Microsoft has added a Common Vulnerabilities and Exposures (CVE) reporting feature to Windows Autopatch, giving IT and security teams a consolidated, device-level view of Windows vulnerabilities and which quality updates address them.
Background
Windows Autopatch, Microsoft’s cloud-based service for automating Windows and Microsoft 365 updates, has steadily expanded its reporting and management capabilities since its introduction. Recent refreshes to the Autopatch reporting surface brought broader device coverage, faster telemetry, and new operational controls; the CVE report is the latest addition designed specifically to close the visibility gap between vulnerability disclosure and remediation action. The CVE report surfaces Windows-specific vulnerability metadata alongside the update releases that remediate those issues, and — critically for operations teams — it ties those vulnerabilities back to the exact devices that remain missing the required fixes. The feature lives inside the Microsoft Intune admin center under the Windows Autopatch reporting section.
What the new CVE report delivers
The CVE report is an operational dashboard built to help teams prioritize patching and reduce time-to-remediate. It brings together several data points that are commonly siloed across different consoles:
- A consolidated list of CVEs that were addressed by recent Windows quality updates (historical scope includes the last 90 days).
- CVSS base scores for each CVE to help prioritize risk by severity.
- An Exploited flag indicating whether a vulnerability is known to be publicly exploited at release.
- The Windows update “Release” that contains the fix and direct links to KB release notes for remediation guidance.
- Device-level counts and the ability to drill down to device names, OS versions, and which devices are missing the update that contains the fix.
- Search, filter, and export capabilities so teams can generate offline reports or feed the data into spreadsheets and ticketing systems.
- A near real-time refresh cadence so the dashboard reflects newly reported device telemetry and remediation state.
These elements are intentionally operational: the report is not positioned as a comprehensive CVE encyclopedia, but rather as an actionable inventory that helps close the loop between “what’s vulnerable” and “what to patch where.”
Where to find it and how it works
Administrators can access the CVE report in the Microsoft Intune admin center:
- Go to Microsoft Intune admin center.
- Navigate to Reports > Windows Autopatch > Windows quality updates.
- Select the Reports tab.
- Choose Common Vulnerabilities and Exposures (CVEs).
The report’s default columns include CVE Name, Release, CVE Base Score, Exploited (Yes/No), KB Article links, Devices Missing Update, and Published (release date). Clicking the device count for a CVE drills into a list of affected devices where teams can view device names and OS versions to target remediation. Microsoft documents that the CVE report’s data is refreshed on a near-real-time cadence — the CVE page states data is refreshed every two hours — though other Autopatch reporting surfaces have historically used four-hour windows for summary dashboards; organizations should treat client-to-cloud latency and processing as an operational variable and validate refresh expectations in their tenants.
Why this matters: the operational case for integrated CVE reporting
Integrated CVE reporting inside the Intune/Autopatch experience matters for three practical reasons:
- Faster triage: Teams no longer need to reconcile CVE lists, KB links, and device inventories across multiple consoles. The CVE report puts the fix, the CVE metadata, and the affected devices together in one place, shortening the time from detection to remediation.
- Prioritized action: Combining CVSS scores and an exploitation flag with device counts helps organizations prioritize high-risk issues and allocate scarce remediation resources to where they matter most.
- Compliance and reporting: Export and filtering capabilities let security and compliance teams produce evidence for audits and internal reporting more efficiently, helping meet regulatory and internal SLAs for patching.
Windows Autopatch’s recent reporting updates also expanded coverage to include all Intune-managed devices (not only Autopatch group members), which increases the CVE report’s operational reach — provided devices are reporting telemetry correctly. This expansion was part of a broader push to reduce reporting latency and operate under least-privilege access for automation.
Technical prerequisites and operational caveats
The CVE report is useful, but it depends on specific telemetry and configuration to be accurate and complete. Key technical prerequisites and caveats include:
- Autopatch customers: The CVE report is available to Windows Autopatch customers and does not require special additional licensing.
- Windows diagnostic data: Autopatch reporting relies on Windows diagnostic/telemetry data uploaded by managed devices. Devices must be configured to send the required data (recommended minimum level) to populate device-level statuses in Autopatch reports. If devices are not configured correctly, they may not show up or may show stale state.
- Intune/Entra device inventory: Device lists rely on Microsoft Entra identities and Intune inventory. Devices that are not present in Entra or are misregistered may be omitted from device lists.
- Scope: The CVE report’s scope explicitly covers Windows OS CVEs. It is not a third-party application vulnerability scanner, and does not enumerate non-Windows product CVEs. Teams still need complementary tooling to manage vulnerabilities in third-party software and firmware.
