Microsoft is testing a new Defender for Endpoint feature that can automatically isolate compromised devices when an attack is detected.

The capability is now available in preview and is designed to stop attackers from moving deeper into a company’s network.

The feature works as part of Microsoft’s automatic attack disruption system, which is built to contain active attacks, reduce damage, and give security teams more time to investigate and fix the issue. When Defender for Endpoint suspects that a device has been compromised, it can automatically disconnect that device from the network.

Microsoft said the goal is to reduce the risk of further impact on an organization. By isolating a compromised endpoint, the system can help limit attacker lateral movement and prevent serious outcomes such as data theft or ransomware spreading across the network.

Even after a device is isolated, it still remains connected to the Microsoft Defender for Endpoint service. This means the security platform can continue monitoring the device while blocking normal network communication that could be used by attackers.

The automatic device isolation feature currently works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint. Security operators can release a device from isolation at any time once they have completed their investigation and mitigated the risk.

To remove a device from automatic isolation, admins can select the affected device from the Device inventory or open the device page and choose “Release from isolation” from the action menu.
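The page describes releasing a device through the portal. As an added example that is not from the article or from Microsoft, the script below performs the same action through the Defender for Endpoint REST API's release-from-isolation machine action, which takes the device id in the URL and a JSON body containing a required comment. The API base URL and the `unisolate` path are assumed from Microsoft's public API documentation rather than from this page; the bearer token and device id are placeholders, and the request is only built, not sent, unless the script is run directly.

```python
"""Release a device from Defender for Endpoint isolation via the REST API.

Added example; the endpoint shape (POST /api/machines/{id}/unisolate with a
JSON "Comment" body) is assumed from Microsoft's public API docs, not from
the article this accompanies.
"""
import json
import urllib.request

# Assumed API base; tenants in other Defender geos may use a regional host.
API_BASE = "https://api.securitycenter.microsoft.com/api"


def build_release_request(device_id: str, comment: str, token: str):
    """Return (url, headers, body) for the unisolate machine action.

    The comment is recorded on the resulting machine action, so it is the
    place to note why the SOC considers the risk mitigated.
    """
    if not device_id.strip():
        raise ValueError("device_id is required")
    if not comment.strip():
        raise ValueError("a non-empty comment is required for the audit trail")
    url = f"{API_BASE}/machines/{device_id}/unisolate"
    headers = {
        "Authorization": f"Bearer {token}",  # app token with Machine.Isolate permission
        "Content-Type": "application/json",
    }
    body = json.dumps({"Comment": comment}).encode("utf-8")
    return url, headers, body


def action_is_final(machine_action: dict) -> bool:
    """True when the returned machine action has stopped changing state.

    Machine actions are asynchronous: the POST returns a record whose
    'status' moves from Pending/InProgress to a terminal value.
    """
    return machine_action.get("status") not in ("Pending", "InProgress")


def release_from_isolation(device_id: str, comment: str, token: str) -> dict:
    """Send the request and return the machine-action record as a dict."""
    url, headers, body = build_release_request(device_id, comment, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders; replace with a real device id and an OAuth token.
    action = release_from_isolation(
        "DEVICE_ID_PLACEHOLDER",
        "Investigation closed; credentials rotated and host reimaged",
        "TOKEN_PLACEHOLDER",
    )
    print("machine action id:", action.get("id"), "status:", action.get("status"))
    print("final:", action_is_final(action))
```

Because the action is asynchronous, a caller that needs confirmation should poll the returned machine action until `action_is_final` reports a terminal status rather than treating the HTTP 201 alone as proof the device is back on the network.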

Microsoft has been expanding Defender for Endpoint’s containment tools for several years. In June 2022, the company announced that admins could manually contain compromised unmanaged Windows devices by cutting off their communication with onboarded Defender for Endpoint devices.

In January 2023, Microsoft also began testing device isolation support for onboarded Linux devices. That feature became generally available in October 2023. Around the same time, Microsoft said Defender for Endpoint could also isolate compromised user accounts as part of automatic attack disruption to block lateral movement in hands-on-keyboard ransomware attacks.

More recently, Microsoft started testing another Defender for Endpoint feature that automatically blocks traffic to and from undiscovered Windows endpoints. This is meant to stop attackers from using unknown or unmanaged devices to reach other systems on the network.

Earlier this month, Microsoft also introduced a Defender for Endpoint preview feature that lets admins schedule antivirus scans on onboarded Linux systems through the Microsoft Defender portal, managed JSON configuration, or the mdatp command-line tool. The scheduled scan options include daily quick scans, interval-based quick scans, and weekly full scans, with support for low-priority execution, idle-time scheduling, and randomized start times.
