Trial user guide: Microsoft Defender Vulnerability Management
This user guide is a simple tool to help you set up and make the most of your free Microsoft Defender Vulnerability Management trial. Following these suggested steps from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data.
Important
The trial offering for Microsoft Defender Vulnerability Management isn't currently available to:
- US Government customers using GCC High, and DoD
- Microsoft Defender for Business customers
What is Microsoft Defender Vulnerability Management?
Reducing cyber risk requires a comprehensive risk-based vulnerability management program to identify, assess, remediate, and track important vulnerabilities across your most critical assets.
Microsoft Defender Vulnerability Management delivers asset visibility, continuous real-time discovery and assessment of vulnerabilities, context-aware threat & business prioritization, and built-in remediation processes. It includes capabilities so your teams can intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.
Watch the following video to learn more about Defender Vulnerability Management:
Let's get started
Step 1: Set up
Note
Users must have an appropriate role assigned in Microsoft Entra ID to perform this task. For more information, see Required roles for starting the trial.
The Microsoft Defender Vulnerability Management trial can be accessed in several ways:
Work with a reseller. If you're not already working with a reseller, see Microsoft Security partners.
Use the Microsoft Defender portal. In the portal, in the navigation pane, select Trials.
- If you have Defender for Endpoint Plan 2, find the Defender Vulnerability Management add-on card and select Try now.
- If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, choose the Defender Vulnerability Management card and select Try now.
Sign up through the Microsoft 365 admin center.
Note
For more options on how to sign up to the trial, see Sign up for Microsoft Defender Vulnerability Management.
Review the information about what's included in the trial, then select Begin trial. Once you activate the trial it can take up to six hours for the new features to become available in the portal.
The Defender Vulnerability Management add-on trial lasts for 90 days.
The Defender Vulnerability Management Standalone trial lasts for 90 days.
When you're ready to get started, visit the Microsoft Defender portal and select Vulnerability management in the left navigation bar to start using the Defender Vulnerability Management trial.
Note
If you're a Microsoft Defender for Cloud customers, see Vulnerability Management capabilities for servers to learn more about the Defender Vulnerabilities Management capabilities available to your organization.
Try out Defender Vulnerability Management
Step 1: Know what to protect in a single view
Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, browser extensions, and hardware and firmware into a single inventory view.
Device inventory: The device inventory shows a list of the devices in your network. By default, the list displays devices seen in the last 30 days. At a glance, you'll see information such as domains, risk levels, OS platform, associated CVEs, and other details for easy identification of devices most at risk. For more information, see Device inventory.
Discover and assess your organization's software in a single, consolidated inventory view:
Software application inventory: The software inventory in Defender Vulnerability Management is a list of known applications in your organization. The view includes vulnerability and misconfiguration insights across installed software with prioritized impact scores and details such as OS platforms, vendors, number of weaknesses, threats, and an entity-level view of exposed devices. For more information, see Software inventory.
Browser extension assessments: The browser extensions page displays a list of the extensions installed across different browsers in your organization. Extensions usually need different permissions to run properly. Defender Vulnerability Management provides detailed information on the permissions requested by each extension and identifies those with the highest associated risk levels, the devices with the extension turned on, installed versions, and more. For more information, see Browser extensions assessment in Microsoft Defender Vulnerability Management.
Certificate inventory: The certificate inventory allows you to discover, assess, and manage digital certificates installed across your organization in a single view. This can help you:
Identify certificates that are about to expire so you can update them and prevent service disruption.
Detect potential vulnerabilities due to the use of weak signature algorithm (for example, SHA-1-RSA), short key size (for example, RSA 512 bit), or weak signature hash algorithm (for example, MD5).
Ensure compliance with regulatory guidelines and organizational policy.
For more information, see Certificate inventory.
Hardware and firmware: The hardware and firmware inventory provides a list of known hardware and firmware in your organization. It provides individual inventories for system models, processors, and BIOS. Each view includes details such as the name of the vendor, number of weaknesses, threats insights, and the number of exposed devices. For more information, see Certificate inventory.
Authenticated scan for Windows: With Authenticated scan for Windows you can remotely target by IP ranges or hostnames and scan Windows services by providing Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities. For more information, see Authenticated scan for Windows.
Assign device value: Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options include Low, Normal (Default), and High. You can also use the set device value API. For more information, see Assign device value.
Step 2: Track and mitigate remediation activities
Request remediation: Vulnerability management capabilities bridge the gap between Security and IT administrators through the remediation request workflow. Security administrators can request that the IT Administrator remediate a vulnerability from the Recommendation pages in Microsoft Intune. For more information, see Request remediation.
View your remediation activities: When you submit a remediation request from the Security recommendations page, it starts a remediation activity. A security task is created that can be tracked on a Remediation page, and a remediation ticket is created in Intune. For more information, see View your remediation activities.
Block vulnerable applications: Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application or warn users with customizable messages before opening vulnerable app versions until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
Note
When your trial ends, blocked applications are immediately unblocked. Baseline profiles might be stored for a little longer before they're deleted.
Use enhanced assessment capabilities, such as Network shares analysis to protect vulnerable network shares. As network shares can be easily accessed by network users, small common weaknesses can make them vulnerable. These types of misconfigurations are commonly used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more. That's why we built a new category of configuration assessments in Defender Vulnerability Management that identify the common weaknesses that expose your endpoints to attack vectors in Windows network shares. This helps you:
Disallow offline access to shares
Remove shares from the root folder
Remove share write permission set to 'Everyone'
Set folder enumeration for shares
View and monitor your organization's devices using a Vulnerable devices report that shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breadth and scope of your device exposure.
Step 3: Set up security baseline assessments
Instead of running point-in-time compliance scans, security baselines assessment helps you to continuously and proactively monitor your organization's compliance against industry security benchmarks in real time. A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks (CIS, NIST, MS). When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.
Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
Get started with security baselines assessment.
Note
When your trial ends, security baseline profiles might be stored for a little while before they're deleted.
Step 4: Create meaningful reports to get in-depth insights using APIs and Advanced Hunting
Defender Vulnerability Management APIs can help drive clarity in your organization with customized views into your security posture and automation of vulnerability management workflows. Alleviate your security team's workload with data collection, risk score analysis, and integrations with your other organizational processes and solutions. For more information, see:
Advanced hunting enables flexible access to Defender Vulnerability Management raw data, which allows you to proactively inspect entities for known and potential threats. For more information, see Hunt for exposed devices.
Licensing and trial information
As part of the trial setup, the new Defender Vulnerability Management trial licenses are applied to users automatically. Therefore, no license assignment is needed Licenses are active for the duration of the trial.
Getting started with the trial
You can start using Defender Vulnerability Management features as soon as you see them in the Microsoft Defender portal. Nothing is created automatically and users aren't affected. When you navigate to each solution, you may be guided to make extra setup configurations to start using features.
Extending the trial
You can request one extension of your current trial for 30 days within the last 15 days of the trial period. For any questions, please contact your field seller.
Ending the trial
Administrators can disable the trial at any time. In the Microsoft Defender portal, in the navigation pane, select Trials, go to the Defender Vulnerability Management trial card, and then select End trial.
Unless stated otherwise, your trial is maintained, usually for 180 days, before it's permanently deleted. You can continue to access your data gathered during the trial until that time.
Additional resources
- Terms and conditions: See the terms and conditions for Microsoft 365 trials.
- Compare offerings: Microsoft Defender Vulnerability Management
- Defender Vulnerability Management documentation
- Datasheet: Microsoft Defender Vulnerability Management: Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation