Controls / MCSB / PV-6

MCSB PV-6: Posture and Vulnerability Management

52 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control PV-6 (Posture and Vulnerability Management). Each is checked against your tenant, ranked by Severity, with validated remediation.

52 checksPosture and Vulnerability ManagementTop Severity: Critical

What MCSB PV-6 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. PV-6 sits in the Posture and Vulnerability Management domain. Senserva evidences it with the 52 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 52 checks that evidence MCSB PV-6

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Intune Device Missing KEV PatchCriticalManaged device is missing one or more KB articles that fix KEV-listed CVEs.
Intune Device Vulnerability KEVCriticalDevice has one or more vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Intune Policy Autopatch CVE Gap KEVCriticalA KEV-listed CVE has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment.
Intune Device Defender Recommendation CriticalHighMicrosoft Defender Vulnerability Management raised a security recommendation with a public exploit or an active alert.
Intune Device Malware Protection DisabledHighManaged device reports Microsoft Defender Antivirus malware protection is not enabled.
Intune Device Missing Critical PatchHighManaged device is missing one or more KB articles that fix Critical-severity CVEs (CVSS 9.0+).
Intune Device Real Time Protection DisabledHighManaged device reports Microsoft Defender Antivirus real-time protection is turned off.
Intune Device Vulnerability CriticalHighDevice has one or more Critical-severity vulnerabilities (CVSS 9.0+).
Intune Device Vulnerable Software CriticalHighMicrosoft Defender Vulnerability Management reports an installed software product with a public exploit or an active alert.
Intune Policy Autopatch CVE Gap CriticalHighA Critical-severity CVE (CVSS 9.0+) has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment.
Intune Policy Autopatch Deployment No MembersHighWindows Autopatch deployment exists but its audience contains zero updatable assets, so no devices receive the patch.
Intune Policy Autopatch Deployment Not HealthyHighWindows Autopatch deployment is not in a healthy state (paused, faulted, or cancelled).
Intune Policy Autopatch Deployment Reboot Delay LongHighWindows Autopatch deployment forced-reboot deadline exceeds 5 days.
Intune Policy Autopatch Deployments NoneHighNo active Windows Autopatch deployments are configured. The deployment service is provisioned but unused.
Intune Policy Autopatch Updatable Asset Group Not EnrolledHighEntra security group is registered as a Windows Autopatch updatable asset but its devices are not enrolled with the deployment service.
Intune Policy Autopatch Updatable Assets NoneHighNo Windows Autopatch updatable assets (devices or groups) are registered with the deployment service.
Intune Policy Update Driver Auto ApprovalHighWindows Driver Update profile uses automatic approval, drivers are deployed without review.
Intune Policy Update Driver No DeferralHighWindows Driver Update profile has zero deployment deferral, drivers deploy immediately.
Intune Policy Update Driver Profile MissingHighNo Windows Driver Update profile exists, driver updates are not managed by Intune.
Intune Policy Update Driver Profile UnassignedHighWindows Driver Update profile has no device assignments, profile exists but targets no devices.
Intune Policy Update Driver Sync FailedHighWindows Driver Update profile inventory sync has failed.
Intune Policy Update Feature No Gradual RolloutHighWindows Feature Update profile has no gradual rollout interval, all devices update at once.
Intune Policy Update Feature Profile MissingHighNo Windows Feature Update profile exists, feature updates are not managed by Intune.
Intune Policy Update Feature Profile UnassignedHighWindows Feature Update profile has no device assignments, profile exists but targets no devices.
Intune Policy Update Feature Rollout Deadline MissingHighWindows Feature Update profile has no rollout deadline configured.
Intune Policy Update Feature Version Not SetHighWindows Feature Update profile has no target version specified.
Intune Policy Update Feature Version OutdatedHighWindows Feature Update profile targets an end-of-support Windows version.
Intune Policy Update Profile Assignment Empty GroupHighA Windows update profile or ring is assigned to an Entra security group that has zero members. Devices receive nothing through this assignment.
Intune Policy Update Quality Expedited MissingHighWindows Quality Update profile has no expedited update settings, critical patches cannot be fast-tracked.
Intune Policy Update Quality Profile MissingHighNo Windows Quality Update profile exists, security and quality updates are not managed by Intune.
Intune Policy Update Quality Profile UnassignedHighWindows Quality Update profile has no device assignments, profile exists but targets no devices.
Intune Policy Update Quality Reboot Delay LongHighWindows Quality Update expedited reboot deadline exceeds 5 days.
Intune Policy Update Ring Feature No DeferralHighUpdate ring has zero feature update deferral, major Windows updates install immediately.
Intune Policy Update Ring Feature PausedHighFeature updates are paused in the update ring.
Intune Policy Update Ring MissingHighNo Windows Update for Business update ring policy exists.
Intune Policy Update Ring Quality No DeferralHighUpdate ring has zero quality update deferral, security patches install with no testing window.
Intune Policy Update Ring Quality PausedHighQuality updates are paused in the update ring, devices are not receiving security patches.
Intune Policy Update Ring UnassignedHighWindows Update ring policy has no device assignments.
Intune Policy Win32 App Install FailuresHighWin32 LOB application has a high install failure rate across assigned devices.
Intune Audit Event Configuration DeletedMediumA security-relevant Intune configuration object was deleted in the last 30 days.
Intune Audit Event Configuration ModifiedMediumA security-relevant Intune configuration object was modified in the last 30 days.
Intune Device Defender Recommendation ActiveMediumMicrosoft Defender Vulnerability Management has an active security recommendation affecting one or more devices.
Intune Device Malware Signature Out Of DateMediumManaged device reports Microsoft Defender Antivirus security intelligence (signature) updates are overdue.
Intune Device Missing High PatchMediumManaged device is missing one or more KB articles that fix High-severity CVEs (CVSS 7.0-8.9).
Intune Device OS Version LagMediumManaged device's osVersion lags the latest published Windows build by more than 60 days (fallback when Defender TVM is unavailable).
Intune Device Vulnerability HighMediumDevice has one or more High-severity vulnerabilities (CVSS 7.0-8.9).
Intune Device Vulnerable SoftwareMediumMicrosoft Defender Vulnerability Management reports an installed software product with one or more known vulnerabilities.
Intune Policy Autopatch CVE Gap HighMediumA High-severity CVE (CVSS 7.0-8.9) has KB articles in the Windows Update catalog that are not covered by any active Autopatch deployment.
Intune Policy Update Profile Assignment MismatchMediumWindows update profiles for the same fleet target different Entra groups, suggesting an accidental coverage gap rather than an intentional split.
Intune Policy Win32 App UnassignedMediumWin32 LOB application is published in Intune but has no group assignments. The app reaches no devices.
Intune Policy Win32 Apps NoneMediumNo Win32 LOB applications are deployed via Intune. Line-of-business app delivery may rely on uncontrolled channels.
Intune Policy Autopatch Catalog UnavailableLowWindows Update catalog endpoint returns no entries while the deployment service is otherwise reachable.

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB PV-6 (Posture and Vulnerability... across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB PV-6 (Posture and Vulnerability... across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.