Controls / MCSB / ES-1

MCSB ES-1: Endpoint Security

170 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-1 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.

170 checksEndpoint SecurityTop Severity: Critical

What MCSB ES-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-1 sits in the Endpoint Security domain. Senserva evidences it with the 170 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 170 checks that evidence MCSB ES-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Role Excessive Destructive PermissionsCriticalIntune RBAC role has excessive destructive permissions, high count of delete, wipe, retire, or reset actions
Intune Role Privilege EscalationCriticalIntune RBAC role has permissions that allow privilege escalation, can manage roles or expand assignment scope
Admin Enforces Compliant Device For Admins Not FoundHighNo Conditional Access policy was found requiring compliant devices for admin roles Admins should only operate from managed, compliant endpoints
Admin Maester Device Compliance For AdminsHighMaester framework check: device compliance policy for administrators
Conditional Access Enforces Block Unknown Device Not FoundHighNo CA policy blocks unknown/unsupported device platforms
Device Endpoint Detection And ResponseHighEndpoint detection and response (EDR) solution status on the device
Device Privileged User Non CompliantHighPrivileged user is using a non-compliant device. High-risk combination - admin activity from unmanaged devices undermines security controls
Intune Policy Antivirus Behavior MonitoringHighBehavior monitoring is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Cloud ProtectionHighCloud-delivered protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Property Not FoundHighExpected antivirus property not found in the Intune policy configuration
Intune Policy Antivirus Real Time ProtectionHighReal-time protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Removable Drive ScanningHighRemovable drive scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Script ScanningHighScript scanning not enabled in Microsoft Defender Antivirus policy
Intune Policy App Control Audit ModeHighApplication Control is in audit mode, not enforcing blocks
Intune Policy App Control Build OptionsHighApplication Control policy build options are not configured
Intune Policy Attack Surface Reduction Block Abuse Of Vulnerable Signed DriversHighASR rule to block abuse of exploited vulnerable signed drivers is not enabled
Intune Policy Attack Surface Reduction Block Credential Stealing From LSASSHighASR rule to block credential stealing from LSASS is not enabled
Intune Policy Attack Surface Reduction Block Downloading Executable ContentHighASR rule to block downloading executable content from email and webmail clients is not enabled
Intune Policy Attack Surface Reduction Block Executable Content From EmailHighASR rule to block executable content from email is not enabled
Intune Policy Attack Surface Reduction Block Js Vb Launching Downloaded ExecutablesHighASR rule to block JavaScript/VBScript from launching downloaded executables is not enabled
Intune Policy Attack Surface Reduction Block Obfuscated ScriptsHighASR rule to block obfuscated scripts is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Creating Child ProcessesHighASR rule to block Office apps from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Creating Executable ContentHighASR rule to block Office apps from creating executable content is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Injecting CodeHighASR rule to block Office apps from injecting code into other processes is not enabled
Intune Policy Attack Surface Reduction Block Persistence Through Wmi Event SubscriptionHighASR rule to block persistence through WMI event subscription is not enabled
Intune Policy Attack Surface Reduction Block Process Creations From Psexec WmiHighASR rule to block process creations from PSExec and WMI commands is not enabled
Intune Policy Attack Surface Reduction Block Ransomware BehaviorHighASR rule to block ransomware behavior is not enabled
Intune Policy Attack Surface Reduction Block Untrusted Webmail ExecutablesHighASR rule to block executables from webmail is not enabled
Intune Policy Attack Surface Reduction Block Use Of Copied Or Impersonated System ToolsHighASR rule to block use of copied or impersonated system tools is not enabled
Intune Policy Attack Surface Reduction Block Web Shell Creation For ServersHighASR rule to block webshell creation for servers is not enabled
Intune Policy Attack Surface Reduction Block Win32 API Calls From Office MacrosHighASR rule to block Win32 API calls from Office macros is not enabled
Intune Policy Attack Surface Reduction Controlled Folder AccessHighControlled Folder Access is not enabled or configured
Intune Policy Compliance Active Firewall RequiredHighActive firewall is not required by device compliance policy
Intune Policy Compliance Anti Spyware RequiredHighAnti-spyware is not required by device compliance policy
Intune Policy Compliance Any Antivirus RequiredHighAny antivirus solution is not required by device compliance policy
Intune Policy Compliance Bit Locker RequiredHighBitLocker encryption is not required by device compliance policy
Intune Policy Compliance Code Integrity EnabledHighCode Integrity is not required by device compliance policy
Intune Policy Compliance Device Health Attestation RequiredHighDevice Health Attestation is not required by device compliance policy
Intune Policy Compliance Early Launch Anti Malware EnabledHighEarly Launch Anti-Malware (ELAM) is not required by device compliance policy
Intune Policy Compliance Firmware Protection EnabledHighFirmware protection is not required by device compliance policy
Intune Policy Compliance Idle Lock Timeout MinutesHighIdle lock timeout is too long or not enforced by compliance policy
Intune Policy Compliance Kernel Dma Protection EnabledHighKernel DMA Protection is not required by device compliance policy
Intune Policy Compliance Mde Integration RequiredHighMicrosoft Defender for Endpoint integration is not required by compliance policy
