Controls / MCSB / ES-2

MCSB ES-2: Endpoint Security

50 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-2 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.

50 checksEndpoint SecurityTop Severity: High

What MCSB ES-2 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-2 sits in the Endpoint Security domain. Senserva evidences it with the 50 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 50 checks that evidence MCSB ES-2

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Device Has Outdated Android Operating SystemHighAndroid device is running an outdated operating system version below the minimum required
Device Has Outdated IOS Operating SystemHighiOS device is running an outdated operating system version below the minimum required
Device Has Outdated Mac OS Operating SystemHighmacOS device is running an outdated operating system version below the minimum required
Device Has Outdated Windows Operating SystemHighWindows device is running an outdated operating system version below the minimum required
Intune Device Out Of SupportHighIntune-managed device is running an OS version that is out of support. No longer receiving security patches
Intune Policy Antivirus Behavior MonitoringHighBehavior monitoring is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Cloud ProtectionHighCloud-delivered protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Property Not FoundHighExpected antivirus property not found in the Intune policy configuration
Intune Policy Antivirus Real Time ProtectionHighReal-time protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Removable Drive ScanningHighRemovable drive scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Script ScanningHighScript scanning not enabled in Microsoft Defender Antivirus policy
Intune Policy Compliance Active Firewall RequiredHighActive firewall is not required by device compliance policy
Intune Policy Compliance Anti Spyware RequiredHighAnti-spyware is not required by device compliance policy
Intune Policy Compliance Any Antivirus RequiredHighAny antivirus solution is not required by device compliance policy
Intune Policy Compliance Mde Integration RequiredHighMicrosoft Defender for Endpoint integration is not required by compliance policy
Intune Policy Compliance Mde Threat Level AllowedHighMicrosoft Defender for Endpoint allowed threat level is too permissive in compliance policy
Intune Policy Compliance Microsoft Defender Antivirus RequiredHighMicrosoft Defender Antivirus is not required by device compliance policy
Intune Policy Compliance Microsoft Defender Minimum VersionHighMicrosoft Defender Antivirus minimum version is not enforced by compliance policy
Intune Policy Compliance Microsoft Defender Real Time Protection RequiredHighMicrosoft Defender real-time protection is not required by compliance policy
Intune Policy Compliance Microsoft Defender Signature Must Be Up To DateHighMicrosoft Defender signature currency is not required by compliance policy
Intune Policy Windows Security Experience Tamper Protection OptionsHighTamper Protection options are not configured in Windows Security Experience policy
Device Intune Permission Check SkippedMediumIntune audit skipped: credential lacks a required directory role or the tenant does not have an Intune license.
Device Must Be ManagedMediumDevice management status (IsManaged property) Unmanaged devices may bypass endpoint security policies
Entra Device Not In Defender CoverageMediumEntra-registered Windows device has no matching Microsoft Defender for Endpoint machine record, so the audit cannot determine per-CVE patch posture.
Entra Device OS Version LagMediumEntra-registered Windows device is on a build that is no longer supported by Windows Update, so it cannot receive new security patches.
Intune Policy Antivirus Archive ScanningMediumArchive scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Email ScanningMediumEmail scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus IOAV ScanningMediumIOAV (IE/Office/ActiveX) scanning is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Network ScanningMediumNetwork inspection not enabled in Microsoft Defender Antivirus policy
Intune Policy Windows Security Experience Disable Tpm Firmware Update WarningMediumTPM firmware update warning is disabled in Windows Security Center
Intune Policy Windows Security Experience Hide Ransomware Data RecoveryMediumRansomware data recovery UI is hidden in Windows Security Center
Intune Policy Windows Security Experience Property Not FoundMediumExpected Windows Security Experience property was not found in the Intune policy configuration
Device Has Unallowed Extension AttributesLowDevice has extension attributes that match the disallowed list in the security baseline. May indicate non-compliant device configuration or tagging
Device Must Be Owned By CompanyLowDevice is not owned by the company (personal/BYOD) Company-owned devices should be required for privileged access
Device Required Enrollment TypeLowDevice enrollment type does not match the required enrollment type in the security baseline
Intune Policy Antivirus PUA ProtectionLowPUA (Potentially Unwanted Application) protection is not enabled in Microsoft Defender Antivirus policy
Intune Policy Antivirus Sample SubmissionLowAutomatic sample submission is not enabled in Microsoft Defender Antivirus policy
Intune Policy Windows Security Experience Disable Enhanced NotificationsLowEnhanced notifications are disabled in Windows Security Center
Intune Policy Windows Security Experience Hide Windows Security Notification Area ControlLowWindows Security notification area control is hidden
Device Trust TypeInfoDevice trust type (AAD Joined, Hybrid Azure AD Joined, Azure AD Registered). Tracked for device posture inventory and policy alignment
Intune Policy Windows Security Experience Disable Account Protection UiInfoAccount Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable App Browser UiInfoApp & Browser Control UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Clear Tpm ButtonInfoClear TPM button is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Device Security UiInfoDevice Security UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Family UiInfoFamily Options UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Health UiInfoDevice Performance & Health UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Network UiInfoFirewall & Network Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Disable Virus UiInfoVirus & Threat Protection UI is disabled in Windows Security Center
Intune Policy Windows Security Experience Enable Customized ToastsInfoCustomized toast notifications are enabled in Windows Security Center
Intune Policy Windows Security Experience Enable In App CustomizationInfoIn-app customization is enabled in Windows Security Center

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB ES-2 (Endpoint Security) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB ES-2 (Endpoint Security) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.