Create and view exceptions for security recommendations - threat and vulnerability management

  • Article
  • iv minutes to read

Applies to:

  • Microsoft Defender for Endpoint Plan 2
  • Threat and vulnerability direction
  • Microsoft 365 Defender

Desire to experience Microsoft Defender for Endpoint? Sign up for a complimentary trial.

As an alternative to a remediation asking when a recommendation is non relevant at the moment, you can create exceptions for recommendations. If your arrangement has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.

When an exception is created for a recommendation, the recommendation will not be agile until the end of the exception duration. The recommendation state volition change to Full exception or Partial exception (by device group).

Permissions

Only users with "exceptions handling" permissions can manage exceptions (including creating or canceling). Learn more than nigh RBAC roles.

The exception handling permission

Create an exception

Select a security recommendation y'all would like create an exception for, and so select Exception options and fill out the form.

The location of the exception options button in a security recommendation flyout

Exception by device group

Apply the exception to all electric current device groups or choose specific device groups. Time to come device groups won't be included in the exception. Device groups that already have an exception will non be displayed in the list. If you lot only select certain device groups, the recommendation land volition alter from "agile" to "partial exception." The state volition alter to "total exception" if you select all the device groups.

The Device group dropdown

Filtered views

If y'all have filtered by device grouping on any of the threat and vulnerability direction pages, merely your filtered device groups will announced as options.

This is the push to filter past device grouping on any of the threat and vulnerability direction pages:

The selected device groups filter

Exception view with filtered device groups:

The filtered device group dropdown

Large number of device groups

If your organization has more than 20 device groups, select Edit next to the filtered device group option.

The procedure to edit large numbers of groups

A flyout will appear where yous can search and cull device groups you want included. Select the check mark icon below Search to check/uncheck all.

The large device group flyout

Global exceptions

If yous accept global administrator permissions, you lot volition be able to create and cancel a global exception. Information technology affects all current and time to come device groups in your organisation, and simply a user with similar permission would exist able to change it. The recommendation state will change from "agile" to "full exception."

The global exception option

Some things to keep in listen:

  • If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been canceled. Afterward that point, the new device group exceptions volition go into consequence until they expire.
  • If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until information technology expires or the global exception is canceled before it expires.

Justification

Select your justification for the exception yous need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.

The following list details the justifications behind the exception options:

  • Third political party control - A tertiary political party product or software already addresses this recommendation - Choosing this justification type will lower your exposure score and increment your secure score considering your risk is reduced
  • Alternate mitigation - An internal tool already addresses this recommendation - Choosing this justification type will lower your exposure score and increase your secure score considering your adventure is reduced
  • Risk accepted - Poses low risk and/or implementing the recommendation is also expensive
  • Planned remediation (grace) - Already planned but is awaiting execution or authorization

View all exceptions

Navigate to the Exceptions tab in the Remediation folio. Y'all can filter past justification, blazon, and status.

Select an exception to open a flyout with more than details. Exceptions per devices grouping volition accept a list of every device grouping the exception covers, which you can export. You can besides view the related recommendation or cancel the exception.

The Exceptions tab in the Remediation page

How to cancel an exception

To cancel an exception, navigate to the Exceptions tab in the Remediation page. Select the exception.

To abolish the exception for all device groups or for a global exception, select the Abolish exception for all device groups button. Yous will simply be able to cancel exceptions for device groups you have permissions for.

The Cancel button

Cancel the exception for a specific device grouping

Select the specific device group to abolish the exception for it. A flyout volition appear for the device group, and yous can select Abolish exception.

The procedure to select a specific device group

View impact later on exceptions are practical

In the Security Recommendations folio, select Customize columns and check the boxes for Exposed devices (later on exceptions) and Impact (afterward exceptions).

The customize columns options

The exposed devices (after exceptions) column shows the remaining devices that are yet exposed to vulnerabilities afterward exceptions are applied. Exception justifications that touch on the exposure include 'third party control' and 'alternate mitigation'. Other justifications practice not reduce the exposure of a device, and they are still considered exposed.

The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that bear upon the scores include 'tertiary party command' and 'alternate mitigation.' Other justifications practise not reduce the exposure of a device, and and so the exposure score and secure score do not alter.

The columns in the table

  • Threat and vulnerability management overview
  • Remediate vulnerabilities
  • Security recommendations
  • Exposure score
  • Microsoft Secure Score for Devices