Remediation activities and exceptions

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.


To use this capability, enable your Microsoft Intune connections. Navigate to Settings > General > Advanced features. Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your Microsoft Intune connection toggle on.

After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.

Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.

You can access the Remediation page a few different ways:

Go to the Threat & Vulnerability Management navigation menu and select Remediation to open up the list of remediation activities and exceptions found in your organization.

Top remediation activities in the dashboard

View Top remediation activities in the Threat & Vulnerability Management dashboard. Select any of the entries to go to the Remediation page. You can mark the remediation activity as completed after the IT admin team remediates the task.

Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.

Remediation activities

When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management Remediation page, and a remediation ticket is created in Microsoft Intune.

Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.


When you file for an exception from the Security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your Microsoft Secure Score for Devices.

The exceptions you've filed will show up in the Remediation page, in the Exceptions tab. You can filter your view based on exception justification, type, and status.

Example of the exception page and filter options.

Exception actions and statuses

You can take the following actions on an exception:

  • Cancel - You can cancel the exceptions you've filed any time
  • Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded

The following statuses will be a part of an exception:

  • Canceled - The exception has been canceled and is no longer in effect
  • Expired - The exception that you've filed is no longer in effect
  • In effect - The exception that you've filed is in progress

Exception impact on scores

Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner:

  • No impact - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores.
  • Mitigation-like impact - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
  • Hybrid - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made.

The exception impact shows on both the Security recommendations page column and in the flyout pane.

Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.

View exceptions in other places

Select Show exceptions at the bottom of the Top security recommendations card in the dashboard to open a filtered view in the Security recommendations page of recommendations with an "Exception" status.

Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.