MCSB ES-1: Endpoint Security
170 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-1 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB ES-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-1 sits in the Endpoint Security domain. Senserva evidences it with the 170 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 170 checks that evidence MCSB ES-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Role Excessive Destructive Permissions | Critical | Intune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions |
| Intune Role Privilege Escalation | Critical | Intune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope |
| Admin Enforces Compliant Device For Admins Not Found | High | No Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints |
| Admin Maester Device Compliance For Admins | High | Maester framework check: device compliance policy for administrators |
| Conditional Access Enforces Block Unknown Device Not Found | High | No CA policy blocks unknown/unsupported device platforms |
| Device Endpoint Detection And Response | High | Endpoint detection and response (EDR) solution status on the device |
| Device Privileged User Non Compliant | High | Privileged user is using a non-compliant device. High-risk combination - admin activity from unmanaged devices undermines security controls |
| Intune Policy Antivirus Behavior Monitoring | High | Behavior monitoring is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Cloud Protection | High | Cloud-delivered protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Property Not Found | High | Expected antivirus property not found in the Intune policy configuration |
| Intune Policy Antivirus Real Time Protection | High | Real-time protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Removable Drive Scanning | High | Removable drive scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Script Scanning | High | Script scanning not enabled in Microsoft Defender Antivirus policy |
| Intune Policy App Control Audit Mode | High | Application Control is in audit mode, not enforcing blocks |
| Intune Policy App Control Build Options | High | Application Control policy build options are not configured |
| Intune Policy Attack Surface Reduction Block Abuse Of Vulnerable Signed Drivers | High | ASR rule to block abuse of exploited vulnerable signed drivers is not enabled |
| Intune Policy Attack Surface Reduction Block Credential Stealing From LSASS | High | ASR rule to block credential stealing from LSASS is not enabled |
| Intune Policy Attack Surface Reduction Block Downloading Executable Content | High | ASR rule to block downloading executable content from email and webmail clients is not enabled |
| Intune Policy Attack Surface Reduction Block Executable Content From Email | High | ASR rule to block executable content from email is not enabled |
| Intune Policy Attack Surface Reduction Block Js Vb Launching Downloaded Executables | High | ASR rule to block JavaScript/VBScript from launching downloaded executables is not enabled |
| Intune Policy Attack Surface Reduction Block Obfuscated Scripts | High | ASR rule to block obfuscated scripts is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Creating Child Processes | High | ASR rule to block Office apps from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Creating Executable Content | High | ASR rule to block Office apps from creating executable content is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Injecting Code | High | ASR rule to block Office apps from injecting code into other processes is not enabled |
| Intune Policy Attack Surface Reduction Block Persistence Through Wmi Event Subscription | High | ASR rule to block persistence through WMI event subscription is not enabled |
| Intune Policy Attack Surface Reduction Block Process Creations From Psexec Wmi | High | ASR rule to block process creations from PSExec and WMI commands is not enabled |
| Intune Policy Attack Surface Reduction Block Ransomware Behavior | High | ASR rule to block ransomware behavior is not enabled |
| Intune Policy Attack Surface Reduction Block Untrusted Webmail Executables | High | ASR rule to block executables from webmail is not enabled |
| Intune Policy Attack Surface Reduction Block Use Of Copied Or Impersonated System Tools | High | ASR rule to block use of copied or impersonated system tools is not enabled |
| Intune Policy Attack Surface Reduction Block Web Shell Creation For Servers | High | ASR rule to block webshell creation for servers is not enabled |
| Intune Policy Attack Surface Reduction Block Win32 API Calls From Office Macros | High | ASR rule to block Win32 API calls from Office macros is not enabled |
