Business Premium Already Includes a Vulnerability Scanner. Most Tenants Never Turn It On.
TL;DR
- Microsoft 365 Business Premium and Defender for Endpoint Plan 2 include 24/7 software vulnerability scanning, an exposure score dashboard, and built-in remediation recommendations at no extra cost.
- After onboarding is pushed, expect roughly 24 hours before devices start appearing in the Defender admin center.
- An unpatched application is an entry point that strong security tooling cannot compensate for, and cyber insurers and compliance frameworks increasingly require software to stay current.
- Triage works as a decision matrix: is the app approved, is it centrally managed, and does the vulnerability's age and version spread demand action now.
- Filtering out Microsoft and Apple software and sorting by device count surfaces the third-party risks that matter ahead of the noise.
Here is a budget line most MSPs never collect on: if your clients run Microsoft 365 Business Premium or Defender for Endpoint Plan 2, they already own continuous vulnerability scanning for every workstation. No agent to buy, no per-device add-on. What stands between most environments and 24/7 visibility into unpatched software is a short onboarding checklist and a working process for acting on what the scanner finds. This post covers both, including how we prioritize remediation once the findings start flowing.
What is actually at stake with unpatched software?
- Vulnerabilities will arise on existing software. Without an approved inventory, exploits against users, devices, and apps go unnoticed until they create loss for the business.
- Hackers exploit outdated software to gain access, steal data, or install ransomware.
- Even strong security tools cannot protect you when an attacker walks through an unpatched application.
- Cyber insurers and compliance frameworks often require software to be kept up to date.
- If your team is unknowingly using vulnerable apps, the business is carrying risk without realizing it.

Maintaining visibility and control over installed software is hard, especially at scale, but failing to do so creates real consequences: data breaches, ransomware, financial loss, downtime. And some applications without any published CVEs still get used maliciously; Quick Assist shows up in social engineering attacks regularly.
The fix is structural: an approved software inventory plus continuous vulnerability scanning. Together they form the baseline for reducing risk and improving operational control. We covered building the inventory side in our guide to application inventory management; this post is the scanning side.
What does the built-in scanner include?
With Microsoft 365 Business Premium or Defender for Endpoint Plan 2, the native vulnerability management toolset gives you:
- 24/7 software vulnerability scanning
- An exposure score dashboard
- Detailed insights into app versions, patch age, and severity
- Built-in remediation recommendations

How do you get devices reporting in?
Onboard the endpoints
- Head to the Microsoft 365 Defender portal.
- Go to Settings → Endpoints → Onboarding.
- Choose your onboarding method:
- Intune (preferred for MDM environments)
- Group Policy
- Local script for testing
- Make sure Intune integration is enabled under Advanced Features. Microsoft documents the full process here: Onboard and configure devices with Microsoft Defender for Endpoint via Microsoft Intune (opens in new tab).
After enrollment is pushed out and activated, expect around 24 hours before devices start showing up in the Defender admin center.
Wire up notifications
Configure email notifications for new vulnerabilities (opens in new tab) so findings reach the team without anyone living in the portal. One caveat: Windows OS updates can generate noise when they have not hit their patch window yet. Use PSA tools or helpdesk rules to triage these efficiently instead of muting the alerts entirely.
Reading the dashboard once data arrives

Once Defender starts reporting, the headline number is the Exposure Score: the higher it climbs, the more vulnerabilities and security misconfigurations exist across your devices.
Drill into Inventories on the left to see the software list. Clicking any application opens its software page. Spend time here getting familiar with:
- Known vulnerabilities and CVEs
- Severity and exploitability
- Version distribution across devices
- Remediation recommendations
This view is what makes prioritization possible, and it surfaces known exploited vulnerabilities automatically.

Approve, remove, patch: the SOP that survives a 300-app list
This is where the rubber meets the road. The inventory will show 300+ applications, and staring at the list is not a strategy. We work through this decision matrix:

Start by reviewing every application in the vulnerability management dashboard that has a public exploit or weakness. Keep in mind that some weaknesses and public exploits simply have not had time to resolve on their own yet, like OS updates waiting on Patch Tuesday or CVEs that were just published.
- Is it approved?
- Yes: add it to your documented inventory.
- No: open a ticket to investigate or remove it.
- Is it centrally managed?
- If yes, deploy updates via RMM or Intune.
- If no, consider manual removal or user guidance.
- Does it need action now?
- Look at the age of the vulnerability and the version distribution.
- Focus on older versions and high-priority threats first.
For the deployment mechanics of pushing fixes, see remediating vulnerabilities with app deployments in Intune.
Which filters find the real problems first?

You can export the full software inventory from the Inventories tab in Defender. A few cuts that get you to action quickly:
- Start with anything carrying public exploits or weaknesses. Always the top of the queue.
- Sort by number of devices installed. Higher count usually means higher priority.
- Filter out Microsoft and Apple. Hone in on third-party software instead of the noise natively installed on every device.
- Search for red flags. Remote tools, file-sharing apps, password managers, unknown vendors.
Example: Dropbox installed on 100+ devices when the client standardized on OneDrive is your cue to start the shadow IT cleanup.
Where CloudCapsule picks up the workflow
CloudCapsule was built to run this exact workflow for MSPs and IT teams across many customers at once:
- Visualize all applications across customers
- Approve or unapprove apps in bulk
- Use predefined proposals to clean up the software inventory
- Export reports for QBRs or security reviews


What does week one look like?
Nobody cleans up an inventory in a day, and trying to is how the project dies. With the right tools and a clear SOP, you chip away at it over time and turn a sprawling, risky app landscape into a governed one. The starting stack:
- Layered protections, meaning no local admin rights, App Control policies, and similar guardrails
- 24/7 vulnerability scanning via Defender
- A living, breathing approved software inventory
Get those three moving and you are ahead of most environments already.
Frequently asked questions
Why are devices not showing in Defender after onboarding?
After enrollment is pushed out and activated, it can take around 24 hours for devices to start showing up in the Defender admin center. If they still have not appeared, confirm that Intune integration is enabled under Advanced Features in the Defender portal.
Should every vulnerability alert trigger a ticket?
No. Windows OS updates generate noise when they have not hit their patch window yet, and some CVEs are too fresh for vendors to have shipped fixes. Use PSA tools or helpdesk rules to triage notifications, and prioritize by vulnerability age, public exploit status, and version distribution.
Can an app with no known CVEs still be a risk?
Yes. Some applications have no published vulnerabilities but are still abused in attacks. Quick Assist, for example, is used in social engineering campaigns. This is why an approved software inventory matters alongside CVE scanning.
Turn the 300-app list into a report a client can read
CloudCapsule visualizes applications across every customer, lets you approve or unapprove apps in bulk, ships predefined cleanup proposals, and exports reports built for QBRs and security reviews.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


