Microsoft Defender Vulnerability Management frequently asked questions
Find answers to frequently asked questions (FAQs) about Microsoft Defender Vulnerability Management. Use the following links to help find answer to your questions:
- Defender Vulnerability Management licensing FAQs
- Defender Vulnerability Management trial FAQs
- Block vulnerable applications FAQs
- Security baselines FAQs
- Defender Vulnerability Management general FAQs
- Windows authenticated scan deprecation FAQs
Defender Vulnerability Management licensing FAQs
What license does the user need to benefit from Defender Vulnerability Management capabilities?
Microsoft Defender Vulnerability Management is available via two services:
Microsoft Defender for Endpoint Plan 2 customers can seamlessly enhance their existing generally available vulnerability management capabilities with the Defender Vulnerability Management add-on. This service provides consolidated inventories, expanded asset coverage, cross-platform support, and new assessment and mitigation tools. To sign up for the free 90-day trial, see Defender Vulnerability Management Add-on.
Defender Vulnerability Management Standalone helps you efficiently discover, assess, and remediate vulnerabilities and misconfigurations in one place. This is recommended for new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers. To sign up for the free 90-day trial, see Defender Vulnerability Management Standalone.
Do I need to assign Defender Vulnerability Management licenses to users in my organization as instructed in the admin center?
Currently, there's no need to assign the new Defender Vulnerability Management license to users. Licenses will be applied automatically after a customer signs up for the free trial.
Is Defender Vulnerability Management available as part of Defender for Endpoint Plan 2?
If the customer has Defender for Endpoint Plan 2 they have the core vulnerability management capabilities. Defender Vulnerability Management is a separate solution from Defender for Endpoint (not included in Defender for Endpoint Plan 2) and is available as an add-on.
Defender Vulnerability Management trial FAQs
How do customers sign up for a trial?
For existing Defender for Endpoint Plan 2 customers who want to evaluate the experience first-hand, we encourage directly onboarding onto the Microsoft Defender Vulnerability Management add-on free 90-day trial. For more information, see Defender Vulnerability Management Add-on.
For new customers or existing Defender for Endpoint P1 or Microsoft 365 E3 customers, see Defender Vulnerability Management Standalone to sign up for the free 90-day trial.
Note
Customers need to have the Global Administrator role assigned in Microsoft Entra ID to onboard the trial.
How is the service provisioned/deployed?
Defender Vulnerability Management features are turned on by default at the tenant level for all users within the organization once a customer is onboarded to the free-trial experience.
If a customer is in public preview, what happens to their premium capabilities if they don't sign up for a free trial?
The new capabilities are available only to customers who onboard a trial. Customers who aren't onboarded lose access to these capabilities. Blocked applications are immediately unblocked. Security baseline profiles may be stored for a short period before being deleted.
How long does the trial last and what happens at the end of my trial?
- The Defender Vulnerability Management add-on trial lasts for 90 days.
- The Defender Vulnerability Management Standalone trial lasts for 90 days.
After your trial ends, you have a 30 day grace period of active trial before the license becomes suspended. When the trial is suspended, you retain your security baselines, but you may lose access to your portal and your blocked applications may become unblocked.
After 180 days, your license will be deactivated and your profiles will be deleted.
Block vulnerable applications FAQs
I want to block a vulnerable application but it's not showing up as available to block?
Examples of recommendations where you might not see a mitigation action (such as block) includes:
- Recommendations related to applications where Microsoft doesn't have sufficient information to block
- Recommendations related to Microsoft applications
- Recommendations related to operating systems
- Recommendations related to apps for macOS and Linux
It's also possible that your organization reached the maximum indicator capacity of 15,000. If so, you need to free up space by deleting old indicators. To learn more, see Manage indicators.
Does blocking vulnerable apps work on all devices?
This feature is supported on Windows devices (1809 or later) with the latest Windows updates installed. Each device must have a minimum antimalware client version of 4.18.1901.x or later. The Engine version must be 1.1.16200.x or later.
Security baselines FAQs
What is the full list of baseline benchmarks I can use as part of security baselines assessment?
There's currently support for:
- Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and later.
- Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
Upcoming support:
- Microsoft benchmarks for Windows 10, Windows 11, and Windows Server 2008R2 and later will be available in an upcoming release.
What operating systems can I measure using security baseline assessments?
Currently Windows is supported, but coverage will be expanded to more operating systems like Mac and Linux.
Defender Vulnerability Management general FAQs
Where can I find the full list of capabilities across different plans?
For details on the full list of capabilities across Microsoft Defender Vulnerability Management and Defender for Endpoint, see Defender Vulnerability Management Capabilities.
Can customers buy only one capability?
Microsoft Defender Vulnerability Management is available as a vulnerability management solution comprised of multiple premium capabilities.
Can I turn on Defender Vulnerability Management capabilities on a subset of devices in my organization?
Capabilities like blocking vulnerable applications, browser extension, certificate inventory, and network share assessment can't be selectively turned on for a subset of devices in a given tenant.
Windows authenticated scan deprecation FAQs
When does the deprecation process begin and end?
The Windows authenticated scan deprecation process begins on November 2024 and will last for 12 months, concluding on November 30, 2025. During this period, support is limited to existing customers only. New customers will not have access to this capability.
Why is this product being deprecated?
We're deprecating Windows authenticated scan to allow our teams to allocate resources to other product innovations. We understand transitions can be challenging, and we're here to support you throughout the process. Let us know if you have any questions or need assistance with this change.
When will the product be officially deprecated?
Windows authenticated scan will officially be deprecated on November 30, 2025. After this date, the capability will no longer be supported nor be available to customers.
What happens to my data after the product is deprecated?
All user data is handled according to our data storage and privacy policy. We recommend that you export any important data before the deprecation date.
Will the product be replaced?
There is no direct replacement for the Windows authenticated scan at this time. However, we are continuously evaluating our offerings and exploring opportunities for future development. We appreciate your understanding. Stay tuned for updates on new features and capabilities.
Will support still be available after the deprecation date?
The development team will assist with any support tickets regarding Windows authenticated scan until the end of November 2025. However, no new features will be deployed. Support for the deprecated product ends on November 30, 2025. We encourage you to reach out with any questions before this date.
What steps should I take to prepare for the deprecation?
We recommend reviewing your current usage of the Windows authenticated scan and identifying any critical data you rely on. Ensure that you export any important data before the deprecation date.
Will I receive notifications about the deprecation process?
Yes. We will send out regular updates and reminders via the Message Center to all affected customers as the deprecation date approaches. Ensure your contact information is up to date in our system to receive these notifications.
Can I still access the product during the deprecation period?
Yes. You can continue to access the Windows authenticated scan and use its features until the deprecation date of November 30, 2025. However, note that new customers will not be able to gain access during this time.
How can I provide feedback about this change?
You can send your feedback through the relevant channels. We value your input and your feedback helps us improve our future products.