MCSB ES-3: Endpoint Security
61 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-3 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB ES-3 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-3 sits in the Endpoint Security domain. Senserva evidences it with the 61 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 61 checks that evidence MCSB ES-3
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Device Missing KEV Patch | Critical | Managed device is missing one or more KB articles that fix KEV-listed CVEs. |
| Intune Device Vulnerability KEV | Critical | Device has one or more vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. |
| Intune Policy Autopatch CVE Gap KEV | Critical | A KEV-listed CVE has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment. |
| Device Endpoint Detection And Response | High | Endpoint detection and response (EDR) solution status on the device |
| Intune Device Defender Recommendation Critical | High | Microsoft Defender Vulnerability Management raised a security recommendation with a public exploit or an active alert. |
| Intune Device Malware Protection Disabled | High | Managed device reports Microsoft Defender Antivirus malware protection is not enabled. |
| Intune Device Missing Critical Patch | High | Managed device is missing one or more KB articles that fix Critical-severity CVEs (CVSS 9.0+). |
| Intune Device Real Time Protection Disabled | High | Managed device reports Microsoft Defender Antivirus real-time protection is turned off. |
| Intune Device Vulnerability Critical | High | Device has one or more Critical-severity vulnerabilities (CVSS 9.0+). |
| Intune Device Vulnerable Software Critical | High | Microsoft Defender Vulnerability Management reports an installed software product with a public exploit or an active alert. |
| Intune Policy Autopatch CVE Gap Critical | High | A Critical-severity CVE (CVSS 9.0+) has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment. |
| Intune Policy Autopatch Deployment No Members | High | Windows Autopatch deployment exists but its audience contains zero updatable assets, so no devices receive the patch. |
| Intune Policy Autopatch Deployment Not Healthy | High | Windows Autopatch deployment is not in a healthy state (paused, faulted, or cancelled). |
| Intune Policy Autopatch Deployment Reboot Delay Long | High | Windows Autopatch deployment forced-reboot deadline exceeds 5 days. |
| Intune Policy Autopatch Deployments None | High | No active Windows Autopatch deployments are configured. The deployment service is provisioned but unused. |
| Intune Policy Autopatch Updatable Asset Group Not Enrolled | High | Entra security group is registered as a Windows Autopatch updatable asset but its devices are not enrolled with the deployment service. |
| Intune Policy Autopatch Updatable Assets None | High | No Windows Autopatch updatable assets (devices or groups) are registered with the deployment service. |
| Intune Policy Update Driver Auto Approval | High | Windows Driver Update profile uses automatic approval, drivers are deployed without review. |
| Intune Policy Update Driver No Deferral | High | Windows Driver Update profile has zero deployment deferral, drivers deploy immediately. |
| Intune Policy Update Driver Profile Missing | High | No Windows Driver Update profile exists, driver updates are not managed by Intune. |
| Intune Policy Update Driver Profile Unassigned | High | Windows Driver Update profile has no device assignments, profile exists but targets no devices. |
| Intune Policy Update Driver Sync Failed | High | Windows Driver Update profile inventory sync has failed. |
| Intune Policy Update Feature No Gradual Rollout | High | Windows Feature Update profile has no gradual rollout interval, all devices update at once. |
| Intune Policy Update Feature Profile Missing | High | No Windows Feature Update profile exists, feature updates are not managed by Intune. |
| Intune Policy Update Feature Profile Unassigned | High | Windows Feature Update profile has no device assignments, profile exists but targets no devices. |
| Intune Policy Update Feature Rollout Deadline Missing | High | Windows Feature Update profile has no rollout deadline configured. |
| Intune Policy Update Feature Version Not Set | High | Windows Feature Update profile has no target version specified. |
| Intune Policy Update Feature Version Outdated | High | Windows Feature Update profile targets an end-of-support Windows version. |
| Intune Policy Update Profile Assignment Empty Group | High | A Windows update profile or ring is assigned to an Entra security group that has zero members. Devices receive nothing through this assignment. |
| Intune Policy Update Quality Expedited Missing | High | Windows Quality Update profile has no expedited update settings, critical patches cannot be fast-tracked. |
