Security State Assessment goes live on MU!

My name is Adrienne Wu, and I’m a Program Manager on the Forefront Client Security (FCS) team. When I first started here at Microsoft, I was an intern and I worked on the early planning for what would eventually become Security State Assessment, or SSA. When I returned as a full-time employee, I continued this work, only instead of a plan, it had become a reality!


Today is an interesting day for me; it is the day our original goal for SSA will truly be realized.


With SSA, we wanted to provide visibility into critical vulnerabilities and configuration exposures on managed computers, enabling our customers to focus critical IT resources on the right security issues. Our solution was to include an SSA agent to scan and report on the security state of a computer, with security checks driving evaluations.


We achieved this goal, and Forefront Client Security 1.0 shipped with some great checks out of the box.


But we also wanted to be able to provide new checks, so that we could continue to extend, over time, the vulnerability coverage provided by SSA. We decided to implement our checks using a definitions file, which could be published to Microsoft Update, and downloaded much like antimalware signatures.


Today, we’ve published our first new check using this channel.


The Unapproved Updates check determines whether there are any missing Microsoft security updates that have not yet been approved. The Security Updates check, which is already included in SSA, scans for missing updates available through the default service registered with Automatic Update. For example, updates approved on WSUS.


The Unapproved Updates check scans against Microsoft Update, and determines if there are any missing updates that are available, but not approved for download. The score from this check doesn’t contribute to the number of computers reporting critical issues in the FCS console, but the results will show up in reports, and administrators can see how many computers are vulnerable while a required security update undergoes their company’s approval process.


So if you’re using Forefront Client Security, take a look at your Deployment Summary. You should see your managed clients updating to vulnerability definition version 1.0.1709.0. The definition download should also be appearing on your WSUS server. In your Security State Assessment Summary report, you should start to see results from the Unapproved Updates check.


You can learn more about the check in our Technical Reference on the Forefront Client Security TechCenter.


We’ll have more checks to come, and I hope you’ll be as excited as we are to see new checks coming down from MU!


Adrienne Wu

Program Manager

Microsoft Forefront Client Security

Comments (1)

  1. Anonymous says:

    Bad Idea… How do I turn this new feature off?

    Isn’t this going to add more useless events and data into the database? We control our WSUS server. New updates are evaluated by our IT staff the day they are released. Any update that we determine needs to be deployed is approved for detection in WSUS for all computers as we stagger our deployment bu WSUS groups. This is what we want FCS to tell us.

    For example (I have plenty). I know have machines reporting a vulnerability for MS07-003. We are an Office 2003/XP shop and do not have Office 2000. MS07-003 was only critical for O2K, we did not enable detection for this at all. But now, due to your enhancements, I will have to explain this to management when they see these new reports.

    In my opinion the SSA team needs to work on a method to disable certain checks that enterprises do not see as an issue in ther organizations. Example: Passwords that don’t expire!

    If you would like to discuss with me further, Chris Sfanos has my contact info.

    — MCP TAP Customer – Kevin

Skip to main content