Intune Policy Compliance Mde Threat Level AllowedHighMicrosoft Defender for Endpoint allowed threat level is too permissive in compliance policy
Intune Policy Compliance Memory Integrity EnabledHighMemory Integrity (HVCI) is not required by device compliance policy
Intune Policy Compliance Microsoft Defender Antivirus RequiredHighMicrosoft Defender Antivirus is not required by device compliance policy
Intune Policy Compliance Microsoft Defender Minimum VersionHighMicrosoft Defender Antivirus minimum version is not enforced by compliance policy
Intune Policy Compliance Microsoft Defender Real Time Protection RequiredHighMicrosoft Defender real-time protection is not required by compliance policy
Intune Policy Compliance Microsoft Defender Signature Must Be Up To DateHighMicrosoft Defender signature currency is not required by compliance policy
Intune Policy Compliance Minimum OS VersionHighMinimum OS version is not enforced by device compliance policy
Intune Policy Compliance Password Block SimpleHighSimple passwords are not blocked by device compliance policy
Intune Policy Compliance Password Minimum LengthHighMinimum password length is not enforced by device compliance policy
Intune Policy Compliance Password RequiredHighPassword is not required by device compliance policy
Intune Policy Compliance Password Required To Unlock From IdleHighPassword is not required to unlock device from idle state
Intune Policy Compliance Password Required TypeHighRequired password type is not enforced by device compliance policy
Intune Policy Compliance Secure Boot RequiredHighSecure Boot is not required by device compliance policy
Intune Policy Compliance Storage Encryption RequiredHighStorage encryption is not required by device compliance policy
Intune Policy Compliance Tpm RequiredHighTPM (Trusted Platform Module) is not required by device compliance policy
Intune Policy Compliance Vbs EnabledHighVirtualization-Based Security (VBS) is not required by device compliance policy
Intune Policy Disk Fixed Drives Encryption TypeHighFixed drive encryption type is not configured in BitLocker policy
Intune Policy Disk Fixed Drives Encryption Type DropdownHighFixed drive encryption type dropdown is not set in BitLocker policy
Intune Policy Disk Fixed Drives Recovery OptionsHighFixed drive recovery options are not configured in BitLocker policy
Intune Policy Disk Fixed Drives Require EncryptionHighFixed drive encryption is not required by BitLocker policy
Intune Policy Disk Property Not FoundHighExpected disk encryption property was not found in the Intune policy configuration
Intune Policy Disk Removable Drives Configure BDEHighRemovable drive BitLocker policy is not configured
Intune Policy Disk Removable Drives Require EncryptionHighRemovable drive encryption is not required by BitLocker policy
Intune Policy Disk Require Device EncryptionHighDevice encryption is not required by BitLocker policy
Intune Policy Disk System Drives Disallow Standard Users Can Change PinHighStandard users are allowed to change BitLocker PIN
Intune Policy Disk System Drives Encryption TypeHighOS drive encryption type is not configured in BitLocker policy
Intune Policy Disk System Drives Encryption Type OS DropdownHighOS drive encryption type dropdown is not set in BitLocker policy
Intune Policy Disk System Drives Minimum Pin LengthHighMinimum PIN length for OS drive is below recommended threshold
Intune Policy Disk System Drives Minimum Pin Length EnabledHighMinimum PIN length is not enabled for OS drive
Intune Policy Disk System Drives Recovery OptionsHighOS drive recovery options are not configured in BitLocker policy
Intune Policy Firewall Domain Network Default Inbound ActionHighWindows Firewall default inbound action for Domain network is not set to Block
Intune Policy Firewall Domain Network EnablementHighWindows Firewall is not enabled for Domain network profile
Intune Policy Firewall Private Network Default Inbound ActionHighWindows Firewall default inbound action for Private network is not set to Block
Intune Policy Firewall Private Network EnablementHighWindows Firewall is not enabled for Private network profile
Intune Policy Firewall Public Network Default Inbound ActionHighWindows Firewall default inbound action for Public network is not set to Block
Intune Policy Firewall Public Network Disabled Inbound Action NotificationsHighWindows Firewall inbound action notifications not disabled for Public network
Intune Policy Firewall Public Network EnablementHighWindows Firewall is not enabled for Public network profile
Intune Policy Firewall Public Network IP Sec MergeHighIPsec exemptions are allowed on Public network profile
Intune Policy Firewall Public Network Local Policy MergeHighLocal firewall policy merge is enabled on Public network profile
Intune Policy Firewall Public Network Log Dropped PacketsHighWindows Firewall is not configured to log dropped packets on Public network
Intune Policy Windows Security Experience Tamper Protection OptionsHighTamper Protection options are not configured in Windows Security Experience policy
Intune Role Custom High RiskHighCustom Intune RBAC role with elevated risk score, not a Microsoft built-in role
Intune Role Global ScopeHighIntune RBAC role has unrestricted global scope, applies to all resources with no scope tag restriction
Intune Role Over AssignedHighIntune RBAC role is assigned to many principals, broad exposure increases compromise risk
Intune Role Security SensitiveHighIntune RBAC role has security-sensitive permissions, touches security baselines, compliance, Defender, or endpoint protection
User Login Device Must Be CompliantHighUser sign-in from a device that is not compliant
User Login Device Must Be ManagedHighUser sign-in from a device that is not managed by Intune
User Login Outdated Windows Operating SystemHighUser sign-in from a Windows device with an outdated OS
Conditional Access Device Code Flow Not BlockedMediumDevice code flow not blocked for privileged users. Detected via What-If
Device Health Check FailedMediumDevice fails one or more basic health checks: not compliant, not managed, or rooted/jailbroken
Device Intune Permission Check SkippedMediumIntune audit skipped: credential lacks a required directory role or the tenant does not have an Intune license.
