MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

Vulnerability Management

Use the Microsoft Defender Vulnerability Management dashboard to identify, prioritize, and remediate vulnerabilities across your device fleet.

Finding weaknesses before attackers do

☕ Simple explanation

Vulnerability Management is like a building inspector who never leaves.

Imagine hiring an inspector who walks through your office every single day, checking every window lock, every fire exit, every electrical panel. They don't just hand you a list and leave. They rank every issue by how dangerous it is, tell you exactly what to fix first, and track whether your maintenance team actually fixed it.

That's what Microsoft Defender Vulnerability Management does for your devices. It continuously scans every onboarded device for missing patches, risky configurations, outdated software, and known exploits, then prioritizes what matters most so your team doesn't waste time on low-risk noise.

Microsoft Defender Vulnerability Management (MDVM) provides continuous vulnerability assessment, with no additional agent, for every device onboarded to Defender for Endpoint. Unlike traditional vulnerability scanners that run periodic scans, MDVM uses real-time telemetry from the Microsoft Defender for Endpoint (MDE) sensor, the same sensor that powers EDR.

  • No additional agent: leverages the existing MDE sensor already deployed during onboarding
  • Continuous assessment: not a point-in-time scan but a live inventory that updates as software is installed, removed, or patched
  • Risk-based prioritization: factors in exploit availability, threat intelligence, and business context to rank vulnerabilities
  • Integrated remediation: creates remediation requests that link directly to Intune or MECM for patch deployment

MDVM is included with Defender for Endpoint Plan 2. A standalone add-on is available for Plan 1 customers who want vulnerability management without full EDR.

The TVM dashboard: your security posture at a glance

Elena opens the Vulnerability Management dashboard at MedGuard Health every morning. Here's what she sees:

Exposure score

A numeric score from 0 to 100 representing your organization's overall vulnerability exposure. Lower is better. The score factors in:

  • Number of unpatched vulnerabilities across all devices
  • Severity of those vulnerabilities (CVSS scores)
  • Whether public exploits exist for those vulnerabilities
  • How many devices are affected

Elena's target: keep MedGuard Health's exposure score below 30. Healthcare regulators expect documented evidence that vulnerabilities are tracked and remediated within defined SLAs.

Microsoft Secure Score for Devices

Separate from the organization-wide Secure Score, this measures how well your device fleet follows security best practices: enabled features, proper configurations, applied updates. Higher is better.

Key dashboard widgets

| Widget | What it shows | Why it matters |
| --- | --- | --- |
| Top exposed devices | Devices with the highest number of critical/high vulnerabilities | Prioritize remediation on the riskiest devices first |
| Top vulnerable software | Applications with the most known CVEs across your fleet | Identifies software that creates the largest attack surface |
| Top security recommendations | Ranked actions that would most reduce your exposure score | Focus your team on high-impact remediation activities |
| Top remediation activities | Ongoing remediation tasks and their completion status | Track whether IT is actually patching what you requested |

Security recommendations: the prioritized fix list

This is where TVM (Threat and Vulnerability Management, the earlier name for MDVM) translates raw vulnerability data into actionable work items. Each recommendation includes:

  • Priority ranking: based on exposure impact, exploit availability, and affected device count
  • Impact assessment: how many points your exposure score drops if you remediate
  • Affected devices: exact count and list of devices with this vulnerability
  • Related CVEs: linked vulnerability entries with severity and exploit status
  • Remediation options: update software, apply configuration change, or request exception

ℹ️ Elena's prioritization workflow at MedGuard Health

Elena reviews security recommendations weekly with the IT operations team. Her workflow:

  1. Filter by "Exploit available": vulnerabilities with known public exploits get immediate attention
  2. Sort by exposed devices: a critical CVE affecting 500 devices ranks higher than one affecting 5
  3. Check remediation type: software updates are straightforward; configuration changes may need change management
  4. Create remediation request: assigns the work to IT ops with a due date
  5. Track completion: monitors the remediation activity until all affected devices are patched

For healthcare compliance, Elena documents every remediation decision. When she grants an exception (a vulnerability she cannot patch due to medical device compatibility), she records the business justification and compensating controls.
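
Steps 1 and 2 of the workflow above can also be reproduced outside the portal with an advanced hunting query, which gives Elena an exportable list for her compliance records. The KQL below is an added example, not part of the original guide; it relies on the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB advanced hunting tables, and the output column names (ExposedDevices, AffectedSoftware, SuggestedUpdates, AgeDays) are chosen here for illustration.

```kusto
// Added example: rank CVEs the way the weekly review does.
// Output column names are illustrative, not portal field names.
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    // Step 1: keep only CVEs with a publicly available exploit
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate
  ) on CveId
// Collapse per-device rows into one row per CVE
| summarize
    ExposedDevices   = dcount(DeviceId),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName), 5),
    // Step 3 hint: an update name here suggests a plain software update
    SuggestedUpdates = make_set(RecommendedSecurityUpdate, 3)
    by CveId, VulnerabilitySeverityLevel, CvssScore, PublishedDate
// "Age" from the weaknesses page: days since the CVE was published
| extend AgeDays = datetime_diff("day", now(), PublishedDate)
// Step 2: most widely exposed first, CVSS score as the tie-breaker
| order by ExposedDevices desc, CvssScore desc
| project CveId, VulnerabilitySeverityLevel, CvssScore, ExposedDevices,
          AgeDays, AffectedSoftware, SuggestedUpdates
```

Creating the remediation request and tracking its completion (steps 4 and 5) still happen from the security recommendation in the portal; the query only produces the ranked list.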

Software inventory: what's installed across your fleet

The software inventory page provides a complete view of every application detected on onboarded devices. For each application, you see:

  • Publisher, version, and installation count
  • Known vulnerabilities (CVE count by severity)
  • End-of-life status (unsupported software flagged)
  • Threat context (whether the software has been exploited in the wild)

This is particularly valuable for identifying shadow software: applications installed by users that IT didn't approve. Elena regularly discovers unauthorized remote desktop tools and outdated Java runtimes on MedGuard Health workstations.

Browser extensions and certificates

MDVM also inventories:

  • Browser extensions: identifies extensions with known vulnerabilities or excessive permissions
  • Digital certificates: flags expiring or weak certificates across devices

These are often overlooked attack vectors. A vulnerable browser extension with access to all browsing data is a serious risk that traditional vulnerability scanners miss entirely.

Weaknesses page: the CVE library

The weaknesses page lists every CVE detected across your environment. For each CVE:

| Field | Description |
| --- | --- |
| CVE ID | The standard vulnerability identifier (e.g., CVE-2024-12345) |
| Severity | CVSS-based severity rating: Critical, High, Medium, Low |
| Exposed devices | Number of devices in your environment affected by this CVE |
| Exploit available | Whether a public exploit exists; a public exploit massively increases real-world risk |
| Threat insights | Active exploitation campaigns, malware families using this CVE |
| Age | How long the CVE has been known; older unpatched CVEs indicate remediation gaps |

💡 Exam tip: Exposure score vs Secure Score for Devices

Don't confuse these two metrics:

  • Exposure score (0-100): measures vulnerability exposure. Lower is better. Driven by unpatched CVEs and risky configurations.
  • Secure Score for Devices: measures security posture. Higher is better. Driven by enabled security features and applied best practices.

The exam may describe a scenario and ask which score is affected by a particular action. Patching a critical vulnerability reduces the exposure score. Enabling ASR rules improves the Secure Score for Devices.

Remediation activities: tracking the fix

When Elena creates a remediation request from a security recommendation, it becomes a remediation activity, a tracked work item with:

  • Due date: the SLA for completing remediation
  • Assigned to: the IT team or individual responsible
  • Status: Not started, In progress, Completed
  • Device progress: how many of the affected devices have been patched
  • Exception option: if remediation is impossible (legacy medical device, vendor dependency), grant a time-limited exception with documented justification

Remediation vs exception

| Feature | Remediation Request | Exception |
| --- | --- | --- |
| Purpose | Fix the vulnerability | Accept the risk temporarily |
| Effect on exposure score | Reduces score when completed | No change to score |
| Tracking | Tracks patch deployment progress per device | Tracks exception expiry date |
| When to use | Standard software updates, configuration changes | Legacy systems, vendor dependencies, pending vendor patch |
| Requires justification | No | Yes |
| Time-limited | Has due date but can extend | Mandatory expiry; must re-evaluate |

Question

What is the exposure score in Microsoft Defender Vulnerability Management?

Answer

A numeric score from 0 to 100 that represents your organization's overall vulnerability exposure. Lower is better. It factors in the number and severity of unpatched vulnerabilities, exploit availability, and affected device count. Patching critical vulnerabilities with public exploits has the largest impact on reducing the score.

Question

How does MDVM discover vulnerabilities without running a separate scan?

Answer

MDVM uses telemetry from the existing Defender for Endpoint sensor already installed on onboarded devices. The sensor continuously reports installed software, versions, configurations, and security state; no additional agent or scheduled scan is needed. This provides real-time vulnerability assessment rather than point-in-time snapshots.

Question

What is the difference between a remediation request and an exception in TVM?

Answer

A remediation request tracks the work to fix a vulnerability (patch deployment, configuration change) with a due date and per-device progress. An exception acknowledges that a vulnerability cannot be fixed right now; it requires a business justification and has a mandatory expiry date. Exceptions do not reduce the exposure score; remediations do.

Question

What additional asset types does MDVM inventory beyond installed software?

Answer

Browser extensions (identifies vulnerable or overprivileged extensions) and digital certificates (flags expiring or weak certificates). These are frequently overlooked attack vectors that traditional vulnerability scanners miss. The software inventory also flags end-of-life or unsupported software versions.

Knowledge check

Knowledge Check

Elena reviews the TVM dashboard at MedGuard Health and sees a critical security recommendation: 'Update Google Chrome to version 124.0.6367.91 - 2,400 devices affected - exploit available.' She creates a remediation request with a 7-day SLA. Three days later, 1,800 devices are patched but 600 clinical workstations cannot update due to a compatibility issue with a medical imaging plugin. What should Elena do for the remaining 600 devices?

Knowledge Check

Marcus is explaining the TVM dashboard to Oakwood Financial's CISO. The CISO asks: 'Our exposure score is 45 and our Secure Score for Devices is 62. Which one should I focus on improving first?' What is the correct advice?

Knowledge Check

Dev is auditing a client's TVM software inventory and discovers that 300 devices have an end-of-life version of Adobe Reader installed; the version has 47 known CVEs, including 12 critical ones with public exploits. The client says they cannot upgrade because a legacy PDF workflow depends on this specific version. What is the recommended approach?


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.