Microsoft Defender Vulnerability Management for Small Business in Berlin
Knowing which vulnerabilities exist in your environment is a prerequisite for fixing them — but knowing which ones are actually exploited in the wild, which ones expose your most critical assets, and which ones your current configuration has already mitigated is a different and far more operationally useful capability. Microsoft Defender Vulnerability Management (MDVM) is a built-in module within the Microsoft Defender platform that continuously inventories software and configurations across your endpoints and correlates that inventory against real-world exploit intelligence to produce a prioritized, risk-weighted list of what to fix first. For small businesses in Berlin running Microsoft 365 Business Premium, MDVM is included in Microsoft Defender for Endpoint Plan 2 and requires no additional deployment beyond the MDE sensor already on enrolled devices.
Traditional vulnerability scanning produces a list of CVEs sorted by CVSS score. MDVM produces a threat-informed risk assessment: CVEs are weighted by active exploitation in the wild, device criticality, network exposure, and the specific configuration of the affected endpoint. A critical CVE on an isolated test machine with no internet exposure ranks lower than a medium CVE on an executive’s laptop that is actively exploited by ransomware groups.
What MDVM inventories
MDVM builds its vulnerability and configuration baseline from data collected by the MDE sensor on each enrolled device. The inventory covers:
- Installed software: All software installed on the endpoint, cross-referenced against Microsoft’s vulnerability database. MDVM detects vulnerable application versions for Windows components, browsers, Office products, common third-party applications (Adobe, Java, 7-Zip, and hundreds of others), and browser extensions.
- Operating system configuration: Security settings evaluated against security baselines — BitLocker status, Windows Firewall configuration, whether SMBv1 is still enabled, legacy protocol usage, and similar.
- Certificate inventory: TLS certificates on endpoints nearing expiration or using weak algorithms.
- Browser extensions: Installed browser extensions evaluated for risk — permissions requested, known-malicious status, and update state.
- Network shares and configuration weaknesses: Exposed network shares and authentication configuration gaps flagged as configuration vulnerabilities.
Exposure score and Secure Score integration
MDVM maintains an Exposure Score for the organization that reflects the overall vulnerability posture across all enrolled devices. The score decreases as vulnerabilities are remediated and increases as new vulnerabilities are discovered. Individual Security Recommendations from MDVM also contribute to Microsoft Secure Score, connecting vulnerability remediation to the organization’s overall security posture dashboard.
Navigate to security.microsoft.com › Vulnerability management › Dashboard to view the current exposure score, top security recommendations, most exposed devices, and top vulnerable software. This view provides the operational starting point for any vulnerability remediation sprint — ranked by actual risk rather than theoretical CVSS severity.
Weaknesses view and CVE tracking
The Weaknesses view lists all CVEs detected across enrolled devices, filtered by severity, exploit availability, exploit type (remote code execution, privilege escalation, etc.), and whether the CVE has been seen in active threat campaigns. Filtering to CVEs with “exploit in the wild” or “exploit kit available” produces a short list of the highest operational priority — vulnerabilities that are being actively weaponized against targets similar to your organization.
Each CVE entry shows how many devices in the environment are affected, which software versions are vulnerable, and what remediation action is available (patch version, configuration change, or workaround). The remediation action links directly to the relevant update or configuration guidance.
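As an added illustration, not MDVM's actual scoring model and not code from this page, the ranking logic described above run over a constructed inventory: exploit status, device criticality and internet exposure weight the CVSS score so that a medium CVE on an exposed executive laptop outranks a critical CVE on an isolated test machine, and end-of-life software that will never get a CVE is still ranked. The weights, device names and CVE ids are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample inventory, not real MDVM output; CVE ids are placeholders.
@dataclass(frozen=True)
class Device:
    name: str
    criticality: int        # 1 = isolated test box, 2 = workstation, 3 = executive laptop/server
    internet_exposed: bool
@dataclass(frozen=True)
class Finding:
    device: str
    software: str
    cve: str                # "EOL" when the vendor no longer patches it, so no CVE is ever issued
    cvss: float             # CVSS base score; ignored for EOL software
    exploit_status: str     # "none", "exploit_available" or "exploit_in_wild"
# Assumed weights chosen to illustrate threat-informed ranking; MDVM's own model is not public.
EXPLOIT_WEIGHT = {"none": 1.0, "exploit_available": 1.5, "exploit_in_wild": 3.0}
EXPOSURE_WEIGHT = 1.5       # multiplier for devices reachable from the internet
EOL_BASE = 9.0              # unpatchable software is scored like a high-severity CVE
DEVICES = {d.name: d for d in [Device("lab-test-01", 1, False),
                               Device("ws-accounting-07", 2, False),
                               Device("lt-ceo", 3, True)]}
FINDINGS = [
    Finding("lab-test-01", "LegacyService", "CVE-XXXX-0001", 9.8, "none"),
    Finding("lt-ceo", "OfficeSuite", "CVE-XXXX-0002", 6.5, "exploit_in_wild"),
    Finding("ws-accounting-07", "OfficeSuite", "CVE-XXXX-0002", 6.5, "exploit_in_wild"),
    Finding("ws-accounting-07", "Java 8u101", "EOL", 0.0, "exploit_available"),
]

def risk_score(f: Finding, devices=DEVICES) -> float:
    """Weight severity by exploit intelligence, device criticality and network exposure."""
    dev = devices[f.device]
    base = EOL_BASE if f.cve == "EOL" else f.cvss
    score = base * EXPLOIT_WEIGHT[f.exploit_status] * dev.criticality
    return score * EXPOSURE_WEIGHT if dev.internet_exposed else score

def prioritize(findings=FINDINGS, devices=DEVICES) -> list:
    """Highest operational priority first, rather than raw CVSS order."""
    return sorted(findings, key=lambda f: risk_score(f, devices), reverse=True)

def exploited_in_wild(findings=FINDINGS) -> list:
    # The Weaknesses-view "exploit in the wild" filter: the short list to fix first.
    return [f for f in findings if f.exploit_status == "exploit_in_wild"]

def remediation_activities(findings=FINDINGS) -> dict:
    """One activity per (software, CVE) with its affected devices, as a remediation ticket groups them."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.software, f.cve)].append(f.device)
    return dict(groups)
```

Sorting the same findings by `cvss` alone would put the isolated test machine first; the weighted order puts it last.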
Remediation activities and integration with Intune
MDVM supports creating Remediation Activities from within the vulnerability management interface. A remediation activity captures the recommended action, affected devices, responsible team, and target completion date. For organizations using Microsoft Intune, MDVM can initiate a remediation action that deploys the relevant update or configuration directly through Intune — closing the loop between vulnerability discovery and remediation without leaving the Defender portal.
This integration is particularly valuable for small IT teams: rather than exporting a vulnerability report, creating a ticket, and manually tracking which patches were deployed, the entire workflow runs within the same Microsoft security toolset already in use.
Software inventory and end-of-life detection
MDVM’s software inventory flags end-of-life (EOL) software — applications that no longer receive security updates from their vendor. EOL software is a persistent vulnerability category that does not produce CVEs because the vendor has stopped issuing patches, making it invisible to traditional patch management tools but clearly visible in MDVM’s inventory. For a small Berlin business, EOL detection is often the most immediately actionable finding: old Java versions, unmaintained utilities, and legacy browser installations that the IT team did not know still existed on endpoints.
Threat analytics correlation
MDVM integrates with Microsoft’s Threat Analytics reports — curated threat intelligence summaries for active threat actors and campaigns. For each tracked threat actor, Threat Analytics shows whether any devices in your organization have vulnerabilities or configurations that the actor’s known techniques exploit. This produces a direct answer to a question that traditional vulnerability management cannot answer: “Are we currently exposed to the techniques used by the ransomware groups that have been active in our industry this month?”
Related Articles
- Microsoft Defender for Endpoint: MDVM is built into MDE and uses the same sensor data — endpoint vulnerability inventory is collected by the MDE agent already deployed on enrolled devices, requiring no additional instrumentation
- Microsoft Intune: Close the loop between vulnerability discovery and remediation — MDVM remediation activities can initiate Intune-based patch deployment directly from the Defender portal, automating the discovery-to-fix workflow
- Microsoft Secure Score: MDVM security recommendations feed directly into Secure Score — remediating vulnerabilities and configuration weaknesses identified by MDVM improves the organization’s overall Secure Score posture
