Microsoft Defender Now Auto-Isolates Hacked Endpoints

Key Takeaways

- Defender for Endpoint can now automatically isolate compromised devices without manual intervention
- Isolated devices stay connected to Defender for continued monitoring and forensic investigation
- The feature is currently in preview mode and works only on onboarded end-user workstations

Microsoft is rolling out a preview feature that lets Defender for Endpoint automatically isolate compromised devices. The goal: cut off attackers before they can spread through your network.
The new capability works as part of automatic attack disruption, a system designed to contain threats while giving security teams more time to respond. When Defender detects a high-confidence compromise, it can now disconnect the device from the network without waiting for human approval.
How Automatic Isolation Works
The feature targets a specific problem in enterprise security: lateral movement. Once attackers compromise a single endpoint, they typically pivot across the network to escalate privileges, steal data, or deploy ransomware. Automatic isolation breaks that chain.
When a device is flagged as compromised, Defender disconnects it from the broader network. But here's the key detail: the device keeps its connection to the Defender for Endpoint service. This lets security teams continue monitoring and investigating the machine remotely.
“Automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.”
— Microsoft
Sarah Anderson, Lead Security Researcher at Microsoft, explained the shift in approach: "By automating the isolation of compromised endpoints, we shift the balance from reactive incident response to proactive containment, denying attackers the time they need to pivot."

Requirements and Limitations
The automatic isolation feature has specific requirements. It works only on onboarded end-user workstations managed by Defender for Endpoint. Servers and unmanaged devices are excluded from automatic containment.
Security operators retain full control over isolated devices. Once an incident investigation is complete and risks are mitigated, admins can release devices from containment. The process is straightforward: select the device from the Device inventory or open the device page and choose "Release from isolation" from the action menu.
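The portal steps above (and the FAQ answer later on the page) have an API equivalent that a SOC can script, which matters when releases need to be audited or batched. The following is an added example, not code from the article or from Microsoft. It goes a little beyond the page by covering the manual isolate call as well as the release, using the documented IsolationType values Full and Selective. It assumes an app registration holding the Machine.Isolate permission and a bearer token already obtained for it (token acquisition is out of scope), the API host https://api.securitycenter.microsoft.com (regional tenants use other hosts), and placeholder device ids; real ids come from the Device inventory. The RecordingPoster is a constructed dry-run transport so the logic can be exercised offline.

```python
"""Isolate and release Defender for Endpoint devices through the public API.

Added example (not the article's or Microsoft's code). Assumptions:
  * an app registration with the Machine.Isolate permission and a bearer
    token for it; how that token is obtained is not shown here
  * the API host below; regional tenants use other hosts
  * "PLACEHOLDER-MACHINE-ID" stands in for a real device id
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

API_HOST = "https://api.securitycenter.microsoft.com"

# A poster sends a JSON body and returns (http_status, response_bytes).
# Injecting it keeps the logic testable without network access.
Poster = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_poster(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Default transport: a plain urllib POST with a bounded timeout."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class RecordingPoster:
    """Dry-run transport (constructed): records each request and returns a
    fabricated MachineAction in the Pending state, as the real API would."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        payload = json.loads(body)
        self.calls.append((url, payload))
        action = {
            "id": f"constructed-action-{len(self.calls)}",
            "type": "Isolate" if url.endswith("/isolate") else "Unisolate",
            "status": "Pending",
        }
        return 201, json.dumps(action).encode()


def _machine_action(path: str, payload: Dict[str, Any], token: str, poster: Poster) -> Dict[str, Any]:
    """POST a machine-action request; the API answers 201 with a MachineAction object."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, raw = poster(f"{API_HOST}{path}", headers, json.dumps(payload).encode())
    if status not in (200, 201):
        raise RuntimeError(f"{path} failed with HTTP {status}: {raw[:200]!r}")
    return json.loads(raw)


def isolate_device(machine_id: str, comment: str, token: str,
                   isolation_type: str = "Full", poster: Poster = urllib_poster) -> Dict[str, Any]:
    """Cut the device off from the network while it keeps its Defender connection."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    if not comment.strip():
        raise ValueError("a comment is required; it is kept in the device's action history")
    return _machine_action(f"/api/machines/{machine_id}/isolate",
                           {"Comment": comment, "IsolationType": isolation_type}, token, poster)


def release_device(machine_id: str, comment: str, token: str,
                   poster: Poster = urllib_poster) -> Dict[str, Any]:
    """Scripted equivalent of 'Release from isolation' in the device action menu."""
    if not comment.strip():
        raise ValueError("a comment is required; record why the investigation was closed")
    return _machine_action(f"/api/machines/{machine_id}/unisolate", {"Comment": comment}, token, poster)


def action_is_settled(action: Dict[str, Any]) -> bool:
    """Machine actions run asynchronously; only a terminal status means the
    network change has actually been applied on the endpoint."""
    return action.get("status") in ("Succeeded", "Failed", "TimeOut", "Cancelled")


if __name__ == "__main__":
    # Offline walk-through with the dry-run transport and a placeholder id.
    dry_run = RecordingPoster()
    started = isolate_device("PLACEHOLDER-MACHINE-ID", "Containing suspected lateral movement",
                             "fake-token", poster=dry_run)
    print("isolate request:", dry_run.calls[-1], "settled:", action_is_settled(started))
    closed = release_device("PLACEHOLDER-MACHINE-ID", "Investigation closed, host rebuilt",
                            "fake-token", poster=dry_run)
    print("release request:", dry_run.calls[-1], "settled:", action_is_settled(closed))
```

Because every action comes back as Pending, a release script should poll the returned action (the API exposes machine actions by id) before telling the business owner the machine is back online; treating the 201 as "done" is the usual mistake.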
Building on Existing Capabilities
This isn't Microsoft's first move toward automated endpoint containment. The company has been expanding Defender's isolation capabilities for years.
Microsoft also recently started testing automatic traffic blocking to and from undiscovered Windows endpoints. This feature targets devices that haven't been onboarded to Defender, aiming to prevent attackers from using unknown assets as footholds.
Security Community Response
The feature has drawn mixed reactions from security professionals. Many welcome the reduced manual workload, especially during off-hours when security teams may be understaffed. The ability to contain threats automatically at 3 AM is a real operational advantage.
But some administrators worry about false positives. What happens when a critical business machine gets automatically disconnected during a crucial operation? Discussions on r/sysadmin and r/DefenderATP suggest testing the feature in a restricted policy group before enabling it enterprise-wide.
Marcus Thorne, Senior CISO Advisor, highlighted the forensic benefits: "The ability to disconnect a device while keeping the security umbilical cord attached is significant for digital forensics."
Why This Matters for Enterprise Security
Human-operated attacks are among the most damaging threats enterprises face. Unlike automated malware, these attacks involve adversaries manually navigating networks, adapting to defenses, and escalating privileges over days or weeks.
Microsoft reports that automated disruption achieves 99.9% precision with its high-fidelity AI triggers. This accuracy matters: automatic isolation that constantly generates false positives would be worse than useless.
The timing is notable. EDR systems have detected a 400% increase in lateral movement attempts since 2024. Attackers are getting faster at pivoting through networks. Automated containment is one way to match that speed.
Logicity's Take
Getting Started
The feature is currently in preview mode. Organizations using Microsoft Defender for Endpoint can access it through their existing management console. Microsoft recommends starting with a limited device group to evaluate behavior before broader deployment.
For organizations with mixed environments, Microsoft also recently introduced scheduled antivirus scans for Linux systems through the Defender portal, mdatp managed JSON configuration, or the mdatp command-line tool. These scans support daily quick scans, interval-based quick scans, and weekly full scans.
Frequently Asked Questions
Which devices support automatic isolation in Microsoft Defender?
Automatic isolation currently works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint. Servers and unmanaged devices are not supported for automatic containment.
Can isolated devices still be monitored?
Yes. Isolated devices retain connectivity to the Microsoft Defender for Endpoint service. Security teams can continue monitoring and investigating the device remotely while it remains disconnected from the broader network.
How do I release a device from automatic isolation?
Select the device from the Device inventory in the Defender portal or open the device page directly. Then choose "Release from isolation" from the action menu after completing your investigation.
Is automatic isolation available now?
The feature is currently in preview mode. Organizations using Defender for Endpoint can access it through their management console, though Microsoft recommends testing with a limited device group first.
Does automatic isolation work for ransomware attacks?
Yes. The feature is specifically designed to prevent lateral movement in human-operated attacks, including ransomware. It can also isolate compromised user accounts, not just devices, to block attackers using stolen credentials.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer