Defender Vulnerability Management continuously prioritizes vulnerabilities across devices and provides security recommendations to mitigate risk in the Microsoft Defender portal. Defender Vulnerability Management recommendations use different retention periods to determine when to stop flagging vulnerabilities based on event reporting activity.
This article describes how retention works for two common scenarios: inactive devices and uninstalled software.
Inactive devices
In the Microsoft Defender portal, a device can be listed as inactive for any of the following reasons:
- The device stopped sending sensor data at least seven days ago
- The device was offboarded from Defender for Endpoint at least seven days ago
- The device has network connectivity issues, such as impaired communications, blocked URLs, or blocked ports, and sends some (but not all) events
If a device stops reporting to Defender for Endpoint, Defender Vulnerability Management continues to display the latest vulnerability snapshot for 30 days. After that, the device is marked as inactive, and its vulnerabilities are no longer shown in the Microsoft Defender portal. Data for inactive devices is retained for 180 days (see Microsoft Defender for Endpoint data storage and privacy).
To prevent confusion in your vulnerability data, you can exclude a device manually in the device inventory, as shown in the following screenshot:
For more information, see Exclude devices.
Uninstalled or inactive software
A device can continue reporting some telemetry but stop sending signals for specific software. If no events are received for the software for 30 consecutive days, Defender Vulnerability Management assumes the software was removed and automatically stops flagging its vulnerabilities.
For more information, see Software inventory.
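To make the two retention windows concrete, here is a small audit helper, added as an illustration and not part of the Microsoft documentation or product code. It models the windows the article states (a device is listed inactive after 7 days without sensor data, its last vulnerability snapshot stays visible for 30 days, inactive-device data is kept for 180 days, and software with no events for 30 consecutive days is no longer flagged) so an analyst can classify an exported device and software inventory by last-seen timestamp. The inventory records, the field names and the state labels are assumptions made for the example; the thresholds are the ones from the article.

```python
from datetime import datetime, timezone

# Retention windows as stated in the article (days).
SENSOR_SILENCE_DAYS = 7          # device listed as inactive after this long without sensor data
SNAPSHOT_RETENTION_DAYS = 30     # last vulnerability snapshot still shown for this long
INACTIVE_DATA_RETENTION_DAYS = 180  # data for inactive devices retained for this long
SOFTWARE_SILENCE_DAYS = 30       # software assumed removed after this many days without events


def _age_days(last_seen: datetime, now: datetime) -> int:
    """Whole days elapsed between the last event and 'now'."""
    return (now - last_seen).days


def device_state(last_report: datetime, now: datetime) -> str:
    """Classify a device by how long it has been silent.

    State labels are assumptions for this example, not portal terminology:
      reporting          - sensor data received within the last 7 days
      inactive_snapshot  - listed inactive, last vulnerability snapshot still shown
      inactive_hidden    - vulnerabilities no longer shown, data still retained
      beyond_retention   - past the 180-day retention window
    """
    age = _age_days(last_report, now)
    if age < SENSOR_SILENCE_DAYS:
        return "reporting"
    if age < SNAPSHOT_RETENTION_DAYS:
        return "inactive_snapshot"
    if age < INACTIVE_DATA_RETENTION_DAYS:
        return "inactive_hidden"
    return "beyond_retention"


def software_still_flagged(last_event: datetime, now: datetime) -> bool:
    """True while vulnerabilities for this software are still flagged.

    After 30 consecutive days without events the software is assumed removed
    and its vulnerabilities are no longer flagged.
    """
    return _age_days(last_event, now) < SOFTWARE_SILENCE_DAYS


def audit(inventory: list[dict], now: datetime) -> list[dict]:
    """Annotate each inventory record with its device state and per-software flag status.

    Each record (assumed shape) has 'device', 'last_report' and a 'software'
    mapping of product name -> last event timestamp.
    """
    report = []
    for rec in inventory:
        state = device_state(rec["last_report"], now)
        software = {
            name: software_still_flagged(ts, now)
            for name, ts in rec["software"].items()
        }
        report.append({"device": rec["device"], "state": state, "software": software})
    return report


# Constructed sample inventory (not real data) evaluated at a fixed point in time.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {   # healthy device, one product silent for 35 days
        "device": "ws-01",
        "last_report": datetime(2024, 6, 28, tzinfo=timezone.utc),
        "software": {
            "browser-x": datetime(2024, 6, 29, tzinfo=timezone.utc),
            "reader-y": datetime(2024, 5, 26, tzinfo=timezone.utc),
        },
    },
    {   # silent for 20 days: inactive, snapshot still visible
        "device": "ws-02",
        "last_report": datetime(2024, 6, 10, tzinfo=timezone.utc),
        "software": {"browser-x": datetime(2024, 6, 10, tzinfo=timezone.utc)},
    },
    {   # silent for 60 days: vulnerabilities hidden, data retained
        "device": "srv-03",
        "last_report": datetime(2024, 5, 1, tzinfo=timezone.utc),
        "software": {},
    },
    {   # silent for more than 180 days
        "device": "old-04",
        "last_report": datetime(2023, 12, 1, tzinfo=timezone.utc),
        "software": {},
    },
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, NOW):
        print(row)
```

The states mirror the article's sequence: a device first drops off the sensor feed, then its last snapshot stays on screen for the 30-day window, then its vulnerabilities disappear while the underlying data is kept for 180 days. Running the audit against a real export lets you spot devices sitting in the snapshot window whose findings are stale rather than current, which is the situation the article suggests handling with a manual exclusion.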