| Intune Policy Attack Surface Reduction Controlled Folder Access | High | Controlled Folder Access is not enabled or configured |
| Intune Policy Compliance Active Firewall Required | High | Active firewall is not required by device compliance policy |
| Intune Policy Compliance Anti Spyware Required | High | Anti-spyware is not required by device compliance policy |
| Intune Policy Compliance Any Antivirus Required | High | Any antivirus solution is not required by device compliance policy |
| Intune Policy Compliance Bit Locker Required | High | BitLocker encryption is not required by device compliance policy |
| Intune Policy Compliance Code Integrity Enabled | High | Code Integrity is not required by device compliance policy |
| Intune Policy Compliance Device Health Attestation Required | High | Device Health Attestation is not required by device compliance policy |
| Intune Policy Compliance Early Launch Anti Malware Enabled | High | Early Launch Anti-Malware (ELAM) is not required by device compliance policy |
| Intune Policy Compliance Firmware Protection Enabled | High | Firmware protection is not required by device compliance policy |
| Intune Policy Compliance Idle Lock Timeout Minutes | High | Idle lock timeout is too long or not enforced by compliance policy |
| Intune Policy Compliance Kernel Dma Protection Enabled | High | Kernel DMA Protection is not required by device compliance policy |
| Intune Policy Compliance Mde Integration Required | High | Microsoft Defender for Endpoint integration is not required by compliance policy |
| Intune Policy Compliance Mde Threat Level Allowed | High | Microsoft Defender for Endpoint allowed threat level is too permissive in compliance policy |
| Intune Policy Compliance Memory Integrity Enabled | High | Memory Integrity (HVCI) is not required by device compliance policy |
| Intune Policy Compliance Microsoft Defender Antivirus Required | High | Microsoft Defender Antivirus is not required by device compliance policy |
| Intune Policy Compliance Microsoft Defender Minimum Version | High | Microsoft Defender Antivirus minimum version is not enforced by compliance policy |
| Intune Policy Compliance Microsoft Defender Real Time Protection Required | High | Microsoft Defender real-time protection is not required by compliance policy |
| Intune Policy Compliance Microsoft Defender Signature Must Be Up To Date | High | Microsoft Defender signature currency is not required by compliance policy |
| Intune Policy Compliance Minimum OS Version | High | Minimum OS version is not enforced by device compliance policy |
| Intune Policy Compliance Password Block Simple | High | Simple passwords are not blocked by device compliance policy |
| Intune Policy Compliance Password Minimum Length | High | Minimum password length is not enforced by device compliance policy |
| Intune Policy Compliance Password Required | High | Password is not required by device compliance policy |
| Intune Policy Compliance Password Required To Unlock From Idle | High | Password is not required to unlock device from idle state |
| Intune Policy Compliance Password Required Type | High | Required password type is not enforced by device compliance policy |
| Intune Policy Compliance Secure Boot Required | High | Secure Boot is not required by device compliance policy |
| Intune Policy Compliance Storage Encryption Required | High | Storage encryption is not required by device compliance policy |
| Intune Policy Compliance Tpm Required | High | TPM (Trusted Platform Module) is not required by device compliance policy |
| Intune Policy Compliance Vbs Enabled | High | Virtualization-Based Security (VBS) is not required by device compliance policy |
| Intune Policy Disk Fixed Drives Encryption Type | High | Fixed drive encryption type is not configured in BitLocker policy |
| Intune Policy Disk Fixed Drives Encryption Type Dropdown | High | Fixed drive encryption type dropdown is not set in BitLocker policy |
| Intune Policy Disk Fixed Drives Recovery Options | High | Fixed drive recovery options are not configured in BitLocker policy |
| Intune Policy Disk Fixed Drives Require Encryption | High | Fixed drive encryption is not required by BitLocker policy |
| Intune Policy Disk Property Not Found | High | Expected disk encryption property was not found in the Intune policy configuration |
| Intune Policy Disk Removable Drives Configure BDE | High | Removable drive BitLocker policy is not configured |
| Intune Policy Disk Removable Drives Require Encryption | High | Removable drive encryption is not required by BitLocker policy |
| Intune Policy Disk Require Device Encryption | High | Device encryption is not required by BitLocker policy |
