A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
| Property | Value |
| --- | --- |
| ISM Control | ISM-1702 |
| Revision | 2 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Scanning for unmitigated vulnerabilities |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
ISM-1702 requires a vulnerability scanner to run at least fortnightly to identify missing patches for operating systems on workstations, non-internet-facing servers, and non-internet-facing network devices. Onboard devices to Defender for Endpoint and use Microsoft Defender Vulnerability Management to continuously monitor and identify vulnerabilities across the environment for remediation.
Justification
Fortnightly scanning ensures that:
- Newly disclosed OS CVEs are detected before the one-month patch deadline, providing sufficient lead time for testing and deployment.
- Newly enrolled or re-imaged devices running older OS images are discovered immediately; devices entering maintenance or returning from storage may miss patches applied to actively managed devices.
- OS-layer vulnerabilities are the highest-impact attack surface for internal lateral movement. Once an attacker establishes a foothold, unpatched internal OS vulnerabilities (privilege escalation, remote code execution on internal nodes) are the primary path to domain compromise and ransomware deployment.
Microsoft Defender Vulnerability Management provides continuous, automated scanning, with its vulnerability database updated daily from Microsoft threat intelligence, which exceeds the fortnightly minimum required by the control.
Design Decision
> [!NOTE]
> The vulnerability scanning implementation will onboard devices to Microsoft Defender for Endpoint. The Microsoft Defender security portal report under Exposure management > Vulnerabilities will be used to monitor and manage identified vulnerabilities.
Prerequisites
- Dependencies:
  - Devices must be onboarded to Microsoft Defender for Endpoint.
  - Microsoft Defender Vulnerability Management should be available for continuous risk monitoring, which requires devices to be onboarded to Defender for Endpoint.
  - If Defender for Cloud vulnerability scanning is used, enable vulnerability assessment for machines in Defender for Cloud and configure Defender Vulnerability Management.
Implementation Steps
Onboard devices to Microsoft Defender for Endpoint and review vulnerabilities in Defender portal
- Create a new Windows configuration profile of profile type Templates, using the Microsoft Defender for Endpoint (desktop devices running Windows 10 or later) template.
- Set Expedite telemetry reporting frequency to Enable.
- Assign the profile to a group containing all applicable Windows devices.
- Confirm devices are onboarded to Microsoft Defender for Endpoint and that Microsoft Defender Vulnerability Management will continuously monitor risk across devices.
- Open the Microsoft Defender portal and navigate to Vulnerability Management > Inventories to view software products identified across endpoints onboarded to Defender for Endpoint, including vendor name, weaknesses found, threats, and exposed devices.
- (Optional) Initiate remediation using the Defender and Intune workflow:
  - Enable the Microsoft Intune connection in the Defender portal: Settings > Endpoints > General > Advanced features > turn on the Microsoft Intune connection.
  - In the Defender portal, go to Vulnerability Management > Recommendations; select a security recommendation and choose Remediation options; fill out the form with what you are requesting remediation for, applicable device groups, priority, due date, and optional notes.
  - Submit the remediation request to create a remediation activity item in Defender Vulnerability Management and a remediation ticket in Intune; remediation actions are tracked but changes are not applied to devices automatically.
Note: Onboarded devices and vulnerability data are accessed through the Defender security portal as part of exposure management and ongoing risk monitoring.
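As an added example (not part of the ISM-1702 text or of Microsoft's documentation), the following Advanced hunting query for the Defender portal lists missing OS security updates on onboarded, non-internet-facing devices and flags any device whose last report is older than the fortnightly window, so that gaps in the evidence for this control are visible alongside the findings. It assumes the DeviceInfo, DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB schemas as currently documented (in particular the DeviceInfo.IsInternetFacing column), and that Defender Vulnerability Management reports the operating system as a microsoft product named windows_* (for example windows_10, windows_server_2019).

```kql
// Added example, not from the ISM text: OS-layer findings on non-internet-facing devices
// with a stale-report flag for the 14-day scanning cadence required by ISM-1702.
let Window = 14d;
// Latest report per onboarded device; IsInternetFacing/MachineGroup are assumed to be in DeviceInfo
let Devices = DeviceInfo
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, IsInternetFacing, MachineGroup) by DeviceId
    | where IsInternetFacing == false                // control scope: non-internet-facing only
    | project DeviceId, MachineGroup, LastReport = Timestamp
    | extend StaleReport = LastReport < ago(Window); // no report inside the fortnightly window
// Per-CVE context (severity score, public exploit availability, disclosure date)
let Kb = DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate;
DeviceTvmSoftwareVulnerabilities
// OS-layer vulnerabilities only (assumption: OS is reported as microsoft "windows_*")
| where SoftwareVendor == "microsoft" and SoftwareName startswith "windows_"
| join kind=inner Devices on DeviceId
| join kind=leftouter Kb on CveId
| summarize
    MissingCves    = dcount(CveId),
    ExploitableCves = dcountif(CveId, IsExploitAvailable == true),
    CriticalCves   = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    OldestDisclosure = min(PublishedDate),
    MissingUpdates = make_set(RecommendedSecurityUpdate, 20)
    by DeviceName, OSPlatform, OSVersion, MachineGroup, LastReport, StaleReport
// Devices that have fallen out of the scanning window sort first, then by exploitability
| order by StaleReport desc, ExploitableCves desc, MissingCves desc
```

A non-empty StaleReport == true set means those devices have no telemetry inside the fortnightly window and should be checked for onboarding or connectivity problems before the scan result is relied on as evidence.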
References
- Microsoft Defender Vulnerability Management: provides integrated vulnerability assessment, asset visibility, and remediation workflows within the Defender portal.
- Defender for Cloud vulnerability assessment: Defender for Cloud's integrated vulnerability assessment offers VM, container and SQL vulnerability scanning to identify weaknesses across resources.
- EPSS: EPSS prioritization helps focus remediation by probability of exploit within vulnerability management workflows.
- Microsoft Security Exposure Management: helps identify attack paths and prioritizes remediation based on asset criticality.