Security recommendations

Tip

Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to sign up for a free trial.

Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.

Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.

Tip

To get email notifications about new vulnerability events, see Configure vulnerability email notifications in Microsoft Defender for Endpoint.

How it works

Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.

  • Threat: Characteristics of the vulnerabilities and exploits in your organization's devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
  • Breach likelihood: Your organization's security posture and resilience against threats.
  • Business value: Your organization's assets, critical processes, and intellectual properties.

Access the Security recommendations page a few different ways:

In the Microsoft Defender portal, go to the Endpoints > Vulnerability management navigation menu and select Recommendations.

The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.

Top security recommendations in the vulnerability management dashboard

As a Security Administrator, you can take a look at the vulnerability management dashboard to see your exposure score side by side with your Microsoft Secure Score for Devices. The goal is to lower your organization's exposure from vulnerabilities and increase your organization's device security to be more resilient against cybersecurity attacks. The top security recommendations list can help you achieve that goal.

Screenshot of the vulnerability management dashboard with security recommendations highlighted.

The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation takes you to the security recommendations page with more details.

Security recommendations overview

Security recommendations enable you to view your organization's security recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, device status, remediation type, remediation activities, and associated tags. You can also see how your exposure score and Secure Score for devices would change when recommendations are implemented.

The color of the Exposed devices graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes to red. If there's a decrease in the number of exposed devices, the color of the graph changes to green.

Note

Vulnerability management shows devices that were in use within the last 30 days. This is different from device status in Defender for Endpoint, where a device has Inactive status if it doesn't communicate with the service for more than seven days.

Screenshot of the security recommendations landing page.

Icons

Useful icons also quickly call your attention to:

  • Arrow hitting a target: possible active alerts
  • Red bug: associated public exploits
  • Light bulb: recommendation insights

Impact

The impact column shows the potential impact on your exposure score and Secure Score for Devices once a recommendation is implemented. You should prioritize items that lower your exposure score and raise your Secure Score for Devices.

  • The potential reduction in your exposure score is displayed as: . A lower exposure score means devices are less vulnerable to exploitation. Since the exposure score is based on a combination of factors, including new remediations or newly discovered vulnerabilities, the actual score reduction might be lower.

  • The projected increase to your Secure Score for Devices is displayed as: . A higher Secure Score for Devices means your endpoints are more resilient against cybersecurity attacks.

Explore security recommendation options

  1. Select the security recommendation that you want to investigate or process from the list.

    Example of a security recommendation flyout page.

  2. In the flyout, you can choose any of the following options:

    • Open software page - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and details of devices with the software installed, and version distribution.

    • Remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page.

    • Exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet.

Note

When a software change is made on a device, it typically takes 2 hours for the data to be reflected in the security portal. However, it may sometimes take longer. Configuration changes can take anywhere from 4 to 24 hours.

Investigate changes in device exposure or impact

If there's a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Secure Score for Devices, then that security recommendation is worth investigating.

  1. Select a recommendation, and then select Open software page.

  2. Select the Event timeline tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. Learn more about event timeline.

  3. Decide how to address the increase in your organization's exposure, like submitting a remediation request.
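
The check described in this section can also be run against two saved copies of the recommendations list. The following is an added example, not part of the original documentation or of any Microsoft tooling: the record field names, the sample data, the jump thresholds, and the ordering of active alerts ahead of public exploits are all assumptions made for illustration.

```python
# Constructed snapshots of the recommendations list, taken a day apart.
# Field names are assumptions for this example, not a documented schema.
def rec(rid, exposed, exposure_impact, secure_score_impact, exploit, alert):
    return {"id": rid, "exposedDevices": exposed, "exposureImpact": exposure_impact,
            "secureScoreImpact": secure_score_impact,
            "publicExploit": exploit, "activeAlert": alert}

YESTERDAY = [
    rec("rec-a", 40, 3.1, 0.0, False, False),
    rec("rec-b", 200, 5.4, 0.0, True, False),
    rec("rec-c", 12, 0.4, 1.2, False, False),
]
TODAY = [
    rec("rec-a", 130, 6.8, 0.0, False, False),   # sharp rise in exposed devices
    rec("rec-b", 210, 5.5, 0.0, True, False),    # normal drift
    rec("rec-c", 12, 0.4, 1.2, False, False),
    rec("rec-d", 30, 1.0, 0.0, False, True),     # newly listed, with an active alert
]

def flag_jumps(previous, current, min_added=25, min_ratio=1.5):
    """Return (id, before, after) for recommendations whose exposed-device
    count rose by at least min_added devices and by at least min_ratio."""
    before = {r["id"]: r["exposedDevices"] for r in previous}
    flagged = []
    for r in current:
        old = before.get(r["id"], 0)          # not seen before: treat as 0
        added = r["exposedDevices"] - old
        grew = old == 0 or r["exposedDevices"] / old >= min_ratio
        if added >= min_added and grew:
            flagged.append((r["id"], old, r["exposedDevices"]))
    return flagged

def triage_order(recs):
    """Order by: active alert, public exploit, largest exposure-score
    reduction, then largest Secure Score for Devices gain."""
    return sorted(recs, key=lambda r: (not r["activeAlert"], not r["publicExploit"],
                                       -r["exposureImpact"], -r["secureScoreImpact"]))

if __name__ == "__main__":
    for rid, old, new in flag_jumps(YESTERDAY, TODAY):
        print(f"investigate {rid}: exposed devices {old} -> {new}")
    print("triage order:", [r["id"] for r in triage_order(TODAY)])
```

Requiring both an absolute and a relative increase keeps small recommendations (12 to 20 devices) and large, slowly drifting ones (200 to 210) out of the flagged list.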

Recommendations on devices

To see the list of security recommendations that apply to a device, follow these steps:

  1. Navigate to the Device inventory through Assets > Devices navigation menu, then select a device.

  2. Select the Security recommendations tab to see a list of security recommendations for the device.

    Screenshot of the certificate inventory page

Note

If you have the Microsoft Defender for IoT integration enabled in Defender for Endpoint, recommendations for Enterprise IoT devices that appear on the IoT devices tab appear on the security recommendations page. For more information, see Enable Enterprise IoT security with Defender for Endpoint.

Request remediation

The vulnerability management remediation capability bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request that the IT Administrator remediate a vulnerability from the Security recommendation page to Intune. Learn more about remediation options.

How to request remediation

  1. Select a security recommendation you would like to request remediation for and then select Remediation options.

  2. Fill out the form and select Submit request.

  3. To view the status of your remediation request, go to the Remediation page.

For more information, see Learn more about how to request remediation.

File for exception

As an alternative to a remediation request when a recommendation isn't relevant at the moment, you can create exceptions for recommendations. Learn more about exceptions.

Only users with appropriate permissions can add exceptions (see Microsoft Defender XDR Unified role-based access control (RBAC)).

When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to Full exception or Partial exception (by device group).

How to create an exception

  1. Select the security recommendation you want to create an exception for, and then select Exception options.

    Showing where the exception options is located in a security recommendation flyout.

  2. Fill out the form and submit.

  3. To view your exceptions (current and past), navigate to the Remediation page under the Endpoints > Vulnerability management navigation menu and select Remediation, and then select the Exceptions tab.

For more information, see Learn more about how to create an exception.

Report inaccuracy

You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.

  1. In the Microsoft Defender portal, open a security recommendation.

  2. Select the three dots beside the security recommendation that you want to report, then select Report inaccuracy.

  3. In the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.

  4. Select Submit. Your feedback is immediately sent to the vulnerability management experts.