Device Must Be CompliantMediumDevice compliance status (IsCompliant property) Non-compliant devices may lack required security configurations (encryption, PIN, etc)
Device Not Registered But Is Logging InMediumDevice is not registered to any user but has recent sign-in activity An unregistered device actively in use is a security concern
Entra Device Not In Defender CoverageMediumEntra-registered Windows device has no matching Microsoft Defender for Endpoint machine record, so the audit cannot determine per-CVE patch posture.
Entra Device OS Version LagMediumEntra-registered Windows device is on a build that is no longer supported by Windows Update, so it cannot receive new security patches.
Intune Device Non CompliantMediumIntune-managed device is non-compliant with one or more compliance policies Reports the specific failing setting.
Intune Policy Antivirus Archive ScanningMediumArchive scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Email ScanningMediumEmail scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus IOAV ScanningMediumIOAV (IE/Office/ActiveX) scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Network ScanningMediumNetwork inspection not enabled in Microsoft Defender Antivirus policy
Intune Policy App Control Property Not FoundMediumExpected Application Control property was not found in the Intune policy configuration
Intune Policy App Control Trust Apps From Managed InstallerMediumManaged Installer trust is not enabled in Application Control policy
Intune Policy App Control Trust Apps With Good ReputationMediumIntelligent Security Graph (ISG) reputation trust is not enabled in Application Control policy
Intune Policy Attack Surface Reduction Block Adobe Reader Child ProcessesMediumASR rule to block Adobe Reader from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Executable Files Unless Prevalence Age Trusted List CriterionMediumASR rule to block executable files unless they meet prevalence, age, or trusted list criteria is not enabled
Intune Policy Attack Surface Reduction Block Office Communication Apps Creating Child ProcessesMediumASR rule to block Office communication apps from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Rebooting Machine In Safe ModeMediumASR rule to block rebooting machine in Safe Mode is not enabled
Intune Policy Attack Surface Reduction Block Unsigned Or Untrusted USB ProcessesMediumASR rule to block unsigned or untrusted USB processes is not enabled
Intune Policy Attack Surface Reduction Block Untrusted And Unsigned ScriptsMediumASR rule to block untrusted and unsigned processes that run from USB is not enabled
Intune Policy Attack Surface Reduction Block Use Of Credential ManagerMediumASR rule to block credential manager misuse is not enabled
Intune Policy Attack Surface Reduction Property Not FoundMediumExpected Attack Surface Reduction property was not found in the Intune policy configuration
Intune Policy Compliance Configuration Manager Compliance RequiredMediumConfiguration Manager compliance is not required by device compliance policy
Intune Policy Compliance Password Expiration DaysMediumPassword expiration is not enforced by device compliance policy
Intune Policy Compliance Password Minimum Character SetsMediumMinimum character sets (complexity) is not enforced by device compliance policy
Intune Policy Disk Configure Recovery Password RotationMediumRecovery password rotation is not configured in BitLocker policy
Intune Policy Disk Encryption Method By Drive TypeMediumEncryption method is not configured by drive type in BitLocker policy
Intune Policy Disk System Drives Enable Pre Boot Pin Exception On DE Capable DeviceMediumPre-boot PIN exception is enabled on InstantGo/Modern Standby devices
Intune Policy Disk System Drives Enhanced PinMediumEnhanced PIN (alphanumeric) is not enabled for OS drive
Intune Policy Disk System Drives Recovery MessageMediumOS drive recovery message is not configured
Intune Policy Firewall Domain Network Disabled Inbound Action NotificationsMediumWindows Firewall inbound action notifications are not disabled for Domain network
Intune Policy Firewall Domain Network Log Dropped PacketsMediumWindows Firewall is not configured to log dropped packets on Domain network
Intune Policy Firewall Private Network Log Dropped PacketsMediumWindows Firewall is not configured to log dropped packets on Private network
Intune Policy Firewall Property Not FoundMediumExpected firewall property was not found in the Intune policy configuration
Intune Policy Windows Security Experience Disable Tpm Firmware Update WarningMediumTPM firmware update warning is disabled in Windows Security Center
Intune Policy Windows Security Experience Hide Ransomware Data RecoveryMediumRansomware data recovery UI is hidden in Windows Security Center
Intune Policy Windows Security Experience Property Not FoundMediumExpected Windows Security Experience property was not found in the Intune policy configuration
Intune Role DormantMediumIntune RBAC role has permissions but zero active assignments, dormant role
Purview Label Not Endpoint ProtectedMediumA sensitivity label does not have endpoint protection enabled.
