Microsoft Defender Vulnerability Management frequently asked questions

Note

The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. With this change, you can now consume and manage security exposure data and vulnerability data in a unified location, to enhance your existing Vulnerability Management features. Learn more.

These changes are relevant for Preview customers (Microsoft Defender XDR + Microsoft Defender for Identity preview option).

Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulnerability Management. The questions are grouped into the following sections:

Defender Vulnerability Management licensing FAQs

What license does the user need to benefit from Defender Vulnerability Management capabilities?

Microsoft Defender Vulnerability Management is available via two services:

  1. Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see Defender Vulnerability Management Add-on.

  2. Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. This is recommended for new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers. To sign up for the free 90-day trial, see Defender Vulnerability Management Standalone.

Do I need to assign Defender Vulnerability Management licenses to users in my organization as instructed in the admin center?

Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial.

Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2?

Customers with Defender for Endpoint Plan 2 have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (it isn't included in Defender for Endpoint Plan 2) and is available as an add-on.

Defender Vulnerability Management trial FAQs

How do customers sign up for a trial?

We recommend working with a Microsoft reseller. If you're not already working with a reseller, see Microsoft Security partners.

For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 90-day trial. For more information, see Defender Vulnerability Management Add-on.

For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers, see Defender Vulnerability Management Standalone to sign up for the free 90-day trial.

Note

Customers need to have the Global Administrator role assigned in Microsoft Entra ID to onboard the trial.

How is the service provisioned/deployed?

Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization once a customer is onboarded to the free-trial experience.

If a customer is in public preview, what happens to their premium capabilities if they don't sign up for a free trial?

The new capabilities are available only to customers who onboard a trial. Customers who aren't onboarded lose access to these capabilities. Blocked applications are immediately unblocked. Security baseline profiles may be stored for a short period before being deleted.

How long does the trial last and what happens at the end of my trial?

  • The Defender Vulnerability Management add-on trial lasts for 90 days.
  • The Defender Vulnerability Management Standalone trial lasts for 90 days.

After your trial ends, you have a 30-day grace period during which the trial remains active before the license becomes suspended. When the trial is suspended, you retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.

After 180 days, your license will be deactivated and your profiles will be deleted.

You can request one extension of your current trial for 30 days within the last 15 days of the trial period. For any questions, please contact your field seller.

Block vulnerable applications FAQs

I want to block a vulnerable application, but it isn't showing up as available to block. Why?

Examples of recommendations where you might not see a mitigation action (such as block) include:

  • Recommendations related to applications where Microsoft doesn't have sufficient information to block
  • Recommendations related to Microsoft applications
  • Recommendations related to operating systems
  • Recommendations related to apps for macOS and Linux

It's also possible that your organization reached the maximum indicator capacity of 15,000. If so, you need to free up space by deleting old indicators. To learn more, see Manage indicators.

Does blocking vulnerable apps work on all devices?

This feature is supported on Windows devices (version 1809 or later) with the latest Windows updates installed. Each device must run antimalware client version 4.18.1901.x or later and engine version 1.1.16200.x or later.
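The following PowerShell script is an added example, not code from the Microsoft Learn page, that checks a device against the three prerequisites stated above before you rely on a block action. The minimum versions come from the FAQ; the mapping of Windows 10 version 1809 to OS build 17763 is not on the page and is stated here as an assumption. Get-MpComputerStatus is the built-in Defender Antivirus cmdlet and reports the client and engine versions the FAQ refers to.

```powershell
# Added example: verify the stated prerequisites for blocking vulnerable applications.
# Minimum values are taken from the FAQ text; the 1809 -> build 17763 mapping is an assumption.
function Test-BlockVulnerableAppPrereqs {
    $minBuild  = 17763                     # Windows 10 version 1809 (assumed build number)
    $minClient = [version]'4.18.1901.0'    # antimalware client 4.18.1901.x or later
    $minEngine = [version]'1.1.16200.0'    # engine 1.1.16200.x or later

    # BuildNumber from CIM is reliable regardless of PowerShell host manifest settings.
    $osBuild = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $status  = Get-MpComputerStatus        # Defender Antivirus status, including version strings

    $client = [version]$status.AMProductVersion
    $engine = [version]$status.AMEngineVersion

    # One row per requirement so the output can be filtered or exported across a fleet.
    $results = @(
        [pscustomobject]@{ Requirement = 'Windows 1809 or later (build >= 17763)'; Actual = $osBuild; Minimum = $minBuild;  Passed = ($osBuild -ge $minBuild) }
        [pscustomobject]@{ Requirement = 'Antimalware client 4.18.1901.x or later'; Actual = $client;  Minimum = $minClient; Passed = ($client -ge $minClient) }
        [pscustomobject]@{ Requirement = 'Engine 1.1.16200.x or later';             Actual = $engine;  Minimum = $minEngine; Passed = ($engine -ge $minEngine) }
    )

    # Surface the overall verdict as a single boolean on the pipeline for scripting.
    $results | Format-Table -AutoSize | Out-Host
    return -not ($results | Where-Object { -not $_.Passed })
}

# Usage: returns $true only when every prerequisite is met on this device.
Test-BlockVulnerableAppPrereqs
```

Run it in an elevated session on the device in question; a $false result tells you which requirement (OS build, client version or engine version) explains why a block action is unavailable or ineffective on that device, which is a quicker diagnosis than waiting for the portal to report it.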

Security baselines FAQs

What is the full list of baseline benchmarks I can use as part of security baselines assessment?

There's currently support for:

  • Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and later.
  • Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.

Upcoming support:

  • Microsoft benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and later will be available in an upcoming release.

What operating systems can I measure using security baseline assessments?

Currently Windows is supported, but coverage will be expanded to more operating systems like Mac and Linux.

Defender Vulnerability Management general FAQs

Where can I find the full list of capabilities across different plans?

For details on the full list of capabilities across Microsoft Defender Vulnerability Management and Defender for Endpoint, see Defender Vulnerability Management Capabilities.

What happens to CVEs that are marked as "won't fix"?

Defender Vulnerability Management currently filters out CVEs marked as "Won't Fix", particularly on Linux platforms, from vulnerability recommendations and security score calculations. This design choice was implemented to reduce noise from non-actionable issues and improve signal-to-noise ratio for security teams.

Certain Linux distributions, such as RHEL, include large numbers of CVEs labeled as "Won't Fix" due to platform-specific or architectural decisions. These CVEs were previously displayed in the Microsoft Defender portal, but they caused confusion and inflated the recommendations list and exposure score. As a result, these were intentionally removed following internal review and Data Subject Rights (DSR) requests.

Here's what to expect:

  • "Won't Fix" CVEs are not shown in the Microsoft Defender portal.
  • These CVEs are excluded from vulnerability recommendations and scoring.
  • There is no current workaround to view them in the product experience.

Can customers buy only one capability?

Microsoft Defender Vulnerability Management is available as a single vulnerability management solution made up of multiple premium capabilities; the capabilities aren't sold individually.

Can I turn on Defender Vulnerability Management capabilities on a subset of devices in my organization?

Capabilities like blocking vulnerable applications, browser extension, certificate inventory, and network share assessment can't be selectively turned on for a subset of devices in a given tenant.

Windows authenticated scan deprecation FAQs

Why is this feature deprecated?

The Windows authenticated scan deprecation allows our teams to allocate resources to other product innovations. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance with this change.

When is the official deprecation date?

Windows authenticated scan is deprecated from December 18, 2025. After this date, the capability is no longer supported or available to customers.

What happens to my data after the product is deprecated?

All user data is handled according to our Data storage and privacy.

Will the product be replaced?

There is no direct replacement for the Windows authenticated scan at this time. However, we are continuously evaluating our offerings and exploring opportunities for future development. We appreciate your understanding. Stay tuned for updates on new features and capabilities.

Is support still available?

Support is no longer available for Windows authenticated scan after the deprecation date. We recommend exploring alternative solutions to meet your vulnerability management needs.

How can I provide feedback about this change?

You can send your feedback through the relevant channels. We value your input and your feedback helps us improve our future products.