Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings
| Property | Value |
|---|---|
| ISM Control | ISM-1900 |
| Revision | 0 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | System patching |
| Topic | Scanning for unmitigated vulnerabilities |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for firmware vulnerabilities [1]. Onboard devices to Microsoft Defender for Endpoint and use the Defender Vulnerability Management view in the Defender portal under Exposure management > Vulnerability management > Vulnerabilities to monitor and remediate exposures [2].
Firmware vulnerabilities are distinctly dangerous because the affected code runs below the operating system, in the UEFI/BIOS layer, the Baseboard Management Controller (BMC), or device firmware. Unlike OS-level malware, firmware-resident implants (e.g., MosaicRegressor, CosmicStrand, the FinFisher UEFI bootkit) survive OS reinstallation and hard drive replacement and can bypass Secure Boot, providing persistent access that is extremely difficult to detect or remove.
Fortnightly firmware vulnerability scanning via Defender Vulnerability Management ensures the organisation maintains visibility over firmware exposure across its device fleet. The Hardware and Firmware Assessment feature provides per-device BIOS version inventory, manufacturer advisories, and CVE-to-firmware mappings — enabling prioritised remediation without manual inventory.
Firmware patching is operationally slower than OS patching (requires scheduled maintenance windows, BIOS vendor portals, or Windows Update for Business Drivers for eligible OEMs). The fortnightly scanning cadence provides lead time to plan and execute firmware updates within the ISM-required remediation windows.
| Firmware component | Threat example | Defender VM coverage |
|---|---|---|
| UEFI/BIOS | CosmicStrand bootkit, MosaicRegressor | BIOS version CVE mapping |
| BMC (iDRAC, iLO, IPMI) | Pantsdown (CVE-2019-6260) | Hardware inventory + CVE |
| NIC firmware | Bloodhound (Broadcom NIC RCE) | Device firmware assessment |
| SSD/storage controller | SSD firmware CVEs (Samsung, WD) | Hardware assessment |
> [!NOTE]
> Devices must first be onboarded to Microsoft Defender for Endpoint; the vulnerability report is then read from the Microsoft Defender portal under Exposure management > Vulnerabilities.
Onboard Windows devices to Microsoft Defender for Endpoint via Intune (Endpoint Security > Microsoft Defender for Endpoint > Onboard) or via the MDE onboarding package for servers. Verify onboarding status in the Defender portal under Assets > Devices [2].
In the Microsoft Defender portal, navigate to Exposure management > Vulnerability management > Vulnerabilities. Use the filter options to display vulnerabilities by component type. Select Firmware, or filter by software category, to view firmware-related CVEs across the device fleet [2].
Navigate to Vulnerability management > Inventories > Hardware and firmware to view a per-device inventory of system models, processors, and BIOS versions. Review the BIOS version column against the latest manufacturer firmware releases to identify outdated firmware [2].
For devices managed via Windows Update for Business Drivers (eligible OEM devices), firmware and driver updates are surfaced automatically in the WUfB Drivers policy in Intune (Devices > Windows updates > Driver updates). Approve and deploy critical firmware updates from this view.
Set a fortnightly review cadence in the Defender portal. Use Exposure management > Exposure score and Vulnerability management > Remediation to track remediation progress and generate compliance reports for IRAP or audit evidence.
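The BIOS version review in the steps above can be automated with an advanced hunting query in the Defender portal. The query below is an added example, not part of the original guidance or of Microsoft's documentation; it assumes the DeviceTvmHardwareFirmware and DeviceTvmSoftwareVulnerabilities tables with the column names Microsoft documents for them, and the "bios/firmware/uefi" software-name filter is a heuristic that should be adjusted to how your vendors' firmware appears in the inventory.

```kql
// Added example (not from the original page). Assumes the Defender XDR advanced hunting
// tables DeviceTvmHardwareFirmware and DeviceTvmSoftwareVulnerabilities with the column
// names Microsoft documents; the "bios/firmware/uefi" name filter is a heuristic.
let Bios =
    DeviceTvmHardwareFirmware
    | where ComponentType =~ "Bios"
    // parse_version() gives a comparable ordinal; unparseable versions become null and drop out
    | extend BiosOrdinal = parse_version(ComponentVersion)
    | project DeviceId, DeviceName, Manufacturer, BiosVersion = ComponentVersion, BiosOrdinal;
let Models =
    DeviceTvmHardwareFirmware
    | where ComponentType =~ "SystemModel"
    | project DeviceId, SystemModel = ComponentName;
// Newest BIOS version observed in the fleet for each manufacturer/model pair.
// This surfaces drift inside the fleet; it does not replace checking the vendor advisory.
let FleetNewest =
    Bios
    | join kind=inner Models on DeviceId
    | summarize arg_max(BiosOrdinal, BiosVersion) by Manufacturer, SystemModel
    | project Manufacturer, SystemModel, NewestBiosInFleet = BiosVersion;
// Firmware-related CVEs that Defender VM has already attributed to each device.
let FirmwareCves =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareName has_any ("bios", "firmware", "uefi")
    | summarize FirmwareCveCount = dcount(CveId),
                CriticalOrHigh = dcountif(CveId, VulnerabilitySeverityLevel in ("Critical", "High")),
                CveIds = make_set(CveId, 20) by DeviceId;
// Devices whose BIOS is older than the newest one seen for the same model, with their CVEs.
Bios
| join kind=inner Models on DeviceId
| join kind=inner FleetNewest on Manufacturer, SystemModel
| where BiosOrdinal < parse_version(NewestBiosInFleet)
| join kind=leftouter FirmwareCves on DeviceId
| project DeviceName, Manufacturer, SystemModel, BiosVersion, NewestBiosInFleet,
          FirmwareCveCount = coalesce(FirmwareCveCount, 0),
          CriticalOrHigh = coalesce(CriticalOrHigh, 0), CveIds
| order by CriticalOrHigh desc, FirmwareCveCount desc, DeviceName asc
```

Schedule the query as a fortnightly custom detection or export its result set as the evidence record for the review cadence described above.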
References:
- Hardware and firmware assessment: provides per-device inventories for system models, processors, and BIOS to identify firmware weaknesses and upgrade needs.
- What is Microsoft Defender Vulnerability Management: Microsoft Defender Vulnerability Management provides a unified vulnerability management experience inside the Defender portal, including overview, inventories, remediation, and how it ties to Security Exposure Management.
- Network device discovery and vulnerability management: guides the setup of authenticated network device scanning in the Defender portal to monitor risk across network devices.
- Enable vulnerability scanning: enable vulnerability scanning for Defender for Cloud and Defender Vulnerability Management by turning on vulnerability assessment for machines and configuring the solution.