| Intune Policy Update Quality Profile Missing | High | No Windows Quality Update profile exists, security and quality updates are not managed by Intune. |
| Intune Policy Update Quality Profile Unassigned | High | Windows Quality Update profile has no device assignments, profile exists but targets no devices. |
| Intune Policy Update Quality Reboot Delay Long | High | Windows Quality Update expedited reboot deadline exceeds 5 days. |
| Intune Policy Update Ring Feature No Deferral | High | Update ring has zero feature update deferral, major Windows updates install immediately. |
| Intune Policy Update Ring Feature Paused | High | Feature updates are paused in the update ring. |
| Intune Policy Update Ring Missing | High | No Windows Update for Business update ring policy exists. |
| Intune Policy Update Ring Quality No Deferral | High | Update ring has zero quality update deferral, security patches install with no testing window. |
| Intune Policy Update Ring Quality Paused | High | Quality updates are paused in the update ring, devices are not receiving security patches. |
| Intune Policy Update Ring Unassigned | High | Windows Update ring policy has no device assignments. |
| Intune Policy Win32 App Install Failures | High | Win32 LOB application has a high install failure rate across assigned devices. |
| Device Health Check Failed | Medium | Device fails one or more basic health checks: not compliant, not managed, or rooted/jailbroken |
| Device Intune Permission Check Skipped | Medium | Intune audit skipped: credential lacks a required directory role or the tenant does not have an Intune license. |
| Device Must Be Compliant | Medium | Device compliance status (IsCompliant property) Non-compliant devices may lack required security configurations (encryption, PIN, etc) |
| Entra Device Not In Defender Coverage | Medium | Entra-registered Windows device has no matching Microsoft Defender for Endpoint machine record, so the audit cannot determine per-CVE patch posture. |
| Entra Device OS Version Lag | Medium | Entra-registered Windows device is on a build that is no longer supported by Windows Update, so it cannot receive new security patches. |
| Intune Audit Event Configuration Deleted | Medium | A security-relevant Intune configuration object was deleted in the last 30 days. |
| Intune Audit Event Configuration Modified | Medium | A security-relevant Intune configuration object was modified in the last 30 days. |
| Intune Device Defender Recommendation Active | Medium | Microsoft Defender Vulnerability Management has an active security recommendation affecting one or more devices. |
| Intune Device Malware Signature Out Of Date | Medium | Managed device reports Microsoft Defender Antivirus security intelligence (signature) updates are overdue. |
| Intune Device Missing High Patch | Medium | Managed device is missing one or more KB articles that fix High-severity CVEs (CVSS 7.0-8.9). |
| Intune Device Non Compliant | Medium | Intune-managed device is non-compliant with one or more compliance policies Reports the specific failing setting. |
| Intune Device OS Version Lag | Medium | Managed device's osVersion lags the latest published Windows build by more than 60 days (fallback when Defender TVM is unavailable). |
| Intune Device Vulnerability High | Medium | Device has one or more High-severity vulnerabilities (CVSS 7.0-8.9). |
| Intune Device Vulnerable Software | Medium | Microsoft Defender Vulnerability Management reports an installed software product with one or more known vulnerabilities. |
| Intune Policy Autopatch CVE Gap High | Medium | A High-severity CVE (CVSS 7.0-8.9) has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment. |
| Intune Policy Update Profile Assignment Mismatch | Medium | Windows update profiles for the same fleet target different Entra groups, suggesting an accidental coverage gap rather than an intentional split. |
| Intune Policy Win32 App Unassigned | Medium | Win32 LOB application is published in Intune but has no group assignments. The app reaches no devices. |
| Intune Policy Win32 Apps None | Medium | No Win32 LOB applications are deployed via Intune. Line-of-business app delivery may rely on uncontrolled channels. |
| Device Is Rooted | Low | Device is flagged as rooted or jailbroken Rooted devices bypass OS security controls |
| Intune Policy Autopatch Catalog Unavailable | Low | Windows Update catalog endpoint returns no entries while the deployment service is otherwise reachable. |
| Device Compliance Expiration Date Time | Info | Device compliance expiration datetime Reports when the compliance state expires and the device needs re-evaluation |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.