Vulnerability Management

TVM assessment, vulnerability exposure analysis, patch prioritization, risk scoring, remediation tracking, and software inventory management via Microsoft Defender for Endpoint.

Last Updated: 2025-02 Microsoft Defender for Endpoint 9 KQL Queries | 1 Decision Tree | 8 Procedures

1 MDE TVM Assessment

Microsoft Defender Vulnerability Management (TVM) provides continuous vulnerability discovery, intelligent prioritization, and remediation tracking across your endpoint fleet. Follow this procedure to perform a comprehensive TVM assessment.

TVM Assessment Procedure

Navigate to Microsoft 365 Defender portal → Vulnerability Management → Dashboard
Review current Exposure Score (0-100, lower is better) and trending direction
Review Device Exposure Distribution (Critical, High, Medium, Low)
Check top security recommendations sorted by impact
Review recently discovered vulnerabilities (CVEs) in the "Weaknesses" tab
Identify devices with most critical vulnerabilities using "Exposed Devices"
Generate vulnerability assessment report for management review

Key TVM Metrics

Exposure Score — Overall security risk posture (0-100). Secure Score for Devices — Configuration compliance percentage. Vulnerable Devices — Count of devices with known vulnerabilities. Critical Vulnerabilities — CVEs with CVSS 9.0+ requiring immediate attention.

2 Vulnerability Exposure KQL Queries

The following KQL queries support vulnerability assessment and exposure analysis workflows. Run these in Microsoft 365 Defender Advanced Hunting to identify, prioritize, and track vulnerabilities across your endpoint fleet.

All Critical Vulnerabilities on Exposed Devices

All Critical Vulnerabilities on Exposed Devices DeviceTvmSoftwareVulnerabilities Critical

Identifies all critical-severity CVEs across the fleet, ranked by the number of affected devices. Provides a prioritized list of the most impactful vulnerabilities requiring immediate remediation attention.

DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| summarize AffectedDevices = dcount(DeviceId),
            DeviceNames = make_set(DeviceName, 10),
            AffectedSoftware = make_set(SoftwareName)
    by CveId, VulnerabilitySeverityLevel
| sort by AffectedDevices desc
| take 25

Expected Output

Top 25 critical CVEs ranked by number of affected devices. Includes CVE ID, severity level, device count, sample device names, and affected software names.

When to Use

Weekly vulnerability review prioritization. Run this query at the start of each vulnerability management cycle to identify the highest-impact critical CVEs across your environment.

Devices with Most Vulnerabilities

Devices with Most Vulnerabilities DeviceTvmSoftwareVulnerabilities Risk Ranking

Ranks devices by a composite vulnerability risk score, weighting critical vulnerabilities more heavily than high or medium. Identifies the devices that pose the greatest aggregate risk to the environment.

DeviceTvmSoftwareVulnerabilities
| summarize CriticalCount = countif(VulnerabilitySeverityLevel == "Critical"),
            HighCount = countif(VulnerabilitySeverityLevel == "High"),
            MediumCount = countif(VulnerabilitySeverityLevel == "Medium"),
            TotalVulns = count()
    by DeviceName, DeviceId
| extend RiskScore = (CriticalCount * 10) + (HighCount * 5) + (MediumCount * 1)
| sort by RiskScore desc
| take 20

Expected Output

Top 20 devices ranked by composite vulnerability risk score. Includes device name, ID, counts by severity tier, total vulnerabilities, and the calculated risk score.

When to Use

Identifying devices needing urgent patching. Use this to prioritize patch deployment to the most vulnerable endpoints first, particularly ahead of maintenance windows.

Specific CVE Exposure Check

Specific CVE Exposure Check DeviceTvmSoftwareVulnerabilities CVE Lookup

Checks the entire fleet for exposure to a specific CVE, joining vulnerability data with device information for full context. Replace the target CVE variable with the CVE ID you are investigating.

let targetCVE = "CVE-2024-12345";
DeviceTvmSoftwareVulnerabilities
| where CveId == targetCVE
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(1d)
    | summarize arg_max(Timestamp, *) by DeviceId
) on DeviceId
| project DeviceName, OSPlatform, OSVersion, SoftwareName,
         SoftwareVersion, VulnerabilitySeverityLevel, MachineGroup,
         PublicIP, LoggedOnUsers
| sort by DeviceName asc

Expected Output

All devices affected by the specified CVE with enriched context: device name, OS platform and version, vulnerable software and version, severity, machine group, public IP, and logged-on users.

When to Use

When a new critical CVE is published and you need to assess exposure. Run this immediately upon receiving a vulnerability advisory to determine your organization's attack surface for that specific CVE.

