Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
What’s new in Microsoft Defender Vulnerability Management | April 2023 Update
Published Apr 03 2023 07:38 AM 8,632 Views

We are excited to share new and updated capabilities for Microsoft Defender Vulnerability Management. Vulnerability management is a moving target, and we hope these updates will enable you to enhance your vulnerability management program and better protect your organization. Our April update unveils the following enhancements and new capabilities:  

  • Enhanced security baseline assessments, including new Microsoft benchmarks, and the ability to add exceptions that exclude the assessment of specific configurations on certain devices.   
  • New “Pending restart” information provides information about the reboot status of devices.
  • The ability to view data for devices that are not onboarded, through vulnerability management APIs.  

Enhanced security baseline assessment  

Microsoft Defender Vulnerability Management’s security baseline assessment feature is an automated configuration assessment solution with the ability to customize configuration checks and manage exceptions. It provides accurate current configuration values and evidence for different operating systems along with recommended values from a wide range of benchmarks to help SOC teams achieve their goal of keeping their organizations safe. 



Figure 1: Monitor and track the status of your compliance with the security baseline assessment dashboard.


Instead of running endless compliance scans, security baseline assessment feature allows organizations to continuously and effortlessly monitor security baseline compliance and identify changes in real time. Customers have been actively leveraging our security baseline assessment and we’re excited to share a few updates we’ve been working on to enhance this premium feature: 


Create and manage exceptions for your security baseline assessments  

Security teams should be focusing on critical systems and applications while cautiously using exception management. This is exactly what our new capability offers.


By using the new exceptions capability in security baseline assessment, you can exclude specific devices and configurations from configuration checks profiles. This means that these devices won’t be active in the profiles anymore and therefore, won’t affect the organization’s metrics and score. Having this capability will enhance management and control abilities, as well as obtain more clarity in compliance visibility. For more information about this update, read more about security baseline assessments here.



Figure 2: Define exception - enter details, choose the scope, and select the configurations and devices you want to exclude.


Security baseline assessment now include Microsoft Benchmarks  

Our current collection of CIS and STIG benchmarks have helped organizations identify recommended security settings and configurations with regulatory and industry standards. In addition to the powerful CIS and STIG benchmarks, you can now leverage Microsoft benchmarks to best configure your Microsoft environments. Starting today, organizations will have the option of managing and assessing configurations against the Microsoft benchmarks.


View device restart status 

The patching process is one of the most important components of a comprehensive vulnerability management solution. To help organizations better track patching status, we developed a new capability that will allow you to track the status of the devices during the patching process that will indicate if the patching has failed due to a pending restart and how many devices are pending a restart.  


We have created this new feature with intent to explain the gap between how update actions taken are not yet reflected in the exposure metrics, that can occur in many cases, due to the fact that some devices require restarts in order to complete an update.


There are various places in Defender Vulnerability Management where you can find this indication. A pending restart tag is now available with the security recommendations. On the software page, this indication appears as part of the missing KBs section. As a first step, this new capability covers Windows (OS) updates, and KB corrections. Please stay tuned, as we plan to extend this feature to many other operating systems in the future. 



Figure 3: Review security recommendations associated with devices that are pending restart by filtering on the appropriate tag.



Figure 4: Review missing KBs associated with devices that are pending restart through the software page.


Get data for devices that are not onboarded 

We know customers have been leveraging Microsoft Defender Vulnerability Management APIs to create custom reports and dashboards which provide security teams and stakeholders with meaningful insights about their organization’s security posture. Defender Vulnerability Management API has typically provided data for devices that have been onboarded to Microsoft Defender for Endpoint, as the vulnerability management export APIs pull data on a per-device basis. The file exports have only included onboarded devices and the existing ‘IsOnboarded’ field in the export was always set to ‘True’. 


In the coming weeks, we will be updating the Defender Vulnerability Management API to return data on devices that have not yet been onboarded to Microsoft Defender for Endpoint. This update will provide organizations with more information about devices, meaning you can now create more detailed reports to better monitor the devices and risks in your organization. This will apply to vulnerability management API exports done via files, and the export file will now include data on those devices not yet onboarded to Microsoft Defender for Endpoint. 


As a result, the additional data may result in much larger export files for the vulnerability management APIs due to inclusion of both onboarded and not yet onboarded devices. 


While there is no action needed to prepare for this change, the amount of data exported may now be significantly larger so you may choose to apply a filter to control what is exported within your data export tools.


Learn and explore premium capabilities of Microsoft Defender Vulnerability Management such as security baseline assessments and more through a trial of Defender Vulnerability Management on our website here. 

1 Comment
Version history
Last update:
‎Apr 03 2023 07:41 AM
Updated by: