servers Plan 2, so no additional licensing/ cost is needed when servers are covered by Defender for Servers Plan 2.
Block vulnerable applications
With the use of Defender Vulnerability Management functionality, it is possible to block all known vulnerable versions of the application. Before we use the feature it is important to validate the minimal requirements.
The blocking vulnerable application feature requires the following key components in Defender for Endpoint:
- Defender Antivirus in active mode (EDR block mode and passive mode are not supported)
- Cloud-delivered protection enabled and configured
- The advanced feature “Allow or block file” enabled
Make sure the version of Defender Antivirus is up-to-date with one of the latest supported versions. The TVM blocking capability requires 4.18.1901.x or later; the latest version is always recommended. Tip: validate the version using the PowerShell command Get-MpComputerStatus.
|Important: Defender AV must be enabled and running in active mode. Blocking vulnerable versions is only working when the AV is running in active mode.|
Where to block specific apps?
When blocking apps, it all starts in the security recommendations view for mitigating vulnerabilities. Use the remediation type filter “Software update/ Software upgrade”.
In the above view the recommendation “Update Google Chrome to version 111.0.5563.65” is visible. Open the recommendation and click Request remediation.
In this situation, the vulnerable version 110.0.5481.180 is blocked.
When needed the remediation can be scoped to all device groups or specific groups. The remediation request is important for tracking the remediation process and improvement.
For software updates, the remediation option is “Software update”; configure the remediation due date, priority, and notes.
For supported software, there is the Mitigation action screen. With the mitigation action, it is possible to mitigate the risk and block/ warn all vulnerable versions of the applications from running.
When using the warn/ block action it is possible to inform the users. The message appears when users open the vulnerable version of the application. By default Microsoft adds the information link aka.ms/TvmApplicationBlockSupport; custom URLs can be configured in the notification.
After creating the remediation request, all indicators for the known vulnerable application versions are automatically added to the indicator list as file hashes. For Chrome the title contains “Blocked vulnerable Chrome versions”. Good to know: the indicators are only added for the specific – the description field contains all information, including the related software and version.
For each configured URL the title and description are automatically filled in with application details.
Remediation actions are not visible for all apps
This is correct: the remediation block/warn options are not visible for all apps. When the mitigation option is not visible, the app is currently not supported. The following apps are not supported:
- Microsoft Applications
- Recommendations related to operating systems
- macOS/ Linux apps
- Apps where Microsoft does not have sufficient information or high confidence to block
View all blocked applications
Via the remediation page in Microsoft 365 Defender, it is possible to view all created remediations and blocked applications.
When opening the software page more detailed information is visible; including the number of blocked vulnerabilities, available exploits/ blocked versions and activities.
In the same view, it is possible to unblock the software and remove all affected indicators. It is recommended to keep the indicator list healthy and clean.
Blocked versions contains the versions that are actually blocked:
After creating the remediation it takes up to 30 minutes before the policy is applied to all devices. Defender for Endpoint adds all indicators automatically as file hashes.
When attempting to launch an application that is part of the blocked hashes, the end user sees a notification that this specific application was blocked. When “warn” is configured, the user is able to bypass the block after the warning. The toast notification shows the block explanation; admins are able to add custom messages.
With the use of hunting/ Advanced Hunting, it is possible to view the policy results. Depending on the policy the ActionType is AntivirusDetection with the AdditionalField TVMBlock or TVMWarn.
```kusto
// Launches blocked by a vulnerable application block policy
DeviceEvents
| where ActionType == "AntivirusDetection"
| where AdditionalFields contains "TVMBlock"
```
```kusto
// Launches that triggered a warning (the user may have bypassed it)
DeviceEvents
| where ActionType == "AntivirusDetection"
| where AdditionalFields contains "TVMWarn"
```
Part 5 of the Microsoft Defender for Endpoint series is completed, focused on the explanation of the Defender Vulnerability Management (MDVM) component. Don’t forget to read the official Microsoft Docs; MDVM is a large component.
Searching for specific Defender for Endpoint information? Use the contact submission form and share your post ideas, or contact me using LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.