Vulnerable Software Inventory

Vulnerable Software Inventory DeviceTvmSoftwareVulnerabilities Software Risk

Correlates software vulnerability data with the software inventory to identify which software titles and versions carry the most vulnerabilities and affect the most devices across the fleet.

DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareInventory
    | summarize DeviceCount = dcount(DeviceId) by SoftwareName, SoftwareVersion
) on SoftwareName
| summarize VulnCount = dcount(CveId),
            CriticalVulns = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
            DevicesAffected = dcount(DeviceId)
    by SoftwareName, SoftwareVersion
| sort by CriticalVulns desc, VulnCount desc
| take 30

Expected Output

Software ranked by vulnerability count and critical vulnerability count. Includes software name, version, total vulnerabilities, critical vulnerabilities, and the number of affected devices.

When to Use

Identifying software that poses the highest risk across the fleet. Use this during monthly vulnerability reviews to recommend software upgrades, replacements, or removal of high-risk applications.

End-of-Life Software Detection

End-of-Life Software Detection DeviceTvmSoftwareInventory EOL Risk

Detects all software that has reached or is approaching end-of-life/end-of-support status. End-of-life software no longer receives security patches and represents a significant ongoing vulnerability risk.

DeviceTvmSoftwareInventory
| where EndOfSupportStatus != "None" and EndOfSupportStatus != ""
| summarize DeviceCount = dcount(DeviceId),
            Devices = make_set(DeviceName, 10),
            Versions = make_set(SoftwareVersion)
    by SoftwareName, EndOfSupportStatus, EndOfSupportDate
| sort by DeviceCount desc

Expected Output

All end-of-life software with device counts, sample device names, software versions, EOL status, and the end-of-support date. Sorted by the number of affected devices.

When to Use

Monthly review to identify unsupported software requiring migration. EOL software should be flagged for replacement planning as it will not receive future security updates from the vendor.

Vulnerability Age Analysis

Vulnerability Age Analysis DeviceTvmSoftwareVulnerabilities Remediation Velocity

Calculates the average and maximum age of unpatched critical and high severity vulnerabilities. Provides a key metric for tracking remediation velocity and identifying stale vulnerabilities that have remained unpatched for too long.

DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| extend VulnAge = datetime_diff('day', now(), todatetime(CvePublishedDate))
| summarize AvgAge = avg(VulnAge),
            MaxAge = max(VulnAge),
            VulnCount = count()
    by VulnerabilitySeverityLevel
| extend AvgAgeDays = round(AvgAge, 0), MaxAgeDays = round(MaxAge, 0)
| project VulnerabilitySeverityLevel, VulnCount, AvgAgeDays, MaxAgeDays

Expected Output

Average and maximum age of unpatched vulnerabilities grouped by severity level. Shows the count of open vulnerabilities, average days since CVE publication, and the oldest unpatched vulnerability age.

When to Use

Tracking remediation velocity and identifying stale vulnerabilities. Use this in management reporting to demonstrate patching performance and highlight aging vulnerabilities that need escalation.

Devices Missing Security Updates

Devices Missing Security Updates DeviceTvmSecureConfigurationAssessment Non-Compliant

Identifies devices that are not compliant with security update configuration assessments. Focuses on patch-related configuration IDs to surface devices where patch deployment may be failing or stalled.

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId has "scid-91"
| where IsCompliant == 0
| where IsApplicable == 1
| summarize NonCompliantCount = count()
    by DeviceName, ConfigurationId, ConfigurationName
| sort by NonCompliantCount desc
| take 30

Expected Output

Devices not compliant with security update configurations. Shows device name, configuration ID, configuration name, and the count of non-compliant assessments.

When to Use

Identifying devices with patch deployment failures. Run this after patch deployment windows to verify compliance and identify devices that need manual intervention or troubleshooting.

Browser Extension Risk Assessment

Browser Extension Risk Assessment DeviceTvmBrowserExtensions Extension Audit

Audits browser extensions installed across the fleet, identifying the most prevalent extensions and the browsers they are installed on. Helps detect potentially risky, unauthorized, or data-exfiltration-capable extensions.

DeviceTvmBrowserExtensions
| summarize DeviceCount = dcount(DeviceId),
            BrowserTypes = make_set(BrowserName)
    by ExtensionName, ExtensionId, ExtensionVersion
| where DeviceCount > 5
| sort by DeviceCount desc
| take 30

Expected Output

Most prevalent browser extensions across the fleet. Includes extension name, ID, version, device count, and the browsers where the extension is installed.

When to Use

Identifying potentially risky or unauthorized browser extensions. Run this monthly to audit the extension landscape and flag unknown or unapproved extensions for security review.

