Microsoft Defender Vulnerability Management frequently asked questions
Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulnerability Management. Use the following links to help find answer to your questions:
- Defender Vulnerability Management licensing FAQs
- Defender Vulnerability Management trial FAQs
- Block vulnerable applications FAQs
- Security baselines FAQs
- Defender Vulnerability Management general FAQs
Defender Vulnerability Management licensing FAQs
What license does the user need to benefit from Defender Vulnerability Management capabilities?
Microsoft Defender Vulnerability Management is available via two services:
Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Microsoft Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see Defender Vulnerability Management Add-on.
For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers looking for a risk-based vulnerability management solution, Microsoft Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. To sign up for the free 90-day trial, see Defender Vulnerability Management Standalone.
Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2?
If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on.
Defender Vulnerability Management trial FAQs
How do customers sign up for a trial?
For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 90-day trial. For more information, see Defender Vulnerability Management Add-on.
For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers, see Defender Vulnerability Management Standalone to sign up for the free 90-day trial.
Customers need to have the global admin role defined in Microsoft Entra ID to onboard the trial.
How is the service provisioned/deployed?
Once a customer is onboarded on to the free-trial experience, Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization.
Do I need to assign Defender Vulnerability Management trial licenses to users in my organization as instructed in the admin center?
Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial.
If a customer is in public preview, what will happen to their premium capabilities if I don't sign up for a free trial?
The new capabilities will be available only to customers who onboard a trial. Customers who haven't onboarded will lose access to these capabilities. Blocked applications will be immediately unblocked. Security baseline profiles may be stored for a short additional time before being deleted.
How long does the trial last and what happens at the end of my trial?
- The Defender Vulnerability Management add-on trial lasts for 90 days.
- The Defender Vulnerability Management Standalone trial lasts for 90 days.
After your trial ends, you'll have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you'll retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.
After 180 days, your license will be deactivated and your profiles will be deleted.
Block vulnerable applications FAQs
I want to block a vulnerable application but it's not showing up as available to block?
Examples of recommendations where you might not see a mitigation action (such as block) includes:
- Recommendations related to applications where Microsoft doesn't have sufficient information to block
- Recommendations related to Microsoft applications
- Recommendations related to operating systems
- Recommendations related to apps for macOS and Linux
It's also possible that your organization has reached the maximum indicator capacity of 15,000. If this is the case, you will need to free up space by deleting old indicators. To learn more, see Manage indicators.
Does blocking vulnerable apps work on all devices?
This feature is supported on Windows devices (1809 or later) with the latest Windows updates installed. Each device must have a minimum antimalware client version of 4.18.1901.x or later. The Engine version must be 1.1.16200.x or later.
Security baselines FAQs
What is the full list of baseline benchmarks I can use as part of security baselines assessment?
There's currently support for:
- Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and above.
- Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
- Microsoft benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and above will be available in an upcoming release.
What operating systems can I measure using security baseline assessments?
Currently Windows is supported, but coverage will be expanded to cover more operating systems such as Mac and Linux.
Defender Vulnerability Management general FAQs
Where can I find the full list of capabilities across different plans?
For details on the full list of capabilities across Microsoft Defender Vulnerability Management and Defender for Endpoint, see Defender Vulnerability Management Capabilities.
Can customers buy only one capability?
Microsoft Defender Vulnerability Management is available as a vulnerability management solution comprised of multiple premium capabilities.
Can I turn on Defender Vulnerability Management capabilities on a subset of devices in my organization?
There isn't a way to selectively light up the Defender Vulnerability Management assessment capabilities (block vulnerable applications, browser extension, certificate inventory, and network share assessment) on a subset of devices in a given tenant.