Merge pull request #3606 from MicrosoftDocs/mdvm-motibani

denisebmsft · web-flow · commit 6a60bba3b4f8 · 2025-04-29T11:57:51.000-07:00
MDVM logic for inactive devices and uninstalled software - Moti Bani
diff --git a/defender-vulnerability-management/TOC.yml b/defender-vulnerability-management/TOC.yml
@@ -42,6 +42,8 @@
             href: tvm-hardware-and-firmware.md
       - name: Authenticated scan for Windows
         href: windows-authenticated-scan.md
+      - name: Understand retention logic 
+        href: retention-logic-mdvm.md
     - name: Detect and assess threats
       items:
       - name: Dashboard insights
diff --git a/defender-vulnerability-management/media/exclude-devices-menu.png b/defender-vulnerability-management/media/exclude-devices-menu.png
diff --git a/defender-vulnerability-management/retention-logic-mdvm.md b/defender-vulnerability-management/retention-logic-mdvm.md
@@ -0,0 +1,53 @@
+---
+title: Understand retention logic in Microsoft Defender Vulnerability Management
+description: Get an overview of retention logic for inactive devices or uninstalled software in Microsoft Defender Vulnerability Management.
+author: denisebmsft
+ms.author: deniseb
+manager: deniseb
+ms.reviewer: mobani
+ms.topic: concept-article
+ms.service: defender-vuln-mgmt
+ms.localizationpriority: medium
+ms.collection: 
+- tier1
+- m365-security
+- essentials-overview
+search.appverid: met150
+audience: ITPro
+ms.date: 04/29/2025
+---
+
+# Understand retention logic in Microsoft Defender Vulnerability Management
+
+[Defender Vulnerability Management](defender-vulnerability-management.md) continuously prioritizes vulnerabilities across devices and provides security recommendations to mitigate risk in the Microsoft Defender portal. Defender Vulnerability Management recommendations use different retention periods to determine when to stop flagging vulnerabilities based on event reporting activity. 
+
+This article describes how retention works for two common scenarios: inactive devices and uninstalled software.
+
+## Inactive devices
+
+In the Microsoft Defender portal, a device can be listed as inactive for any of the following reasons:
+
+- The device stopped sending sensor data at least seven days ago
+- The device was offboarded from Defender for Endpoint at least seven days ago
+- The device has network connectivity issues, such as impaired communications, blocked URLs, or blocked ports, and sends some (but not all) events
+
+If a device stops reporting to Defender for Endpoint, Defender Vulnerability Management continues to display the latest vulnerability snapshot for 30 days. After that, the device is marked as inactive, and its vulnerabilities are no longer shown in the [Microsoft Defender portal](https://security.microsoft.com). Data for inactive devices is retained for 180 days (see [Microsoft Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)).
+
+To prevent confusion in your vulnerability data, you can exclude a device manually in the device inventory, as shown in the following screenshot:
+
+:::image type="content" source="media/exclude-devices-menu.png" alt-text="Screenshot showing how to exclude devices in the Microsoft Defender portal device inventory.":::
+
+For more information, see [Exclude devices](/defender-endpoint/exclude-devices).
+
+## Uninstalled or inactive software
+
+A device can continue reporting some telemetry but stop sending signals for specific software. If no events are received for the software for 30 consecutive days, Defender Vulnerability Management assumes the software was removed and automatically stops flagging its vulnerabilities.
+
+For more information, see [Software inventory](tvm-software-inventory.md).
+
+## See also
+
+- [Device inventory](/defender-endpoint/machines-view-overview)
+- [Microsoft Defender Vulnerability Management dashboard](tvm-dashboard-insights.md)
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
+- [Microsoft Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)
