In this update, we're further enhancing response capabilities and adding the ability to disrupt and contain attacker activity by applying a lockdown policy on potentially compromised machines to prevent execution of unknown, malicious programs.
The new "Restrict code execution" response action will be available in the portal for Windows 10 machines running the Creators Fall (RS3) update.
To use this new capability:
1. Open the action menu and select "Restrict code execution".
2. Type a comment (optional) and select yes to take action on the machine.
3. The action center shows the submission information similarly to other response actions.
4. When the execution restriction action is applied on the machine, a new event is reflected in the machine timeline.
Note: undoing execution restriction is also possible from the console by opening the action menu and selecting "Undo restrict code execution" on a machine where the action was previously applied.
We'd love to hear your feedback on the new features - that's it for this time!