News

Microsoft Defender Vulnerability Management Preview Can Now Check for Firmware Vulnerabilities

• By Kurt Mackie
• 11/28/2022

The Microsoft Defender Vulnerability Management service can now assess the firmware security of client devices, a new capability that's available at the public preview stage, per a Monday announcement.

Microsoft Defender Vulnerability Management is itself currently at the public preview stage, as announced back in May. It offers various asset and inventory tools, assessment tools, along with prioritization and remediation solutions for Android, iOS, Linux, macOS, Windows and network devices.

Microsoft has been adding various capabilities to the Microsoft Defender Vulnerability Management preview. In June, it added the ability to report when software lacks fixes for common vulnerability and exposures. Now, it can also report on similar lapses in firmware.

This so-called "hardware and firmware assessment" capability in Microsoft Defender Vulnerability Management preview will show the following information, per this Microsoft document:

• A list of hardware and firmware in devices across an organization
• An inventory of the systems, processors and BIOS used, and
• The number of weaknesses and exposed devices, plus "threat insights."

The weaknesses reporting capability is based, in part, on just three vendors' security information. There are other limitations, too, which the document explained in the following note:

Weaknesses and exposed devices information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only. Weaknesses for other vendors are not reported.
Inventory and weaknesses data is collected on Windows, Linux, and MacOS (refer to the list of supported platforms).
Note: processor and BIOS information is not reported on Mac devices with M1 processor.

The hardware and firmware assessment capability will let IT pros see device vulnerability exposures and they'll also get "remediation instructions and recommended firmware versions to deploy," according to the announcement. With this preview, Microsoft added the ability to evaluate the use of Secure Boot for Windows and Linux devices. Secure Boot is a Unified Extensible Firmware Interface measure that's designed to ward off malware at the system boot level.

Also new in the hardware and firmware assessment preview is the ability to use an API for the "system model, processor and BIOS information" of devices, which can be exported in JSON or file formats.

Additionally, for Microsoft 365 Defender subscribers, there's a new "DeviceTvmHardwareFirmware" advanced hunting schema. It pulls information from the Microsoft Defender Vulnerability Management service when creating device hardware and firmware queries.

Microsoft is planning to further describe its November additions to the Microsoft Defender Vulnerability Management service in an online presentation, to be held on Nov. 30, with signup info here.

Organizations have to sign up if they want to try the Microsoft Defender Vulnerability Management preview, as outlined here. When it gets commercially released, the Microsoft Defender Vulnerability Management service will be sold as a standalone product (priced at $3 per user per month) and as an add-on to Microsoft Defender for Endpoint Plan 2 (priced at $2 per person per month).

Organizations can subscribe to Microsoft Defender for Endpoint Plan 2 and then purchase the Microsoft Defender Vulnerability Management add-on, when it's commercially available. However, Microsoft Defender for Endpoint Plan 2 may already be had by organizations as some Windows Enterprise edition and Microsoft 365 E5-type subscription plans already include Microsoft Defender for Endpoint Plan 2.