Reporting Defender vulnerabilities in HTML without using the Defender Portal

How many times have you wanted a quick look at the vulnerabilities in your tenant without having to go to Entra to activate your PIM role, then to Defender, and then navigate deep into the portal?


This is exactly what I was dealing with this past weekend. Here in the USA we had a long weekend because Monday was the MLK holiday, which gave me time to dig deeper.


I came across two GitHub repos from two amazing friends, MVPs in our community. All credit goes to them:-


1. Fabian Bader, f-bader/MSRC-PatchReview: a PowerShell variant of the amazing patch_review.py by kevthehermit, which you run on your own device to get all the CVEs of a Patch Tuesday release.

- Keep in mind this script targets BaseScore 8.0. If your company or customer wants more security, as my customers do, lower the BaseScore to 7.0 or less; you can see that on line 75 of the script.

- The base URL is MSRC. If you want to change it to CVE.org, change line 89, or just run: .\patch_review.ps1 2025-05 -CVELink CVE.org

- Fabian's output is designed to be easily read by humans by default. You can change the format on line 78 to JSON, PSObject, or Markdown, or simply run: .\patch_review.ps1 2025-05 -Output json (or psobject, or markdown; choose only one, not all).


2. Nathan McNulty, and this blog post is about his nathanmcnulty/defender-reporting.

I will dig into Nathan's script because it requires some preparation:

Requirements:-

1. Defender for Endpoint should already be deployed to all devices.

2. Create an API app in your Entra portal, configure its permissions, get admin consent from your GA, and secure your secret key or certificate.

3. This doesn't work in CDX or Dev tenants because I couldn't find the WindowsDefenderATP API there, so you will need to do it in a normal tenant.

Create your API:-

Nathan wrote an amazing README.md and created three different scripts:

1. To create the API permissions.

2. To obtain Vulnerability Management data using Managed Identities.

3. To obtain Vulnerability Management data using a Service Principal with a secret.

In this blog, I created everything manually, so let me walk you through:-

1. Navigate to Entra > App registrations > New registration, give the app a name and click Register.

2. In the application page of the app you just created in step 1, go to Manage > API permissions > Add a permission > APIs my organization uses. In the Request API permissions page, search for WindowsDefenderATP and select it (this is what I mentioned about it not being available in the Dev tenant). Screenshot from the production tenant:

Screenshot from Dev tenant

Once you select WindowsDefenderATP you get another window. Select Application permissions, because we need to access the API as a service (Delegated permissions require a user to sign in).

Then select the API permission this app needs, Vulnerability.Read.All, as in the screenshot below. I gave the app more permissions for something else I was working on; please follow Nathan's recommendation and grant only what the script needs.

Now you need to grant admin consent for your tenant.

Client Secrets:-

1. From the application page you created, select Certificates & secrets > Client secrets.

2. Select New client secret, add a description and an expiration (you can choose between 180 and 730 days).

Note: save the secret value you created; you won't be able to see it again once you leave this page.

Now you've completed what you need. Go to Nathan's repo and download the script; you need to run his third script from the README. Remember that Nathan added his test tenantId, appId, and appSecret; replace them all with the tenantId, appId, and secret value you just created in the steps above.

After you run the script above, you will find a JSON file in the designated directory that contains all vulnerabilities from your Defender tenant.
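The same data pull done by hand, as an added example that is not Nathan's script: a client-credentials token request for the WindowsDefenderATP resource, followed by a paged call to the machinesVulnerabilities endpoint. It assumes the app registration from the steps above (application permission Vulnerability.Read.All with admin consent) and reads the tenant id, app id and secret from the environment variables MDE_TENANT_ID, MDE_APP_ID and MDE_APP_SECRET (names I chose) instead of hard-coding them in the file, so the secret is not sitting in a script that gets copied around.

```powershell
# Added example, not Nathan McNulty's script: pull Defender vulnerability data
# with the app registration created above. Assumes application permission
# WindowsDefenderATP / Vulnerability.Read.All with admin consent granted.
# Credentials come from environment variables (names chosen here) so the
# secret never sits in the script file.
$tenantId = $env:MDE_TENANT_ID
$appId    = $env:MDE_APP_ID
$secret   = $env:MDE_APP_SECRET
if (-not ($tenantId -and $appId -and $secret)) {
    throw 'Set MDE_TENANT_ID, MDE_APP_ID and MDE_APP_SECRET before running.'
}

# 1. Client-credentials token. The scope is the Defender for Endpoint resource
#    (api.securitycenter.microsoft.com), not Microsoft Graph.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $appId
    client_secret = $secret
    scope         = 'https://api.securitycenter.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body $tokenBody
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Vulnerabilities per machine and software, following @odata.nextLink until
#    the last page. Each record carries cveId, machineId, productName,
#    productVersion and severity, which the HTML step can use directly.
$uri = 'https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities'
$all = [System.Collections.Generic.List[object]]::new()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if ($page.value) { $all.AddRange([object[]]$page.value) }
    $uri = $page.'@odata.nextLink'
}

# 3. Write the JSON into the current folder; the token and secret are never printed.
$outFile = Join-Path -Path $PWD -ChildPath 'machinesVulnerabilities.json'
$all | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
"Saved $($all.Count) records to $outFile"
```

Run it from the folder where you want the JSON to land. A wrong or expired secret fails on the token call, while a missing admin consent for Vulnerability.Read.All typically shows up as a 403 on the API call, which is a quick way to tell the two setup mistakes apart.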

Extract it and save your JSON file in the same directory where you are going to run the Generate-VulnerabilityDashboard script you downloaded from Nathan's repo. Line 3 of that script is where you set the folder the JSON file is read from; I named mine 'Nathan's script'. You can change it, but make sure you also change the folder name on line 3.

The script will generate an HTML file in the same directory, which you can open in your browser.
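A minimal version of the JSON-to-HTML step, added here as an illustration and not Nathan's Generate-VulnerabilityDashboard script. It filters the saved records by a minimum severity and HTML-encodes every field before writing the table, because product names and versions come straight from the devices' software inventory and must not be trusted as markup when you open the report in a browser. Field names follow the machinesVulnerabilities output; the -JsonPath, -MinSeverity and -OutFile parameters are mine, and with no -JsonPath the script uses constructed sample records (placeholder CVE ids and device names) so it runs offline.

```powershell
# Added example: JSON -> HTML report with a severity floor and HTML encoding.
# Not Nathan McNulty's script; parameter names and the sample data are mine.
param(
    [string]$JsonPath,                 # output of the data pull; omit to use the sample
    [ValidateSet('Low', 'Medium', 'High', 'Critical')]
    [string]$MinSeverity = 'High',
    [string]$OutFile = 'vulnerabilities.html'
)

$rank = @{ Low = 1; Medium = 2; High = 3; Critical = 4 }

$records = if ($JsonPath) {
    Get-Content -Raw -Path $JsonPath | ConvertFrom-Json
} else {
    # Constructed sample records (placeholder CVE ids and device names).
    # One product name carries markup to show why every cell is encoded.
    @(
        [pscustomobject]@{ cveId = 'CVE-0000-00001'; machineId = 'device-a'; productName = 'sample-agent';      productVersion = '1.0.0'; severity = 'Critical' }
        [pscustomobject]@{ cveId = 'CVE-0000-00002'; machineId = 'device-a'; productName = 'sample-viewer';     productVersion = '2.3.1'; severity = 'Medium' }
        [pscustomobject]@{ cveId = 'CVE-0000-00003'; machineId = 'device-b'; productName = 'sample<b>tool</b>'; productVersion = '9.9';   severity = 'High' }
    )
}

# Keep only records at or above the floor, most severe first
$selected = @($records |
    Where-Object { $_.severity -and $rank[$_.severity] -ge $rank[$MinSeverity] } |
    Sort-Object { $rank[$_.severity] } -Descending)

# Build table rows; every value is HTML-encoded so inventory data cannot inject markup
$rows = foreach ($r in $selected) {
    $cells = @($r.severity, $r.cveId, $r.machineId, $r.productName, $r.productVersion) |
        ForEach-Object { [System.Net.WebUtility]::HtmlEncode([string]$_) }
    '<tr><td>{0}</td><td>{1}</td><td>{2}</td><td>{3}</td><td>{4}</td></tr>' -f $cells
}

# Per-severity counts for the header line
$summary = ($selected | Group-Object severity |
    Sort-Object { $rank[$_.Name] } -Descending |
    ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }) -join ', '

$html = @"
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Defender vulnerabilities</title>
<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:4px 8px}</style>
</head><body>
<h1>Defender vulnerabilities, minimum severity $MinSeverity</h1>
<p>Generated $(Get-Date -Format u). Showing $($selected.Count) of $(@($records).Count) records. $summary</p>
<table>
<tr><th>Severity</th><th>CVE</th><th>Machine</th><th>Product</th><th>Version</th></tr>
$($rows -join "`n")
</table>
</body></html>
"@

Set-Content -Path $OutFile -Value $html -Encoding UTF8
"Wrote $OutFile ($($selected.Count) records)"
```

Run it as .\Build-Report.ps1 -JsonPath .\machinesVulnerabilities.json -MinSeverity Medium (any file name works) and open the HTML; the sample record with the angle brackets shows up as literal text rather than bold, which is the check that the encoding is in place.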


Here we go, this is our final report. You can sort by your device(s) platform or by severity, and you can pick from different reports: Impact analysis, Active vulnerabilities, and Remediation activity.


Underneath this report, everything is clickable, so you can drill into more information about a piece of software or a device.

Below is a short video showing the features.
