
Microsoft Defender Vulnerability Management

Risk-based vulnerability assessment, software inventory, and remediation tracking

What is Defender Vulnerability Management?

Continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to prioritize and address critical vulnerabilities across your organization.

Core Capabilities

Vulnerability Management Labs

Assess vulnerabilities by exploitability and business impact, create remediation tasks, evaluate security baselines, and build vulnerability dashboards.

DVM Scripts

Ready-to-run PowerShell scripts for lab simulations.

  • Invoke-DVMBaselineAssessment.ps1 (Level: Intermediate): 5-phase baseline assessment: API, vulns, CIS/Microsoft baselines, exposure. Parameters: -Action [Assess|Report|ExportCSV]
  • Invoke-DVMExposureHunting.ps1 (Level: Advanced): KQL queries for exposed services, browser extensions, exposure trends. Parameters: -Scope [InternetFacing|BrowserExtensions|Full]


Vulnerability Management FAQ

How does DVM differ from traditional vulnerability scanners?

DVM takes a fundamentally different approach from traditional scanners like Nessus, Qualys, or Rapid7:

  • No scanning infrastructure: DVM uses the existing MDE sensor on endpoints. No dedicated scanning servers, network scan windows, or agent deployments needed.
  • Continuous assessment: Traditional scanners run periodic scans (weekly/monthly). DVM continuously monitors software inventory and matches against vulnerability databases in real time.
  • Threat-informed prioritisation: Instead of relying solely on CVSS scores, DVM factors in exploit availability, active threat campaigns, internet exposure, and business criticality. Only ~5% of CVEs are ever exploited; DVM helps you focus on those.
  • Built-in remediation: Create remediation tasks directly from vulnerability findings, assign them to IT teams with deadlines, and track progress, all within the same portal.
  • Security baselines: Assess device configurations against CIS and Microsoft benchmarks, identifying misconfiguration risks alongside software vulnerabilities.

Result: traditional scanners might report 15,000 CVEs ranked by CVSS. DVM identifies the 200 that attackers are actually exploiting and are on internet-facing assets.

[Image: DVM dashboard]

What are security baselines and how are they assessed?

Security baselines are configuration standards that define the minimum security settings for your endpoints. DVM continuously assesses devices against these benchmarks:

  • CIS Benchmarks: Center for Internet Security Level 1 and Level 2 benchmarks for Windows 10/11 and Windows Server. Covers account policies, audit settings, security options, service configurations, and network settings.
  • Microsoft Security Baselines: Microsoft's recommended security configuration for Windows, Office, Edge, and server roles. Updated with each OS release.
  • Custom baselines: Create organisation-specific baselines by selecting checks from CIS and Microsoft benchmarks, adding custom requirements, and excluding checks not applicable to your environment.
  • Assessment results: Each device shows compliant/non-compliant status per check, with the current value vs. the recommended value. Results are aggregated into a compliance percentage.

Misconfigurations cause a significant percentage of breaches. Security baselines catch things vulnerability scanners miss: disabled firewalls, weak password policies, missing encryption, and legacy protocol enablement.

[Image: Security baselines]

Does DVM assess browser extensions?

Yes. DVM provides browser extension inventory and risk assessment across your endpoint fleet:

  • Discovery: Inventories all browser extensions installed on onboarded devices across Chrome, Edge, and Firefox
  • Permission analysis: Flags extensions with high-risk permissions (read/modify all website data, access browsing history, manage downloads, intercept network requests)
  • Publisher verification: Identifies extensions from unverified or unknown publishers
  • Deployment scope: Shows how many devices have each extension, helping prioritise remediation for widely deployed risky extensions
  • Policy recommendations: Recommends blocking specific extensions via Intune browser extension management policies

Browser extensions are an often-overlooked attack vector. A single malicious extension can read all web traffic, steal credentials from banking sites, and exfiltrate browsing data, all while appearing as a legitimate productivity tool.
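As an added example (not one of the site's DVM scripts), the PowerShell below runs two advanced hunting queries through the Defender for Endpoint advanced hunting API: the threat-informed cut described in the first FAQ answer (exploitable High/Critical CVEs on internet-facing devices) and the browser extension view from the answer above (High/Critical extensions with their risky permissions, ranked by deployment scope). It assumes you already hold a bearer token with the AdvancedQuery.Read permission; the function and variable names are hypothetical.

```powershell
# Added example, not one of the site's scripts. Assumes a bearer token with
# AdvancedQuery.Read permission is already in hand (token acquisition omitted).
function Invoke-DVMHuntingQuery {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Query
    )
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $body = @{ Query = $Query } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run'
    return $resp.Results   # the API also returns Schema; only the rows are needed
}
# Query 1: threat-informed prioritisation. Keep only High/Critical CVEs with a
# known exploit on devices whose latest DeviceInfo record is internet-facing.
$ExploitableInternetFacing = @'
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("High", "Critical")
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, IsInternetFacing) by DeviceId
    | where IsInternetFacing == true
    | project DeviceId
  ) on DeviceId
| summarize Devices = dcount(DeviceId), Software = make_set(SoftwareName, 5)
    by CveId, CvssScore, VulnerabilitySeverityLevel, PublishedDate
| order by CvssScore desc, Devices desc
'@
# Query 2: High/Critical browser extensions joined to the permission knowledge
# base, ranked by device count (the deployment-scope signal for prioritising).
$RiskyExtensions = @'
DeviceTvmBrowserExtensions
| where ExtensionRisk in ("High", "Critical")
| join kind=inner (
    DeviceTvmBrowserExtensionsKB
    | where PermissionRisk in ("High", "Critical")
    | summarize RiskyPermissions = make_set(PermissionName) by ExtensionId
  ) on ExtensionId
| extend RiskyPermissions = tostring(RiskyPermissions)
| summarize Devices = dcount(DeviceId), Browsers = make_set(BrowserName)
    by ExtensionId, ExtensionName, ExtensionVendor, ExtensionRisk, RiskyPermissions
| order by Devices desc
'@
# Example call: Invoke-DVMHuntingQuery -Token $token -Query $RiskyExtensions | Format-Table
```

Pipe either result set to Export-Csv to attach it to a remediation request or an Intune extension-blocking policy review.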

[Image: Browser extension assessment]

What is the exposure score?

The exposure score is a dynamic metric that represents your organisation's overall vulnerability to exploitation:

  • Range: 0–100, where lower is better. The score decreases as you remediate exposures.
  • Factors: Calculated from the number of vulnerable devices, severity of vulnerabilities, exploit availability, internet exposure of affected devices, and asset criticality (domain controllers score higher than workstations)
  • Trend tracking: Monitor your exposure score over time to measure the effectiveness of your vulnerability management program. Track the impact of patch cycles and configuration changes.
  • Benchmarking: Compare your score against industry averages and Microsoft's recommended targets
  • Goal: Most organisations target a sustained reduction of 5–10 points per quarter through systematic remediation

Use the exposure score as a KPI for executive reporting: it translates complex vulnerability data into a single trend line that demonstrates security improvement over time.

[Image: Exposure score]

How does remediation tracking work?

DVM provides a built-in remediation workflow that bridges the gap between security findings and IT remediation:

  1. Create activity: From any vulnerability recommendation, click "Request remediation" to create a remediation task
  2. Assign: Assign the task to an IT team or individual with a target completion date
  3. Track: Monitor remediation progress on the Remediation page: pending, in progress, completed
  4. Verify: DVM automatically detects when the vulnerability is patched and marks the remediation as completed
  5. Report: Generate reports showing remediation SLA compliance, average time to patch, and team performance

DVM also integrates with Microsoft Intune to push software update deployments directly from vulnerability recommendations, and with ServiceNow for organisations that use ITSM ticketing.

This closed-loop workflow ensures vulnerabilities don't just get reported; they get fixed, tracked, and verified.

[Image: Remediation activities]

What licensing is required for DVM?

DVM is available in two tiers:

  • Core capabilities (included with MDE P2): Software inventory, vulnerability assessment, security recommendations, remediation tracking, and exposure score. These are available to all MDE P2 customers at no additional cost.
  • DVM Add-on ($2/device/month): Premium capabilities including security baseline assessments (CIS, Microsoft baselines), browser extension assessment, digital certificate inventory, network share analysis, and blocking of vulnerable applications.

For most organisations, the core capabilities included with MDE P2 provide substantial value. The add-on is recommended for environments with regulatory baseline requirements (PCI-DSS, HIPAA) or large browser extension estates.

[Image: DVM capabilities]
