|
| 1 | +--- |
| 2 | +title: Exceptions in Microsoft Defender Vulnerability Management |
| 3 | +description: Learn about exceptions in Microsoft Defender Vulnerability Management. |
| 4 | +ms.service: defender-vuln-mgmt |
| 5 | +ms.author: lwainstein |
| 6 | +author: limwainstein |
| 7 | +ms.localizationpriority: medium |
| 8 | +manager: bagol |
| 9 | +audience: ITPro |
| 10 | +ms.collection: |
| 11 | + - m365-security |
| 12 | + - Tier1 |
| 13 | +ms.topic: how-to |
| 14 | +search.appverid: met150 |
| 15 | +ms.date: 10/20/2025 |
| 16 | +appliesto: |
| 17 | + - Microsoft Defender Vulnerability Management |
| 18 | + - Microsoft Defender for Endpoint Plan 2 |
| 19 | + - Microsoft Defender XDR |
| 20 | + - Microsoft Defender for Servers Plan 1 & 2 |
| 21 | +--- |
| 22 | + |
| 23 | +# Exceptions in Microsoft Defender Vulnerability Management |
| 24 | + |
| 25 | +[!INCLUDE [Prerelease information](../includes/prerelease.md)] |
| 26 | + |
| 27 | +Microsoft Defender Vulnerability Management provides exceptions to help you control what type of data is relevant to your organization and to selectively exclude specific data from your remediation efforts. |
| 28 | + |
| 29 | +Exceptions provide more accurate risk reporting and prioritization, especially when you have alternate mitigations, accepted risk, or a remediation plan in place. |
| 30 | + |
| 31 | +This article describes how to create, view, and manage Defender Vulnerability Management exceptions. |
| 32 | + |
| 33 | +> [!TIP] |
| 34 | +> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](defender-vulnerability-management-trial.md). |
| 35 | +
|
| 36 | +## Types of exceptions |
| 37 | + |
| 38 | +Microsoft Defender Vulnerability Management supports two types of exceptions: |
| 39 | + |
| 40 | +- **Security recommendation exceptions**: Exclude specific security recommendations from analysis in your environment. You create this exception at the security recommendation level, which applies to all underlying CVEs associated with that recommendation. |
| 41 | + |
| 42 | + :::image type="content" alt-text="Screenshot highlighting Exception options in a Recommendation pane." source="media/tvm-exception-overview/exception-button-small.png" lightbox="media/tvm-exception-overview/exception-button-small.png"::: |
| 43 | + |
| 44 | +- **CVE exceptions** (Preview): Exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. You create a CVE exception from the **Weaknesses** page for a specific CVE. |
| 45 | + |
| 46 | + :::image type="content" alt-text="Screenshot showing how to create a CVE exception." source="media/tvm-exception-overview/cve-exception-create.png" lightbox="media/tvm-exception-overview/cve-exception-create.png"::: |
| 47 | + |
| 48 | +## Exception by device group |
| 49 | + |
| 50 | +You can apply an exception to all current device groups or to specific device groups. Future device groups aren't included in the exception. Device groups that already have an exception aren't displayed in the list. |
| 51 | + |
| 52 | +After you create the exception: |
| 53 | + |
| 54 | +- For recommendation exceptions, if you select specific device groups, the recommendation state changes from **active** to **partial exception**. The state changes to **full exception** if you select all the device groups. |
| 55 | +- For CVE exceptions, the CVE no longer appears in the inventory lists for the selected scope. |
| 56 | + |
| 57 | + |
| 58 | + |
| 59 | +## Global exceptions |
| 60 | + |
| 61 | +If you have Security Administrator permission or a custom role that includes the exceptions handling permission, you can create and cancel a global exception. This exception affects **all** current and future device groups in your organization, and only users with similar permissions can change it. |
| 62 | + |
| 63 | +> [!IMPORTANT] |
| 64 | +> While the Global Administrator permission also allows you to create and cancel global exceptions, Microsoft recommends that you use roles with the fewest permissions. Using lower accounts with lower permissions helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. |
| 65 | +
|
| 66 | +After you create the exception: |
| 67 | + |
| 68 | +- For recommendation exceptions, the recommendation state changes from **active** to **full exception**. |
| 69 | +- For CVE exceptions, the CVE no longer appears in the inventory lists for the entire organization. |
| 70 | + |
| 71 | + |
| 72 | + |
| 73 | +Some things to keep in mind: |
| 74 | + |
| 75 | +- If a recommendation is under global exception, then newly created exceptions for device groups is suspended until the global exception has expired or been canceled. After that point, the new device group exceptions go into effect until they expire. |
| 76 | +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception is suspended until it expires or the global exception is canceled before it expires. |
| 77 | + |
| 78 | +### Justification |
| 79 | + |
| 80 | +The following justifications are available for exceptions: |
| 81 | + |
| 82 | +- **Third party control**: A third party product or software already addresses this recommendation. |
| 83 | +- **Alternate mitigation**: An internal tool already addresses this recommendation. |
| 84 | +- **Risk accepted**: Poses low risk and/or implementing the recommendation is too expensive. |
| 85 | +- **Planned remediation (grace)**: Already planned but is awaiting execution or authorization. |
| 86 | +- **CVE with no patch** (CVE exceptions only): No patch is available from the vendor. |
| 87 | + |
| 88 | +## Exposed devices and impact after exceptions |
| 89 | + |
| 90 | +# [Recommendation exceptions](#tab/recommendation-exclusions) |
| 91 | + |
| 92 | +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include **third party control** and **alternate mitigation**. Other justifications don't reduce the exposure of a device, and so the exposure score and secure score don't change. |
| 93 | + |
| 94 | + |
| 95 | + |
| 96 | +# [CVE exceptions (Preview)](#tab/cve-exclusions) |
| 97 | + |
| 98 | +If the exception is global, no exposed devices are shown for that CVE during the exception period. |
| 99 | + |
| 100 | +If the exception is scoped to specific device groups, only devices outside those groups appear as exposed. |
| 101 | + |
| 102 | +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. With CVE exceptions, the justification doesn't affect the impact score. |
| 103 | + |
| 104 | +--- |
| 105 | + |
| 106 | +## Related topics |
| 107 | + |
| 108 | +- [Remediate vulnerabilities](tvm-remediation.md) |
| 109 | +- [Security recommendations](tvm-security-recommendation.md) |
| 110 | +- [Exposure score](tvm-exposure-score.md) |
| 111 | +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) |
0 commit comments