|
| 1 | +--- |
| 2 | +title: Understand retention logic for inactive devices and uninstalled software in Microsoft Defender Vulnerability Management |
| 3 | +description: Get an overview of retention logic for inactive devices or uninstalled software in MDVM. |
| 4 | +author: denisebmsft |
| 5 | +ms.author: deniseb |
| 6 | +manager: deniseb |
| 7 | +ms.reviewer: mobani |
| 8 | +ms.topic: concept-article |
| 9 | +ms.service: defender-vuln-mgmt |
| 10 | +ms.localizationpriority: medium |
| 11 | +ms.collection: |
| 12 | +- tier1 |
| 13 | +- m365-security |
| 14 | +- essentials-overview |
| 15 | +search.appverid: met150 |
| 16 | +audience: ITPro |
| 17 | +ms.date: 04/28/2025 |
| 18 | +--- |
| 19 | + |
| 20 | +# Understand retention logic for inactive devices and uninstalled software in Microsoft Defender Vulnerability Management |
| 21 | + |
| 22 | +[Defender Vulnerability Management](defender-vulnerability-management.md) continuously prioritizes vulnerabilities across devices and provides security recommendations to mitigate risk in the Microsoft Defender portal. Defender Vulnerability Management recommendations uses different retention periods to determine when to stop flagging vulnerabilities based on event reporting activity. This article describes how retention works for two common scenarios: inactive devices and uninstalled software. |
| 23 | + |
| 24 | +## Inactive devices |
| 25 | + |
| 26 | +In Defender Vulnerability Management, a device can be listed as inactive for any of the following reasons: |
| 27 | + |
| 28 | +- The device has stopped sending sensor data for seven days or more |
| 29 | +- The device is offboarded from Defender for Endpoint at least seven days ago |
| 30 | +- The device has network connectivity issues, such as impaired communications, blocked URLs, or blocked ports, and sends some (but not all) events |
| 31 | + |
| 32 | +If a device stops reporting telemetry, Defender Vulnerability Management continues to display the latest vulnerability snapshot for 30 days. After that, the device is marked as inactive and vulnerabilities are no longer shown in the [Microsoft Defender portal](https://security.microsoft.com). |
| 33 | + |
| 34 | +> [!NOTE] |
| 35 | +> In the Microsoft Defender portal, in the device inventory, a device is considered inactive after six months of no reporting. |
| 36 | +
|
| 37 | +To prevent misleading vulnerability data, you can exclude a device manually in the device inventory. |
| 38 | + |
| 39 | +:::image type="content" source="../defender-endpoint/media/exclude-devices-menu.png" alt-text="Screenshot showing how to exclude devices in the Microsoft Defender portal device inventory."::: |
| 40 | + |
| 41 | +For more information, see [Exclude devices](../defender-endpoint/exclude-devices.md). |
| 42 | + |
| 43 | +## Uninstalled or inactive software |
| 44 | + |
| 45 | +A device can continue reporting some telemetry but stop sending signals for specific software. If no events are received for the software for 30 consecutive days, Defender Vulnerability Management assumes the software was removed and automatically stops flagging its vulnerabilities. |
| 46 | + |
| 47 | +For more information, see [Software inventory](tvm-software-inventory.md). |
| 48 | + |
| 49 | +## See also |
| 50 | + |
| 51 | +- [Device inventory](../defender-endpoint/machines-view-overview.md) |
| 52 | +- [Microsoft Defender Vulnerability Management dashboard](tvm-dashboard-insights.md) |
| 53 | +- [Vulnerabilities in my organization](tvm-weaknesses.md) |
0 commit comments