| Intune Policy Disk System Drives Disallow Standard Users Can Change Pin | High | Standard users are allowed to change BitLocker PIN |
| Intune Policy Disk System Drives Encryption Type | High | OS drive encryption type is not configured in BitLocker policy |
| Intune Policy Disk System Drives Encryption Type OS Dropdown | High | OS drive encryption type dropdown is not set in BitLocker policy |
| Intune Policy Disk System Drives Minimum Pin Length | High | Minimum PIN length for OS drive is below recommended threshold |
| Intune Policy Disk System Drives Minimum Pin Length Enabled | High | Minimum PIN length is not enabled for OS drive |
| Intune Policy Disk System Drives Recovery Options | High | OS drive recovery options are not configured in BitLocker policy |
| Intune Policy Firewall Domain Network Default Inbound Action | High | Windows Firewall default inbound action for Domain network is not set to Block |
| Intune Policy Firewall Domain Network Enablement | High | Windows Firewall is not enabled for Domain network profile |
| Intune Policy Firewall Private Network Default Inbound Action | High | Windows Firewall default inbound action for Private network is not set to Block |
| Intune Policy Firewall Private Network Enablement | High | Windows Firewall is not enabled for Private network profile |
| Intune Policy Firewall Public Network Default Inbound Action | High | Windows Firewall default inbound action for Public network is not set to Block |
| Intune Policy Firewall Public Network Disabled Inbound Action Notifications | High | Windows Firewall inbound action notifications not disabled for Public network |
| Intune Policy Firewall Public Network Enablement | High | Windows Firewall is not enabled for Public network profile |
| Intune Policy Firewall Public Network IP Sec Merge | High | IPsec exemptions are allowed on Public network profile |
| Intune Policy Firewall Public Network Local Policy Merge | High | Local firewall policy merge is enabled on Public network profile |
| Intune Policy Firewall Public Network Log Dropped Packets | High | Windows Firewall is not configured to log dropped packets on Public network |
| Intune Policy Windows Security Experience Tamper Protection Options | High | Tamper Protection options are not configured in Windows Security Experience policy |
| Intune Role Custom High Risk | High | Custom Intune RBAC role with elevated risk score, not a Microsoft built-in role |
| Intune Role Global Scope | High | Intune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction |
| Intune Role Over Assigned | High | Intune RBAC role is assigned to many principals, broad exposure increases compromise risk |
| Intune Role Security Sensitive | High | Intune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection |
| User Login Device Must Be Compliant | High | User sign-in from a device that is not compliant |
| User Login Device Must Be Managed | High | User sign-in from a device that is not managed by Intune |
| User Login Outdated Windows Operating System | High | User sign-in from a Windows device with an outdated OS |
| Conditional Access Device Code Flow Not Blocked | Medium | Device code flow not blocked for privileged users. Detected via What-If |
| Device Health Check Failed | Medium | Device fails one or more basic health checks: not compliant, not managed, or rooted/jailbroken |
| Device Intune Permission Check Skipped | Medium | Intune audit skipped: credential lacks a required directory role or the tenant does not have an Intune license. |
| Device Must Be Compliant | Medium | Device compliance status (IsCompliant property) Non-compliant devices may lack required security configurations (encryption, PIN, etc) |
| Device Not Registered But Is Logging In | Medium | Device is not registered to any user but has recent sign-in activity An unregistered device actively in use is a security concern |
| Entra Device Not In Defender Coverage | Medium | Entra-registered Windows device has no matching Microsoft Defender for Endpoint machine record, so the audit cannot determine per-CVE patch posture. |
| Entra Device OS Version Lag | Medium | Entra-registered Windows device is on a build that is no longer supported by Windows Update, so it cannot receive new security patches. |
| Intune Device Non Compliant | Medium | Intune-managed device is non-compliant with one or more compliance policies Reports the specific failing setting. |
| Intune Policy Antivirus Archive Scanning | Medium | Archive scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Email Scanning | Medium | Email scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus IOAV Scanning | Medium | IOAV (IE/Office/ActiveX) scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Network Scanning | Medium | Network inspection not enabled in Microsoft Defender Antivirus policy |
