MCSB ES-5: Endpoint Security
5 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control ES-5 (Endpoint Security). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB ES-5 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. ES-5 sits in the Endpoint Security domain. Senserva evidences it with the 5 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 5 checks that evidence MCSB ES-5
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Intune Policy App Control Audit Mode | High | Application Control is in audit mode, not enforcing blocks |
| Intune Policy App Control Build Options | High | Application Control policy build options are not configured |
| Intune Policy App Control Property Not Found | Medium | Expected Application Control property was not found in the Intune policy configuration |
| Intune Policy App Control Trust Apps From Managed Installer | Medium | Managed Installer trust is not enabled in Application Control policy |
| Intune Policy App Control Trust Apps With Good Reputation | Medium | Intelligent Security Graph (ISG) reputation trust is not enabled in Application Control policy |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.