A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products.
| Property | Value |
|---|---|
| ISM Control | ISM-1699 |
| Revision | 2 |
| Updated | Jun-25 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Scanning for unmitigated vulnerabilities |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
Onboard devices to Microsoft Defender for Endpoint. Review the Defender report under Exposure management > Vulnerabilities weekly to identify and prioritise vulnerabilities across office productivity suites, web browsers and their extensions, email clients, PDF software, and security products, so that remediation can be scheduled in time and risk reduced.
Justification
Office productivity suites, web browsers, email clients, PDF readers, and security products are the primary vector for initial endpoint compromise: over 80% of observed endpoint intrusions exploit vulnerabilities in these categories. Weekly scanning ensures that newly disclosed vulnerabilities in these high-value targets are identified before the 48-hour or two-week patching deadlines, giving the visibility needed to prioritise and schedule remediation in time.
Microsoft Defender Vulnerability Management continuously refreshes its vulnerability database against the Microsoft Threat Intelligence feed, meaning weekly review of the Exposure management → Vulnerabilities report surfaces both newly disclosed CVEs and newly discovered affected devices (newly enrolled or re-imaged devices that may be running older software versions).
Design Decision
> [!NOTE]
> Devices will be onboarded to Microsoft Defender for Endpoint. The Microsoft Defender security portal report under Exposure management > Vulnerabilities will be used to monitor vulnerability exposure.
Prerequisites
- Permissions/Roles
  - Owner permissions (resource group level) to deploy the vulnerability scanner.
  - Security Reader role to view findings.
- Dependencies
  - Microsoft Defender for Endpoint onboarding of devices.
  - Intune connection must be enabled in the Defender portal to use the remediation workflow.
  - Security agent installed on assets to enable vulnerability scanning.
  - Defender for Cloud vulnerability scanning prerequisites:
    - Agent-based vulnerability scanning requires Defender for Servers Plan 1 (P1) or Plan 2 (P2) to be enabled.
    - Agentless vulnerability scanning is available and turned on by default when Defender for Servers Plan 2 or the Defender for Servers CSPM plan is enabled.
Implementation Steps
Onboard devices to Microsoft Defender for Endpoint and view the Vulnerabilities report
- Onboard devices to Microsoft Defender for Endpoint.
- In the Microsoft Defender portal, enable the Intune connection to support remediation workflows:
  - Navigate to Settings > Endpoints > General > Advanced features.
  - Locate the Microsoft Intune connection toggle and turn it On.
- Open the Vulnerability management navigation menu in the Microsoft Defender portal and access the Vulnerabilities report under Exposure management. Review the vulnerabilities identified for onboarded devices.
- To remediate, use the remediation workflow:
  - In Vulnerability management, select a security recommendation and choose Remediation options to fill out the remediation form.
  - Submitting a remediation request creates a remediation activity item and a security task in Intune; monitor progress on the Remediation page and in Intune.
  - The Intune admin selects the security task to view details, then selects Accept to update the status in Intune and in Defender for Endpoint.
  - Remediate according to the guidance provided; remediation guidance may include links that open relevant panes in Intune.
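The weekly review in the steps above can also be driven from an advanced hunting query, which narrows the Vulnerabilities report to the ISM-1699 product categories and flags findings that have passed their patching deadline. The query below is an added example, not code from this page or from Microsoft; it assumes the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB advanced hunting tables as documented in the Defender schema, a constructed software-name pattern, and an assumed deadline rule (48 hours when an exploit is known, otherwise two weeks).

```kusto
// Added example: weekly ISM-1699 triage in Defender XDR advanced hunting.
// Assumes the documented DeviceTvmSoftwareVulnerabilities and
// DeviceTvmSoftwareVulnerabilitiesKB tables; pattern and deadline rule are assumptions.
//
// Constructed, case-insensitive pattern for the ISM-1699 categories: office
// productivity suites, web browsers (and extensions), email clients, PDF
// software and security products. Tune it to the software names in your tenant.
let inScopePattern = @"(?i)(office|libreoffice|chrome|edge|firefox|outlook|thunderbird|acrobat|foxit|defender|antivirus)";
let reviewWindow = 7d;  // the control requires scanning at least weekly
DeviceTvmSoftwareVulnerabilities
| where SoftwareName matches regex inScopePattern
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// The KB row may be missing after a leftouter join, so treat unknown as "no exploit".
| extend ExploitKnown = coalesce(IsExploitAvailable, false)
// Assumed deadline rule: 48 hours when an exploit is known, otherwise two weeks.
// PublishedDate (CVE publication) stands in for the vendor patch release date,
// which the schema does not carry; adjust if you track release dates separately.
| extend PatchDeadline = iff(ExploitKnown, PublishedDate + 48h, PublishedDate + 14d)
| extend IsOverdue = now() > PatchDeadline,
         IsNewThisWeek = PublishedDate > ago(reviewWindow)
| summarize AffectedDevices   = dcount(DeviceId),
            OverdueDevices    = dcountif(DeviceId, IsOverdue),
            ExploitableDevices = dcountif(DeviceId, ExploitKnown),
            NewThisWeekDevices = dcountif(DeviceId, IsNewThisWeek),
            EarliestDeadline  = min(PatchDeadline)
    by CveId, SoftwareVendor, SoftwareName, VulnerabilitySeverityLevel,
       CvssScore, RecommendedSecurityUpdate
// Overdue and exploitable findings first: these are the remediation requests to raise.
| order by OverdueDevices desc, ExploitableDevices desc, CvssScore desc
```

Run it from Advanced hunting in the Defender portal; rows with a non-zero OverdueDevices count are the candidates for the remediation request described in the steps above.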