News

Microsoft Defender Vulnerability Management Now Includes Firmware Security Advisories

Firmware security advisories from Dell, HP and Lenovo now get referenced within Microsoft's product.

• By Kurt Mackie
• 07/26/2023

Microsoft announced on Wednesday that firmware security advisories are now available within the Microsoft Defender Vulnerability Management service.

Currently, though, Microsoft's service just has support for collecting firmware security advisories from three vendors, namely Dell, HP and Lenovo. Last year, Microsoft had announced that Microsoft Defender Vulnerability Management had the ability to assess the firmware security of client devices, which was at the preview stage back then.

What's new in Microsoft's Wednesday announcement is that users of the Microsoft Defender Vulnerability Management service can now access the vendor firmware security advisories themselves within Microsoft's tool, instead of hunting for them.

Firmware Security Advisories in Microsoft's Tool
Microsoft Defender Vulnerability Management continuously monitors for vendor firmware security advisories based on "details from manufacturer websites and inventories, as well as on third-party security websites." The advisories that get shown are "validated against the organization inventory."

Users of Microsoft Defender Vulnerability Management may get update instructions to address the firmware vulnerabilities, or steps to "mitigate" the issue. Microsoft also provides dashboard information about "Exposed Devices, Associated CVEs and Related Firmware."

The severity ranking for the firmware security advisories comes from the vendor (Dell, HP or Lenovo), not from Microsoft.

Is It Released at General Availability?
Microsoft didn't explain whether the new feature to get firmware security advisories in the Microsoft Defender Vulnerability Management service was at the "general availability" (GA) commercial-release stage, or if it was at the preview stage.

The release status of the Microsoft Defender Vulnerability Management service itself may, or may not, be at the preview stage. The add-on license for Microsoft Defender for Endpoint Plan 2 customers, which adds Microsoft Defender Vulnerability Management at a cost of $2 per user per month, reached the GA stage in "March 2023," according to this Microsoft 365 Roadmap entry.

Yet to come will be a "standalone product" version of Microsoft Defender Vulnerability Management, which is expected to be priced at $3 per users per month. The standalone product currently is just available for trial, as explained in this Microsoft document. It also indicated that Microsoft Defender Vulnerability Management is not currently available to U.S. government and Microsoft Defender for Business customers.

Microsoft declared Microsoft Defender Vulnerability Management to be at the preview stage last year, and so far has not publicly stated that it reached the GA stage, to my knowledge. However, its availability as an add-on product at the GA stage to Microsoft Defender for Endpoint Plan 2 customers maybe suggests it did reach GA release status.

Many of the coming standalone product's capabilities are already available via Microsoft Defender for Endpoint Plan 2 licensing, which accounts for the $2 Add-On price vs. the $3 standalone price, according to Microsoft.