Merge pull request #5838 from limwainstein/exception-updates

CVE exception updates

Author: limwainstein

defender-endpoint/api/get-all-vulnerabilities.md

@@ -62,6 +62,15 @@ Empty
 
 If successful, this method returns 200 OK with the list of vulnerabilities in the body.
 
+The possible values for the `status` field are:
+
+- RemediationRequired
+- NoActionRequired 
+- UnderException 
+- PartialException
+
+This field is supported for [CVE exceptions](/defender-vulnerability-management/tvm-exception-overview#cve-exceptions-preview).
+
 ## Example
 
 ### Request example
@@ -98,7 +107,8 @@ Here's an example of the response.
             "exploitUris": [],
             "cveSupportability": "Supported",
             "tags": [],
-            "epss": 0.632
+            "epss": 0.632,
+            "status": "RemediationRequired",
         }
     ]
 

defender-vulnerability-management/tvm-exception-overview.md

@@ -43,7 +43,7 @@ Microsoft Defender Vulnerability Management supports two types of exceptions:
 
     :::image type="content" alt-text="Screenshot highlighting Exception options in a Recommendation pane." source="media/tvm-exception-overview/exception-button-small.png" lightbox="media/tvm-exception-overview/exception-button-small.png":::
 
-- **CVE exceptions** (Preview): Exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. You create a CVE exception from the **Weaknesses** page for a specific CVE.
+- **CVE exceptions**: Exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. You create a CVE exception from the **Weaknesses** page for a specific CVE.
 
     :::image type="content" alt-text="Screenshot showing how to create a CVE exception." source="media/tvm-exception-overview/cve-exception-create.png" lightbox="media/tvm-exception-overview/cve-exception-create.png":::
 
@@ -86,6 +86,7 @@ The following justifications are available for exceptions:
 - **Risk accepted**: Poses low risk and/or implementing the recommendation is too expensive.
 - **Planned remediation (grace)**: Already planned but is awaiting execution or authorization.
 - **CVE with no patch** (CVE exceptions only): No patch is available from the vendor.
+- **False positive** (CVE exceptions only): The CVE doesn't apply to your environment.
 
 ## Exposed devices and impact after exceptions
 
@@ -95,7 +96,7 @@ The impact (after exceptions) shows remaining impact to exposure score or secure
 
 ![Showing the columns in the table.](/defender/media/defender-vulnerability-management/tvm-after-exceptions-table.png)
 
-# [CVE exceptions (Preview)](#tab/cve-exclusions)
+# [CVE exceptions](#tab/cve-exclusions)
 
 If the exception is global, no exposed devices are shown for that CVE during the exception period.
 

defender-vulnerability-management/tvm-exception.md

@@ -37,7 +37,7 @@ To learn more about exceptions, see [Exceptions in Microsoft Defender Vulnerabil
 
 ## Types of exceptions
 
-Microsoft Defender Vulnerability Management supports two types of exceptions. A security recommendation exception excludes an entire recommendation, while a Common Vulnerabilities and Exposures (CVE) exception (preview) excludes a specific CVE.
+Microsoft Defender Vulnerability Management supports two types of exceptions. A security recommendation exception excludes an entire recommendation, while a Common Vulnerabilities and Exposures (CVE) exception excludes a specific CVE.
 
 For more information, see [Types of exceptions](tvm-exception-overview.md#types-of-exceptions).
 
@@ -79,7 +79,7 @@ For more information, see [Types of exceptions](tvm-exception-overview.md#types-
 
     :::image type="content" alt-text="Screenshot highlighting Exception options in a Recommendation pane." source="media/tvm-exception-overview/exception-button-small.png" lightbox="media/tvm-exception-overview/exception-button-small.png":::
 
-# [CVE exceptions (Preview)](#tab/cve-exclusions)
+# [CVE exceptions](#tab/cve-exclusions)
 
 1. Select a CVE you would like to create an exception for. This might be available either from the **Vulnerabilities** page or from the **Weaknesses** page, depending on if you're an XDR/MDI preview customer. For more information, see [Microsoft Defender Vulnerability Management and Microsoft Security Exposure Management integration](whats-new-in-microsoft-defender-vulnerability-management.md#microsoft-defender-vulnerability-management-and-microsoft-security-exposure-management-integration).
 1. In the CVE details page, select **Exception options** on the bottom right.

defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md

@@ -30,7 +30,10 @@ This article provides information about new features and important product updat
 
 ## December 2025
 
-(Preview) Microsoft Secure Score now includes the **Disable Remote Registry service on Windows** recommendation. This recommendation prevents remote access to the Windows registry, reducing attack surface and blocking unauthorized configuration changes, privilege escalation, and lateral movement.
+- (GA) [CVE exceptions](tvm-exception-overview.md#types-of-exceptions) are now generally available, and also support:
+    - The **False positive** justification. [Learn more](tvm-exception-overview.md#justification)
+    - The `status` field as part of the response for the `GET /api/vulnerabilities` request. [Learn more](/defender-endpoint/api/get-all-vulnerabilities)
+- (Preview) Microsoft Secure Score now includes the **Disable Remote Registry service on Windows** recommendation. This recommendation prevents remote access to the Windows registry, reducing attack surface and blocking unauthorized configuration changes, privilege escalation, and lateral movement.
 
 ## November 2025