Microsoft Defender Vulnerability Management (MDVM) scans Windows endpoints for known CVE-rated software vulnerabilities and missing patches. Sherlock EoP Auditor scans Windows endpoints for local privilege escalation surfaces that may not have any CVE assigned. The two tools answer different questions about the same Windows host. MDVM tells you which installed software has unpatched known vulnerabilities. EoP Auditor tells you whether the local configuration allows privilege escalation regardless of patch state. They cover different attack surfaces and complement each other in defense-in-depth Windows hardening.
What MDVM tests
Microsoft Defender Vulnerability Management is the vulnerability management capability bundled with Microsoft Defender for Endpoint Plan 2 and also available as a standalone MDVM SKU. The tool runs continuously on Windows endpoints that have the Defender for Endpoint sensor deployed. The scan engine inventories installed software, OS components and driver versions, then matches them against the Microsoft Security Update Guide CVE database and the National Vulnerability Database.
Specific findings MDVM surfaces include missing Windows OS patches (with the specific KB articles required), missing third-party software patches (Chrome, Acrobat, Java, etc.), end-of-support software still in use, weak security baseline configuration (settings that deviate from CIS or Microsoft baselines), exposed network surface (open ports, listening services), browser extension inventory, and certificate inventory with expiration tracking.
The reports show per-CVE severity scores (CVSS), exploitability metrics (whether public exploit code exists), an exposure score per device, and remediation prioritization. Because MDVM is integrated with Defender for Endpoint, findings link directly to EDR telemetry, so a high-severity CVE on a host that EDR has already flagged for suspicious behavior is prioritized.
What Sherlock EoP Auditor tests
Sherlock EoP Auditor is a Windows endpoint surface scanner that enumerates local privilege escalation conditions. The tool runs on demand against a single host (not as a persistent sensor) and surfaces the conditions that would allow a regular user account to escalate privileges on that machine.
Specific findings EoP Auditor surfaces include third-party Windows services running as SYSTEM with weak service binary permissions, third-party services with named pipe authorization gaps, kernel driver attack surfaces (signed drivers with exploitable interfaces), scheduled task misconfigurations (writable script paths, writable working directories), COM object permission gaps, registry key ACL issues on autorun paths, file system permission vectors on privileged executables, and token impersonation opportunities created by Windows API misuse in third-party software.
The findings often have no CVE assigned because they are configuration-class issues or design-class issues in third-party software. The third-party vendor may not have a security advisory for the specific authorization gap. The host may be fully patched per MDVM and still have the EoP Auditor finding because patches do not change the underlying configuration that creates the escalation surface.
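Two of the finding classes above, weak ACLs on SYSTEM service binaries and writable scheduled-task paths, can be illustrated with a small defensive audit. The script below is an added example written for this page; it is not Sherlock EoP Auditor code and makes no claim about how that product implements its checks. It assumes the list of "broad" principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) is the right definition of non-privileged access for the host, and that it is run from an elevated PowerShell session so every ACL is readable. It reports a SYSTEM service or privileged scheduled task whenever its executable, the executable's directory, or the task's working directory grants write, delete, or permission-change rights to one of those principals; the fix for each hit is to tighten the ACL or move the binary, which no patch will do for you.

```powershell
# Added audit example (not Sherlock EoP Auditor code). Flags SYSTEM services and
# privileged scheduled tasks whose binaries or directories are writable by broad,
# non-privileged principals. Assumption: the principal list below is the right
# "non-privileged" set for the host being audited. Run elevated.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal alter a file, delete it, or rewrite its ACL.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write `
    -bor [System.Security.AccessControl.FileSystemRights]::Delete `
    -bor [System.Security.AccessControl.FileSystemRights]::ChangePermissions `
    -bor [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Windows sometimes stores generic rights instead of specific ones.
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-BroadWriters {
    # Returns the broad principals that hold write-class Allow rights on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $writers = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        $rights = $rule.FileSystemRights.value__
        if (($rights -band $WriteMask) -or ($rights -band $GenericWriteBits)) {
            $rule.IdentityReference.Value
        }
    }
    return @($writers | Sort-Object -Unique)
}

function Get-ExecutablePath {
    # Extracts the program path from a service PathName or task action string.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $m = [regex]::Match($expanded, '^"([^"]+)"')
    } else {
        # Unquoted: take everything up to the first executable/script extension.
        $m = [regex]::Match($expanded, '^(.+?\.(exe|sys|cmd|bat|ps1))(\s|$)', 'IgnoreCase')
    }
    if ($m.Success) { return $m.Groups[1].Value } else { return $null }
}

function New-Finding {
    param($Kind, $Name, $RunsAs, $Path, $Writers)
    [pscustomobject]@{
        Kind = $Kind; Name = $Name; RunsAs = $RunsAs
        Path = $Path; WritableBy = ($Writers -join ', ')
    }
}

function Get-ServiceBinaryFindings {
    # Services running as LocalSystem whose binary or its folder is broadly writable.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ExecutablePath $svc.PathName
            if (-not $exe) { return }
            foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
                $writers = Get-BroadWriters $target
                if ($writers.Count -gt 0) {
                    New-Finding 'Service' $svc.Name $svc.StartName $target $writers
                }
            }
        }
}

function Get-ScheduledTaskFindings {
    # Tasks running as SYSTEM or with highest run level whose action path or
    # working directory is broadly writable.
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -in @('SYSTEM', 'LocalSystem', 'NT AUTHORITY\SYSTEM') -or
        $_.Principal.RunLevel -eq 'Highest'
    } | ForEach-Object {
        $task = $_
        $runsAs = "$($task.Principal.UserId) ($($task.Principal.RunLevel))"
        foreach ($action in @($task.Actions)) {
            $exe = Get-ExecutablePath $action.Execute
            # Bare names such as powershell.exe resolve via PATH at run time;
            # this check only audits explicit, rooted paths.
            if (-not $exe -or -not [System.IO.Path]::IsPathRooted($exe)) { continue }
            $targets = @($exe)
            if ($action.WorkingDirectory) {
                $targets += [Environment]::ExpandEnvironmentVariables($action.WorkingDirectory)
            }
            foreach ($target in $targets) {
                $writers = Get-BroadWriters $target
                if ($writers.Count -gt 0) {
                    New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $runsAs $target $writers
                }
            }
        }
    }
}

$findings = @(Get-ServiceBinaryFindings) + @(Get-ScheduledTaskFindings)
$findings | Format-Table -AutoSize
```

Each row names the service or task, the account it runs as, the path that is writable, and the principal that can write it, which is the information needed to open a ticket with the vendor or to correct the ACL locally. An empty result on a host that is also green in MDVM is the combined state the rest of this page argues for; a non-empty result on a fully patched host is exactly the configuration-class gap that CVE scanning never reports.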
Different question classes
The reason these two tools coexist is that they answer different questions about the same host.
MDVM answers: "Of the software installed on this host, which has known unpatched vulnerabilities that an attacker could exploit?" The answer is a list of CVEs and the patches that close them. The remediation is patch management.
EoP Auditor answers: "On this host, what local configurations would let a regular user become SYSTEM regardless of patch state?" The answer is a list of authorization gaps, misconfigurations and design-class issues. The remediation is configuration change, vendor coordination and sometimes replacement of the vendor product.
A fully patched Windows host can still have meaningful EoP findings. A host with significant MDVM-flagged vulnerabilities can still pass an EoP Auditor scan if the local configuration is hardened. The two findings are not redundant; they cover different attack surface dimensions.
Coverage matrix
Windows OS missing patches: MDVM covers comprehensively. EoP Auditor does not patch-scan; it tests configuration regardless of patch state.
Third-party software missing patches: MDVM covers via its software inventory. EoP Auditor does not.
Known CVE inventory: MDVM covers. EoP Auditor surfaces findings that often have no CVE.
Third-party Windows service authorization gaps: EoP Auditor covers. MDVM does not (these are configuration-class, not CVE-class).
Named pipe authorization gaps in privileged services: EoP Auditor covers. MDVM does not. This is the attack class behind several of the recent Windows privilege escalation disclosures tracked in the Sherlock Forensics Labs disclosure tracker.
Kernel driver attack surfaces: EoP Auditor covers. MDVM partially covers via end-of-support driver flagging but not the underlying exploitable interface analysis.
COM object permission gaps: EoP Auditor covers. MDVM does not.
Scheduled task misconfigurations: EoP Auditor covers. MDVM partially covers via security baseline checks but not the writable-path analysis.
Security baseline compliance (CIS / Microsoft): MDVM covers extensively. EoP Auditor does not test compliance benchmarks; it tests exploitable conditions.
Browser extension inventory: MDVM covers. EoP Auditor does not.
Certificate expiration tracking: MDVM covers. EoP Auditor does not.
Token impersonation surface: EoP Auditor covers. MDVM does not.
Cost and operational characteristics
Microsoft Defender Vulnerability Management is bundled with Microsoft Defender for Endpoint Plan 2 (typically requiring Microsoft 365 E5 or equivalent licensing) or sold as a standalone SKU. The annualized cost for a mid-market organization is materially higher than the standalone EoP Auditor license because MDVM is part of a larger continuous EDR and vulnerability management platform. The platform requires the Defender for Endpoint sensor deployed across the fleet and active Microsoft 365 tenant integration.
Sherlock EoP Auditor is a one-time-license tool that runs on demand against individual Windows hosts. It requires no platform integration, no Microsoft tenant, no sensor deployment and no continuous data collection. The use case is targeted host audit, not continuous fleet monitoring.
The operational pattern mature security teams adopt is to deploy MDVM (or an equivalent continuous VM platform) across the fleet for patch hygiene and baseline compliance monitoring, and to run EoP Auditor on demand against specific hosts that warrant a deeper privilege escalation surface audit. The two tools share zero overlap in finding class. The combined coverage is the union of CVE scanning and configuration-class privilege escalation testing.
When each tool is the right starting point
Choose MDVM first if the question your security program needs to answer is "are our Windows endpoints fully patched against known vulnerabilities and aligned with security baselines?" This is the right starting question for organizations with M365 E5 licensing already in place, organizations with compliance reporting requirements for vulnerability management, and organizations early in their Windows security maturity that need continuous patch posture visibility.
Choose Sherlock EoP Auditor first if the question your security program needs to answer is "do our Windows endpoints have local privilege escalation surfaces that patches will not fix?" This is the right starting question for organizations doing post-incident response on Windows compromises, organizations evaluating new third-party Windows software before deploying it, and organizations whose patch posture is already strong but who want defense in depth against configuration-class escalation.
Choose both if you are running Windows in production at scale. The two tools cover non-overlapping attack surfaces. Running only MDVM misses the configuration-class privilege escalation findings entirely. Running only EoP Auditor misses the CVE-class findings entirely. The combined coverage is necessary for Windows hardening serious enough to defend against modern attacker tradecraft.
What this means for security planning
The mistake security programs make is treating CVE-based vulnerability management as complete Windows hardening. It is not. Sherlock Forensics incident response casework consistently surfaces breaches where the compromised host was fully patched per the CVE database but contained configuration-class escalation surfaces that the attacker leveraged. The host passed every MDVM scan and was still compromised because the underlying authorization gap was never represented as a CVE.
The honest practitioner posture is to run both classes of scanner against Windows endpoints in production. Patch management and configuration auditing are different security disciplines that map to different scanner classes. Skipping either class leaves the other class of finding unaddressed.
The Sherlock Forensics services practice handles ransomware response, breach investigation and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock Universal Events Viewer for timeline reconstruction, and the Sherlock EoP Auditor for privilege escalation surface assessment. Talk to our team about incident response or proactive Windows hardening assessment.
CVE scanning and configuration auditing are different security disciplines. Get on the EoP Auditor early access list for configuration-class privilege escalation testing. Talk to our team about pairing it with MDVM in your Windows hardening program.