Remediation Progress Tracking

Remediation Progress Tracking DeviceTvmSoftwareVulnerabilities Reporting

Generates a current-state vulnerability posture snapshot summarizing critical and high vulnerabilities, affected devices, and unique CVE count. Designed for weekly management reporting and dashboarding.

DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize
    TotalVulns = count(),
    CriticalVulns = countif(VulnerabilitySeverityLevel == "Critical"),
    HighVulns = countif(VulnerabilitySeverityLevel == "High"),
    AffectedDevices = dcount(DeviceId),
    UniqueCVEs = dcount(CveId)
| extend Summary = strcat("Total: ", TotalVulns, " vulns (", CriticalVulns, " Critical, ", HighVulns, " High) across ", AffectedDevices, " devices")

Expected Output

Current vulnerability posture snapshot with total vulnerability count, critical and high breakdowns, number of affected devices, unique CVE count, and a summary string for reporting.

When to Use

Weekly management reporting on vulnerability status. Use this to track week-over-week progress on vulnerability remediation and provide leadership with a concise posture summary.

3 Patch Prioritization

Follow this decision tree to determine the appropriate patch priority and remediation timeline for each newly identified vulnerability. This ensures consistent, risk-based prioritization across the team.

New Vulnerability Identified — Begin Prioritization
- Is the vulnerability actively exploited in the wild (KEV list / vendor advisory)?
  - CRITICAL priority: Patch within 24-48 hours. Activate emergency change process. Notify security leadership immediately.
  - Continue
    - Is there a public exploit available (Exploit-DB, GitHub)?
      - HIGH priority: Patch within 7 days. Schedule priority deployment in next available maintenance window.
      - Continue
        
        Is the CVSS score ≥ 9.0?
        
        HIGH priority: Patch within 14 days. Include in next scheduled patch cycle.
        
        Continue
        
        Is the affected asset internet-facing or business-critical?
        
        Increase priority by one level. Internet-facing and business-critical assets have higher exposure and impact.
        
        Continue to CVSS-based prioritization
        
        Apply CVSS-based remediation timeline:
        
        CVSS 7.0-8.9 — MEDIUM: Patch within 30 days via standard patch cycle.
        
        CVSS 4.0-6.9 — LOW: Patch within 90 days in regular maintenance.
        
        CVSS 0.1-3.9 — MINIMAL: Patch in next available maintenance window.

Beyond CVSS

Effective patch prioritization considers more than just CVSS scores. Factor in: asset criticality, network exposure, compensating controls, exploit maturity, and whether the vulnerability is being actively exploited. Microsoft's security recommendations in TVM already incorporate many of these factors.

4 Risk Scoring and Classification

Use this composite risk scoring model to calculate a consistent, weighted risk score for each vulnerability. The model considers multiple factors beyond CVSS to provide a more accurate representation of actual risk to the organization.

Risk Scoring Model

Factor	Weight	Critical (4)	High (3)	Medium (2)	Low (1)
CVSS Base Score	30%	9.0-10.0	7.0-8.9	4.0-6.9	0.1-3.9
Exploit Availability	25%	Active exploitation	Public exploit	PoC available	No known exploit
Asset Criticality	25%	Domain controllers, key servers	Department servers	Standard workstations	Test/dev systems
Network Exposure	20%	Internet-facing	DMZ / accessible from multiple zones	Internal only	Isolated network

Risk Classification Matrix

Risk Level	Composite Score	SLA	Approval for Exception
Critical	3.5-4.0	48 hours	CISO only
High	2.5-3.4	7 days	Security Manager
Medium	1.5-2.4	30 days	Team Lead
Low	1.0-1.4	90 days	Analyst

5 Remediation Tracking

A structured remediation workflow ensures vulnerabilities progress from identification through to verified resolution. Follow this end-to-end process for each vulnerability or batch of vulnerabilities identified.

Remediation Workflow

Vulnerability identified via TVM or scanning
Risk assessed and prioritized using scoring model
Remediation ticket created with SLA based on priority
Ticket assigned to responsible team (IT Ops, App Team, etc.)
Patch/fix applied per change management process
Verification scan performed to confirm remediation
Ticket closed with evidence of remediation

Dashboard Metrics

Metric	Description	Target	RAG Threshold
Open Critical Vulns	Count of unpatched critical CVEs	0	Red: >5 Amber: 1-5 Green: 0
Open High Vulns	Count of unpatched high CVEs	<10	Red: >25 Amber: 10-25 Green: <10
Mean Time to Remediate (Critical)	Average days from discovery to patch	<2 days	Red: >7 Amber: 2-7 Green: <2
Mean Time to Remediate (High)	Average days from discovery to patch	<7 days	Red: >14 Amber: 7-14 Green: <7
SLA Compliance Rate	% of vulns patched within SLA	>95%	Red: <80% Amber: 80-95% Green: >95%
Vulnerability Recurrence	Vulns that reappear after remediation	<5%	Red: >15% Amber: 5-15% Green: <5%
Scan Coverage	% of assets scanned by TVM	>98%	Red: <90% Amber: 90-98% Green: >98%

6 Exception and Risk Acceptance

When a vulnerability cannot be remediated within its SLA due to business, technical, or operational constraints, a formal risk acceptance process must be followed. All exceptions require documented justification, compensating controls, and appropriate approval authority.

