Apply Plan 2 premium MDVM capabilities


After you configure vulnerability scanning and manage findings, you can shift from detecting vulnerabilities to measuring compliance and enforcing security standards. Contoso Manufacturing's internal auditors need evidence that production VMs meet CIS benchmark requirements, and the operations teams want to prevent vulnerable software versions from executing while patches are staged. Here, you learn how to create security baseline profiles for Windows Server device groups, interpret compliance results, create exceptions, and configure Block Vulnerable Applications with Defender for Servers Plan 2.

Assess security baseline compliance with CIS and STIG benchmarks

Defender for Servers Plan 2 unlocks premium MDVM capabilities that go beyond vulnerability detection. A security baseline profile is a customized profile that assesses and monitors endpoints against industry security benchmarks. When you create a profile, you establish a template of device configuration settings and a base benchmark to compare against. MDVM continuously monitors compliance and identifies changes in real time.

For Contoso's Windows Server VMs, you can create profiles based on Center for Internet Security (CIS) benchmarks or Security Technical Implementation Guides (STIG) benchmarks. CIS benchmarks are available for Windows 10, Windows 11, and Windows Server 2008 R2 and higher. STIG benchmarks support Windows 10 and Windows Server 2019. These profiles assess only Group Policy Object (GPO) configurations—not Microsoft Intune or Configuration Manager settings.

To create a baseline profile, navigate to the Microsoft Defender portal at https://security.microsoft.com. Select Exposure management > Vulnerability management > Baseline assessments (or Vulnerability management > Baselines assessment for existing non-preview customers). On the Profiles tab, select Create profile and follow these steps:

  1. Enter a name and description for the profile, then select Next
  2. On the Baseline profile scope page, configure the OS version (such as Windows Server 2019), base benchmark (CIS or STIG), and compliance level, then select Next
  3. Select the configurations to include in the profile. Configurations marked "Manual check" require manual verification and don't appear in the assessment results
  4. Select Customize to change a threshold configuration value for your organization, then select Next
  5. Choose device groups and device tags—the profile applies automatically to future devices added to these groups
  6. Select Next to review, then Submit to create the profile
  7. On the final page, select View profile page to see assessment results

You can create multiple profiles for the same OS, each with different customizations. After you customize a configuration, an icon indicates that it no longer uses the recommended value. Select Reset to revert to the benchmark default.

After you create a profile, review results in two tabs. The Configurations tab shows each configuration and its compliance state. Select any configuration for a flyout that displays policy setting details, recommended value, and per-device compliance. The Devices tab shows all devices and their compliance state. Select any device for a flyout with compliance details, then select Open device page to see the device's Baseline compliance tab with granular per-configuration state.

The compliance overview page provides a device compliance summary, profile compliance summary, top failing devices, and top misconfigured devices. This view gives Contoso's auditors clear evidence of CIS compliance status and helps security teams prioritize remediation efforts.

Create baseline exceptions for known deviations

Some devices deviate from the baseline for a legitimate reason, for example a device under external control or one with an alternate mitigation already in place. You can create exceptions that exclude specific configurations on specific devices, so those configurations don't count against your organization's metrics and score.

Exceptions improve score clarity by removing nonapplicable configurations from the compliance view: the specified configurations are removed from assessment for the listed devices. For Contoso, exceptions are valuable for production automation VMs whose vendor-required settings conflict with CIS recommendations but are protected by compensating controls.

To create an exception, navigate to the Baseline assessments page and select the Exceptions tab, then select Create. Follow these steps:

  1. Fill in exception details, including justification reason and duration
  2. On the Configuration scope page, choose software, base benchmark, and compliance level
  3. Select the configurations to add to the exception
  4. Choose the devices to include—the exception applies automatically to listed devices
  5. Review and select Submit

Exceptions are time-limited, so review and renew them periodically. Keeping exceptions up to date ensures that temporary deviations don't become permanent security gaps. When compensating controls are removed or vendors update their requirements, you can let exceptions expire and reassess the devices against the full baseline.
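The following PowerShell is an added example, not code from Microsoft or from this module. It shows, on a single device, the logic that a baseline profile and its exceptions apply in the portal: the device's effective GPO-derived settings are compared with benchmark thresholds, and an unexpired exception removes a configuration from the assessment for that device without counting it as compliant or noncompliant. The setting names match the [System Access] section that secedit /export writes; the sample export, the device name, the thresholds and the exception entries are constructed for the example, and the real configuration names and values come from the CIS or STIG profile you create in the portal.

```powershell
# Added example (not Microsoft's code). Mirrors what a baseline profile does:
# compare a device's local security policy with benchmark thresholds, and drop
# any configuration covered by an unexpired exception from the assessment.
# Setting names match the [System Access] section of 'secedit /export'; the
# thresholds, device name and exceptions below are hypothetical.

function ConvertFrom-SeceditSystemAccess {
    param([Parameter(Mandatory)][string]$Text)
    # secedit writes an INI-style file. Only integer settings under
    # [System Access] are collected; string values (NewAdministratorName) are skipped.
    $section  = $null
    $settings = @{}
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Test-BaselineCompliance {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][hashtable]$Settings,        # effective values on the device
        [Parameter(Mandatory)][object[]]$BaselineProfile,  # one entry per configuration
        [object[]]$Exceptions = @(),                       # device + config + expiry
        [datetime]$Now = (Get-Date)
    )
    foreach ($cfg in $BaselineProfile) {
        $active = $Exceptions | Where-Object {
            $_.Device -eq $DeviceName -and $_.Config -eq $cfg.Name -and $_.ExpiresOn -gt $Now
        }
        if ($active) {
            # An unexpired exception removes the configuration from assessment:
            # it is neither compliant nor noncompliant and does not move the score.
            $state = 'Excepted'
        }
        elseif (-not $Settings.ContainsKey($cfg.Name)) {
            # A setting missing from the export cannot be proven compliant.
            $state = 'Noncompliant'
        }
        else {
            $actual = $Settings[$cfg.Name]
            $ok = switch ($cfg.Operator) {
                'ge'    { $actual -ge $cfg.Value }
                'le'    { $actual -le $cfg.Value }
                'eq'    { $actual -eq $cfg.Value }
                'range' { $actual -ge $cfg.Min -and $actual -le $cfg.Max }
            }
            $state = if ($ok) { 'Compliant' } else { 'Noncompliant' }
        }
        $expected = if ($cfg.Operator -eq 'range') { "$($cfg.Min)..$($cfg.Max)" }
                    else { "$($cfg.Operator) $($cfg.Value)" }
        [pscustomobject]@{
            Device = $DeviceName; Config = $cfg.Name
            Actual = $Settings[$cfg.Name]; Expected = $expected; State = $state
        }
    }
}

# Constructed sample of 'secedit /export /cfg <file>' output. On a real server run
# (elevated): secedit /export /cfg "$env:TEMP\secpol.inf" and read it with Get-Content -Raw.
$sampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical profile entries; in MDVM these come from the CIS/STIG profile and
# any thresholds you customized in the portal.
$baselineProfile = @(
    [pscustomobject]@{ Name = 'MinimumPasswordLength'; Operator = 'ge';    Value = 14 }
    [pscustomobject]@{ Name = 'PasswordHistorySize';   Operator = 'ge';    Value = 24 }
    [pscustomobject]@{ Name = 'PasswordComplexity';    Operator = 'eq';    Value = 1 }
    [pscustomobject]@{ Name = 'LockoutBadCount';       Operator = 'range'; Min = 1; Max = 5 }
)

# Hypothetical exceptions: one still valid, one already expired (so it no longer applies).
$exceptions = @(
    [pscustomobject]@{ Device = 'CONTOSO-PLC-01'; Config = 'LockoutBadCount'
                       Justification = 'Vendor-required; compensating control: isolated VLAN'
                       ExpiresOn = (Get-Date).AddDays(30) }
    [pscustomobject]@{ Device = 'CONTOSO-PLC-01'; Config = 'MinimumPasswordLength'
                       Justification = 'Legacy service account, migration pending'
                       ExpiresOn = (Get-Date).AddDays(-1) }
)

$settings = ConvertFrom-SeceditSystemAccess -Text $sampleExport
$results  = Test-BaselineCompliance -DeviceName 'CONTOSO-PLC-01' -Settings $settings `
                -BaselineProfile $baselineProfile -Exceptions $exceptions
$results | Format-Table -AutoSize

# Score excludes excepted configurations, as the portal's metrics do.
$assessed  = @($results | Where-Object State -ne 'Excepted')
$compliant = @($assessed | Where-Object State -eq 'Compliant')
'{0} of {1} assessed configurations compliant' -f $compliant.Count, $assessed.Count
```

With the constructed input, LockoutBadCount is reported as Excepted because its exception is still valid, while MinimumPasswordLength is reported as Noncompliant because its exception has expired and the device is again assessed against the full threshold. That is the behavior to expect in the portal when you let an exception lapse rather than renew it.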

Block vulnerable applications to prevent exploitation

After you detect vulnerabilities and measure baseline compliance, you can enforce runtime security controls. Block Vulnerable Applications prevents the execution of specific known-vulnerable software on targeted device groups. The result is a shift from detecting vulnerabilities to actively blocking exploitation—vulnerable application versions can't run until a patch is applied or the block is lifted.

Note

Block Vulnerable Applications has three mandatory requirements: Microsoft Defender Antivirus must be in active mode, cloud-delivered protection must be enabled, and Allow or block file must be turned on (Settings > Endpoints > Advanced features). Blocking apps is relevant for application VMs such as production line automation, ERP, and supply chain software. For VMs where Defender Antivirus is in passive mode, this feature doesn't apply.
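The following PowerShell is an added example, not Microsoft's code, for checking the two prerequisites that can be verified on the VM itself before you rely on a block: Defender Antivirus running in active mode and cloud-delivered protection enabled. It uses the Get-MpComputerStatus and Get-MpPreference cmdlets from the built-in Defender module and the Sense service that the Defender for Endpoint sensor runs as. The "Allow or block file" switch is a tenant setting in the portal and cannot be read from the device, so the function reports it as a manual check; the function name and output property names are the example's own.

```powershell
# Added example (not Microsoft's code): verify the local prerequisites for
# Block Vulnerable Applications on a Windows Server VM.
function Test-BlockVulnerableAppsPrereqs {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is 'Normal' when Defender Antivirus is the active AV engine.
    # 'Passive Mode', 'SxS Passive Mode' and 'EDR Block Mode' mean another product
    # owns real-time protection, so Defender Antivirus cannot enforce the block.
    $activeMode = $status.AMRunningMode -eq 'Normal'

    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
    # Turn it on with: Set-MpPreference -MAPSReporting Advanced
    $cloudOn = $pref.MAPSReporting -ne 0

    # The device must be onboarded to Defender for Endpoint (Sense service running);
    # otherwise MDVM has no inventory for the device and no block to push.
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboarded = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    [pscustomobject]@{
        AMRunningMode            = $status.AMRunningMode
        DefenderAVActiveMode     = $activeMode
        MAPSReporting            = $pref.MAPSReporting
        CloudDeliveredProtection = $cloudOn
        OnboardedToMDE           = $onboarded
        # Tenant-wide setting, not readable from the device.
        AllowOrBlockFile         = 'Verify in portal: Settings > Endpoints > Advanced features'
        LocalPrereqsMet          = $activeMode -and $cloudOn -and $onboarded
    }
}

Test-BlockVulnerableAppsPrereqs | Format-List
```

Run it in an elevated session on each production VM before targeting its device group; a VM where LocalPrereqsMet is false (typically because a third-party AV leaves Defender Antivirus in passive mode) will appear in the device group but will not enforce the block.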

To configure Block Vulnerable Applications, navigate to the Microsoft Defender portal. If you're a preview customer, select Exposure management > Recommendations. If you're an existing customer, select Endpoints > Vulnerability management > Recommendations. Find a recommendation tied to a vulnerable application, then select the option to block the application for a device group.

MDVM identifies software with known vulnerabilities on your devices. When you configure Block Vulnerable Applications for specific device groups, Defender Antivirus enforces the block. For Contoso's production VMs, this means vulnerable versions of automation software or supply chain applications can't execute while patches are tested and staged for deployment. This enforcement-level control reduces the window of exploitability without requiring immediate patching—giving operations teams time to validate patches in nonproduction environments first.

Important

Block Vulnerable Applications is available only in Defender for Servers Plan 2. It's not available in Plan 1.