This chapter covers Microsoft Defender Vulnerability Management (MDVM), a key component of the Microsoft Defender for Endpoint (MDE) suite. MDVM matters for the SC-900 exam because it sits squarely in Domain 3 (capabilities of Microsoft security solutions), where questions test its capabilities, its integration with Microsoft Defender for Endpoint, and how it differs from traditional vulnerability scanning. By the end of this chapter, you will be able to explain the core features, the risk-based prioritization model, and the remediation workflow.
Imagine a large hospital with thousands of patients (devices). Each patient has a medical record (software inventory) listing all their organs (applications), known allergies (vulnerabilities), and past treatments (patches). The hospital runs a daily automated health screening (vulnerability scanning) that measures vital signs (OS version, installed software, open ports) and compares them against a global database of known diseases (CVE database). The screening doesn't just check for one disease—it checks for tens of thousands, and it also looks for lifestyle risks (misconfigurations, weak passwords). After the screening, the system generates a personalized health report (vulnerability assessment) with a severity score (CVSS score) for each issue. The report prioritizes treatments: a heart condition (critical vulnerability) gets immediate attention, while a minor vitamin deficiency (low-severity issue) is scheduled for the next checkup. The hospital also has a pharmacy (Microsoft Update Catalog) that automatically dispenses the correct medication (security patch) for each diagnosis. The key is that the system doesn't just identify problems—it also provides a treatment plan (remediation steps) and tracks whether the patient actually took the medicine (patch compliance). This is exactly how Microsoft Defender Vulnerability Management works: it continuously discovers, assesses, prioritizes, and remediates vulnerabilities across all connected devices, using a risk-based approach that goes beyond simple patch management.
What is Microsoft Defender Vulnerability Management?
Microsoft Defender Vulnerability Management (MDVM) is a built-in, proactive (pre-breach) vulnerability management capability within Microsoft Defender for Endpoint (MDE). It continuously identifies, assesses, prioritizes, and helps remediate vulnerabilities and misconfigurations on endpoints (Windows, macOS, Linux, Android, iOS) and on onboarded cloud workloads (Azure VMs, and AWS or GCP instances protected through the Defender for Servers plan of Microsoft Defender for Cloud). Unlike traditional vulnerability scanners that run periodic scans, MDVM works from the continuous telemetry of the same sensor that powers MDE's endpoint detection and response (EDR), so there is no separate scan window.
Why MDVM Exists
Traditional vulnerability management relies on scheduled scans that can miss transient vulnerabilities or fail to account for the dynamic nature of modern IT environments. MDVM solves this by leveraging the agent already deployed for MDE (the Microsoft Defender for Endpoint sensor) to continuously monitor the device's software inventory, configuration state, and threat intelligence feed. This allows for:
Real-time vulnerability discovery without separate scanning windows
Integration with threat analytics to prioritize vulnerabilities actively exploited in the wild
Automated remediation through Microsoft Intune or third-party patch management tools
A unified view of vulnerabilities across on-premises and cloud workloads
How It Works Internally
The MDVM process can be broken down into four phases: discovery, assessment, prioritization, and remediation.
#### Discovery
The MDE sensor collects a comprehensive list of installed software, operating system versions, open ports, and security configurations (e.g., firewall rules, registry keys) from each device. This data is sent to the Microsoft cloud backend, where it is matched against Microsoft's continuously updated vulnerability knowledge base of CVEs (Common Vulnerabilities and Exposures) and the updates (KB articles) that fix them. The comparison surfaces:
Operating system vulnerabilities (e.g., missing Windows security updates)
Application vulnerabilities (e.g., outdated Adobe Reader, Java, browsers)
Configuration weaknesses (e.g., weak cipher suites, SMBv1 enabled)
Network exposure (e.g., open RDP ports)
The sensor reports changes in near real-time rather than on a schedule (in practice within minutes of a change) and refreshes the full inventory on a daily cadence. Microsoft does not publish a guaranteed interval, so treat these figures as approximate rather than contractual.
#### Assessment
Each discovered vulnerability carries its Common Vulnerability Scoring System (CVSS) v3.1 base score, which always ranges from 0.0 to 10.0. MDVM does not stop at the base score: for prioritization it combines CVSS with additional risk signals (this chapter refers to the combined result as the Threat Score):
Exploit maturity (is there a public exploit available? has it been used in the wild?)
Threat intelligence (is the vulnerability being actively exploited by ransomware groups?)
Device risk level (is the device exposed to the internet? has it been compromised before?)
Business criticality (is the device a domain controller, SQL server, or executive workstation?)
#### Prioritization
MDVM uses a risk-based prioritization model. Instead of simply listing vulnerabilities by CVSS score, it generates a Security Recommendation for each vulnerability with a priority level (Critical, High, Medium, Low). The priority is determined by:
The Threat Score (0-100)
The number of devices affected
Whether the vulnerability is part of an active attack chain
The availability of a patch or mitigation
The exam focuses on understanding that MDVM prioritizes based on risk, not just severity. For example, a CVSS 9.0 vulnerability with no known exploit and limited exposure might be prioritized lower than a CVSS 7.5 vulnerability that is actively being exploited in ransomware campaigns.
#### Remediation
MDVM provides three remediation paths:
- Manual remediation: The security team receives a list of recommended actions (e.g., "Update Windows to KB5021234") and deploys the patch via Intune, Configuration Manager, or third-party tools.
- Automated remediation: Using the Microsoft Intune integration, MDVM can create a remediation request that Intune turns into a deployment to the affected devices. The admin approves or schedules the deployment, and MDVM tracks its status.
- Blocking capabilities: For vulnerabilities that cannot be patched immediately, the recommendation can point to a mitigation rather than a fix: an attack surface reduction (ASR) rule or network protection from Microsoft Defender for Endpoint that blocks the exploitation technique, or (with the MDVM add-on) blocking the vulnerable application version outright. These mitigations reduce exploitability but are not a substitute for the patch; the vulnerability stays listed until the software is actually updated.
Key Components, Values, and Defaults
Vulnerability Management dashboard: Accessible from the Microsoft 365 Defender portal (security.microsoft.com, now branded the Microsoft Defender portal) under "Vulnerability management."
Security recommendations: A prioritized list of actions to reduce the attack surface. Each recommendation includes the affected device count, exposure level, threat score, and remediation steps.
Software inventory: A complete list of all software installed across the organization, with version numbers and vulnerability counts.
Weaknesses: A list of all known vulnerabilities (CVEs) detected, with details on affected devices and exploit maturity.
Exposure score: A metric (0-100) that represents the organization's overall exposure to vulnerabilities. Lower is better.
Configuration score: A metric (0-100) that represents the organization's security posture based on configuration best practices. Higher is better.
Default scan frequency: Continuous for changes; full inventory every 24 hours.
Retention period: Security recommendations and inventory data are retained for 180 days.
Configuration and Verification Commands
While MDVM is largely a cloud service, you can verify that the sensor feeding it is healthy on a Windows device with PowerShell (run from an elevated session):

```powershell
# Check that the MDE sensor service (Sense) exists and is running
Get-Service -Name Sense

# Confirm the device is onboarded: OnboardingState = 1 means onboarded
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' |
    Select-Object OnboardingState

# Sensor version is the file version of MsSense.exe (Get-MpComputerStatus reports
# Defender Antivirus versions, not the sensor)
(Get-Item "$env:ProgramFiles\Windows Defender Advanced Threat Protection\MsSense.exe").VersionInfo.ProductVersion

# Defender Antivirus platform and engine versions (the "block vulnerable applications"
# mitigation relies on Defender Antivirus being current)
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion
```

There is no local cmdlet that forces an inventory upload: Start-MpScan runs a Defender Antivirus scan, not a vulnerability inventory, and the sensor sends inventory on its own cadence. In the Microsoft 365 Defender portal, verify MDVM activity by opening Assets > Devices, checking the device's last device update timestamp, and reviewing its Software inventory and Security recommendations tabs.
Integration with Related Technologies
MDVM integrates tightly with:
- Microsoft Defender for Endpoint (MDE): MDVM is a component of MDE; the sensor is the same.
- Microsoft Intune: For automated patch deployment and configuration remediation.
- Microsoft Defender for Cloud: Extends vulnerability assessment to Azure, AWS, and GCP VMs.
- Microsoft 365 Defender (now Microsoft Defender XDR): Provides a unified view of threats and vulnerabilities across identities, endpoints, and cloud apps.
- Threat analytics: Feeds exploit availability and active-threat data into the prioritization engine.
The exam expects you to know that MDVM is not a standalone product by default: its core capabilities are included with Microsoft Defender for Endpoint Plan 2 (Plan 1 does not include vulnerability management). A Defender Vulnerability Management add-on extends Plan 2 with premium capabilities such as blocking vulnerable applications and security baselines assessment, and a standalone Defender Vulnerability Management license exists for organizations that want vulnerability management without full EDR capabilities.
Exam-Relevant Details
MDVM uses the same sensor as MDE — no additional agent required.
It supports Windows, macOS, Linux, Android, and iOS (mobile coverage is narrower: OS and app vulnerability assessment, without the configuration assessment available on desktop platforms).
Vulnerability discovery is continuous, not scheduled.
Prioritization uses a risk-based model combining CVSS, exploit maturity, and threat intelligence.
MDVM can block exploitation via ASR rules and network protection even before a patch is applied.
The exposure score and configuration score are key metrics for tracking security posture over time.
MDVM is part of the Microsoft 365 Defender portal, not a separate console.
Onboarding Devices to MDVM
Devices must be onboarded to Microsoft Defender for Endpoint (MDE) first. This involves deploying the MDE sensor (Sense) via Group Policy, Intune, Configuration Manager, or a local script. Once the sensor is installed and communicating with the cloud, MDVM automatically starts collecting software inventory and configuration data; no additional configuration is needed. The sensor sends an initial full inventory shortly after onboarding (typically within a couple of hours), then continuous updates for changes and a daily full inventory. You can verify onboarding in the Microsoft 365 Defender portal under Assets > Devices, where a newly onboarded device should appear with a recent last device update timestamp.
Continuous Discovery and Inventory
The MDE sensor monitors the device for software installations, updates, uninstalls, and configuration changes. On Windows it draws on the Windows Update API, registry scanning, and file system monitoring to detect changes; on Linux it reads the dpkg/rpm package databases; on macOS it uses the Launch Services database. The sensor sends delta changes within minutes of a change and a full inventory once daily. The inventory includes application names, versions, publishers, and installation paths. This data is stored in the Microsoft cloud and correlated with the CVE database.
Vulnerability Assessment and Scoring
For each detected software version, the cloud service looks up known CVEs in Microsoft's vulnerability knowledge base, which is updated continuously from the Microsoft Security Response Center (MSRC) and third-party feeds. Each CVE carries its CVSS v3.1 base score. MDVM then derives the risk used for prioritization (the Threat Score in this chapter's terminology, a 0-100 value) by folding in exploit maturity (None, Proof of Concept, Functional, Weaponized) and threat intelligence (e.g., is it used by ransomware?). The organization-level Exposure Score (0-100) is a separate, weighted measure of how exposed the device estate is to vulnerabilities. It is not a simple percentage of devices with a critical vulnerability: a few exploited, high-impact weaknesses on exposed devices move it more than many low-severity findings.
Risk-Based Prioritization
MDVM generates Security Recommendations ranked by priority (Critical, High, Medium, Low). The priority is determined by a combination of Threat Score, number of affected devices, device exposure (e.g., internet-facing), and business criticality (e.g., domain controller). For example, a vulnerability with a Weaponized exploit affecting 100 domain controllers gets Critical priority, while a Proof of Concept exploit affecting 2 non-critical workstations gets Low. The exam tests that you understand this is risk-based, not just CVSS-based.
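The prioritization model described in this section and in the Prioritization phase above, as an added example. This is illustrative code written for this chapter, not Microsoft's implementation: Microsoft does not publish its scoring formula, so the point weights, the priority thresholds and the blast-radius adjustment are assumptions. It scores four constructed findings: the two exam-style cases (a CVSS 9.0 with no exploit versus a CVSS 7.5 under active exploitation) and the two from this section (a weaponized exploit on 100 domain controllers, a proof-of-concept on two workstations).

```python
# Added example: an illustrative risk-based prioritization model in the spirit of
# MDVM's Security Recommendations. Weights, thresholds and the blast-radius rule are
# assumptions for illustration; Microsoft's actual scoring is not public.
from dataclasses import dataclass

# Points added on top of CVSS for each exploit maturity stage (assumed values).
EXPLOIT_MATURITY_POINTS = {"None": 0, "Proof of Concept": 15, "Functional": 25, "Weaponized": 35}
LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float                     # CVSS v3.1 base score, 0.0-10.0
    exploit_maturity: str           # key of EXPLOIT_MATURITY_POINTS
    actively_exploited: bool        # threat intelligence: seen in the wild
    affected_devices: int
    internet_facing_devices: int    # device exposure
    business_critical_devices: int  # e.g. domain controllers, SQL servers
    patch_available: bool


def threat_score(f: Finding) -> int:
    """0-100: CVSS contributes at most 40 points, exploit maturity 35, active
    exploitation 15, internet exposure 5 and business criticality 5."""
    score = f.cvss * 4.0
    score += EXPLOIT_MATURITY_POINTS[f.exploit_maturity]
    if f.actively_exploited:
        score += 15
    if f.internet_facing_devices > 0:
        score += 5
    if f.business_critical_devices > 0:
        score += 5
    return min(100, round(score))


def priority(f: Finding) -> str:
    """Map the threat score to a level, then adjust for blast radius."""
    ts = threat_score(f)
    level = "Critical" if ts >= 70 else "High" if ts >= 50 else "Medium" if ts >= 30 else "Low"
    idx = LEVELS.index(level)
    # A fleet-wide hit is promoted one level; a handful of devices with no
    # in-the-wild exploitation is demoted one level.
    if f.affected_devices >= 100 and idx < 3:
        idx += 1
    elif f.affected_devices <= 5 and not f.actively_exploited and idx > 0:
        idx -= 1
    return LEVELS[idx]


def recommended_action(f: Finding) -> str:
    if f.patch_available:
        return "Deploy the vendor patch via Intune or Configuration Manager"
    return "No patch yet: apply mitigations (ASR rules / network protection) and track"


def rank(findings):
    """Security-recommendation order: priority, then threat score, then device count."""
    return sorted(findings,
                  key=lambda f: (LEVELS.index(priority(f)), threat_score(f), f.affected_devices),
                  reverse=True)


# Constructed findings mirroring the chapter's scenarios (not real telemetry).
SAMPLE = [
    Finding("vuln-A", 9.0, "None", False, 10, 0, 0, True),               # high CVSS, no exploit, limited exposure
    Finding("vuln-B", 7.5, "Weaponized", True, 500, 40, 0, True),        # ransomware-exploited, internet-facing
    Finding("vuln-C", 8.8, "Weaponized", False, 100, 0, 100, True),      # weaponized, 100 domain controllers
    Finding("vuln-D", 7.8, "Proof of Concept", False, 2, 0, 0, False),   # PoC only, two workstations
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):8} {threat_score(f):3}  {f.vuln_id}: {recommended_action(f)}")
```

Running it ranks vuln-B (CVSS 7.5, actively exploited) above vuln-A (CVSS 9.0, no exploit), which is exactly the distinction the exam probes: severity alone would have ordered them the other way.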
Remediation and Verification
For each Security Recommendation, MDVM provides remediation steps (e.g., update to version X, disable SMBv1). The admin can create a remediation request in Intune or Configuration Manager. MDVM tracks the deployment status (Pending, In Progress, Completed, Failed). After remediation, the sensor reports the change, and MDVM updates the inventory—typically within 5-15 minutes. The Exposure Score and Security Recommendations list update accordingly. The admin can verify by checking the device's software inventory or running a manual scan.
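Inventory matching and remediation tracking, as an added example (not Microsoft's code; the feed format, the "fixed-in" version rule, the seven-day stale threshold taken from this chapter's edge cases, and all device data are constructed). It compares versions numerically, which matters because a string comparison would wrongly treat version 4.10.0 as older than 4.2.1, and it keeps devices that have not reported within seven days out of the compliance figure instead of silently counting them as fixed.

```python
# Added example: match a software inventory against a vulnerability feed and track a
# remediation request, in the spirit of MDVM's Software inventory, Weaknesses and
# remediation status views. The feed schema, version rule and device data are
# constructed for illustration; MDVM's internal formats are not public.
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=7)   # inventory older than this is treated as stale


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 4.10.0 sorts after 4.2.1 (string comparison gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


# Constructed feed: every version of the product below 'fixed' is affected.
FEED = [
    {"id": "vuln-pos-rce", "product": "POS Client", "fixed": "4.2.1"},
    {"id": "vuln-reader-mem", "product": "PDF Reader", "fixed": "23.1.0"},
]


def weaknesses(inventory, feed, now):
    """Return ({device: [vuln ids]}, [stale devices]) for one inventory snapshot."""
    findings, stale = {}, []
    for dev in inventory:
        if now - dev["last_report"] > STALE_AFTER:
            stale.append(dev["device"])
            continue
        hits = [entry["id"]
                for sw in dev["software"]
                for entry in feed
                if sw["product"] == entry["product"]
                and parse_version(sw["version"]) < parse_version(entry["fixed"])]
        if hits:
            findings[dev["device"]] = hits
    return findings, stale


def remediation_status(before, after, feed, vuln_id, now):
    """Compare the snapshot taken when the remediation request was created with the
    current one. Stale devices are reported separately, never counted as completed."""
    before_findings, _ = weaknesses(before, feed, now)
    after_findings, stale = weaknesses(after, feed, now)
    targets = {d for d, ids in before_findings.items() if vuln_id in ids}
    pending = {d for d, ids in after_findings.items() if vuln_id in ids}
    stale_targets = set(stale) & targets
    completed = targets - pending - stale_targets
    pct = 100 * len(completed) // len(targets) if targets else 100
    return {"targets": sorted(targets), "completed": sorted(completed),
            "pending": sorted(pending), "stale": sorted(stale_targets),
            "compliance_pct": pct}


# Constructed inventory snapshots (not real telemetry).
NOW = datetime(2024, 6, 1, 12, 0)


def snapshot(device, days_since_report, pos_version, reader_version):
    return {"device": device,
            "last_report": NOW - timedelta(days=days_since_report),
            "software": [{"product": "POS Client", "version": pos_version},
                         {"product": "PDF Reader", "version": reader_version}]}


BEFORE = [snapshot("pos-01", 0, "4.1.9", "23.1.0"),
          snapshot("pos-02", 0, "4.10.0", "22.9.5"),   # 4.10.0 is already past the fix
          snapshot("pos-03", 1, "4.1.9", "23.1.0"),
          snapshot("wks-01", 0, "4.1.9", "22.9.5")]
AFTER = [snapshot("pos-01", 0, "4.2.1", "23.1.0"),     # patched and reported back
         snapshot("pos-02", 0, "4.10.0", "22.9.5"),
         snapshot("pos-03", 9, "4.1.9", "23.1.0"),     # offline for 9 days: stale
         snapshot("wks-01", 0, "4.1.9", "23.1.0")]     # reader updated, POS client not

if __name__ == "__main__":
    print(weaknesses(BEFORE, FEED, NOW))
    print(remediation_status(BEFORE, AFTER, FEED, "vuln-pos-rce", NOW))
```

The remediation report for vuln-pos-rce lists three target devices, one completed, one still pending and one stale, giving 33% compliance; a naive "not in the after list" check would have reported the stale device as fixed.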
Enterprise Scenario 1: Global Retail Chain
A multinational retailer with 50,000 endpoints (Windows workstations, POS systems, Linux servers) needed to reduce its exposure to ransomware. They deployed MDE Plan 2, which includes MDVM. The security team used the Vulnerability Management dashboard to identify all devices running an outdated version of a widely used point-of-sale (POS) software with a critical remote code execution vulnerability for which a weaponized exploit was publicly available. MDVM prioritized this as Critical because the POS systems were internet-facing and the exploit was actively used in the wild. The team created an Intune remediation request to update the POS software across all stores. Within 3 days, 98% of devices were patched, and the Exposure Score dropped from 85 to 45. The key lesson: MDVM's risk-based prioritization helped them focus on the most dangerous vulnerability, not just the highest CVSS.
Enterprise Scenario 2: Financial Services Firm
A bank with 10,000 devices and strict compliance requirements (PCI DSS, SOX) used MDVM to generate reports for auditors. The bank leveraged the Software Inventory feature to prove that all devices had approved software versions. They also used the Security Recommendations list to track remediation of critical vulnerabilities. One challenge: the bank had many legacy applications that could not be patched immediately. MDVM allowed them to apply virtual patches via ASR rules to block exploitation attempts, buying time for the upgrade. The Configuration Score helped them track progress on hardening configurations (e.g., disabling SMBv1, enabling BitLocker). Common misconfiguration: the bank initially ignored the 'Exposure Score' metric, focusing only on CVSS scores, which led to misprioritization. After training, they used the Threat Score to reorder their patching queue.
Performance and Scaling Considerations
MDVM is a cloud service, so backend scaling is handled by Microsoft; in very large estates the portal views can lag slightly behind the devices, which is normal. The sensor is the same one already running for EDR, so its additional CPU, memory, and bandwidth cost is modest, and delta inventory updates are small. The real bottleneck is the admin's ability to process Security Recommendations, since the dashboard can show thousands. MDVM helps by grouping recommendations by software, ranking them by risk so the team can work from the top, and providing filters (e.g., show only Critical, show only internet-facing devices).
What SC-900 Tests on MDVM
The SC-900 exam (Objective 3.3: Describe the capabilities of Microsoft Defender for Endpoint) includes questions about MDVM. Specifically, you must know:
MDVM is a component of Microsoft Defender for Endpoint (not a standalone product unless licensed separately).
It provides continuous vulnerability discovery (not scheduled).
It uses risk-based prioritization (Threat Score) combining CVSS, exploit maturity, and threat intelligence.
It can block exploitation via attack surface reduction (ASR) rules and network protection.
It integrates with Microsoft Intune for automated remediation.
The Exposure Score and Configuration Score are key metrics.
Common Wrong Answers and Why Candidates Choose Them
"MDVM requires a separate agent" – Wrong. Candidates often think vulnerability scanning needs a dedicated scanner. Reality: MDVM uses the same MDE sensor. The exam tests this by offering a choice between 'uses the same agent' and 'needs a separate agent.'
"Vulnerability scans run weekly" – Wrong. Traditional scanners run weekly, but MDVM is continuous. Candidates may confuse it with Qualys or Nessus. The exam will have a distractor like 'scans are performed every Sunday at 2 AM.'
"Prioritization is based solely on CVSS score" – Wrong. MDVM uses a risk-based model. The exam may present a scenario where a CVSS 9.0 vulnerability with no exploit is listed alongside a CVSS 7.5 vulnerability with active exploitation, and ask which should be prioritized first. The correct answer is the CVSS 7.5 if it is actively exploited.
"MDVM only works on Windows" – Wrong. It supports Windows, macOS, Linux, Android, and iOS. The exam may have a question about supporting macOS or Linux.
Specific Numbers and Terms That Appear on the Exam
CVSS v3.1 – The scoring system used.
Threat Score – The risk score combining CVSS and exploit maturity.
Exposure Score – Organization-wide 0-100 measure of exposure to vulnerabilities; lower is better.
Configuration Score – How well devices follow security best practices.
Security Recommendations – The prioritized list of actions.
Attack surface reduction (ASR) rules – Used to block exploitation.
Microsoft Intune – The integration for patch deployment.
Continuous scanning – The key differentiator from traditional VM.
Edge Cases and Exceptions
If a device is offline for more than 7 days, its inventory is considered stale and may not be included in reports.
MDVM's sensor-based discovery does not cover network devices (routers, switches, firewalls); those are assessed through MDVM's authenticated network device scan, run over SNMP by a designated onboarded Windows device, and appear in the device inventory as network devices. IoT/OT devices are covered by Microsoft Defender for IoT, not MDVM.
For mobile devices (Android, iOS), coverage is limited to OS and app vulnerability assessment; the configuration assessment available on desktop platforms does not apply.
Linux and macOS sensors have limited configuration assessment compared to Windows.
How to Eliminate Wrong Answers
If a question mentions 'scheduled scans' or 'weekly scans,' eliminate that answer because MDVM is continuous.
If a question mentions 'CVSS only,' it is likely wrong because MDVM uses risk-based prioritization.
If a question mentions a separate agent, it is wrong because MDVM uses the MDE sensor.
If a question mentions 'only Windows,' it is wrong because MDVM supports multiple OSes.
MDVM is a component of Microsoft Defender for Endpoint (MDE) and uses the same sensor.
Vulnerability discovery is continuous, not scheduled.
Prioritization is risk-based using Threat Score (CVSS + exploit maturity + threat intelligence).
MDVM supports Windows, macOS, Linux, Android, and iOS.
Exposure Score (0-100) measures the organization's overall exposure to vulnerabilities; lower is better.
Configuration Score (0-100) measures compliance with security best practices.
MDVM integrates with Microsoft Intune for automated patch deployment.
ASR rules and network protection can block exploitation before a patch is applied.
These come up on the exam all the time. Here's how to tell them apart.

| | Microsoft Defender Vulnerability Management (MDVM) | Traditional Vulnerability Scanners (e.g., Qualys, Nessus) |
|---|---|---|
| Discovery | Continuous, agent-based discovery using the MDE sensor | Scheduled scans (weekly/monthly) using a network scanner or agent |
| Prioritization | Risk-based, using Threat Score (CVSS + exploit maturity + threat intel) | Historically CVSS-driven; risk-based scoring is a newer add-on |
| Remediation | Integrated with Microsoft Intune for automated remediation | Often manual or via third-party integrations |
| Console | Part of the Microsoft 365 Defender portal | Separate console or integration with SIEM |
| Licensing | Core capabilities included with MDE Plan 2 (premium features via add-on) | Separate license per scanner/asset |
Mistake
MDVM requires a separate vulnerability scanner agent.
Correct
MDVM uses the same Microsoft Defender for Endpoint (MDE) sensor that already collects endpoint detection and response (EDR) data. No additional agent is needed.
Mistake
Vulnerability scans in MDVM run on a scheduled basis (e.g., weekly).
Correct
MDVM performs continuous vulnerability discovery. The sensor reports changes in real-time and sends a full inventory every 24 hours. There is no schedule-based scanning.
Mistake
Prioritization is based solely on the CVSS score.
Correct
MDVM uses a risk-based model that combines CVSS, exploit maturity, threat intelligence, device exposure, and business criticality to generate a Threat Score and priority.
Mistake
MDVM only works on Windows devices.
Correct
MDVM supports Windows, macOS, Linux, Android, and iOS. Mobile coverage is narrower (OS and app vulnerability assessment, without desktop-style configuration assessment).
Mistake
MDVM can only identify vulnerabilities, not remediate them.
Correct
MDVM provides remediation steps and integrates with Microsoft Intune for automated patch deployment. It can also block exploitation via ASR rules.
No. If you have Microsoft Defender for Endpoint Plan 2, MDVM's core capabilities are included (Plan 1 does not include vulnerability management). There is also a Defender Vulnerability Management add-on for Plan 2 with premium capabilities, and a standalone Defender Vulnerability Management license for organizations that want vulnerability management without full EDR capabilities. The SC-900 exam expects you to know that MDVM is a component of MDE.
MDVM performs continuous discovery. The sensor reports changes in software and configuration in near real-time (within minutes, not on a schedule), and the full inventory is refreshed daily. This is a key differentiator from traditional scanners that run on a schedule (e.g., weekly).
Exposure Score (0-100) reflects the organization's exposure to vulnerabilities across its devices; lower is better. It is a weighted measure that emphasizes exploitable, high-impact weaknesses on exposed devices rather than a simple count or percentage of devices. Configuration Score (0-100, shown as Microsoft Secure Score for Devices in the portal) reflects how well devices follow security best practices; higher is better. Both are available in the Vulnerability Management dashboard.
Yes. MDVM's recommendations can point to mitigations from Microsoft Defender for Endpoint, namely attack surface reduction (ASR) rules and network protection, and the MDVM add-on can block vulnerable application versions outright. For example, if a critical vulnerability exploited through malicious Office documents cannot be patched immediately, the ASR rule that blocks Office applications from creating child processes breaks the exploit chain, and network protection can block connections to the attacker's infrastructure. Treat these as stopgaps: the vulnerability stays open until the patch lands. This is a key capability tested on the exam.
Yes. MDVM supports Linux (Ubuntu, RHEL, CentOS, etc.) and macOS for vulnerability discovery, although configuration assessment is more limited than on Windows. Mobile devices (Android, iOS) get OS and app vulnerability assessment without desktop-style configuration assessment.
MDVM uses a risk-based model. Each vulnerability is assigned a Threat Score that combines the CVSS v3.1 score, exploit maturity (None, Proof of Concept, Functional, Weaponized), threat intelligence (e.g., active exploitation in the wild), device exposure (e.g., internet-facing), and business criticality. The result is a Security Recommendation with a priority level (Critical, High, Medium, Low). This ensures that the most dangerous vulnerabilities are addressed first.
Yes, MDVM provides manual remediation steps that can be executed via Configuration Manager, third-party patch management tools, or manually. However, automated remediation is only available through integration with Microsoft Intune. The exam may test that Intune is the primary integration for automated patching.