🛡️ Essential 8 Guide

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.

Summary

Onboard devices to Microsoft Defender for Endpoint and use the Microsoft Defender security portal report under Exposure management > Vulnerabilities to identify missing patches or vulnerabilities in drivers on a fortnightly basis. This cadence enables proactive visibility of driver weaknesses and guides timely remediation to reduce risk.¹

Justification

Drivers run at Ring 0 (kernel privilege) — a driver vulnerability grants an attacker the highest possible system privilege, bypasses all user-mode security controls, can disable AV/EDR agents, and persists across reboots. Unlike application vulnerabilities, driver exploits are used to:

• Disable EDR/AV sensors (bring-your-own-vulnerable-driver / BYOVD attacks) — a technique regularly observed in ransomware campaigns (e.g., BlackByte, RobbinHood).
• Install kernel-mode rootkits that hide presence from OS-level detection.
• Escalate privileges from a standard or low-integrity process to SYSTEM.

Fortnightly scanning ensures that newly disclosed driver CVEs (both vendor-supplied and open-source drivers bundled with hardware) are detected within a window that still allows remediation before the 48-hour or 2-week patching deadline. Microsoft Defender Vulnerability Management surfaces driver-specific CVEs in the Inventories view filtered by component type.

Design Decision

[!NOTE] The onboarding to Microsoft Defender for Endpoint will be performed to onboard devices. The Microsoft Defender security portal report under Exposure management > Vulnerabilities will be used to monitor vulnerabilities.

Prerequisites

• Licensing:
  • If Microsoft Intune is used for implementation, target devices require Microsoft Intune Plan 1 (typically in Microsoft 365 E3+)¹
• Permissions/Roles:
  • Devices must be enrolled in Entra ID and/or hybrid Azure AD joined
  • Desktop devices must be running Windows 10 or later to support onboarding via the Defender for Endpoint profile for Windows
• Dependencies:
  • Devices must be onboarded to Microsoft Defender for Endpoint
  • If remediation workflow is used, enable the Microsoft Intune connection in the Defender portal to allow creating Intune security tasks

Implementation Steps

Onboard devices to Microsoft Defender for Endpoint

1. Create a new Windows Configuration Profile with a type of Template > Microsoft Defender for Endpoint (desktop devices running Windows 10 or later).¹
2. Set Expedite telemetry reporting frequency to Enable.¹
3. Assign the profile to a group containing all applicable Windows devices.¹

Review vulnerabilities in Defender for Endpoint portal

1. After onboarding, open the Microsoft Security Portal and navigate to Vulnerability Management > Inventories to view software products identified across endpoints onboarded to Defender for Endpoint.¹
2. To inspect details for a specific device, go to the Device Inventory page, select the device, and view the Software inventory flyout for information such as installed software, CVEs, and remediation guidance.¹

Additional related information

• ASD Blueprint for Patch operating systems outlines essential eight controls for patch management and Defender for Endpoint onboarding ASD Blueprint: Patch operating systems

• Microsoft Defender Vulnerability Management provides asset visibility, vulnerability assessments, and built-in remediation workflows across devices Microsoft Defender Vulnerability Management

• Defender for Cloud vulnerability scanning enables continuous assessment of machines, containers, and databases for vulnerabilities Enable vulnerability scanning

• Integrated vulnerability scanning in Defender for Cloud uses a built-in VM scanner to identify weaknesses and support remediation planning Deploy integrated vulnerability scanner

• The Windows Virtual Machines security baseline PV-5 highlights vulnerability assessments and Defender for Cloud embedded capabilities for VM scanning Azure security baseline for Virtual Machines - Windows Virtual Machines