Secure Score - Vulnerability Exceptions Not Registering
I have followed the guide to configure the proper permissions to manage within Defender. Device groups have been created based off tags we applied to the devices, and the device groups register the expected number of devices. We apply an exception to the vulnerability recommendation based off the device group, looking at the individual device pages we can confirm the recommendation is excluded and it all appears to work as intended up to this point. The problem starts on the vulnerability dashboard. The recommendation shows it is in partial exception status however none of the statistics or data reflect this including our secure score. I can confirm making a global exception works as expected and we can see the score adjust properly. Has anyone experienced this before or have any pointers? We have been working at this for weeks trying different things without luck, we are ensuring to leave adequate sync times.Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
OpenSSL
We have the recommendation to update OpenSSL. However, we can not figure out how to actually do this. There seems to be no installed location of OpenSSL so how can we update this? I have found a few posts/comments that have led me to this page New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub but this doesn't actually help you at all. Going to OpenSSL's site for download just gives you a repository of files that don't actually update anything. So what are we supposed to do to get this remediated?
Does Microsoft Graph API Throttle When Triggering More Than 200 On-Demand Remediation Calls?
Hi Everyone, I'm using the following Microsoft Graph API endpoint to trigger proactive remediation scripts on Intune-managed devices: POST https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/initiateOnDemandProactiveRemediation My scenario involves triggering this API for around 200+ devices, each with multiple scripts. I have a few concerns and would appreciate some guidance: Are there any throttling limits specific to this endpoint or the Intune service that I should be aware of? If I send 200+ POST requests in a short time window, will I hit rate limits or receive 429 errors? What is the recommended approach to avoid throttling — should I batch requests, add delays, or implement retry logic? Is there any official documentation or best practices for handling bulk remediation triggers? I’ve reviewed the general Microsoft Graph throttling guidance and service-specific throttling limits, but I’m unsure how they apply to this specific endpoint. Any help, examples, or insights would be greatly appreciated! Thanks, Swahela MullaMicrosoft Defender EOP
We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.
User Profile Deletion
Hi, I just wanted to pick anyone's brains, in case they have also encountered this or would have any idea why this is the case. I am fairly new to Intune and script writing, to clarify. Basically, we have been working on a Detect and Remediation script that is deployed via Intune (Devices >Ssni Script and Remediations) to Windows 10 (Ent 22H2) and Windows 11 (Ent 24H2) devices. On any fresh enrolled devices, it detects and deletes user profiles completely fine, but fails to even detect profiles on devices that were enrolled a while ago. However, if we run an Autopilot reset on those devices, the script works again. What difference would a freshly built/enrolled device have to an older one, when they also run other scripts fine. The script targets profiles that are older than 1 hour as we want to keep on top of removing profiles consistently to keep disk space low, especially on lower spec laptops. It will exclude SYSTEM profiles and also any *Admin* user folders - as that has a separate script to only delete LAPSAdmin on an evening, when the workplace is closed (8pm UK). This LAPSAdmin script worked fine on the older enrolled devices. Some of the profiles on the machines go back to 2023, is the '1 hour' target not effective against that old of a profile - has it become stale?SS Like I said, I am fairly new to this and have used bits and pieces from different locations to help muster up a script. I thought I had it nailed as it was working on test devices that were just enrolled purely for testing, until I was asked to put it onto another group. Intune doesn't say the script fails - indicating there are no errors. However, I am not saying there isn't. Detect: Remediate: Thanks for your time, Dean
TVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!
