diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 72edc00443..4ad6ee6826 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -464,6 +464,7 @@
####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
+####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@@ -525,6 +526,7 @@
####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
+####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
###### [Vulnerability]()
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
new file mode 100644
index 0000000000..86ce1c9e6a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -0,0 +1,86 @@
+---
+title: Get missing KBs by machine ID
+description: Retrieves missing KBs by machine Id
+keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get missing KBs by machine ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by machine Id
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified machine missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+ "value": [
+ {
+ "id": "4540673",
+ "name": "March 2020 Security Updates",
+ "productsNames": [
+ "windows_10",
+ "edge",
+ "internet_explorer"
+ ],
+ "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+ "machineMissedOn": 1,
+ "cveAddressed": 97
+ },
+ ...
+ ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
new file mode 100644
index 0000000000..e91d137857
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -0,0 +1,93 @@
+---
+title: Get missing KBs by software ID
+description: Retrieves missing KBs by software ID
+keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get missing KBs by software ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by software ID
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+
+```
+GET /api/Software/{Id}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified software missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+ "value": [
+ {
+ "id": "4540673",
+ "name": "March 2020 Security Updates",
+ "productsNames": [
+ "edge"
+ ],
+ "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+ "machineMissedOn": 240,
+ "cveAddressed": 14
+ },
+ ...
+ ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index a38094be67..92e5b76fd8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -25,6 +25,7 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
+
Method|Return Type |Description
:---|:---|:---
[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@@ -36,9 +37,11 @@ Method|Return Type |Description
[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
+[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
## Properties
-Property | Type | Description
+
+Property | Type | Description
:---|:---|:---
id | String | [machine](machine.md) identity.
computerDnsName | String | [machine](machine.md) fully qualified name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 49e8e4c12d..414a3a54fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -20,11 +20,12 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
+
Method |Return Type |Description
:---|:---|:---
[List software](get-software.md) | Software collection | List the organizational software inventory.
@@ -32,16 +33,17 @@ Method |Return Type |Description
[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
## Properties
-Property | Type | Description
+
+Property | Type | Description
:---|:---|:---
id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
activeAlert | Boolean | Active alert is associated with this software
exposedMachines | Long | Number of exposed machines
-impactScore | Double | Exposure score impact of this software
-
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 8d2e155a2e..f31d2e82a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -52,9 +52,9 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
## Find and remediate software or software versions which have reached end-of-support (EOS)
-End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
-It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
To find software or software versions which have reached end-of-support:
@@ -69,6 +69,16 @@ To find software or software versions which have reached end-of-support:
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
+## Use APIs
+
+Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
+
+- [Machine APIs](machine.md)
+- [Recommendation APIs](vulnerability.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
+
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
@@ -83,8 +93,3 @@ After you have identified which software and software versions are vulnerable du
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](vulnerability.md)
-- [Machine APIs](machine.md)
-- [Score APIs](score.md)
-- [Software APIs](software.md)
-- [Vulnerability APIs](vulnerability.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index d2c196a62c..839193db64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -76,7 +76,7 @@ Area | Description
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to -  possible active alerts
-  associated public exploits
-  recommendation insights
Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 255962e9a7..6162539530 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -30,17 +30,15 @@ After your organization's cybersecurity weaknesses are identified and mapped to
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
-## Remediation
-
## How remediation requests work
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
-## Accessing the Remediation page
+## Accessing the remediation page
-You can access the Remediation page in a few places in the portal:
+You can access the remediation page in a few places in the portal:
- Security recommendations flyout panel
- Navigation menu
@@ -70,7 +68,7 @@ If you want to check how the ticket shows up in Intune, see [Use Intune to remed
2. Select the remediation activity that you want to view.
-### Top remediation activities card the dashboard
+### Top remediation activities in the dashboard
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
2. Select the remediation activity that you want to view.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 09f5eadae8..d28353f90b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -61,10 +61,16 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit
You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
-The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
+The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
+### Icons
+
+Useful icons also quickly calls your attention to -  possible active alerts
-  associated public exploits
-  recommendation insights
+
+### Investigate
+
Select the security recommendation that you want to investigate or process.
