Controls / MCSB / ES-4

MCSB ES-4: Endpoint Security

25 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-4 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.

25 checksEndpoint SecurityTop Severity: High

What MCSB ES-4 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-4 sits in the Endpoint Security domain. Senserva evidences it with the 25 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 25 checks that evidence MCSB ES-4

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Policy Attack Surface Reduction Block Abuse Of Vulnerable Signed DriversHighASR rule to block abuse of exploited vulnerable signed drivers is not enabled
Intune Policy Attack Surface Reduction Block Credential Stealing From LSASSHighASR rule to block credential stealing from LSASS is not enabled
Intune Policy Attack Surface Reduction Block Downloading Executable ContentHighASR rule to block downloading executable content from email and webmail clients is not enabled
Intune Policy Attack Surface Reduction Block Executable Content From EmailHighASR rule to block executable content from email is not enabled
Intune Policy Attack Surface Reduction Block Js Vb Launching Downloaded ExecutablesHighASR rule to block JavaScript/VBScript from launching downloaded executables is not enabled
Intune Policy Attack Surface Reduction Block Obfuscated ScriptsHighASR rule to block obfuscated scripts is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Creating Child ProcessesHighASR rule to block Office apps from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Creating Executable ContentHighASR rule to block Office apps from creating executable content is not enabled
Intune Policy Attack Surface Reduction Block Office Apps Injecting CodeHighASR rule to block Office apps from injecting code into other processes is not enabled
Intune Policy Attack Surface Reduction Block Persistence Through Wmi Event SubscriptionHighASR rule to block persistence through WMI event subscription is not enabled
Intune Policy Attack Surface Reduction Block Process Creations From Psexec WmiHighASR rule to block process creations from PSExec and WMI commands is not enabled
Intune Policy Attack Surface Reduction Block Ransomware BehaviorHighASR rule to block ransomware behavior is not enabled
Intune Policy Attack Surface Reduction Block Untrusted Webmail ExecutablesHighASR rule to block executables from webmail is not enabled
Intune Policy Attack Surface Reduction Block Use Of Copied Or Impersonated System ToolsHighASR rule to block use of copied or impersonated system tools is not enabled
Intune Policy Attack Surface Reduction Block Web Shell Creation For ServersHighASR rule to block webshell creation for servers is not enabled
Intune Policy Attack Surface Reduction Block Win32 API Calls From Office MacrosHighASR rule to block Win32 API calls from Office macros is not enabled
Intune Policy Attack Surface Reduction Controlled Folder AccessHighControlled Folder Access is not enabled or configured
Intune Policy Attack Surface Reduction Block Adobe Reader Child ProcessesMediumASR rule to block Adobe Reader from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Executable Files Unless Prevalence Age Trusted List CriterionMediumASR rule to block executable files unless they meet prevalence, age, or trusted list criteria is not enabled
Intune Policy Attack Surface Reduction Block Office Communication Apps Creating Child ProcessesMediumASR rule to block Office communication apps from creating child processes is not enabled
Intune Policy Attack Surface Reduction Block Rebooting Machine In Safe ModeMediumASR rule to block rebooting machine in Safe Mode is not enabled
Intune Policy Attack Surface Reduction Block Unsigned Or Untrusted USB ProcessesMediumASR rule to block unsigned or untrusted USB processes is not enabled
Intune Policy Attack Surface Reduction Block Untrusted And Unsigned ScriptsMediumASR rule to block untrusted and unsigned processes that run from USB is not enabled
Intune Policy Attack Surface Reduction Block Use Of Credential ManagerMediumASR rule to block credential manager misuse is not enabled
Intune Policy Attack Surface Reduction Property Not FoundMediumExpected Attack Surface Reduction property was not found in the Intune policy configuration

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB ES-4 (Endpoint Security) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB ES-4 (Endpoint Security) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.