Configure Restrict App Execution capability in Microsoft Defender for Endpoint

  • Release version: Xanadu
  • Updated August 1, 2024
To contain an attack, restrict or lock the device so that potentially malicious programs cannot be run on it again.

    Before you begin

    Table 1. Requirements for Restrict App Execution capability
    Input               Description
    Comment (Required)  Comment to associate with the action

    Role required: sn_si.admin or sn_si.analyst

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
       1. In the Related Links section, click Run Additional Actions on Endpoint.
       2. Browse and select the Restrict App Execution capability.
       Figure 1. Restrict App Execution (Restrict App capability implementation)
       Alternatively, you can perform the following steps:
       1. In the Related Lists section, click Show All Related Lists.
       2. Click the Configuration Item related list.
       3. Select the added configuration items.
       4. From the Actions on selected rows list, select Run Additional Actions on Endpoint.
    3. To enable Restrict App Execution on the machine, click Run Additional Action.
    4. View the automation activities of the execution and validate them.
    5. Validate the status of the action in the Additional Actions on Endpoint related list.
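The same containment action driven directly through the Microsoft Defender for Endpoint public API, as an added example that is not ServiceNow's own implementation: it enforces the required comment from Table 1 and reads back the machine action status that step 5 validates. The machine ID, token, injected transport and sample response are placeholders or constructed values.

```python
import json
from typing import Any, Callable, Dict

MDE_API = "https://api.securitycenter.microsoft.com/api"   # public MDE API base
# Terminal states of a Defender machine action; anything else is still running.
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}

def build_restrict_request(machine_id: str, comment: str) -> Dict[str, Any]:
    """Describe the POST that restricts app execution on one machine.
    The comment is mandatory (Table 1), so refuse to build a request without it."""
    if not machine_id:
        raise ValueError("machine_id is required")
    if not comment or not comment.strip():
        raise ValueError("a comment is required for Restrict App Execution")
    return {
        "method": "POST",
        "url": f"{MDE_API}/machines/{machine_id}/restrictCodeExecution",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"Comment": comment}),
    }

def summarise_machine_action(action: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce the machine action object to what the analyst validates: its id,
    whether it is the expected action type, and whether it has finished."""
    status = action.get("status", "Unknown")
    return {
        "action_id": action.get("id"),
        "is_restrict": action.get("type") == "RestrictCodeExecution",
        "status": status,
        "done": status in TERMINAL,
        "succeeded": status == "Succeeded",
    }

def restrict_app_execution(machine_id: str, comment: str, token: str,
                           send: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Submit the action through `send` (an injected HTTP transport, e.g. a thin
    wrapper around requests.request) and summarise the returned machine action."""
    req = build_restrict_request(machine_id, comment)
    req["headers"]["Authorization"] = f"Bearer {token}"   # OAuth2 token for the MDE API
    return summarise_machine_action(send(req))

# Constructed sample response (placeholder ids), not captured from a real tenant.
SAMPLE_ACTION = {"id": "00000000-0000-0000-0000-000000000001",
                 "type": "RestrictCodeExecution", "status": "Pending",
                 "requestorComment": "SIR0001234: contain suspected malware host"}

if __name__ == "__main__":
    offline_send = lambda req: SAMPLE_ACTION      # stand-in transport for offline use
    print(restrict_app_execution("MACHINE-ID-PLACEHOLDER", "SIR0001234: contain host",
                                 "TOKEN-PLACEHOLDER", offline_send))
```

Poll `GET {MDE_API}/machineactions/{action_id}` with the returned `action_id` until `done` is true; a `Pending` or `InProgress` status means the device has not yet applied the restriction.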