Microsoft Defender for Endpoint Default Settings

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Microsoft Defender for Endpoint Default Settings

    After installing Microsoft Defender for Endpoint, additional configuration settings are necessary to utilize various functionalities effectively. These settings can be accessed through the Default Settings module within the application’s navigation pane. Users with roles snsi.admin or snsi.analyst (read-only) can manage these configurations.

    Show full answer Show less

    Key Features

    • Approval Settings: This feature specifically governs actions such as Isolate Host and Remove Host Isolation, along with additional actions. Approval is only applicable when actions are triggered directly from the Related list without existing profiles.
    • Require Approval: Enabling this option makes the Approvers field available, requiring approval from designated groups to complete requests.
    • Alternate CI: This setting allows for specifying an alternate Configuration Item (CI) field for the Run Additional Actions on Endpoint capability, ensuring flexibility in incident management.
    • Agent ID Resolution Input: By default, the system uses IP and Host Name to resolve the Agent ID. Users can configure it to use either input exclusively if desired.
    • Timeout Settings: Various capabilities have associated timeout thresholds (in minutes), such as Isolate Host and Run Antivirus Scan, which dictate execution limits for those actions.

    Key Outcomes

    By configuring these default settings, customers can streamline their security incident response, ensure proper approval flows, and optimize the management of endpoints within their environment. These configurations enhance the overall effectiveness of Microsoft Defender for Endpoint in protecting enterprise assets.

    There are additional configuration settings you must perform after you complete the installation.

    After you complete the installation, you can find the Default Settings module under the Microsoft Defender for Endpoint application on the left-navigation pane. It contains the default settings for different Microsoft Defender for Endpoint functionalities.

    Roles required: sn_si.admin, sn_si.analyst (read-only).

    Additional Configurations

    The following are additional configuration settings:
    • Approval: This approval is specifically for the Isolate Host action, Remove Host Isolation action, and additional actions such as Restrict App Execution, Remove App Restriction and Run Antivirus Scan. You can use this approval only when actions are triggered directly from the Related list, and if there are no any existing profiles. If there are any existing profiles for these capabilities, then the approval configuration in the profile takes precedence.
      • Require Approval: When you enable Require Approval, the Approvers field is available on the form.
      • Approvers: List of approver groups. After you submit a request, approval is required from the group to complete the request.
    • Alternate CI: Enabling this check box provides the list of fields available to pass an alternate CI to the capability. By default, the integration uses the Configuration Item (CI) field on the Security incident. This configuration is applicable only for the Run Additional Actions on Endpoint capability. Use this configuration to define an alternate CI input field for the only Run Additional Actions on Endpoint capability. For the other capabilities, use the configuration in the profile section. If the profiles do not define an alternate CI, then the capabilities would take the CI field from the Security Incident form.
    • Input for Agent ID resolution: By default, IP and Host Name is used to get the Agent ID. If you're going to use only one of them, then set the input field to either IP or Host Name.
    • Timeout:
      • Isolate Host Timeout (in minutes): Indicates the execution threshold for the Isolate Host capabilities.
      • Remove Isolation Timeout (in minutes): Indicates the execution threshold for the Remove Isolation Timeout capability.
      • Restrict App Execution Timeout (in minutes): Indicates the execution threshold for the Restrict App Execution capability.
      • Remove App Restriction Timeout (in minutes): Indicates the execution threshold for the Remove App Restriction capability.
      • Run Antivirus Scan Timeout (in minutes): Indicates the execution threshold for the Run Antivirus Scan capability.
      • Stop and Quarantine File Timeout (in minutes): Indicates the execution threshold for the Stop and Quarantine File capability.
    Figure 1. Default Settings
    Additional configuration settings after you complete the installation