Risk Acceptance Form

Complete the following template for every vulnerability exception request. All fields are mandatory.

EXCEPTION ID:           [EXC-YYYY-NNNN]
VULNERABILITY:          [CVE ID and description]
AFFECTED ASSETS:        [Device names/count]
BUSINESS JUSTIFICATION: [Why the vulnerability cannot be remediated]
COMPENSATING CONTROLS:  [Controls mitigating the risk]
RISK LEVEL:             [Critical/High/Medium/Low]
REQUESTED DURATION:     [Days/months]
REQUESTED BY:           [Name and role]
APPROVED BY:            [Must meet authority level per table below]
REVIEW DATE:            [Mandatory review date]

Approval Authority

Risk Level	Approval Authority	Maximum Duration	Review Frequency
Critical	CISO	30 days	Every 2 weeks
High	Security Manager	90 days	Monthly
Medium	Team Lead	180 days	Quarterly
Low	Senior Analyst	365 days	Semi-annually

Exception Process Checklist

Exception Process Checklist Required

0 / 7

Document complete business justification for exception

Identify and implement compensating controls

Obtain approval from appropriate authority level

Record exception in risk register

Set calendar reminder for review date

Monitor compensating control effectiveness

Re-assess at expiration — renew, remediate, or close

Exception Governance

All exceptions must have compensating controls documented. Exceptions without compensating controls require CISO approval regardless of risk level. Expired exceptions are automatically escalated.

7 Software Inventory Management

Maintaining an accurate software inventory is essential for vulnerability management. TVM provides continuous discovery of software installed across the fleet, enabling identification of unauthorized, outdated, or end-of-life applications.

Software Inventory Procedure

Access TVM → Software Inventory in Microsoft 365 Defender
Review software catalog for unauthorized or unexpected applications
Cross-reference with approved software list (CMDB)
Flag unauthorized software for removal or approval review
Identify end-of-life software for migration planning
Track software version distribution to identify outdated installations
Generate software inventory report for compliance

Shadow IT Detection

Shadow IT Risk

Unauthorized software may introduce unpatched vulnerabilities, bypass security controls, or provide attack vectors. Use TVM software inventory to detect and address shadow IT installations.

Shadow IT Review Checklist Monthly

0 / 7

Export current software inventory from TVM

Compare against approved software baseline

Identify new/unauthorized applications

Investigate purpose and owner of unauthorized software

Determine risk level of each unauthorized application

Create removal or approval tickets as appropriate

Update approved software baseline

8 Security Recommendations Review

Microsoft Defender TVM generates actionable security recommendations based on the configuration and vulnerability state of your fleet. Regularly reviewing and implementing these recommendations reduces your overall exposure score and hardens the environment.

Recommendations Review Procedure

Navigate to TVM → Security Recommendations
Sort by "Exposure Impact" to prioritize high-impact items
Review recommendation details: affected devices, remediation steps, expected impact
Categorize: Security Controls, OS Configuration, Application Configuration
Assign remediation owners based on recommendation type
Create implementation tickets with SLA aligned to priority
Track implementation progress weekly
Mark recommendations as completed in TVM after implementation

Recommendation Priority

Category	Examples	Default Priority	Owner
Security Controls	Enable ASR rules, Configure firewall, Enable credential guard	High	Security Engineering
OS Configuration	Enable secure boot, Configure audit policies, Disable SMBv1	Medium	IT Operations
Application Configuration	Update browser settings, Configure Office macros, Java settings	Medium	Desktop Engineering
Software Updates	OS patches, Application updates, Driver updates	Varies by CVSS	Patch Management
Hardware	TPM enablement, Firmware updates	Low	Hardware Team

Recommendations Review Checklist

Weekly Recommendations Review Weekly

0 / 7

Review new security recommendations weekly

Prioritize recommendations by exposure impact

Assign owners to top 10 unaddressed recommendations

Track implementation progress

Close completed recommendations in TVM

Report recommendation compliance to management monthly

Escalate stalled recommendations after 30 days