4.3 Threat & Vulnerability Management

Why Vulnerability Management Is in the Response Domain

SC-200 frames Microsoft Defender Vulnerability Management (MDVM) as part of incident response because exposed weaknesses are how incidents start, and remediation is how you stop them recurring. Expect questions that ask you to prioritize what to fix, route the fix to IT, waive what cannot be fixed, and use vulnerability evidence to explain an alert.

MDVM is built into Microsoft Defender for Endpoint — onboarded devices are continuously assessed with no separate scheduled scan or scanner appliance. Defender Vulnerability Management also has a standalone add-on with premium capabilities (browser extension assessment, baselines, blocking vulnerable apps).

Core Scores (do not mix these up)

A classic distractor pairs these. "Reduce the score that represents risk" → lower the exposure score. "Improve the score that represents hardening" → raise Secure Score for Devices.

Security Recommendations and Prioritization

The Recommendations list is the prioritized backlog. Each item shows weaknesses, exposed devices, and impact on both scores. Prioritization is threat-aware: recommendations tied to active exploitation, public exploits, or threat campaigns are pushed up via insight tags such as threat insight and breach likelihood, so you fix what attackers are actually using first.

• Weaknesses — CVEs across the environment, with exposed device counts
• Software inventory — installed products, end-of-support flags
• Event timeline — new CVEs / exploits that changed your exposure

Remediation: Closing the SOC-to-IT Loop

Security operations finds the problem; IT fixes it. MDVM bridges this with a remediation request.

Recommendation -> "Request remediation"
   -> creates a remediation activity (owner, due date, priority)
   -> integrates with Microsoft Intune as a security task / ticket
   -> IT remediates; progress tracked in Remediation page

The Microsoft Intune integration is the exam answer to "how does the SOC hand a vulnerability fix to the desktop/endpoint team with tracking." Remediation activities are tracked to completion on the Remediation page.

Exceptions: When You Cannot Remediate

Some recommendations cannot be actioned now — a compensating control exists, a third party owns the system, or a fix would break a critical app. Instead of leaving it noisy and miscounted, file an exception.

• Scope: global (all devices) or by device group
• Requires a justification (e.g., third-party mitigation, risk accepted, planned remediation, alternate mitigation)
• Is time-bound — it expires and the recommendation returns to active
• While active, the recommendation is removed from the active exposure calculation

Exception is the answer to "a recommendation can't be fixed but shouldn't keep inflating exposure or block the queue" — not "ignore it" or "delete the device."

Vulnerability Evidence in Incident Investigation

MDVM data is not siloed — it enriches investigation. On a device page, the Discovered vulnerabilities and Security recommendations tabs show that device's CVEs and misconfigurations.

During an incident, this answers the analyst's question: was there an exploitable weakness that explains this alert? If a server raised an exploitation alert and the same device has a known unpatched, actively-exploited CVE, that evidence raises confidence the alert is a true positive and tells you the root cause to remediate so it does not recur.

Putting It Together for the Exam

For SC-200, reason in this order on an MDVM scenario:

1. Prioritize — use exposure score + threat-aware recommendations (fix exploited CVEs first)
2. Act — Request remediation (→ Intune) for fixable items
3. Waive — file a time-bound exception with justification for the rest
4. Investigate — use device vulnerability evidence to confirm root cause and prevent recurrence
5. Verify — confirm the exposure score drops and the recommendation clears after remediation