Configure Restrict App Execution capability in Microsoft Defender for Endpoint

  • Release version: Zurich
  • Updated March 12, 2026
  • 1 minute to read

    • To contain an attack, restrict or lock a device and prevent subsequent attempts of potentially malicious programs from running.

    Before you begin

    Table 1. Requirements for Restrict App Execution capability
    Input Description
    Comment (Required: Comment to associate with the action)

    Role required: sn_si.admin or sn_si.analyst

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
      1. In the related links section, select Run Additional Actions on Endpoint.
      2. Browse and select the Restrict App Execution capability.
      Alternatively, you can perform the following steps:
      1. In the related lists section, select Show All Related Lists.
      2. Select the Configuration Item related list.
      3. Select the added configuration items.
      4. From the Actions on selected rows, select Run Additional Actions on Endpoint.
    3. To enable Restrict App Execution on the machine, select Run Additional Action.
    4. View the automation activities of the execution, and validate them.
    5. Validate the status of the action on the Additional Actions on Endpoint related lists.