Microsoft Defender for Endpoint Restrict app execution

In a recent blog I looked at how Microsoft Defender for Endpoint can allow an administrator to restrict a device from communicating with everything except the Defender for Endpoint admin console. You’ll find that post here:

Microsoft Defender for Endpoint device isolation

Isolating a device is a pretty drastic measure; however, Defender for Endpoint does have another device restriction option that is probably less intrusive, known as Restrict app execution.

What Restrict app execution does is prevent applications that are not signed by Microsoft from running.

image

To Restrict app execution on a device, first navigate to:

https://security.microsoft.com

and select the Device inventory from the options on the left. This will display a list of all the devices that Defender for Endpoint knows about. Select the device you wish to restrict from the list. On the top right-hand side, an option, Restrict app execution, should appear, as shown above.

image

Once you select this option you’ll need to provide a reason for this restriction and press the Confirm button. This action will be logged in the admin console for later reference.

image

You will see the action item displayed as shown above. You can also cancel here if required.

On the device, in a matter of moments, a message will now appear:

image

and if a non-Microsoft application is run, you'll see:

image

putty.exe

image

Brave browser

This process uses Windows Defender Application Control (WDAC), which I have spoken about before:

Windows Defender Application Control (WDAC) basics

which you can apply yourself via a policy, but in this case, it is being applied on the fly, which is impressive!

To remove this device restriction, all you need to do is select

image

the Remove app restriction option, which can again be found in the top right of the device page.

image

You’ll again be prompted to enter a reason for removing the restriction and then you’ll need to select the Confirm button.

image

The Action center confirmation will then appear as shown above, and in a very short period of time the restriction will be removed from the device.

image

These confirmations can be found in the Action center option on the left-hand side menu, under the Actions & submissions item, as shown above.
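The same restrict, confirm, and remove cycle as above, driven through the Defender for Endpoint API rather than the portal, as an added example that is not code from the original post. It assumes you already hold an OAuth bearer token for the Defender for Endpoint API with the Machine.RestrictExecution permission and a machine id taken from Device inventory (both shown as placeholders); the restrictCodeExecution, unrestrictCodeExecution and machineactions endpoints are Microsoft's documented ones, while the function names are mine.

```powershell
# Added example, not from the original post. Placeholders: replace $Token and $MachineId.
$Token     = '<bearer token for https://api.securitycenter.microsoft.com>'
$MachineId = '<machine id from Device inventory>'
$Base      = 'https://api.securitycenter.microsoft.com/api'
$Headers   = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

function Set-MdeAppRestriction {
    param(
        [Parameter(Mandatory)] [string] $MachineId,
        [Parameter(Mandatory)] [ValidateSet('Restrict', 'Remove')] [string] $Action,
        [Parameter(Mandatory)] [string] $Comment   # the reason you would type into the Confirm dialog
    )
    # restrictCodeExecution is "Restrict app execution"; unrestrictCodeExecution is "Remove app restriction"
    $verb = if ($Action -eq 'Restrict') { 'restrictCodeExecution' } else { 'unrestrictCodeExecution' }
    $body = @{ Comment = $Comment } | ConvertTo-Json
    # The response is a machine action record, the same item that appears in Action center
    Invoke-RestMethod -Method Post -Uri "$Base/machines/$MachineId/$verb" -Headers $Headers -Body $body
}

function Wait-MdeMachineAction {
    param([Parameter(Mandatory)] [string] $ActionId, [int] $TimeoutSeconds = 300)
    # Poll until the action leaves Pending / InProgress, as the Action center view does
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $action = Invoke-RestMethod -Method Get -Uri "$Base/machineactions/$ActionId" -Headers $Headers
        if ($action.status -in 'Succeeded', 'Failed', 'TimeOut', 'Cancelled') { return $action }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Machine action $ActionId still '$($action.status)' after $TimeoutSeconds seconds"
}

# Restrict the device, wait for the action to finish, then remove the restriction again.
# Both comments are logged against the action, just like the reason entered in the portal.
$restrict = Set-MdeAppRestriction -MachineId $MachineId -Action Restrict -Comment 'Investigating alert, containing device'
$result   = Wait-MdeMachineAction -ActionId $restrict.id
"Restrict app execution: $($result.status)"

$remove = Set-MdeAppRestriction -MachineId $MachineId -Action Remove -Comment 'Investigation closed'
$result = Wait-MdeMachineAction -ActionId $remove.id
"Remove app restriction: $($result.status)"
```

If the restrict call fails, check the response body: the API rejects the request when the device is offline or another restriction action is already pending for it.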

This is a handy option in Defender for Endpoint for containing a possible security issue on a device while minimising the impact to the user. Of course, smart attackers will use Microsoft tools already located on the device, such as PowerShell, to compromise machines and avoid this restriction. However, they will typically also need to run a non-Microsoft application somewhere along the line, which this technique will block.

For more information about Microsoft Defender Restrict app execution see the Microsoft documentation here:

Take response on a device

and remember that Restrict app execution is another feature that can be used with Defender for Endpoint when responding to security threats on devices.
