Threat & Vulnerability Management

Applies to:


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.

It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.

Next-generation capabilities

Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.

It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.


Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.

It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager

Real-time discovery

To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:

  • Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
  • Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
  • Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
  • Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.

Intelligence-driven prioritization

Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:

  • Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
  • Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
  • Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.

Seamless remediation

Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.

  • One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
  • Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
  • Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.