- Permissions: Viewing and acting on the report requires appropriate Intune roles (e.g., Intune Service Administrator, Read Only Operator, Help Desk Operator with the right permissions) and proper RBAC mapping for Defender and Copilot agents if those features are used.
- Data latency: Although the CVE report refreshes frequently (Microsoft notes a roughly two-hour cadence for the CVE report), telemetry uploading, batch processing, and service-side batching can introduce variability. Confirm the effective latency for your tenant during testing.
These constraints are important to understand before relying on the dashboard as the single source of truth for vulnerability status.
Strengths: what Microsoft got right
The CVE report addresses several real and persistent pain points for Windows patch management:
- Actionable device linkage: Tying CVEs directly to the devices that are missing the fix removes manual reconciliation steps that traditionally slowed down patching.
- Embedded remediation links: Direct KB links reduce search time and lower the chance of patching the wrong CU/KB — a common operational hazard.
- No new licensing barrier: Making the report available to all Windows Autopatch customers without extra charge lowers the adoption friction.
- Exportability and filters: The ability to export and filter results supports reporting workflows and integration with ticketing or vulnerability management processes.
- Near-real-time visibility: Faster reporting cadence improves situational awareness for active exploitation events and can reduce the window of exposure.
For integrated Windows environments that already rely on Autopatch and Intune, the CVE report is a practical operational improvement rather than a purely cosmetic dashboard addition.
Risks and limitations: what teams should watch for
No single dashboard eliminates the need for a broader vulnerability management strategy. The CVE report’s limitations introduce a few operational risks:
- Windows-only scope: The CVE report does not replace dedicated vulnerability scanners that track third-party applications, web-facing appliances, containers, or firmware. Enterprises with heterogeneous estates must continue to use third-party vulnerability management tools.
- Data completeness depends on telemetry: Devices that fail to upload diagnostics or are not correctly configured in Intune/Entra can be missing from the report, producing false negatives. This is especially relevant for segmented networks, air-gapped systems, or devices with restricted telemetry.
- RBAC and exposure considerations: Copilot agents and some remediation tooling can surface data beyond the typical Intune role boundaries; the Vulnerability Remediation Agent documentation warns that agent-supplied data “might be visible to admins with access to view the agent ... even when that data is outside the admins assigned Intune roles or scope.” Teams should validate access controls and audit logs when enabling Copilot agents.
- Licensing and dependency for advanced automation: While the CVE report itself is included for Autopatch customers, advanced remediation automation (e.g., Security Copilot agents, Defender Vulnerability Management) has separate licensing and compute unit requirements that organizations must plan for. The Vulnerability Remediation Agent needs Security Copilot, Defender Vulnerability Management, and sufficient Security Compute Units (SCUs).
- False sense of completeness: Because the report focuses on Windows OS CVEs and update-delivered fixes, it may not reflect mitigations for non-updateable exposures or indicate whether additional configuration changes are required post-update. Operational teams must validate that the KB guidance is followed where a reboot or additional remediation steps are necessary.
These limitations don’t negate the report’s value — they define the operational boundaries where additional processes or tools are still required.
How to operationalize the CVE report: practical steps for IT and security teams
The CVE report is most valuable when embedded into existing remediation processes. The following sequence helps teams turn visibility into action:
- Validate telemetry and inventories
- Ensure Windows diagnostic data collection is enabled and set to the minimum recommended level across Autopatch-managed devices.
- Confirm devices appear in Microsoft Entra and Intune inventories so the device drill-downs in the CVE report are accurate.
- Baseline and pilot
- Use the report to generate an initial export and identify top critical CVEs by device count and exploitation status.
- Pilot targeted remediation on a small set of devices or a pilot Autopatch group to validate update readiness and the operational KB instructions.
- Prioritize by exploitation and exposure
- Prioritize fixing CVEs flagged as “Exploited” or with high CVSS scores that affect many devices, then escalate to medium/low severity issues based on business impact.
- Use Autopatch readiness and Intune deployment controls
- Leverage Windows Autopatch update readiness checks and staged deployment features to prevent broad disruptions when rolling out fixes at scale. Use Intune or Microsoft Graph to accelerate deployment where business-critical.
- Integrate with Security Copilot and Defender workflows
- Where available and licensed, use the Vulnerability Remediation Agent (Security Copilot) to prioritize and obtain prescriptive remediation steps that can be tracked inside Intune. Note the agent requires Defender Vulnerability Management and Security Copilot licensing, and runs under the identity of the admin who configures it.
- Feed into ticketing and SIEM
- Export CVE report data and create automated tickets for remediation workflows, and forward critical CVE events to SIEM or centralized dashboards for executive and compliance reporting.
- Continuous validation
- Re-run targeted checks after deployment to ensure devices report the updated state and the CVE is no longer listed as missing on target devices. Validate reboots and post-update health checks as required by the KB guidance.
