Forum Discussion

GirthDefenceForce's avatar
GirthDefenceForce
Copper Contributor
May 07, 2026

Defender Threat & Vulnerability Management Reporting

Hello, we're looking at implementing DTVM for our endpoints, but are curious about reporting.

 

Is there a way we can get these reports in a PDF format, and scoped to specific devices only? I'd like to use the evidence paths gathered from KQL to help build the reports. Are there any guides or steps out there that shows how we can do this with tools like PowerBI?

 

Thanks in advance.

endpoint security
Getting Started
microsoft defender for endpoint
Microsoft Graph Security API

1 Reply

  • Marcel_Graewer's avatar
    Marcel_Graewer
    Brass Contributor
    May 07, 2026

    Hi,

    quick honest answer: native PDF export is not part of MDVM today. The built-in reporting (Vulnerable Devices Report, Recommendations, Inventory) is interactive inside the Defender portal, not a scheduled report engine. There are a few realistic paths depending on what you actually need.

    For ad-hoc exports, the portal pages support CSV download directly. Crude but works for one-off snapshots.

    For recurring, formatted reports the practical patterns are:

    Power BI on top of the Export API. MDVM exposes a full Export API for software vulnerabilities, secure configurations, and per-device inventory, see https://learn.microsoft.com/en-us/defender-endpoint/api/get-assessment-software-vulnerabilities. The required application permission is Vulnerability.Read.All. Available in Defender for Endpoint P1, P2, and MDVM Standalone. Microsoft has a walkthrough for the Export API specifically: https://techcommunity.microsoft.com/blog/vulnerability-management/using-export-api-with-defender-vulnerability-management/4191046. Power BI Service can then schedule a refresh and email reports as PDF via the Subscribe feature, but be aware that scheduled email subscriptions require Power BI Pro or Premium per User.

    Advanced Hunting + Logic App. If your reporting need is narrower, for example "all critical CVEs older than 30 days per business unit", a KQL query against DeviceTvmSoftwareVulnerabilities joined with DeviceTvmSoftwareInventory and DeviceInfo, scheduled via Logic App, can produce a formatted email report with much less infrastructure than Power BI. PDF rendering needs a converter step (third-party connector or HTML-to-PDF service), which is a small but real piece of work. Note Advanced Hunting has a 30-day data window, so for longer trends you still need to ingest the data somewhere.

    Microsoft Security Exposure Management. Worth checking if your tenant is licensed for it. MDVM is now integrated into MSEM, and the unified recommendations and exposure views give better executive-level visibility than the standalone MDVM reports. Still no native PDF, but the dashboards are richer for stakeholder communication.

    One thing worth knowing before committing to an approach: the Export API delivers full snapshots and delta exports up to 14 days back. If your stakeholders want trends beyond that window, you have to ingest and store the snapshots yourself (Sentinel workspace, Log Analytics, or your own database). That ingestion piece is often the underestimated part of MDVM reporting projects.

    Happy to share more detail on any of the three paths if useful.