| Intune Policy App Control Property Not Found | Medium | Expected Application Control property was not found in the Intune policy configuration |
| Intune Policy App Control Trust Apps From Managed Installer | Medium | Managed Installer trust is not enabled in Application Control policy |
| Intune Policy App Control Trust Apps With Good Reputation | Medium | Intelligent Security Graph (ISG) reputation trust is not enabled in Application Control policy |
| Intune Policy Attack Surface Reduction Block Adobe Reader Child Processes | Medium | ASR rule to block Adobe Reader from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Executable Files Unless Prevalence Age Trusted List Criterion | Medium | ASR rule to block executable files unless they meet prevalence, age, or trusted list criteria is not enabled |
| Intune Policy Attack Surface Reduction Block Office Communication Apps Creating Child Processes | Medium | ASR rule to block Office communication apps from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Rebooting Machine In Safe Mode | Medium | ASR rule to block rebooting machine in Safe Mode is not enabled |
| Intune Policy Attack Surface Reduction Block Unsigned Or Untrusted USB Processes | Medium | ASR rule to block unsigned or untrusted USB processes is not enabled |
| Intune Policy Attack Surface Reduction Block Untrusted And Unsigned Scripts | Medium | ASR rule to block untrusted and unsigned processes that run from USB is not enabled |
| Intune Policy Attack Surface Reduction Block Use Of Credential Manager | Medium | ASR rule to block credential manager misuse is not enabled |
| Intune Policy Attack Surface Reduction Property Not Found | Medium | Expected Attack Surface Reduction property was not found in the Intune policy configuration |
| Intune Policy Compliance Configuration Manager Compliance Required | Medium | Configuration Manager compliance is not required by device compliance policy |
| Intune Policy Compliance Password Expiration Days | Medium | Password expiration is not enforced by device compliance policy |
| Intune Policy Compliance Password Minimum Character Sets | Medium | Minimum character sets (complexity) is not enforced by device compliance policy |
| Intune Policy Disk Configure Recovery Password Rotation | Medium | Recovery password rotation is not configured in BitLocker policy |
| Intune Policy Disk Encryption Method By Drive Type | Medium | Encryption method is not configured by drive type in BitLocker policy |
| Intune Policy Disk System Drives Enable Pre Boot Pin Exception On DE Capable Device | Medium | Pre-boot PIN exception is enabled on InstantGo/Modern Standby devices |
| Intune Policy Disk System Drives Enhanced Pin | Medium | Enhanced PIN (alphanumeric) is not enabled for OS drive |
| Intune Policy Disk System Drives Recovery Message | Medium | OS drive recovery message is not configured |
| Intune Policy Firewall Domain Network Disabled Inbound Action Notifications | Medium | Windows Firewall inbound action notifications are not disabled for Domain network |
| Intune Policy Firewall Domain Network Log Dropped Packets | Medium | Windows Firewall is not configured to log dropped packets on Domain network |
| Intune Policy Firewall Private Network Log Dropped Packets | Medium | Windows Firewall is not configured to log dropped packets on Private network |
| Intune Policy Firewall Property Not Found | Medium | Expected firewall property was not found in the Intune policy configuration |
| Intune Policy Windows Security Experience Disable Tpm Firmware Update Warning | Medium | TPM firmware update warning is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Hide Ransomware Data Recovery | Medium | Ransomware data recovery UI is hidden in Windows Security Center |
| Intune Policy Windows Security Experience Property Not Found | Medium | Expected Windows Security Experience property was not found in the Intune policy configuration |
| Intune Role Dormant | Medium | Intune RBAC role has permissions but zero active assignments, dormant role |
| Purview Label Not Endpoint Protected | Medium | A sensitivity label does not have endpoint protection enabled. |
| User Device Registered To Not Enabled User | Medium | Device registered to a disabled user account |
| User Disabled User Device Last Signin Date | Medium | Disabled user's device last sign-in date |
| Conditional Access Device Compliance Bypassed | Low | Device compliance policy bypassed in actual sign-ins. Detected by sign-in replay |
