-[Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
26
26
27
-
> [!NOTE]
28
-
> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
29
-
30
-
Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application, until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
27
+
Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security administrators can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application until the remediation request is completed. The block option gives your IT teams time to patch an application without worrying your security administrators that the vulnerabilities will be exploited.
31
28
32
-
While taking the remediation steps suggested by a security recommendation, security admins with the proper permissions can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s are created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.
33
-
34
-
> [!TIP]
35
-
> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md).
29
+
While taking the remediation steps suggested by a security recommendation, security administartors can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s are created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.
36
30
37
31
## Block or warn mitigation action
38
32
39
33
The **block action** is intended to block all installed vulnerable versions of the application in your organization from running. For example, if there's an active zero-day vulnerability you can block your users from running the affected software while you determine work-around options.
40
34
41
35
The **warn action** is intended to send a warning to your users when they open vulnerable versions of the application. Users can choose to bypass the warning and access the application for subsequent launches.
42
36
43
-
For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. Note that the user must select the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.
37
+
For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. The user must select the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.
44
38
45
39
> [!NOTE]
46
40
> The block and warn actions are typically enforced within a couple of minutes but can take up to 3 hours.
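Review bot: The rewritten paragraph beginning "While taking the remediation steps" drops the qualifier "with the proper permissions" after "security admins", so the text no longer signals that the block action is permission-gated; keep the qualifier or link to where the required permission is documented. The same added line misspells "administrators" as "administartors". This hunk also deletes the [!NOTE] stating the Defender Vulnerability Management Standalone or add-on requirement, with no replacement in the visible lines; if that prerequisite still applies, it should stay. In the first added paragraph, "without worrying your security administrators that the vulnerabilities will be exploited" reads awkwardly and loses "in the meantime" from the original sentence.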
@@ -58,22 +52,20 @@ For both actions, you can customize the message the users see. For example, you
58
52
- Supported on Windows 10 devices, version 1809 or later, with the latest windows updates installed.
59
53
- Supports Windows Server versions 2022, 2019, 2016, 2012 R2, and 2008 R2 SP1.
60
54
61
-
## Permissions
62
-
63
-
- If you use [Role-based access control (RBAC)](/defender-endpoint/rbac), then you need to have the **Threat and vulnerability management - Application handling** permission assigned.
64
-
- If you haven't turned on RBAC, you must have one of the following Microsoft Entra roles assigned: **Security Administrator** or **Global administrator**. To learn more about permissions, go to [Basic permissions](/defender-endpoint/basic-permissions).
65
-
66
-
> [!IMPORTANT]
67
-
> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
68
-
69
55
## How to block vulnerable applications
70
56
71
-
1. Go to **Vulnerability management** > **Recommendations** in the [Microsoft Defender portal](https://security.microsoft.com).
57
+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Recommendations** .
58
+
72
59
2. Select a security recommendation to see a flyout with more information.
60
+
73
61
3. Select **Request remediation**.
62
+
74
63
4. Select whether you want to apply the remediation and mitigation to all device groups or only a few.
64
+
75
65
5. Select the remediation options on the **Remediation request** page. The remediation options are software update, software uninstall, and attention required.
66
+
76
67
6. Pick a **Remediation due date** and select **Next**.
68
+
77
69
7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it's immediately applied.
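Review bot: The entire "## Permissions" section is deleted here with nothing replacing it in the visible lines, which removes the only mention of the **Threat and vulnerability management - Application handling** RBAC permission and the [!IMPORTANT] least-privilege guidance about Global Administrator. If that content has moved to another article, add a link to it near the "How to block vulnerable applications" steps; otherwise keep the section. Minor: the new step 1 ends with "**Recommendations** ." with a stray space before the period.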
@@ -101,30 +93,34 @@ If you try to block an application and it doesn't work, you might have reached t
101
93
102
94
## View remediation activities
103
95
104
-
After you've submitted the request, go to **Vulnerability management** > **Remediation** > **Activities** to see the newly created remediation activity.
96
+
After you've submitted a request to block vulnerable applications, you can view remediation activities by following these steps:
97
+
98
+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Remediation** > **Activities**.
105
99
106
-
Filter by Mitigation type: Block and/or Warn to view all activities pertaining to block or warn actions.
100
+
2.Filter the results by this mitigation type: `Block and/or Warn to view all activities pertaining to block or warn actions`.
107
101
108
-
This is an activity log, and not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description and the device remediation status:
102
+
3. An activity log displays. Keep in mond that this is an activity log, and not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description and the device remediation status:
109
103
110
-
:::image type="content" alt-text="Remediation and mitigation details" source="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png" lightbox="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png":::
104
+
:::image type="content" alt-text="Remediation and mitigation details" source="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png" lightbox="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png":::
111
105
112
106
## View blocked applications
113
107
114
-
Find the list of blocked applications by going to **Remediation** > **Blocked applications** tab:
108
+
To view a list of blocked applications, follow these steps:
109
+
110
+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Remediation** > **Blocked applications** tab:
Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.
114
+
2.Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.
119
115
120
-
The option to **View details of blocked versions in the Indicator page**brings you to the **Settings** > **Endpoints** > **Indicators** page where you can view the file hashes and response actions.
116
+
3. Select **View details of blocked versions in the Indicator page**, which brings you to the **Indicators** page, where you can view the file hashes and response actions.
121
117
122
118
> [!NOTE]
123
119
> If you use the Indicators API with programmatic indicator queries as part of your workflows, be aware that the block action will give additional results.
124
120
>
125
121
> Currently some detections related to warn policies may show up as active malware in Microsoft Defender XDR and/or Microsoft Intune. This behavior will be fixed in an upcoming release.
126
122
127
-
You can also**Unblock software** or **Open software page**:
123
+
4. To unblock an application, select**Unblock software** or **Open software page**:
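Review bot: The new step 4 under "View blocked applications" reads "To unblock an application, select**Unblock software** or **Open software page**", which presents **Open software page** as a way to unblock; the removed line offered the two as separate options ("You can also Unblock software or Open software page"), so reword the step to keep them distinct and add the missing space before the bold text. Several other added lines need fixes: "2.Filter" and "2.Select" lack the space after the list marker and will not render as list items; the filter step wraps instruction prose in a code span (`Block and/or Warn to view all activities pertaining to block or warn actions`) where only the filter values **Block** and **Warn** should be emphasized; "Keep in mond" should be "Keep in mind"; and the new step 3 drops the **Settings** > **Endpoints** > **Indicators** path that told readers where the Indicators page lives.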