Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management (MDVM) is available as a standalone product or as an add-on that extends the Threat and Vulnerability Management (TVM) capabilities of Microsoft Defender for Endpoint P2 (included in Microsoft 365 E5 ‘Security’).
This document describes the features of the Microsoft Defender Vulnerability Management add-on (a future Microsoft 365 E7 license? :-))
After onboarding it can take up to 4 hours for the features to become available.
The first visible difference is the Baseline assessment entry in the Vulnerability management section of the Microsoft 365 Defender portal (under Endpoints).
Security baseline assessment
Security baseline assessment is a continuous scan (changes are identified in real time) of device compliance with a security baseline (CIS and/or STIG).
Open the Microsoft 365 Defender portal
- Go to Baseline assessment
- Go to Profiles
- Select Create
- Enter a name and description
- Select the software (Windows version), the base benchmark (CIS or STIG) and the compliance level (e.g. level 1, level 2, etc.)
- Add configuration settings (password policy, account lockout policy, etc.)
- Devices (all device groups or selected device group(s) including tags option)
- Review and submit
After the profile is created, the Overview page shows (1) device compliance, (2) top failing devices, (3) top misconfigured devices, (4) profile compliance and (5) compliance over time.
Block vulnerable applications
Block vulnerable applications (currently in beta) can block an application or warn a user that the application is vulnerable.
Requirements: (1) Microsoft Defender Antivirus, (2) cloud-delivered protection enabled and (3) the ‘Allow or block’ setting turned on in the advanced settings of Microsoft 365 Defender > Endpoints.
Open the Microsoft 365 Defender portal
- Go to Vulnerability management > Recommendations
- Select a security recommendation of the type ‘Update non-Microsoft software’ and select Request remediation.
A remediation request with a remediation action is not available for (1) Microsoft applications, (2) operating systems, (3) apps for macOS or Linux and (4) recommendations for which not enough information is available.
- Device scope (all device groups or selected device groups)
- Remediation request (software update (recommended), software uninstall, remediation due date, etc.)
- Remediation action (None, Warn or Block)
- Review and finish
An overview of remediation activities and blocked applications is available via Vulnerability management > Remediation.
It is also possible to unblock applications from this page.
Browser extensions
Browser extensions are small applications installed in a web browser. This feature provides insight into all installed browsers (e.g. Microsoft Edge, Google Chrome, etc.) and their installed extensions, including the associated risk.
Open the Microsoft 365 Defender portal
- Go to Vulnerability management > Software inventory
- Select Browser extensions
The browser extensions dashboard provides an overview of (1) extension details, (2) permissions, (3) installed devices and (4) extension versions.
Digital certificate assessment
Digital certificate assessment is a certificate inventory and assessment feature that provides insight into certificate issues such as expiration, misconfiguration, etc.
Open the Microsoft 365 Defender portal
- Go to Vulnerability management > Software inventory
- Select Certificates
The certificate dashboard provides an overview of all certificate vulnerabilities including (1) certificate details, (2) issuing details and (3) installed devices.
Network share analysis
Network share analysis is a configuration assessment of network share vulnerabilities.
Open the Microsoft 365 Defender portal
- Go to Vulnerability management > Recommendations
- Select Filters and choose Related component > OS > Shares
The security recommendations dashboard provides an overview of vulnerable network shares with the following recommendations:
- Disallow offline access to shares
- Remove share write permissions set to ‘Everyone’
- Remove shares from the root folder
Each security recommendation provides (1) remediation options, (2) exposed devices and (3) exposed shares.
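The three share recommendations above can be verified locally on a device, for example before a remediation request is submitted or to confirm that a remediation worked. The following PowerShell script is an added example and not part of the post or of the MDVM product; it assumes the SmbShare module (Windows 8 / Server 2012 and later), an elevated session and the English account name ‘Everyone’.

```powershell
# Added example (not from the original post or MDVM): audit local SMB shares for the three
# misconfigurations MDVM reports: offline access, write access for Everyone, root-folder shares.
# Assumes the SmbShare module and an elevated session.

function Get-ShareFindings {
    $findings = @()
    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special; audit user-created shares only
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        # 1. Offline access: any CachingMode other than 'None' lets clients cache share content
        if ($share.CachingMode -ne 'None') {
            $findings += [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Finding = "Offline access allowed (CachingMode=$($share.CachingMode))"
                Fix     = "Set-SmbShare -Name '$($share.Name)' -CachingMode None -Force"
            }
        }
        # 2. Write permission for Everyone: an Allow entry for 'Everyone' with Change or Full.
        #    Assumes the English account name; adjust on localized systems.
        $everyoneWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full')
        }
        if ($everyoneWrite) {
            $findings += [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Finding = "Everyone has $($everyoneWrite.AccessRight) access"
                Fix     = "Revoke-SmbShareAccess -Name '$($share.Name)' -AccountName Everyone -Force"
            }
        }
        # 3. Share rooted at a volume root (e.g. 'D:\') exposes the whole drive
        if ($share.Path -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Finding = 'Share is located at the root of the volume'
                Fix     = 'Move the shared content into a subfolder and re-create the share'
            }
        }
    }
    return $findings
}

Get-ShareFindings | Format-Table -AutoSize
```

The Fix column only lists the corresponding cmdlet; run it deliberately per share rather than piping all findings into it, since removing Everyone or disabling caching can break legitimate workflows that depend on the share.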