| Conditional Access Unmanaged Device Not Protected | Low | No CA policy protects access from unmanaged devices for this user. Detected via What-If |
| Device Is Rooted | Low | Device is flagged as rooted or jailbroken Rooted devices bypass OS security controls |
| Intune Policy Antivirus PUA Protection | Low | PUA (Potentially Unwanted Application) protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Sample Submission | Low | Automatic sample submission is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Compliance Allowed Wsl Distributions | Low | Allowed WSL (Windows Subsystem for Linux) distributions are restricted by compliance policy |
| Intune Policy Compliance Maximum OS Version | Low | Maximum OS version is enforced by compliance policy, potentially blocking newer builds |
| Intune Policy Compliance Password History Count | Low | Password history count is not enforced by device compliance policy |
| Intune Policy Disk Allow Warning For Other Disk Encryption | Low | Warning for other disk encryption software is allowed |
| Intune Policy Disk Identification Field | Low | BitLocker identification field is not configured |
| Intune Policy Firewall Private Network Disabled Inbound Action Notifications | Low | Windows Firewall inbound action notifications are not disabled for Private network |
| Intune Policy Windows Security Experience Disable Enhanced Notifications | Low | Enhanced notifications are disabled in Windows Security Center |
| Intune Policy Windows Security Experience Hide Windows Security Notification Area Control | Low | Windows Security notification area control is hidden |
| Admin Enforces Compliant Device For Admins | Info | A Conditional Access policy requires compliant or domain-joined devices for admin roles |
| Conditional Access Enforces Block Unknown Device | Info | A CA policy blocks sign-ins from unknown/unsupported device platforms across all apps |
| Conditional Access Policy Device Included By Filter | Info | A CA policy's device filter includes this device via its filter rule |
| Device Compliance Expiration Date Time | Info | Device compliance expiration datetime Reports when the compliance state expires and the device needs re-evaluation |
| Intune Policy Compliance Custom Compliance Script Enabled | Info | Custom compliance script is enabled in device compliance policy |
| Intune Policy Compliance Valid OS Build Ranges | Info | Valid OS build ranges are enforced by compliance policy |
| Intune Policy Disk System Drives Enable Pre Boot Input Protectors On Slates | Info | Pre-boot input protectors are enabled on slates/tablets |
| Intune Policy Firewall Domain Network Log Max File Size | Info | Windows Firewall log file size for Domain network is below recommended threshold |
| Intune Policy Firewall Domain Network Log Successful Connections | Info | Windows Firewall is not configured to log successful connections on Domain network |
| Intune Policy Firewall Private Network Log Max File Size | Info | Windows Firewall log file size for Private network is below recommended threshold |
| Intune Policy Firewall Private Network Log Successful Connections | Info | Windows Firewall is not configured to log successful connections on Private network |
| Intune Policy Firewall Public Network Log Max File Size | Info | Windows Firewall log file size for Public network is below recommended threshold |
| Intune Policy Firewall Public Network Log Successful Connections | Info | Windows Firewall is not configured to log successful connections on Public network |
| Intune Policy Windows Security Experience Disable Account Protection Ui | Info | Account Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable App Browser Ui | Info | App & Browser Control UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Clear Tpm Button | Info | Clear TPM button is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Device Security Ui | Info | Device Security UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Family Ui | Info | Family Options UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Health Ui | Info | Device Performance & Health UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Network Ui | Info | Firewall & Network Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Virus Ui | Info | Virus & Threat Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Enable Customized Toasts | Info | Customized toast notifications are enabled in Windows Security Center |
| Intune Policy Windows Security Experience Enable In App Customization | Info | In-app customization is enabled in Windows Security Center |
| User Login Device Trust Type | Info | Reports the device trust type used during user sign-in |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.