MCSB ES-4: Endpoint Security
25 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-4 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB ES-4 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-4 sits in the Endpoint Security domain. Senserva evidences it with the 25 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 25 checks that evidence MCSB ES-4
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Policy Attack Surface Reduction Block Abuse Of Vulnerable Signed Drivers | High | ASR rule to block abuse of exploited vulnerable signed drivers is not enabled |
| Intune Policy Attack Surface Reduction Block Credential Stealing From LSASS | High | ASR rule to block credential stealing from LSASS is not enabled |
| Intune Policy Attack Surface Reduction Block Downloading Executable Content | High | ASR rule to block downloading executable content from email and webmail clients is not enabled |
| Intune Policy Attack Surface Reduction Block Executable Content From Email | High | ASR rule to block executable content from email is not enabled |
| Intune Policy Attack Surface Reduction Block Js Vb Launching Downloaded Executables | High | ASR rule to block JavaScript/VBScript from launching downloaded executables is not enabled |
| Intune Policy Attack Surface Reduction Block Obfuscated Scripts | High | ASR rule to block obfuscated scripts is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Creating Child Processes | High | ASR rule to block Office apps from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Creating Executable Content | High | ASR rule to block Office apps from creating executable content is not enabled |
| Intune Policy Attack Surface Reduction Block Office Apps Injecting Code | High | ASR rule to block Office apps from injecting code into other processes is not enabled |
| Intune Policy Attack Surface Reduction Block Persistence Through Wmi Event Subscription | High | ASR rule to block persistence through WMI event subscription is not enabled |
| Intune Policy Attack Surface Reduction Block Process Creations From Psexec Wmi | High | ASR rule to block process creations from PSExec and WMI commands is not enabled |
| Intune Policy Attack Surface Reduction Block Ransomware Behavior | High | ASR rule to block ransomware behavior is not enabled |
| Intune Policy Attack Surface Reduction Block Untrusted Webmail Executables | High | ASR rule to block executables from webmail is not enabled |
| Intune Policy Attack Surface Reduction Block Use Of Copied Or Impersonated System Tools | High | ASR rule to block use of copied or impersonated system tools is not enabled |
| Intune Policy Attack Surface Reduction Block Web Shell Creation For Servers | High | ASR rule to block webshell creation for servers is not enabled |
| Intune Policy Attack Surface Reduction Block Win32 API Calls From Office Macros | High | ASR rule to block Win32 API calls from Office macros is not enabled |
| Intune Policy Attack Surface Reduction Controlled Folder Access | High | Controlled Folder Access is not enabled or configured |
| Intune Policy Attack Surface Reduction Block Adobe Reader Child Processes | Medium | ASR rule to block Adobe Reader from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Executable Files Unless Prevalence Age Trusted List Criterion | Medium | ASR rule to block executable files unless they meet prevalence, age, or trusted list criteria is not enabled |
| Intune Policy Attack Surface Reduction Block Office Communication Apps Creating Child Processes | Medium | ASR rule to block Office communication apps from creating child processes is not enabled |
| Intune Policy Attack Surface Reduction Block Rebooting Machine In Safe Mode | Medium | ASR rule to block rebooting machine in Safe Mode is not enabled |
| Intune Policy Attack Surface Reduction Block Unsigned Or Untrusted USB Processes | Medium | ASR rule to block unsigned or untrusted USB processes is not enabled |
| Intune Policy Attack Surface Reduction Block Untrusted And Unsigned Scripts | Medium | ASR rule to block untrusted and unsigned processes that run from USB is not enabled |
| Intune Policy Attack Surface Reduction Block Use Of Credential Manager | Medium | ASR rule to block credential manager misuse is not enabled |
| Intune Policy Attack Surface Reduction Property Not Found | Medium | Expected Attack Surface Reduction property was not found in the Intune policy configuration |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.