Why RMM Scanners and Windows Defender Will Fail Your Cyber Essentials Plus Assessment

Your IT provider tells you the estate is clean. Their RMM (Remote Monitoring and Management) dashboard shows green ticks across the board and Windows Defender reports no threats. Then the CE Plus assessment starts, and the credentialed vulnerability scan finds CVSS 9.0+ findings that none of those tools ever reported.
I've seen this play out dozens of times. Organisations arrive at their CE Plus assessment genuinely believing they're ready because their managed service provider ran a scan and said everything looked fine. The problem isn't that the provider lied. It's that they used tools that aren't designed for what CE Plus actually tests.
Which tools don't qualify for CE Plus?
The CE Plus internal vulnerability scan must use a Cyber Essentials authorised vulnerability scanner approved by NCSC. That requirement rules out a long list of tools that organisations commonly rely on:
- Microsoft Defender / Windows Security (including Microsoft Defender Vulnerability Management)
- Sophos built-in scanner
- ConnectWise RMM scanning
- Datto RMM scanning
- NinjaOne (NinjaRMM) built-in vulnerability scanning
- Any antivirus "vulnerability scan" feature
These tools serve a purpose, but that purpose is not CE Plus assessment scanning.
If your IT provider's idea of a vulnerability scan is running their RMM tool's built-in check or pointing to the Defender dashboard, you don't have the right scan for this assessment. The assessor will not accept the output, and you will be starting the scanning process from scratch on assessment day.
What does a credentialed vulnerability scan actually do?
This is where the gap becomes clear, because it explains why the results differ so much between an RMM scan and an approved vulnerability scanner.
A credentialed vulnerability scan using an NCSC-approved scanner logs into each device with administrative credentials. It doesn't just check whether updates are installed or whether the antivirus is running. It enumerates every piece of software on the machine, checks each version against a full vulnerability database, and produces a list of CVEs with CVSS v3 scores.
That last part matters because the scanner produces specific CVE identifiers with specific severity scores for every finding. A CVSS 7.0+ finding that hasn't been patched within 14 days of the fix being available is an automatic fail under the Danzell question set.
What RMM scanners and Defender actually check
RMM tools are built for device management, and they're good at confirming whether Windows Update has run, whether the antivirus definitions are current, and whether the device is online and responding. Some offer a "vulnerability scan" feature that checks for missing Windows patches or flags known issues.
What they don't do is perform the kind of deep, credentialed application-level audit that a proper vulnerability scanner runs. They typically miss:
Third-party application vulnerabilities. Java, Adobe Acrobat, Zoom, 7-Zip, Notepad++, VLC, and dozens of others. Windows Update doesn't touch these. Your RMM tool might flag that Adobe is outdated, or it might not. An approved vulnerability scanner will find every vulnerable version of every application installed on the device, cross-reference it against published CVEs, and assign a CVSS score.
Firmware and driver vulnerabilities. BIOS, UEFI, network adapter firmware, and storage controller drivers with known CVEs. These don't show up in Windows Update or in your RMM dashboard.
Service and configuration weaknesses. Open ports running vulnerable services, insecure protocol versions, weak cipher suites, and misconfigured local services. An RMM tool confirms that services are running; a vulnerability scanner tells you whether those services have published vulnerabilities and exploits.
Depth of CVE coverage. Approved scanners maintain vulnerability databases with tens of thousands of checks that are updated daily. The coverage difference between these databases and what an RMM tool's "vulnerability check" covers is significant. I've seen devices that showed clean on the RMM dashboard come back with 30+ findings from a credentialed scan, including multiple CVSS 9.0+ results.
Why Windows Defender specifically doesn't count
Windows Defender is an antivirus product that is good at detecting malware signatures, blocking known threats in real time, and providing endpoint protection. Microsoft has added vulnerability management features to the Defender family over the past few years, and some of them are genuinely useful for ongoing security monitoring.
None of that changes the fact that Defender is not on the NCSC-approved list of Cyber Essentials authorised vulnerability scanners. The assessment specification requires a scanner from that list. Defender does not produce the type of vulnerability report the assessor needs. It does not perform the same depth of credentialed scanning, and it does not output CVE-level findings with CVSS v3 scores in the format the assessment process demands.
I'm not saying Defender is a bad product, but it is the wrong tool for this specific job.
What happens when the gap shows up during an assessment?
This is the scenario that catches organisations off guard. You've been told your estate is clean because your IT provider ran their scans and gave you the green light. Then the assessor runs the credentialed scan and the results tell a different story.
Under Danzell, the consequences of a failed first scan are more significant than they used to be. If the scan finds unpatched vulnerabilities rated CVSS 7.0 or above that are older than 14 days, the assessor takes a second random sample of the same size. You get a maximum of three days' notice before that second scan. Both samples sit under a single 30-day remediation window, and the second sample doesn't restart the clock.
The full process is covered in the second sample rule guide, but the point is this: arriving at an assessment without having run the right kind of scan beforehand turns a straightforward process into a remediation exercise with a hard deadline.
The organisations that fail are typically not the ones with fundamentally insecure environments. They're the ones who relied on the wrong scanning tools and genuinely didn't know what was lurking on their devices. An unpatched version of Adobe Reader from six months ago, a Java installation that nobody realised was still there, a printer management utility with a CVSS 8.0 vulnerability. These are the findings that turn a same-day pass into a 30-day remediation cycle.
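As an added illustration that is not part of the original article, the following Python applies the two Danzell rules described above (a CVSS v3 7.0+ finding whose fix is older than 14 days is an automatic fail, and both samples share one 30-day window) to a constructed set of scan findings. Hostnames, products, dates and CVE identifiers are placeholders, not real findings.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated in the article for the Danzell question set.
CVSS_FAIL_THRESHOLD = 7.0      # CVSS v3 score at or above this counts
PATCH_WINDOW_DAYS = 14         # fix older than this => automatic fail
REMEDIATION_WINDOW_DAYS = 30   # one window for both samples, not restarted


@dataclass(frozen=True)
class Finding:
    host: str
    product: str          # third-party apps are where RMM checks go blind
    cve: str              # placeholder ids, not real CVE numbers
    cvss_v3: float
    fix_available: str    # ISO date the vendor fix was published


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def is_automatic_fail(f: Finding, scan_date) -> bool:
    """True if this single finding fails the CE Plus internal scan."""
    age_days = (_as_date(scan_date) - _as_date(f.fix_available)).days
    return f.cvss_v3 >= CVSS_FAIL_THRESHOLD and age_days > PATCH_WINDOW_DAYS


def triage(findings, scan_date):
    """Split findings into (fails, warnings).

    Warnings are 7.0+ findings still inside the 14-day window: not a fail
    on this scan date, but they become one if left unpatched."""
    fails = [f for f in findings if is_automatic_fail(f, scan_date)]
    warnings = [f for f in findings
                if f.cvss_v3 >= CVSS_FAIL_THRESHOLD and f not in fails]
    return fails, warnings


def remediation_deadline(first_failed_scan) -> date:
    """End of the single 30-day window that starts at the first failed scan."""
    return _as_date(first_failed_scan) + timedelta(days=REMEDIATION_WINDOW_DAYS)


# Constructed sample: the kind of third-party findings a credentialed scan
# surfaces on a device an RMM dashboard showed as clean.
SAMPLE = [
    Finding("LAPTOP-01", "Adobe Reader", "CVE-0000-0001", 9.1, "2025-09-01"),
    Finding("LAPTOP-01", "Java 8 runtime", "CVE-0000-0002", 7.5, "2025-11-25"),
    Finding("DESKTOP-07", "7-Zip", "CVE-0000-0003", 5.3, "2025-08-15"),
]

if __name__ == "__main__":
    fails, warns = triage(SAMPLE, "2025-12-01")
    for f in fails:
        print(f"FAIL  {f.host} {f.product} {f.cve} CVSS {f.cvss_v3}")
    for f in warns:
        print(f"WARN  {f.host} {f.product} {f.cve} (inside 14-day window)")
    print("Remediation deadline if this scan fails:",
          remediation_deadline("2025-12-01"))
```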
Why does your IT provider use the wrong tools?
This isn't about competence. Most IT providers know their RMM tools well and use them effectively for what they're designed to do: managing devices, deploying patches, monitoring health. The problem is that "vulnerability scanning" means something very different in the context of a CE Plus assessment than it does in the context of day-to-day IT management.
When your IT provider says "we ran a vulnerability scan and everything is clean," they almost certainly ran their RMM tool's built-in check. They may have run a Defender scan. They reported what those tools found, which is a partial picture, and they weren't trying to mislead you. They were using the tools they have to answer the question you asked.
The gap is that nobody told them CE Plus requires a specific type of scanner from a specific approved list, performing a specific type of credentialed scan. Or if someone did tell them, they assumed their existing tools were close enough, and they are not.
Your IT provider telling you the estate is clean using their RMM tool means nothing for CE Plus. I've seen organisations told they're ready, then fail because the proper credentialed scan found CVSS 9.0+ vulnerabilities the RMM never reported.
How to get this right before your assessment
The fix is straightforward: run the right scan before the assessment, not during it.
Use an NCSC-approved scanner. The assessment requires a Cyber Essentials authorised vulnerability scanner approved by NCSC. Run one against your estate before the assessor arrives. Fix what it finds and run it again to confirm the fixes. Do this at least two weeks before the assessment so you have time to deal with anything unexpected (based on findings from the internal threshold audit).
Scan with credentials. The scan must be credentialed, meaning the scanner logs in with admin-level access to each device. An unauthenticated scan from across the network will miss most of what a credentialed scan finds. If your pre-assessment scan isn't credentialed, you'll get a false sense of security that's almost as misleading as the RMM output.
Cover everything, not just Windows. The scanner will check every application on every device. Make sure your patching process covers third-party software (Adobe, Java, browsers, Zoom, and everything else that Windows Update doesn't handle). If you don't have a process for third-party patching, now is the time to set one up. The 14-day patching guide covers the requirement in detail.
Don't assume your IT provider has done this. Ask them specifically: "Have you run a scan using a Cyber Essentials authorised vulnerability scanner approved by NCSC?" If the answer involves their RMM dashboard or Defender, you don't have the right scan yet.
What if you want this handled for you?
Our CE Plus Pre-Assessment service runs the correct credentialed scan against your estate before the formal assessment, identifies everything that would cause a failure, and gives you a clear list of what to fix. You fix it (or your IT provider does), we confirm the fixes are in place, and then we run the actual assessment.
Cyber 365 takes this further with ongoing credentialed scanning between assessments. Instead of running one scan a year and hoping for the best, you get continuous visibility into your vulnerability position. When your next CE Plus assessment comes around, the scan is a confirmation exercise rather than a surprise. Or bundle everything with CE+ Assured for continuous scanning, patching, and annual CE Basic + CE Plus certifications in one monthly subscription.
RMM and AV scanning, including Windows Defender scans, NinjaRMM, and similar tools, will not find all vulnerabilities and are not approved for CE Plus scans. It must be a scanner on the NCSC-approved list. If you're not sure whether your current scanning meets the requirement, get in touch and we'll tell you straight.
Related articles
- Danzell Changes to Cyber Essentials: 2026 Guide
- First Time Pass Guide for CE Plus Under Danzell
- CE Plus Second Sample Rule Explained
- 14-Day Patching: What the Requirement Actually Means
- CE Plus Pre-Assessment Service
- Cyber 365: Continuous Compliance