This feature will be deprecated by the end of November 2025 and will not be supported beyond that date. More information about this change is in the Windows authenticated scan deprecation FAQs.
Authenticated scan for Windows provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured, the targeted unmanaged devices are scanned regularly for software vulnerabilities. By default, the scan runs every four hours with options to change this interval or have it only run once.
To use this feature, Microsoft Defender Vulnerability Management Standalone is required. If you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on is required.
Security administrators can then see the latest security recommendations and review recently discovered vulnerabilities for the targeted device in the Microsoft Defender portal.
Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to sign up for a free trial.
Scanner Installation
Similar to network device authenticated scan, you need a scanning device with the scanner installed. If you don't already have the scanner installed, see Install the scanner for steps on how to download and install it.
No changes are required for pre-existing installed scanners.
The following section lists the prerequisites you need to configure to use Authenticated scan for Windows.
gmsa1 stands for the name of the account you are creating, and scanner-win11-I$ stands for the machine name where the scanner agent runs. Only this machine is able to retrieve the account password. You can provide a comma-separated list of machines.
An existing account can be inspected and modified with Get-ADServiceAccount and Set-ADServiceAccount.
To install the AD service account on the machine where the scanner agent runs, open an elevated PowerShell window and run:
Install-ADServiceAccount -Identity gmsa1
If your PowerShell doesn't recognize those commands, it probably means you're missing a required PowerShell module. Instructions on how to install the module vary depending on your operating system. For more information, see Getting Started with Group Managed Service Accounts.
Devices to be scanned
Use the following table for guidance on the configurations required, along with the permissions needed for the scanning account, on each device to be scanned:
The steps below are only one recommended way to configure the permissions on each device to be scanned, and they use the Performance Monitor Users group. You can also configure the permissions in the following ways:
Add the account to a different user group and give all the permissions required to that group.
Give these permissions explicitly to the scanning account.
Windows Management Instrumentation (WMI) is enabled
To enable remote Windows Management Instrumentation (WMI):
Verify the Windows Management Instrumentation service is running.
Go to Control Panel > All Control Panel Items > Windows Defender Firewall > Allowed applications and ensure Windows Management Instrumentation (WMI) is allowed through Windows Firewall.
Scanning account is a member of Performance Monitor Users group
The scanning account must be a member of the Performance Monitor Users group on the device to be scanned.
Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace
To verify or enable these permissions:
Run wmimgmt.msc.
Right click WMI Control (Local) and select Properties.
Go to the Security tab.
Select the relevant WMI namespace and select Security.
Add the specified group and select to allow the specific permissions.
Select Advanced, choose the specified entry, and select Edit.
Set Applies To to "This namespace and subnamespaces".
Performance Monitor Users group should have permissions on DCOM operations
To verify or enable these permissions:
Run dcomcnfg.
Navigate to Component Services > Computers > My Computer.
Right click My Computer and choose Properties.
Go to the COM Security tab.
Go to Launch and Activation Permissions and select Edit Limits.
Add the specified group and select to allow Remote Activation.
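The following script is an added example written for this article, not code from the Microsoft article or product; it checks, on a device to be scanned, the four prerequisites listed above (WMI service running, the WMI-In firewall rule enabled for the Domain profile, the scanning account's membership in the group, and Remote Activation for that group in the DCOM machine launch limits). It also serves to confirm that the group policy settings described later in the article were actually applied to a device. The account name CONTOSO\gmsa1$ is a constructed placeholder, and the script assumes Windows PowerShell 5.1 on Windows 10 / Windows Server 2016 or later, where the NetSecurity and LocalAccounts modules are available.

```powershell
# Added example (not from the Microsoft article): verify the prerequisites on a device
# to be scanned. Run locally in an elevated Windows PowerShell 5.1 session.
param(
    # Assumption: the gMSA scanning account, as it appears in local group membership.
    [string]$ScanningAccount = 'CONTOSO\gmsa1$',
    [string]$Group           = 'Performance Monitor Users'
)

# DCOM access-mask bit for "Remote Activation" (COM_RIGHTS_ACTIVATE_REMOTE).
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# Resolve the group name to its SID so the DCOM check does not depend on display names.
$groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier])

$checks = [ordered]@{}

# 1. The Windows Management Instrumentation service (Winmgmt) must be running.
$checks['WMI service running'] = (Get-Service -Name Winmgmt).Status -eq 'Running'

# 2. The predefined "Windows Management Instrumentation (WMI-In)" rule must be enabled
#    for the Domain profile (the article unchecks Private and Public).
$wmiIn = Get-NetFirewallRule -DisplayName 'Windows Management Instrumentation (WMI-In)' `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Domain|Any' }
$checks['WMI-In firewall rule enabled for Domain profile'] = [bool]$wmiIn

# 3. The scanning account must be a member of the group (-contains is case-insensitive).
$members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Name }
$checks["$ScanningAccount is a member of $Group"] = $members -contains $ScanningAccount

# 4. The DCOM machine launch limits must grant Remote Activation to the group.
#    The "DCOM: Machine Launch Restrictions in SDDL syntax" policy stores a self-relative
#    security descriptor in this REG_BINARY value; if the value is absent, Windows
#    defaults apply and the check reports MISSING.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$bytes  = (Get-ItemProperty -Path $oleKey -Name MachineLaunchRestriction `
               -ErrorAction SilentlyContinue).MachineLaunchRestriction
$dcomOk = $false
if ($bytes) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $groupSid -and
            ($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_REMOTE)) {
            $dcomOk = $true
        }
    }
}
$checks["$Group has DCOM Remote Activation in machine launch limits"] = $dcomOk

# Report one line per check and return a non-zero exit code if anything is missing,
# so the script can be used from a scheduled task or a configuration baseline.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-70} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) { exit 1 }
```

The DCOM check deliberately reads the stored descriptor rather than the dcomcnfg UI state, because the GPO setting and the UI write the same registry value; a MISSING result there means either the policy has not applied yet (run gpupdate /force) or the group was added to Access Permissions instead of Launch and Activation Permissions.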
Configure a group of devices with a group policy
A group policy lets you bulk apply the configurations required, and the permissions required for the scanning account, to a group of devices to be scanned.
Follow these steps on a domain controller to configure a group of devices at the same time:
Create a new Group Policy Object
On the domain controller, open the Group Policy Management Console.
Once your Group Policy Object (GPO) is created, right-click on your GPO and select Edit to open the Group Policy Management Editor console and complete the steps below.
Enable Windows Management Instrumentation (WMI)
To enable remote Windows Management Instrumentation (WMI):
Go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
Right-click Windows Management Instrumentation.
Select the Define this policy setting box and choose Automatic.
Allow WMI through the firewall
To allow Windows Management Instrumentation (WMI) through the firewall:
Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall and Advanced Security > Inbound Rules.
Right-click and select New Rule.
Choose Predefined and select Windows Management Instrumentation (WMI) from the list. Then select Next.
Select the Windows Management Instrumentation (WMI-In) checkbox. Then select Next.
Select Allow the connection. Then select Finish.
Right-click the newly added rule and select Properties.
Go to the Advanced tab and uncheck the Private and Public options, as only Domain is required.
Grant permissions to perform DCOM operations
To grant permissions to perform DCOM operations:
Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
Right-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax and select Properties.
Select Define this policy setting box and select Edit Security.
Add the user or group you are granting permissions to and select Remote Activation.
Grant permissions to the Root\CIMV2 WMI namespace by running a PowerShell script via group policy:
Create a PowerShell script. See the Example PowerShell script later in this article for a recommended script you can modify according to your needs.
Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
Go to the PowerShell Scripts tab.
Select Show Files and copy the script you created to this folder.
Return to the scripts configuration window and select Add.
Enter the script name.
Example PowerShell script
Use the following PowerShell script as a starting point to grant permissions to the Root\CIMV2 WMI namespace via group policy:
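The script below is an added example written for this article; it is not Microsoft's own example script, which is not reproduced on this page. It implements the grant described in the device table earlier in the article ('Enable Account' and 'Remote Enable' on Root\CIMV2, applied to "This namespace and subnamespaces") so that it can be deployed as the group policy startup script from the steps above. It is idempotent, so running it at every startup does not keep appending duplicate ACEs. The default group, Performance Monitor Users, is the article's recommended group; the parameter can be set to any local or domain group you use instead. It assumes Windows PowerShell 5.1 on the target devices (Invoke-WmiMethod is not available in PowerShell 7).

```powershell
# Added example (not Microsoft's script): grant 'Enable Account' (WBEM_ENABLE) and
# 'Remote Enable' (WBEM_REMOTE_ACCESS) on a WMI namespace and its subnamespaces to a
# group, idempotently, so it is safe as a GPO startup script. Assumes Windows PowerShell 5.1.
param(
    [string]$Namespace = 'root/cimv2',
    # Assumption: the scanning account is a member of this group on the target device.
    [string]$Account   = 'BUILTIN\Performance Monitor Users'
)

# WMI namespace security access-mask bits (from the WBEM_SECURITY_FLAGS enumeration)
# and ACE constants. Only the two rights the scanner needs are granted.
$WBEM_ENABLE             = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable"
$ACCESS_ALLOWED_ACE_TYPE = 0x0
$CONTAINER_INHERIT_ACE   = 0x2    # "This namespace and subnamespaces"
$wantedMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # 0x21

# Resolve the group to a SID; works for local (BUILTIN\...) and domain (DOMAIN\...) groups.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor of the namespace via the __SystemSecurity singleton.
$wmiParams = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$result = Invoke-WmiMethod @wmiParams -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$sd = $result.Descriptor

# Idempotency: do nothing if an allow ACE for this SID already carries both wanted bits.
$existing = $sd.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and
    $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
    (($_.AccessMask -band $wantedMask) -eq $wantedMask)
}
if ($existing) {
    Write-Output "$Account already has Enable Account and Remote Enable on $Namespace"
    return
}

# Build the trustee and the ACE, then append the ACE to the DACL.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SidString = $sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $wantedMask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

$sd.DACL += $ace.psobject.ImmediateBaseObject

# Write the modified descriptor back.
$result = Invoke-WmiMethod @wmiParams -Name SetSecurityDescriptor `
              -ArgumentList $sd.psobject.ImmediateBaseObject
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
Write-Output "Granted Enable Account and Remote Enable on $Namespace to $Account"
```

The script grants only the two rights the scanner needs, rather than Full Control or the broader WBEM mask, which keeps the scanning account read-only against the CIM repository; if you later verify the result in wmimgmt.msc, the new entry appears for the group with "This namespace and subnamespaces" as its scope.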
Select Add new scan and choose Windows authenticated scan and select Next.
Enter a Scan name.
Select the Scanning device: The onboarded device you use to scan the unmanaged devices.
Enter the Target (range): The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file overrides any manually added addresses.
Select the Scan interval: By default, the scan runs every four hours. You can change the scan interval or have it only run once, by selecting 'Do not repeat'.
Choose your Authentication method - there are two options to choose from:
Kerberos (preferred)
Negotiate: this option falls back to NTLM in cases where Kerberos fails. Using NTLM is not recommended, as it is not a secure protocol.
Enter the credentials Microsoft Defender Vulnerability Management uses to remotely access the devices:
Use Azure KeyVault: If you manage your credentials in Azure KeyVault, you can enter the Azure KeyVault URL and Azure KeyVault secret name so that the scanning device can retrieve the credentials.
For the Azure KeyVault secret value, use the gMSA account details in the format Domain;Username.
Select Next to review the settings and then select Submit to create your new authenticated scan.
As the authenticated scanner currently uses an encryption algorithm that is not compliant with Federal Information Processing Standards (FIPS), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.
To allow algorithms that are not compliant with FIPS, set the following value in the registry on the devices where the scanner runs: under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, create a DWORD value named Enabled and set it to 0x0. This registry value is the machine-wide "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy, so changing it affects every application on the scanning device, not only the scanner.
FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.
Authenticated scan for Windows APIs
You can use APIs to create a new scan and view all existing configured scans in your organization. For more information, see:
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.
Microsoft Defender Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Compare Defender Vulnerability Management Offerings. Learn about the differences between the plans and select the plan that suits your organization's needs.