User Device Registered To Not Enabled UserMediumDevice registered to a disabled user account
User Disabled User Device Last Signin DateMediumDisabled user's device last sign-in date
Conditional Access Device Compliance BypassedLowDevice compliance policy bypassed in actual sign-ins. Detected by sign-in replay
Conditional Access Unmanaged Device Not ProtectedLowNo CA policy protects access from unmanaged devices for this user. Detected via What-If
Device Is RootedLowDevice is flagged as rooted or jailbroken Rooted devices bypass OS security controls
Intune Policy Antivirus PUA ProtectionLowPUA (Potentially Unwanted Application) protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Sample SubmissionLowAutomatic sample submission is not enabled in Microsoft Defender Antivirus policy
Intune Policy Compliance Allowed Wsl DistributionsLowAllowed WSL (Windows Subsystem for Linux) distributions are restricted by compliance policy
Intune Policy Compliance Maximum OS VersionLowMaximum OS version is enforced by compliance policy, potentially blocking newer builds
Intune Policy Compliance Password History CountLowPassword history count is not enforced by device compliance policy
Intune Policy Disk Allow Warning For Other Disk EncryptionLowWarning for other disk encryption software is allowed
Intune Policy Disk Identification FieldLowBitLocker identification field is not configured
Intune Policy Firewall Private Network Disabled Inbound Action NotificationsLowWindows Firewall inbound action notifications are not disabled for Private network
Intune Policy Windows Security Experience Disable Enhanced NotificationsLowEnhanced notifications are disabled in Windows Security Center
Intune Policy Windows Security Experience Hide Windows Security Notification Area ControlLowWindows Security notification area control is hidden
Admin Enforces Compliant Device For AdminsInfoA Conditional Access policy requires compliant or domain-joined devices for admin roles
Conditional Access Enforces Block Unknown DeviceInfoA CA policy blocks sign-ins from unknown/unsupported device platforms across all apps
Conditional Access Policy Device Included By FilterInfoA CA policy's device filter includes this device via its filter rule
Device Compliance Expiration Date TimeInfoDevice compliance expiration datetime Reports when the compliance state expires and the device needs re-evaluation
Intune Policy Compliance Custom Compliance Script EnabledInfoCustom compliance script is enabled in device compliance policy
Intune Policy Compliance Valid OS Build RangesInfoValid OS build ranges are enforced by compliance policy
Intune Policy Disk System Drives Enable Pre Boot Input Protectors On SlatesInfoPre-boot input protectors are enabled on slates/tablets
Intune Policy Firewall Domain Network Log Max File SizeInfoWindows Firewall log file size for Domain network is below recommended threshold
Intune Policy Firewall Domain Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Domain network
Intune Policy Firewall Private Network Log Max File SizeInfoWindows Firewall log file size for Private network is below recommended threshold
Intune Policy Firewall Private Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Private network
Intune Policy Firewall Public Network Log Max File SizeInfoWindows Firewall log file size for Public network is below recommended threshold
Intune Policy Firewall Public Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Public network
Intune Policy Windows Security Experience Disable Account Protection UiInfoAccount Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable App Browser UiInfoApp & Browser Control UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Clear Tpm ButtonInfoClear TPM button is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Device Security UiInfoDevice Security UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Family UiInfoFamily Options UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Health UiInfoDevice Performance & Health UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Network UiInfoFirewall & Network Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Virus UiInfoVirus & Threat Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Enable Customized ToastsInfoCustomized toast notifications are enabled in Windows Security Center
Intune Policy Windows Security Experience Enable In App CustomizationInfoIn-app customization is enabled in Windows Security Center
User Login Device Trust TypeInfoReports the device trust type used during user sign-in

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB ES-1 (Endpoint Security) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB ES-1 (Endpoint Security) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.