Microsoft Defender for Endpoint Default Settings
Summary of Microsoft Defender for Endpoint Default Settings
The Microsoft Defender for Endpoint Default Settings module is accessible after installation within the Microsoft Defender for Endpoint application in ServiceNow. It provides default configurations for various Defender functionalities, facilitating streamlined endpoint security management. Proper configuration of these settings is essential to ensure the correct operation of actions such as host isolation, application restriction, and antivirus scanning.
Key Features
- Approval Configuration: Controls approval requirements specifically for critical actions like Isolate Host, Remove Host Isolation, Restrict App Execution, Remove App Restriction, and Run Antivirus Scan. This approval applies only when actions are triggered from the Related list and no existing profiles are present. If profiles exist, their approval settings take precedence.
- Require Approval and Approvers: When enabled, the system mandates approval from designated approver groups to complete requests, enhancing governance and control over sensitive actions.
- Alternate Configuration Item (CI): Allows specifying an alternate CI field for the Run Additional Actions on Endpoint capability, overriding the default use of the Security Incident’s CI field. This flexibility enables more accurate or relevant CI association during endpoint actions.
- Agent ID Resolution Input: Determines whether IP address, Host Name, or both are used to resolve the Agent ID. This setting allows customization based on available data and environment needs.
- Timeout Settings: Defines execution thresholds (in minutes) for various capabilities including Isolate Host, Remove Isolation, Restrict App Execution, Remove App Restriction, Run Antivirus Scan, and Stop and Quarantine File. These timeouts help manage operation duration and system responsiveness.
Roles Required
To access and configure the Default Settings module, users must have the sn_si.admin role for full access or the sn_si.analyst role for read-only permissions.
Practical Implications for ServiceNow Customers
By configuring these default settings, administrators can ensure proper control and authorization workflows for endpoint security actions, customize how endpoints are identified, and manage operational timeouts effectively. This setup is crucial for maintaining security compliance, operational efficiency, and ensuring that endpoint actions align with organizational policies and incident management processes within ServiceNow.
There are additional configuration steps you must perform after you complete the installation.
After you complete the installation, you can find the Default Settings module under the Microsoft Defender for Endpoint application on the left-navigation pane. It contains the default settings for different Microsoft Defender for Endpoint functionalities.
Roles required: sn_si.admin, sn_si.analyst (read-only).
Additional Configurations
- Approval: This approval is specifically for the Isolate Host action, the Remove Host Isolation action, and additional actions such as Restrict App Execution, Remove App Restriction, and Run Antivirus Scan. This approval applies only when actions are triggered directly from the Related list and there are no existing profiles. If any profiles exist for these capabilities, the approval configuration in the profile takes precedence.
- Require Approval: When you enable Require Approval, the Approvers field is available on the form.
- Approvers: List of approver groups. After you submit a request, approval is required from the group to complete the request.
- Alternate CI: Enabling this check box provides the list of fields available to pass an alternate CI to the capability. By default, the integration uses the Configuration Item (CI) field on the Security Incident. This configuration applies only to the Run Additional Actions on Endpoint capability, so use it to define an alternate CI input field for that capability only. For the other capabilities, use the configuration in the profile section. If the profiles do not define an alternate CI, the capabilities take the CI field from the Security Incident form.
- Input for Agent ID resolution: By default, both the IP address and the Host Name are used to resolve the Agent ID. If you are going to use only one of them, set the input field to either IP or Host Name.
- Timeout:
  - Isolate Host Timeout (in minutes): Indicates the execution threshold for the Isolate Host capability.
  - Remove Isolation Timeout (in minutes): Indicates the execution threshold for the Remove Isolation capability.
  - Restrict App Execution Timeout (in minutes): Indicates the execution threshold for the Restrict App Execution capability.
  - Remove App Restriction Timeout (in minutes): Indicates the execution threshold for the Remove App Restriction capability.
  - Run Antivirus Scan Timeout (in minutes): Indicates the execution threshold for the Run Antivirus Scan capability.
  - Stop and Quarantine File Timeout (in minutes): Indicates the execution threshold for the Stop and Quarantine File capability.