| Confirmed compromise | Defender service crash, protection interruption, or platform failure appears on a host with affected platform version. | Platform version, host, timestamped Defender/System event, and service state. | Preserve Defender Operational and System events around the interruption. | Platform is at least 4.18.26040.7 and service-crash audit has no unexplained failures. |
| Presumed exposed | Defender platform is >= 4.18.26030.3011 and < 4.18.26040.7. | Get-MpComputerStatus output or EDR inventory. | Keep the host in scope until fixed platform verification succeeds. | Version verifier returns in_affected_range: false. |
| Potentially exposed | Defender exists but platform version is missing. | Host inventory or scanner row naming Defender or CVE-2026-45498. | Collect Defender platform version. | Host resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
| Not exposed | Defender platform is absent, disabled in a non-exploitable state per MSRC context, or version is at least 4.18.26040.7. | Version output and Defender state. | None for this CVE. | Evidence is attached to the host record. |
| Unknown | Host cannot provide Defender version or event exports. | Gap statement naming missing hosts or telemetry. | Keep high-value Windows hosts in scope. | Evidence is recovered or the risk owner accepts the named gap. |