Microsoft has quietly rolled out a new Common Vulnerabilities and Exposures (CVE) report inside Windows Autopatch, giving security teams something they’ve long needed: a single screen that links every recent Windows CVE to the exact devices still missing the patch. The report is live now in the Microsoft Intune admin center, and for organizations managing endpoints through Autopatch, it slashes the time between spotting a critical flaw and confirming it’s fixed across the fleet.

What Microsoft Just Unlocked for Security Teams

The new CVE report lives under Reports > Windows Autopatch > Windows quality updates > Reports tab, where it appears as the Common Vulnerabilities and Exposures (CVEs) report. Unlike a static spreadsheet of security bulletins, it’s a dynamic dashboard built for operational speed. Microsoft designed it to show, at a glance, which Windows quality updates address which CVEs—and, crucially, which managed devices still haven’t installed those updates.

Here’s what you’ll see when you open it:

  • A consolidated list of Windows CVEs addressed by recent quality updates (the view covers the last 90 days of fixes).
  • Each CVE entry includes a CVSS-style base score, a flag showing whether the vulnerability is actively exploited in the wild, and the KB article that contains the fix.
  • A Devices Missing Update count for every CVE. Clicking that number opens a flyout listing each device by name and OS version.
  • Search, filter, and export-to-CSV capabilities, so you can slice the data by CVE ID, severity, or release date and hand it off to your SIEM or ticketing system.

The entire package is meant to answer two urgent questions in near real time: “Are we vulnerable to this?” and “If so, which machines do I need to patch right now?”

How It Translates CVEs Into Actionable Lists

Every CVE row packs the fields security analysts actually need during triage. The CVE Name/ID is the canonical identifier. Next to it, the Base Score—expressed on a 10-point scale like 9.8—tells you technical severity at a glance. The Exploited column is a straight-to-the-point indicator: if it reads “Yes,” the vulnerability is being actively used by attackers, making patching urgent. The Release/Update field names the quality update that ships the fix, and the KB Article/Release Notes link takes you directly to the official remediation guidance.

That KB link is the operational linchpin. Without it, a CVE is just a scary number. With it, you can confirm which OS builds are affected, check for known issues, and plan rollout windows around restarts or compatibility caveats. And because the report surfaces the Devices Missing Update count as a clickable metric, you jump straight from the CVE to the list of devices that need attention—no manual inventory queries required.

The Operational Gains for IT and Security

Before this report, many teams patched together CVE tracking from separate silos: a vulnerability feed, a WSUS or ConfigMgr inventory, and maybe a custom script to find exposed hosts. The new integrated view eliminates that context switching. For the first time, Autopatch users have a single pane where a CVE, its fix, and a live device-exposure list all sit together.

That matters in three concrete ways:

  • Faster emergency response. When a new zero-day hits, you can sort the report by Exploited and Base Score, immediately see how many devices are vulnerable, and push expedited updates to those machines—all without leaving Intune.
  • Audit-ready evidence. Exporting the CVE list along with the associated device details gives you a timestamped artifact that demonstrates which vulnerabilities were addressed and when. Auditors and cyber insurers increasingly ask for this level of precision.
  • Cleaner handoffs. A CSV export can go straight to your SOC team, a line-of-business application owner, or a change control board, so everyone works from the same set of risks.

Where It Falls Short (and What to Do About It)

As useful as it is, the CVE report has clear boundaries that admins need to respect.

First, coverage is client-centric. The report focuses on Intune-managed Windows client devices—laptops, desktops, and perhaps some hybrid workers. Servers, non-Windows systems, and unmanaged endpoints typically won’t appear here unless they’re also enrolled in Autopatch. If your vulnerability program spans server fleets, you’ll still need a parallel solution for those assets.

Second, latency assumptions need validation. Microsoft describes the report as having “short latency,” but the exact refresh speed isn’t nailed down in public documentation. Earlier Autopatch reporting improvements operated on a four-hour delay, and marketing copy has referenced a two-hour target. The safe approach: run a controlled update in your tenant and measure how long it takes for the CVE report to reflect the new state. Use that figure to set realistic SLA windows for your SOC-to-IT handoffs.

Third, complex KB-to-CVE mapping can trip you up. Some cumulative updates bundle dozens of CVEs, and a single KB might fix a vulnerability only for certain OS revisions. Always click through to the KB article and verify that the update covers the exact build running on your exposed devices.

Finally, several companion features that supercharge the report—like update readiness and the Security Copilot Vulnerability Remediation Agent—are still in preview. That means their availability and behavior could change. Treat them as valuable but not yet final.

Your 7-Day Playbook for the New CVE Report

To get immediate value without disrupting existing processes, follow this sequence over the next week:

  1. Find the report and bookmark it. In the Intune admin center, go to Reports > Windows Autopatch > Windows quality updates > Reports and select the Common Vulnerabilities and Exposures (CVEs) report.
  2. Run a first triage pass. Sort the report by the Exploited column (true/false) and then by Base Score descending. Open the top few CVEs and click their device counts to see if any machines in your environment are exposed.
  3. Validate latency before an emergency hits. Identify a non-critical device, force a quality update, and note the timestamp. Then monitor how quickly the CVE report stops showing that device as missing the update. Use this interval as your realistic reporting lag.
  4. Build a four-tier response runbook. Map combinations of Base Score, Exploited flag, and device count to priority levels—for example:
    • Immediate: Exploited = Yes or Base Score ≥ 9.0 and device count > 0
    • High: Base Score 7.0–8.9 and device count > 10
    • Normal: Base Score 4.0–6.9 and device count > 0
    • Monitor: Everything else
      Only use Autopatch’s expedited update controls for the Immediate and High tiers.
  5. Pilot an export-to-ticket workflow. Export the CVE list as a CSV, map device names to owners, and push those details into your ITSM tool. This ensures the right teams receive targeted remediation tasks.
  6. Integrate with your broader stack. If you run Microsoft Defender Vulnerability Management, cross-reference the CVE report with its endpoint telemetry to confirm that a missing update truly represents an exploitable condition. Feed the exported CSV into your SIEM/SOAR to automatically trigger incident playbooks for exploited CVEs.
  7. Document exceptions. Some devices (medical systems, legacy kiosks) may never take a given update. Use the exported report to maintain an exception log, listing which CVEs remain unpatched and why, along with compensating controls.

The Road Ahead: Tighter Integration and Automation

Microsoft is positioning this CVE report as part of a larger vulnerability remediation flow. The preview update readiness capability inside Autopatch aims to catch blockers—driver conflicts, pending restarts, disk-space issues—before a deployment fails. Meanwhile, the Security Copilot Vulnerability Remediation Agent (also in limited preview) correlates findings from Defender Vulnerability Management with Intune actions to produce step-by-step remediation guidance. Together, these tools promise a future where a high-risk CVE triggers an automated sequence: readiness check → expedited deployment → verification. But for now, the CVE report itself is the solid, production-ready foundation.

For any IT team struggling to keep pace with the volume and velocity of Windows vulnerabilities, the new report is immediately useful. It won’t replace a full vulnerability management program, and it won’t cover every corner of your environment, but it will remove the single biggest friction point that slows down patching: the manual, error-prone hop from a CVE advisory to a concrete list of devices that need fixing.