Defender Vulnerability Management

How Defender for Endpoint's vulnerability management surfaces CVEs, misconfigurations, and prioritises remediation.

Microsoft Defender Vulnerability Management (DVM) is the part of Defender for Endpoint that discovers software vulnerabilities, misconfigurations, and weaknesses across managed endpoints, and prioritises remediation by exposure to real-world threats. It exists in two flavours: capabilities included with Defender for Endpoint Plan 2, and a more advanced Defender Vulnerability Management add-on with extra features.

What's discovered

DVM continuously inventories every onboarded endpoint and reports:

  • Software inventory — every installed application and its version.
  • Known vulnerabilities (CVEs) — matched against current threat intelligence.
  • Misconfigurations — security weaknesses (insecure protocols enabled, weak Windows settings, missing security controls).
  • Certificate inventory and weaknesses — expired certs, weak cryptography.
  • Browser extension inventory — extensions installed across the fleet, with risk ratings.
  • Firmware vulnerabilities for supported hardware.

The discovery happens without separate scanning — it uses Defender for Endpoint's agent telemetry, so no additional scanning infrastructure is needed.

Prioritisation

The most important DVM capability isn't discovery — most enterprise environments have thousands of CVEs at any moment — but prioritisation. DVM scores each finding by:

  • Exploit availability — is there a known public exploit?
  • Active exploitation — is the vulnerability being actively exploited in the wild?
  • Threat intelligence — is it targeted by APT groups, ransomware, malware families?
  • Asset exposure — is the affected device internet-facing or behind defences?
  • Asset criticality — is the device a high-value target (executive, admin, sensitive role)?

The result is an Exposure Score at the tenant level and per-device, plus a prioritised remediation list. Instead of "patch everything," you get "these 12 things explain 80% of your risk."
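As an added illustration (not Microsoft's code, and not DVM's real scoring model, whose weights are not given on this page), the following Python models the prioritisation described above over constructed findings: each CVE-on-device is scaled by assumed multipliers for the five factors, exposure is aggregated per device and per tenant, and the remediation plan is ranked by fix rather than by CVE, which is how a short list of updates can cover most of the risk.

```python
from collections import defaultdict

# Assumed multipliers for the five factors listed above; illustrative only, not DVM's weighting.
WEIGHTS = {"exploit": 1.5, "active": 2.0, "threat_intel": 1.5, "exposed": 1.5, "critical": 2.0}

def finding(device, cve, cvss, fix, **flags):
    """One CVE observed on one device, plus the update that remediates it (constructed data)."""
    f = {"device": device, "cve": cve, "cvss": cvss, "fix": fix}
    f.update({k: flags.get(k, False) for k in WEIGHTS})
    return f

# Constructed sample inventory: two internet-facing web servers, an admin workstation, a dev box.
FINDINGS = [
    finding("web-01", "CVE-A", 9.8, "update-openssl", exploit=True, active=True, threat_intel=True, exposed=True),
    finding("web-01", "CVE-B", 7.5, "update-openssl", exploit=True, exposed=True),
    finding("web-02", "CVE-A", 9.8, "update-openssl", exploit=True, active=True, threat_intel=True, exposed=True),
    finding("adm-01", "CVE-C", 8.8, "update-browser", exploit=True, critical=True),
    finding("adm-01", "CVE-D", 5.3, "update-pdf-reader", critical=True),
    finding("dev-07", "CVE-E", 9.1, "update-java"),  # highest CVSS on the box, but no exploit and not exposed
    finding("dev-07", "CVE-F", 4.3, "update-java"),
]

def finding_score(f):
    """Base severity (CVSS) multiplied by every factor that applies to this finding."""
    score = f["cvss"]
    for factor, weight in WEIGHTS.items():
        if f[factor]:
            score *= weight
    return score

def exposure_by_device(findings):
    per_device = defaultdict(float)
    for f in findings:
        per_device[f["device"]] += finding_score(f)
    return dict(per_device)

def tenant_exposure(findings):
    return sum(finding_score(f) for f in findings)

def remediation_plan(findings, target=0.8):
    """Rank fixes by the risk they remove; return the shortest prefix covering `target` of total risk."""
    by_fix = defaultdict(float)
    for f in findings:
        by_fix[f["fix"]] += finding_score(f)
    ranked = sorted(by_fix.items(), key=lambda kv: kv[1], reverse=True)
    total, covered, plan = sum(by_fix.values()), 0.0, []
    for fix, risk in ranked:
        plan.append(fix)
        covered += risk
        if covered >= target * total:
            break
    return plan, covered / total

if __name__ == "__main__":
    plan, share = remediation_plan(FINDINGS)
    print(f"{len(plan)} of {len({f['fix'] for f in FINDINGS})} fixes cover {share:.0%} of tenant risk: {plan}")
```

Note that dev-07 carries the highest raw CVSS score in the sample yet ranks lowest by exposure, which is the "patch the right things first" ordering the page describes.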

Integration with the rest of Microsoft 365

  • Defender XDR surfaces vulnerability data alongside threat detections.
  • Intune receives remediation requests as configuration profiles or app updates.
  • ServiceNow / Jira / Azure DevOps connectors push findings as tickets.
  • Power Automate triggers on findings for custom workflows.

For organisations using Intune, DVM-to-Intune remediation is the fastest path: identify the bad version, push the good version via Intune, done.

Advanced DVM add-on

The standalone Defender Vulnerability Management add-on extends Plan 2 with:

  • Authenticated scanning for unmanaged Windows / Linux servers.
  • Network device assessment for routers, switches, firewalls via SNMP-based scanning.
  • Browser extension assessment with security ratings.
  • Deeper digital certificate assessment and reporting.
  • Hardware and firmware assessment.
  • Blocking of vulnerable applications through integration with Intune App Control.

The add-on is most valuable for organisations with significant non-Windows or network infrastructure where Defender for Endpoint alone doesn't reach.

Operational model

A typical DVM-driven patching cadence:

  1. Weekly review of Exposure Score and new high-priority findings.
  2. Per-finding remediation — ticket to the responsible team via the integration of choice.
  3. Track remediation in DVM dashboards — close out as devices comply.
  4. Quarterly review of long-tail findings that haven't been remediated.

The shift from "we patched everything" to "we patched the right things first" is the main operational change.