MCSB DP-4: Data Protection
37 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control DP-4 (Data Protection). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB DP-4 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. DP-4 sits in the Data Protection domain. Senserva evidences it with the 37 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 37 checks that evidence MCSB DP-4
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Policy Compliance Bit Locker Required | High | BitLocker encryption is not required by device compliance policy |
| Intune Policy Compliance Storage Encryption Required | High | Storage encryption is not required by device compliance policy |
| Intune Policy Disk Fixed Drives Encryption Type | High | Fixed drive encryption type is not configured in BitLocker policy |
| Intune Policy Disk Fixed Drives Encryption Type Dropdown | High | Fixed drive encryption type dropdown is not set in BitLocker policy |
| Intune Policy Disk Fixed Drives Recovery Options | High | Fixed drive recovery options are not configured in BitLocker policy |
| Intune Policy Disk Fixed Drives Require Encryption | High | Fixed drive encryption is not required by BitLocker policy |
| Intune Policy Disk Property Not Found | High | Expected disk encryption property was not found in the Intune policy configuration |
| Intune Policy Disk Removable Drives Configure BDE | High | Removable drive BitLocker policy is not configured |
| Intune Policy Disk Removable Drives Require Encryption | High | Removable drive encryption is not required by BitLocker policy |
| Intune Policy Disk Require Device Encryption | High | Device encryption is not required by BitLocker policy |
| Intune Policy Disk System Drives Disallow Standard Users Can Change Pin | High | Standard users are allowed to change BitLocker PIN |
| Intune Policy Disk System Drives Encryption Type | High | OS drive encryption type is not configured in BitLocker policy |
| Intune Policy Disk System Drives Encryption Type OS Dropdown | High | OS drive encryption type dropdown is not set in BitLocker policy |
| Intune Policy Disk System Drives Minimum Pin Length | High | Minimum PIN length for OS drive is below recommended threshold |
| Intune Policy Disk System Drives Minimum Pin Length Enabled | High | Minimum PIN length is not enabled for OS drive |
| Intune Policy Disk System Drives Recovery Options | High | OS drive recovery options are not configured in BitLocker policy |
| Share Point Anyone Link Expiration Max30 Days | High | SharePoint "Anyone" links expire within 30 days maximum |
| Share Point Anyone Link Permission View Only | High | SharePoint "Anyone" link permission is "View Only" |
| Share Point Default Sharing Permission View Only | High | SharePoint default sharing permission is "View Only" |
| Share Point Default Sharing Scope Specific People | High | SharePoint default sharing scope is "Specific People" |
| Share Point External Sharing Limit To Existing Guests Or Org | High | SharePoint external sharing limited to existing guests or org members only |
| Share Point External Sharing One Drive Limit To Existing Guests Or Org | High | OneDrive external sharing limited to existing guests or org members only |
| Share Point External Sharing Restrict To Approved Domains Or Groups | High | SharePoint external sharing restricted to approved domains or security groups |
| Share Point Verification Code Reauth Max30 Days | High | SharePoint verification code re-authentication within 30 days maximum |
| Intune Policy Disk Configure Recovery Password Rotation | Medium | Recovery password rotation is not configured in BitLocker policy |
| Intune Policy Disk Encryption Method By Drive Type | Medium | Encryption method is not configured by drive type in BitLocker policy |
| Intune Policy Disk System Drives Enable Pre Boot Pin Exception On DE Capable Device | Medium | Pre-boot PIN exception is enabled on InstantGo/Modern Standby devices |
| Intune Policy Disk System Drives Enhanced Pin | Medium | Enhanced PIN (alphanumeric) is not enabled for OS drive |
| Intune Policy Disk System Drives Recovery Message | Medium | OS drive recovery message is not configured |
| Storage High One Drive Storage Quota Used | Medium | OneDrive storage usage exceeds the high-usage threshold for a user or aggregate |
| Storage High Share Point Storage Quota Used | Medium | SharePoint site storage usage exceeds the high-usage threshold Risk of hitting quota limits which can disrupt collaboration |
| Intune Policy Disk Allow Warning For Other Disk Encryption | Low | Warning for other disk encryption software is allowed |
| Intune Policy Disk Identification Field | Low | BitLocker identification field is not configured |
| Teams Usage | Low | User has no Teams activity (calls, meetings, messages) over the reporting period |
| Intune Policy Disk System Drives Enable Pre Boot Input Protectors On Slates | Info | Pre-boot input protectors are enabled on slates/tablets |
| Storage One Drive Storage Quota Used | Info | OneDrive storage usage proportion (used vs allocated) per user and aggregate |
| Storage Share Point Storage Quota Used | Info | SharePoint site storage usage proportion (used vs allocated) Reports per-site and aggregate storage utilization |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.