We are excited to announce the public preview for hardware and firmware assessments in Microsoft Defender Vulnerability Management.
Firmware and hardware attacks are on the rise. Attackers are increasingly targeting firmware and device drivers of hardware components to gain high privilege and persistence. Visibility into the threat posture of firmware and timely remediation of firmware vulnerabilities are paramount for enterprise security.
Microsoft Defender Vulnerability Management's new firmware assessments feature provides customers with full visibility into device manufacturer, processor, and BIOS information. Customers who have access to the Microsoft Defender Vulnerability Management add-on will be able to see their organization’s exposure to firmware vulnerabilities, remediation instructions, and recommended firmware versions to deploy. This new premium capability gives customers the information they need to measure firmware risk effectively, information they previously were unable to obtain. With the new firmware and hardware information, customers can make more informed decisions and take corrective actions to prevent attacks.
The public preview of hardware and firmware assessments feature introduces the following new capabilities:
- New inventory for system models, processors, and BIOS across Windows, Linux, and macOS.
- Vulnerability assessment for processors and BIOS weaknesses for HP, Dell, and Lenovo.
- Evaluation of the UEFI Secure Boot mode setting for Windows and Linux.
- Ability to retrieve system model, processor, and BIOS information using the export API and Advanced Hunting.
View hardware and firmware inventory
Access the new hardware and firmware assessment page by selecting Inventories > Hardware & Firmware under the Vulnerability management navigation menu in the Microsoft 365 Defender portal.
Individual inventories for system models, processors, and BIOS are shown above. Each view includes the name of the vendor, number of weaknesses, type of threats, and number of exposed devices.
View firmware related recommendations
As part of this new feature, the following recommendations are available in Microsoft Defender Vulnerability Management:
- Update firmware
- Enable UEFI Secure Boot mode
To access these recommendations, in the Microsoft 365 Defender portal:
- Go to Vulnerability management > Recommendations
- Filter on Remediation type ‘Firmware update’ to see BIOS-related recommendations
- Search “scid-2100” to see devices where UEFI Secure Boot mode is not enabled, and follow the remediation instructions in the recommendation.
Export API and Advanced Hunting
A new table, DeviceTvmHardwareFirmware, has been added to Advanced Hunting. It contains hardware and firmware information per device, including system model, processor, and BIOS.
Here are some sample queries that use this table:
- Count the number of Lenovo devices
DeviceTvmHardwareFirmware
| where ComponentType == "Hardware" and Manufacturer == "lenovo"
| summarize count()
- Find all devices with specific vulnerable BIOS version
DeviceTvmHardwareFirmware
| where ComponentType == "Bios" and ComponentVersion contains "N2VET29W"
| project DeviceId, DeviceName
- Find devices that require enabling of UEFI Secure Boot mode
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2100"
| project DeviceId, DeviceName
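As an added example that is not part of the original post, the following query combines the two tables above to prioritize firmware remediation: it lists devices where the UEFI Secure Boot check (scid-2100) applies but is not met, grouped by BIOS vendor and version, so that the firmware-update and Secure Boot recommendations can be worked together. It assumes the documented columns ComponentName in DeviceTvmHardwareFirmware and IsApplicable, IsCompliant and OSPlatform in DeviceTvmSecureConfigurationAssessment.

```kql
// Devices where UEFI Secure Boot is applicable but not enabled.
// Column names IsApplicable, IsCompliant and OSPlatform are assumed from the
// published DeviceTvmSecureConfigurationAssessment schema.
let secureBootGaps =
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2100"
    | where IsApplicable == true and IsCompliant == false
    | project DeviceId, DeviceName, OSPlatform;
// BIOS component per device from the new hardware and firmware table.
// ComponentName is assumed from the published DeviceTvmHardwareFirmware schema.
DeviceTvmHardwareFirmware
| where ComponentType == "Bios"
| project DeviceId,
          BiosVendor = Manufacturer,
          BiosName = ComponentName,
          BiosVersion = ComponentVersion
// Keep only devices that also have a Secure Boot gap.
| join kind=inner secureBootGaps on DeviceId
// One row per BIOS vendor/version/OS, with a device count and sample names,
// so the largest exposed groups surface first for a firmware-update campaign.
| summarize ExposedDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 10)
          by BiosVendor, BiosName, BiosVersion, OSPlatform
| order by ExposedDevices desc
```

Add `| where BiosVendor == "lenovo"` (or another vendor value as it appears in the table) after the project step to scope the result to one manufacturer.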
You can use APIs to view all hardware and firmware installed in your organization, including component type, vendor, and version.
For more information on this firmware and hardware assessments feature:
- Read more about the new feature on Microsoft Learn site here.
- For information about the API, read more here.
- For information about the new Advanced Hunting table, read more here.
- Watch our webinar recording about this new feature here.
Microsoft Defender Vulnerability Management is in public preview. Explore premium capabilities of Microsoft Defender Vulnerability Management such as this one and more by signing up for a free 6-month trial of Defender Vulnerability Management add-on here.