Remediate vulnerabilities

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

To sign up for the Defender Vulnerability Management public preview or if you have any questions, contact us (mdvmtrial@microsoft.com).

Already have Microsoft Defender for Endpoint P2? Sign up for a free trial of the Defender Vulnerability Management Add-on.

Watch this short video to learn how threat and vulnerability management discovers vulnerabilities and misconfigurations on your endpoints and provides actionable insights that help you quickly remediate threats and vulnerabilities in your environment.

Request remediation

Vulnerability management capabilities bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the Recommendation pages to Intune.

Enable Microsoft Intune connection

To use this capability, enable your Microsoft Intune connections. In the Microsoft 365 Defender portal, navigate to Settings > Endpoints > General > Advanced features. Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your Microsoft Intune connection toggle On.

Note: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.

See Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint for details.

Remediation request steps

  1. Go to the Vulnerability management navigation menu in the Microsoft 365 Defender portal, and select Recommendations.

  2. Select a security recommendation you would like to request remediation for, and then select Remediation options.

  3. Fill out the form, including what you are requesting remediation for, applicable device groups, priority, due date, and optional notes.

    1. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action.
  4. Select Submit request. Submitting a remediation request creates a remediation activity item within vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.

  5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.

  6. Go to the Remediation page to view the status of your remediation request.

If you want to check how the ticket shows up in Intune, see Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint for details.

Note

If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.

After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created.

Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.

View your remediation activities

When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked on a Remediation page, and a remediation ticket is created in Microsoft Intune.

If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor.

Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.

Example of the Remediation page, with a selected remediation  activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation

Note

There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion.

Completed by column

Track who closed the remediation activity with the "Completed by" column on the Remediation page.

  • Email address: The email of the person who manually completed the task
  • System confirmation: The task was automatically completed (all devices remediated)
  • N/A: Information is not available because we don't know how this older task was completed

Created by and completed by columns with two rows. One row for completed by has example of an email, the other row says system confirmation.

Top remediation activities in the dashboard

View Top remediation activities in the Vulnerability management dashboard. Select any of the entries to go to the Remediation page. You can mark the remediation activity as completed after the IT admin team remediates the task.

Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.