Security Copilot and automated remediation — a practical complement
Microsoft’s Security Copilot agents extend vulnerability reporting by providing prioritized remediation suggestions and step-by-step guidance. The
Vulnerability Remediation Agent uses Defender Vulnerability Management data to surface prioritized CVEs and offer actionable remediation steps inside Intune. It can reduce investigation and remediation time by providing contextual summaries and suggested actions, but it’s currently delivered under a public preview model with prerequisites and limitations. Key considerations:
- The agent requires Microsoft Security Copilot, Defender Vulnerability Management (Defender for Endpoint P2 or standalone Vulnerability Management), and Security Compute Units.
- The agent’s identity and permissions are tied to the admin account that sets it up; runs expire and require reauthorization if not used for 90 days.
- Agent output may include device details and counts, but there are scope and visibility caveats: some outputs may be visible beyond normal Intune role scopes, so governance and access controls must be assessed before deployment.
When combined with the CVE report, Security Copilot agents can close the loop from detection to prioritized remediation — but they introduce additional complexity, license requirements, and access considerations that security teams must evaluate.
Real-world scenarios and use cases
- Emergency patching after active exploitation: If a new Windows CVE is disclosed with active exploitation, the CVE report lets security teams rapidly identify how many devices are exposed, which OS versions are affected, and which KB to apply — shortening the remediation triage time from hours to minutes.
- Compliance reporting: Security and compliance teams can export CVE report data to produce evidence of remediation progress for auditors, providing device-level evidence rather than a high-level assurance statement.
- Prioritization for limited patch windows: Organizations with maintenance windows can use the report to prioritize the subset of devices that must be patched immediately versus those that can be deferred to reduce operational impact.
- Integration with vulnerability management programs: Enterprises can use the CVE report as a Windows-focused source of truth inside a broader VM program while continuing to rely on specialized scanners for non-Windows software.
Practical warnings and governance checkpoints
Before making the CVE report a central pillar of remediation operations, teams should validate these governance checkpoints:
- Telemetry coverage: Confirm all production devices are configured to send diagnostic data and that there are no blind spots (e.g., air-gapped systems, non-reporting branches).
- Role-based access: Audit who can view Autopatch and Copilot agent data; limit access where necessary and log all agent runs for accountability.
- Licensing and cost: Understand Defender and Security Copilot licensing and SCU consumption before enabling Copilot agents that assist remediation.
- Test KB guidance: Apply updates in a small pilot, validate post-update behavior, and escalate to broad deployment only after confirming no regressions for business-critical applications.
These operational checks prevent the CVE report from becoming a source of incomplete or misleading assurance.
Final analysis: meaningful progress with measured expectations
The Windows Autopatch CVE report is a meaningful and practical enhancement for Windows-centric estates. It addresses long-standing operational friction by consolidating CVE metadata, KB remediation links, and device-level status into a single Intune-based experience — making vulnerability triage and patch prioritization faster and more precise for Windows Autopatch customers. At the same time, it is not a panacea. The report is explicitly scoped to Windows OS vulnerabilities, depends on diagnostic telemetry and correct device inventory, and must be used alongside broader vulnerability management and governance practices. Organizations should treat the CVE report as a high-confidence Windows patch-triage tool that complements — rather than replaces — endpoint vulnerability scanners, third-party patching solutions, and comprehensive risk-management workflows. For security and IT operations teams that already use Windows Autopatch and Intune, the addition of CVE reporting removes one more friction point between discovery and remediation and improves the ability to act quickly when new Windows threats emerge. For teams that manage heterogeneous environments, the report is a valuable Windows-specific input that must be stitched into a broader patching and vulnerability-management fabric.
Action checklist for administrators (quick reference)
- Confirm Windows Autopatch subscription and access to Intune reporting.
- Verify Windows diagnostic data collection is enabled at the recommended level.
- Validate that devices are present in Microsoft Entra and Intune inventories.
- Open Intune admin center → Reports → Windows Autopatch → Windows quality updates → Reports → Common Vulnerabilities and Exposures (CVEs).
- Export the initial CVE report and identify top critical CVEs by exploitation status and device count.
- Pilot updates in a small Autopatch group; verify KB guidance and reboots.
- Evaluate Security Copilot Vulnerability Remediation Agent if you need prioritized remediation guidance; confirm Defender and Copilot licensing and governance.
The introduction of the CVE report is a tactical improvement that brings vulnerability visibility into the same console where Windows updates are planned and deployed, shortening the path from detection to action — provided telemetry and governance are in place to ensure data completeness and appropriate access control.
Source: Petri IT Knowledgebase
Windows Autopatch Adds CVE Reporting to Boost Security Visibility