You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
-[Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
26
26
27
-
> [!NOTE]
28
-
> To use this feature you'll require Microsoft Defender Vulnerability Management Standalone or if you're already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.
29
-
30
-
Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application, until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.
27
+
Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security administrators can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application until the remediation request is completed. The block option gives your IT teams time to patch an application without worrying your security administrators about the vulnerabilities.
31
28
32
-
While taking the remediation steps suggested by a security recommendation, security admins with the proper permissions can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s are created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.
33
-
34
-
> [!TIP]
35
-
> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md).
29
+
While taking the remediation steps suggested by a security recommendation, security administrators can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s are created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.
36
30
37
31
## Block or warn mitigation action
38
32
39
33
The **block action** is intended to block all installed vulnerable versions of the application in your organization from running. For example, if there's an active zero-day vulnerability you can block your users from running the affected software while you determine work-around options.
40
34
41
35
The **warn action** is intended to send a warning to your users when they open vulnerable versions of the application. Users can choose to bypass the warning and access the application for subsequent launches.
42
36
43
-
For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. Note that the user must select the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.
37
+
For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. The user must select the body of the toast notification in order to navigate to the custom URL. The notification can be used to provide more details specific to the application management in your organization.
44
38
45
39
> [!NOTE]
46
-
> The block and warn actions are typically enforced within a couple of minutes but can take up to 3 hours.
40
+
> Block and warn actions are typically enforced within a few minutes, but can take up to three hours.
47
41
48
42
## Minimum requirements
49
43
@@ -53,27 +47,25 @@ For both actions, you can customize the message the users see. For example, you
53
47
54
48
## Version requirements
55
49
56
-
- The Antimalware client version must be 4.18.1901.x or later.
57
-
- The Engine version must be 1.1.16200.x or later.
58
-
- Supported on Windows 10 devices, version 1809 or later, with the latest windows updates installed.
59
-
- Supports Windows Server versions 2022, 2019, 2016, 2012 R2, and 2008 R2 SP1.
60
-
61
-
## Permissions
62
-
63
-
- If you use [Role-based access control (RBAC)](/defender-endpoint/rbac), then you need to have the **Threat and vulnerability management - Application handling** permission assigned.
64
-
- If you haven't turned on RBAC, you must have one of the following Microsoft Entra roles assigned: **Security Administrator** or **Global administrator**. To learn more about permissions, go to [Basic permissions](/defender-endpoint/basic-permissions).
65
-
66
-
> [!IMPORTANT]
67
-
> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
50
+
- The anti-malware client version must be `4.18.1901.x` or later.
51
+
- The Engine version must be `1.1.16200.x` or later.
52
+
- Windows client devices must be running Windows 11 or Windows 10, version 1809 or later, with the latest windows updates installed.
53
+
- Servers must be running Windows Server 2022, 2019, 2016, 2012 R2, and 2008 R2 SP1. Support for Windows Server 2025 is rolling out, beginning in February 2025 and over the next several weeks.
68
54
69
55
## How to block vulnerable applications
70
56
71
-
1. Go to **Vulnerability management** > **Recommendations** in the [Microsoft Defender portal](https://security.microsoft.com).
57
+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Recommendations** .
58
+
72
59
2. Select a security recommendation to see a flyout with more information.
60
+
73
61
3. Select **Request remediation**.
62
+
74
63
4. Select whether you want to apply the remediation and mitigation to all device groups or only a few.
64
+
75
65
5. Select the remediation options on the **Remediation request** page. The remediation options are software update, software uninstall, and attention required.
66
+
76
67
6. Pick a **Remediation due date** and select **Next**.
68
+
77
69
7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it's immediately applied.
@@ -85,7 +77,7 @@ For both actions, you can customize the message the users see. For example, you
85
77
>
86
78
> Based on the available data, the block actions take effect on endpoints that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint makes a best-attempt effort of blocking applicable vulnerable applications or versions from running.
87
79
88
-
If additional vulnerabilities are found on a different version of an application, you get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
80
+
If more vulnerabilities are found on a different version of an application, you get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
89
81
90
82
## When blocking isn't supported
91
83
@@ -101,32 +93,34 @@ If you try to block an application and it doesn't work, you might have reached t
101
93
102
94
## View remediation activities
103
95
104
-
After you've submitted the request, go to **Vulnerability management** > **Remediation** > **Activities** to see the newly created remediation activity.
