The threat and vulnerability management capability in Microsoft Defender for Endpoint bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the Security recommendation pages to Intune.
Enable Microsoft Intune connection
To use this capability, enable your Microsoft Intune connections. In the Microsoft 365 Defender portal, navigate to Settings > General > Advanced features. Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your Microsoft Intune connection toggle On.
Note: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.
Remediation request steps
- Go to the threat and Vulnerability management navigation menu in the Microsoft 365 Defender portal, and select Recommendations Security recommendations.
- Select a security recommendation you would like to request remediation for, and then select Remediation options.
- Fill out the form, including what you are requesting remediation for, applicable device groups, priority, due date, and optional notes.
- If you choose the “attention required” remediation option, selecting a due date will not be available since there is no specific action.
- Select Submit request. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
- Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
- Go to the Remediation page to view the status of your remediation request.
If you want to check how the ticket shows up in Intune, see Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint for details.
If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.
After your organization’s cybersecurity weaknesses are identified and mapped to actionable security recommendations, start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created.
Lower your organization’s exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
View your remediation activities
When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management Remediation page, and a remediation ticket is created in Microsoft Intune.
If you chose the “attention required” remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion.
Completed by column
Track who closed the remediation activity with the “Completed by” column on the Remediation page.
- Email address: The email of the person who manually completed the task
- System confirmation: The task was automatically completed (all devices remediated)
- N/A: Information is not available because we don’t know how this older task was completed
Top remediation activities in the dashboard
View Top remediation activities in the threat and Vulnerability management dashboard. Select any of the entries to go to the Remediation page. You can mark the remediation activity as completed after the IT admin team remediates the task.