MCSB ES-2: Endpoint Security
50 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-2 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB ES-2 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-2 sits in the Endpoint Security domain. Senserva evidences it with the 50 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 50 checks that evidence MCSB ES-2
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Device Has Outdated Android Operating System | High | Android device is running an outdated operating system version below the minimum required |
| Device Has Outdated IOS Operating System | High | iOS device is running an outdated operating system version below the minimum required |
| Device Has Outdated Mac OS Operating System | High | macOS device is running an outdated operating system version below the minimum required |
| Device Has Outdated Windows Operating System | High | Windows device is running an outdated operating system version below the minimum required |
| Intune Device Out Of Support | High | Intune-managed device is running an OS version that is out of support. No longer receiving security patches |
| Intune Policy Antivirus Behavior Monitoring | High | Behavior monitoring is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Cloud Protection | High | Cloud-delivered protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Property Not Found | High | Expected antivirus property not found in the Intune policy configuration |
| Intune Policy Antivirus Real Time Protection | High | Real-time protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Removable Drive Scanning | High | Removable drive scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Script Scanning | High | Script scanning not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Compliance Active Firewall Required | High | Active firewall is not required by device compliance policy |
| Intune Policy Compliance Anti Spyware Required | High | Anti-spyware is not required by device compliance policy |
| Intune Policy Compliance Any Antivirus Required | High | Any antivirus solution is not required by device compliance policy |
| Intune Policy Compliance Mde Integration Required | High | Microsoft Defender for Endpoint integration is not required by compliance policy |
| Intune Policy Compliance Mde Threat Level Allowed | High | Microsoft Defender for Endpoint allowed threat level is too permissive in compliance policy |
| Intune Policy Compliance Microsoft Defender Antivirus Required | High | Microsoft Defender Antivirus is not required by device compliance policy |
| Intune Policy Compliance Microsoft Defender Minimum Version | High | Microsoft Defender Antivirus minimum version is not enforced by compliance policy |
| Intune Policy Compliance Microsoft Defender Real Time Protection Required | High | Microsoft Defender real-time protection is not required by compliance policy |
| Intune Policy Compliance Microsoft Defender Signature Must Be Up To Date | High | Microsoft Defender signature currency is not required by compliance policy |
| Intune Policy Windows Security Experience Tamper Protection Options | High | Tamper Protection options are not configured in Windows Security Experience policy |
| Device Intune Permission Check Skipped | Medium | Intune audit skipped: credential lacks a required directory role or the tenant does not have an Intune license. |
| Device Must Be Managed | Medium | Device management status (IsManaged property) Unmanaged devices may bypass endpoint security policies |
| Entra Device Not In Defender Coverage | Medium | Entra-registered Windows device has no matching Microsoft Defender for Endpoint machine record, so the audit cannot determine per-CVE patch posture. |
| Entra Device OS Version Lag | Medium | Entra-registered Windows device is on a build that is no longer supported by Windows Update, so it cannot receive new security patches. |
| Intune Policy Antivirus Archive Scanning | Medium | Archive scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Email Scanning | Medium | Email scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus IOAV Scanning | Medium | IOAV (IE/Office/ActiveX) scanning is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Network Scanning | Medium | Network inspection not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Windows Security Experience Disable Tpm Firmware Update Warning | Medium | TPM firmware update warning is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Hide Ransomware Data Recovery | Medium | Ransomware data recovery UI is hidden in Windows Security Center |
| Intune Policy Windows Security Experience Property Not Found | Medium | Expected Windows Security Experience property was not found in the Intune policy configuration |
| Device Has Unallowed Extension Attributes | Low | Device has extension attributes that match the disallowed list in the security baseline. May indicate non-compliant device configuration or tagging |
| Device Must Be Owned By Company | Low | Device is not owned by the company (personal/BYOD) Company-owned devices should be required for privileged access |
| Device Required Enrollment Type | Low | Device enrollment type does not match the required enrollment type in the security baseline |
| Intune Policy Antivirus PUA Protection | Low | PUA (Potentially Unwanted Application) protection is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Antivirus Sample Submission | Low | Automatic sample submission is not enabled in Microsoft Defender Antivirus policy |
| Intune Policy Windows Security Experience Disable Enhanced Notifications | Low | Enhanced notifications are disabled in Windows Security Center |
| Intune Policy Windows Security Experience Hide Windows Security Notification Area Control | Low | Windows Security notification area control is hidden |
| Device Trust Type | Info | Device trust type (AAD Joined, Hybrid Azure AD Joined, Azure AD Registered). Tracked for device posture inventory and policy alignment |
| Intune Policy Windows Security Experience Disable Account Protection Ui | Info | Account Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable App Browser Ui | Info | App & Browser Control UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Clear Tpm Button | Info | Clear TPM button is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Device Security Ui | Info | Device Security UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Family Ui | Info | Family Options UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Health Ui | Info | Device Performance & Health UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Network Ui | Info | Firewall & Network Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Disable Virus Ui | Info | Virus & Threat Protection UI is disabled in Windows Security Center |
| Intune Policy Windows Security Experience Enable Customized Toasts | Info | Customized toast notifications are enabled in Windows Security Center |
| Intune Policy Windows Security Experience Enable In App Customization | Info | In-app customization is enabled in Windows Security Center |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.