96
+
After you've submitted a requestto block vulnerable applications, you can view remediation activities by following these steps:
105
97
106
-
Filter by Mitigation type: Block and/or Warn to view all activities pertaining to block or warn actions.
98
+
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Vulnerability management** > **Remediation** > **Activities**.
107
99
108
-
This is an activity log, and not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description and the device remediation status:
100
+
2. Filter the results by this mitigation type: `Block and/or Warn to view all activities pertaining to block or warn actions`.
109
101
110
-
:::image type="content" alt-text="Remediation and mitigation details" source="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png" lightbox="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png":::
102
+
3. An activity log displays. Keep in mind that it's an activity log, not the current block status of the application. Select the relevant activity to see a flyout panel with details including the remediation description, mitigation description, and the device remediation status:
103
+
104
+
:::image type="content" alt-text="Remediation and mitigation details" source="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png" lightbox="/defender/media/defender-vulnerability-management/remediation-mitigation-details.png":::
111
105
112
106
## View blocked applications
113
107
114
-
Find the list of blocked applications by going to **Remediation** > **Blocked applications** tab:
108
+
To view a list of blocked applications, follow these steps:
1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Remediation** > **Blocked applications** tab:
117
111
118
-
Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.
The option to **View details of blocked versions in the Indicator page** brings you to the **Settings** > **Endpoints** > **Indicators** page where you can view the file hashes and response actions.
114
+
2. Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.
121
115
122
-
> [!NOTE]
123
-
> If you use the Indicators API with programmatic indicator queries as part of your workflows, be aware that the block action will give additional results.
124
-
>
125
-
> Currently some detections related to warn policies may show up as active malware in Microsoft Defender XDR and/or Microsoft Intune. This behavior will be fixed in an upcoming release.
116
+
3. Select **View details of blocked versions in the Indicator page**, which brings you to the **Indicators** page, where you can view the file hashes and response actions.
117
+
118
+
> [!NOTE]
119
+
> If you use the Indicators API with programmatic indicator queries as part of your workflows, the block action yields more results.
126
120
127
-
You can also**Unblock software** or **Open software page**:
121
+
4. To unblock an application, select**Unblock software** or **Open software page**:
@@ -138,14 +132,14 @@ After you've unblocked an application, refresh the page to see it removed from t
138
132
139
133
When users try to access a blocked application, they receive a message informing them that the application was by their organization. This message is customizable.
140
134
141
-
For applications where the warn mitigation option was applied, users receive a message informing them that the application has been blocked by their organization. The user has the option to bypass the block for subsequent launches, by choosing "Allow". This allow is only temporary, and the application will be blocked again after a while.
135
+
For applications where the warn mitigation option was applied, users receive a message informing them that the application was blocked by their organization. The user can bypass the block for subsequent launches, by choosing "Allow". This allow action is only temporary, and the application is blocked again after a while.
142
136
143
137
> [!NOTE]
144
-
> If your organization has deployed the DisableLocalAdminMerge group policy, you may experience instances where allowing an application does not take effect. This behavior will be fixed in an upcoming release.
138
+
> If your organization has deployed the `DisableLocalAdminMerge` group policy, you could experience instances where allowing an application doesn't take effect.
145
139
146
140
## End-user updating blocked applications
147
141
148
-
A commonly asked question is how does an end-user update a blocked application? The block is enforced by blocking the executable file. Some applications, such as Firefox, rely on a separate update executable, which won't be blocked by this feature. In other cases when the application requires the main executable file to update, it's recommended to either implement the block in warn mode (so that the end-user can bypass the block) or the end-user can delete the application (if no vital information is stored on the client) and reinstalls the application.
142
+
A commonly asked question is, "How does an enduser update a blocked application?" The block is enforced by blocking the executable file. Some applications, such as Firefox, rely on a separate update executable, which isn't blocked by this feature. In other cases, when the application requires the main executable file to update, it's recommended to either implement the block in warn mode (so that the enduser can bypass the block) or ask the enduser to delete the application (if no vital information is stored on the client) and then reinstall it.
0 commit comments