| Confirmed compromise | Host telemetry shows local privilege escalation or SYSTEM-level follow-on activity on a host with affected Defender engine version. | Engine version, host, event timestamp, local user context, and privilege-change evidence. | Preserve Security, System, Defender Operational, process, service, and task telemetry. | Engine is at least 1.1.26040.8 and downstream local-privilege audit has no unexplained events. |
| Presumed exposed | Defender engine is >= 1.1.26030.3008 and < 1.1.26040.8. | Get-MpComputerStatus output or EDR inventory. | Keep the host in scope until fixed engine verification succeeds. | Version verifier returns in_affected_range: false. |
| Potentially exposed | Microsoft Defender is present but engine version is missing. | Host inventory or scanner row naming Defender or CVE-2026-41091. | Collect Defender engine version. | Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
| Not exposed | Defender engine is absent, disabled in a non-exploitable state per MSRC context, or version is at least 1.1.26040.8. | Version output and Defender state. | None for this CVE. | Evidence is attached to the host record. |
| Unknown | Host cannot provide Defender version or relevant Windows event exports. | Gap statement naming missing hosts or telemetry. | Keep high-value Windows hosts in scope. | Evidence is recovered or the risk owner accepts the named gap. |