A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
| Property | Value |
|---|---|
| ISM Control | ISM-1808 |
| Revision | 0 |
| Updated | Dec-22 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Scanning for unmitigated vulnerabilities |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
Onboard devices to Microsoft Defender for Endpoint to enable vulnerability scanning with an up-to-date vulnerability database[^1]. Then use the Microsoft Defender Vulnerability Management report in the Defender portal, within Exposure management > Vulnerabilities, to view and prioritize vulnerabilities for remediation[^2].
Justification
A vulnerability scanner is only as effective as its database. An out-of-date database produces false assurance: scans complete without findings while newly disclosed CVEs go undetected because the scanner has no signature for them.
Microsoft Defender Vulnerability Management maintains its vulnerability database via the Microsoft Threat Intelligence (TI) feed, which receives updates multiple times daily. This means:
- Same-day coverage for CVEs disclosed in Microsoft's monthly Patch Tuesday release (second Tuesday of each month).
- Rapid coverage for zero-day disclosures via the Microsoft Security Response Center (MSRC) advisory process, typically within hours of public disclosure.
- Cross-vendor coverage for third-party software (Chrome, Firefox, Adobe, Java, etc.) through partnerships with NVD and vendor security advisories.
Organisations using a different scanner must verify that their scanner vendor maintains an equivalent database update frequency and provides signatures for the Microsoft and third-party software products present in the environment.
[^1]: Essential Eight patch operating systems (https://learn.microsoft.com/en-us/compliance/anz/e8-patch-os)
[^2]: Essential Eight patch applications
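The Vulnerabilities report in the Defender portal is built from the same data that the Defender for Endpoint Advanced Hunting API exposes. As an added example (not code from the Microsoft page), the following PowerShell pulls a per-device count of unmitigated Critical and High CVEs, flags devices that carry a CVE with a known exploit, and marks devices whose sensor has not reported recently, since those are the ones whose results may predate the latest database update. It assumes `$Token` holds an OAuth2 bearer token for `api.securitycenter.microsoft.com` with the AdvancedQuery.Read.All permission; the function name and the 7-day staleness threshold are this example's own choices.

```powershell
# Added example, not from the Microsoft page.
# Assumption: $Token is a bearer token for https://api.securitycenter.microsoft.com
# carrying AdvancedQuery.Read.All (application) or AdvancedQuery.Read (delegated).

function Get-UnmitigatedVulnerabilitySummary {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [int] $StaleDays = 7   # example threshold: no sensor report in this many days = stale
    )

    # KQL over the Defender Vulnerability Management tables.
    # DeviceTvmSoftwareVulnerabilities lists each (device, software, CVE) still present,
    # i.e. unmitigated; DeviceTvmSoftwareVulnerabilitiesKB is the knowledge-base entry
    # for each CVE, including whether a public exploit is known.
    $kql = @"
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| summarize
    Cves            = dcount(CveId),
    ExploitableCves = dcountif(CveId, IsExploitAvailable == true),
    OldestCve       = min(PublishedDate)
  by DeviceId, DeviceName
| join kind=leftouter (
    DeviceInfo
    | summarize LastSeen = max(Timestamp) by DeviceId
  ) on DeviceId
| project DeviceName, Cves, ExploitableCves, OldestCve, LastSeen
| order by ExploitableCves desc, Cves desc
"@

    $body = @{ Query = $kql } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' } `
        -Body $body

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($row in $resp.Results) {
        $lastSeen = if ($row.LastSeen) { [datetime]$row.LastSeen } else { $null }
        [pscustomobject]@{
            DeviceName      = $row.DeviceName
            Cves            = [int]$row.Cves
            ExploitableCves = [int]$row.ExploitableCves
            OldestCve       = $row.OldestCve
            LastSeen        = $lastSeen
            # A device that has not reported recently may still be carrying CVEs that
            # the current database knows about but the device has not been assessed for.
            StaleData       = ($null -eq $lastSeen) -or ($lastSeen -lt $cutoff)
        }
    }
}

# Usage:
#   Get-UnmitigatedVulnerabilitySummary -Token $Token | Format-Table -AutoSize
```

Sort the output by `ExploitableCves` first: a device with one exploitable Critical CVE is a more urgent remediation target than one with many non-exploitable Highs, and a `StaleData` row means the number shown is a lower bound, not a clean result.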
Design Decision
> [!NOTE]
> The Microsoft Defender for Endpoint onboarding will be implemented for devices. The Microsoft Defender security portal report under Exposure management > Vulnerabilities will be used to monitor vulnerabilities.
Prerequisites
- Licensing:
- Microsoft Defender Vulnerability Management (standalone) or Microsoft Defender for Endpoint Plan 2, which is also included in Microsoft 365 E5.
- Permissions/Roles:
- Access to the Defender portal requires membership in the Security Reader built-in role in Microsoft Entra ID (or a role with equivalent Defender portal access).
- Dependencies:
- Devices must be onboarded to Defender for Endpoint to use Defender Vulnerability Management features; vulnerability data is collected by the Defender for Endpoint sensor, so a device that is not onboarded is not assessed. Running Microsoft Defender Antivirus in passive mode (where a non-Microsoft antivirus is primary) does not remove this requirement, and passive mode is distinct from EDR in block mode.
Implementation Steps
Onboard endpoints into Microsoft Defender for Endpoint
- In Microsoft Intune, create a new Windows Configuration Profile with a type of Template > Microsoft Defender for Endpoint (desktop devices running Windows 10 or later).[^1][^2]
- Set Expedite telemetry reporting frequency to Enable.[^1][^2]
- Assign the profile to a group containing all applicable Windows devices.[^1][^2]
- Onboarding and telemetry guidance for Defender for Endpoint is described in Essential Eight patch operating systems.
- Defender Vulnerability Management capabilities, including software inventory, remediation guidance and vulnerability discovery, are described in Essential Eight patch applications.
- Defender for Cloud vulnerability scanning, enabled and integrated with Defender Vulnerability Management to provide unified cloud and device vulnerability visibility, is described in Enable vulnerability scanning.
- Configuring vulnerability scanning for machines in Defender for Cloud, including agent-based and agentless options, is covered in Configure vulnerability scanning for machines.
- Posture and Vulnerability Management guidance for comprehensive vulnerability assessments across cloud resources is described in Posture and Vulnerability Management.
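Assigning the profile does not by itself prove a device is being assessed. To confirm on a device that onboarding took effect and that the sensor is reporting, the following PowerShell (an added example, not code from the Microsoft page) reads the Defender for Endpoint status registry key, the Sense service state and the antivirus running mode; it also exposes the passive-mode versus block-mode distinction from the prerequisites. Run it elevated. The function name is this example's own, and the `LastConnected` value is assumed to be a FILETIME stored in the same key.

```powershell
# Added example, not from the Microsoft page. Run in an elevated session.

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # OnboardingState is written when the onboarding profile/package applies: 1 = onboarded.
    $onboarded = ($null -ne $status) -and ($status.OnboardingState -eq 1)

    # The Sense service is the Defender for Endpoint EDR sensor; it is what sends the
    # software inventory that Defender Vulnerability Management assesses.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseRunning = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    # Defender Antivirus mode: 'Normal', 'Passive Mode' (non-Microsoft AV is primary),
    # 'EDR Block Mode' or 'Not running'. Passive mode is fine for vulnerability
    # management as long as the device is onboarded; it is not block mode.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avMode = if ($mp) { $mp.AMRunningMode } else { 'Unknown' }

    # Assumption: LastConnected under the Status key is a FILETIME of the last
    # successful sensor check-in.
    $lastConnected = if ($status -and $status.LastConnected) {
        [datetime]::FromFileTime([int64]$status.LastConnected)
    } else { $null }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Onboarded     = $onboarded
        OrgId         = if ($status) { $status.OrgId } else { $null }
        SenseRunning  = $senseRunning
        AVRunningMode = $avMode
        LastConnected = $lastConnected
        # Ready means the device will appear in the Vulnerabilities report.
        Ready         = $onboarded -and $senseRunning
    }
}

Test-MdeOnboarding | Format-List
```

A device that shows `Onboarded = True` but `SenseRunning = False` has received the profile but is not reporting; check the service before assuming its absence from the Vulnerabilities report means it is clean. `OrgId` should match the tenant the Defender portal is opened against, which catches devices onboarded to the wrong tenant.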