Microsoft Defender for Endpoint Blog

Introducing selective response actions for high-value assets in Microsoft Defender

amibarayev
Microsoft
May 04, 2026

Deploying Microsoft Defender on high-value assets (HVAs) such as domain controllers, ADFS servers, and other Tier-0 systems requires a thoughtful approach to balance strong protection with operational stability. Given the powerful response capabilities available, organizations often seek greater control over how these actions are applied in sensitive environments. Many organizations, especially those with strict privileged access management policies, also prefer to limit cloud-initiated administrative actions on Tier-0 systems to align with their security and compliance requirements.

That’s why we’re excited to announce that selective response actions for high-value assets are now available in public preview. This new capability provides a more controlled and flexible approach, enabling organizations to define exactly which response actions are allowed on critical assets. Security teams can maintain operational continuity while still benefiting from the full visibility and protection of Defender.

How it works

Deploying Defender on high-value assets requires additional safeguards. This capability introduces a controlled onboarding experience that enforces strict boundaries from the start.

Security teams can:

  • Generate a custom onboarding package tailored specifically for Tier-0 and high-value assets
  • Use the Defender deployment tool, a lightweight, dynamic tool that simplifies onboarding and removes the need for complex scripts
  • Leverage secure key validation and package expiry, ensuring controlled and secure deployment
  • Explicitly define which remote response actions are permitted on sensitive systems
  • Onboard both Windows workstations and Windows Server environments

This approach ensures that security controls are applied consistently and cannot be altered post-deployment, reducing the risk of misconfiguration or misuse.

Image 1: selective response actions in the Defender deployment tool package settings

Key benefits

Selective response actions for high-value assets provide a safer and more controlled way to protect critical systems:

  • Reduce operational risk by limiting powerful security actions on Tier-0 assets
  • Prevent accidental or malicious disruptions caused by overprivileged or compromised accounts
  • Align with privileged access management (PAM) policies by restricting cloud-initiated administrative actions
  • Support compliance and regulatory requirements with stricter enforcement of security controls
  • Maintain full Defender visibility and protection without overexposing sensitive systems
  • Provide explicit and granular control over remote response capabilities

Image 2: view of the available response actions for a particular device in the Defender portal

Secure your most critical assets with confidence

You can now extend Defender for Endpoint protection to your most critical Windows systems, while maintaining strict control over how those systems are accessed and managed. This capability empowers security teams to protect what matters most with confidence and precision.

Learn more

Updated May 04, 2026
Version 1.0