Microsoft Defender tests auto-isolation to stop lateral attacks

Microsoft Defender – Microsoft is testing a Defender for Endpoint feature that can automatically isolate suspected compromised devices in preview mode. The move is designed to contain attacks, reduce lateral movement, and buy security teams time—while keeping the isolated endpoint

There’s a moment in every incident response that teams dread: the point where an attacker stops rummaging and starts moving. Microsoft’s latest test for Defender for Endpoint is built around that danger, aiming to cut off the network paths that make lateral movement possible.

Microsoft is testing a new Defender for Endpoint capability that will automatically isolate an endpoint when it’s suspected to be compromised. The company says the feature is available in preview and works as part of an “automatic attack disruption” function intended to contain attacks, limit their impact, and give security teams more time to respond.

When an endpoint is automatically isolated, it is disconnected from the network to reduce the risk of further impact. At the same time, Microsoft says the device retains connectivity to the Microsoft Defender for Endpoint service so the platform can continue to monitor it.

“When a device in your organization is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption,” Microsoft said.

Microsoft adds that automatic isolation is meant to reduce the risk of additional damage, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.

The capability isn’t meant for just any machine. Microsoft says automatic device isolation works only on onboarded end-user workstations that are managed by Microsoft Defender for Endpoint.

Isolation isn’t meant to be a one-way door. Microsoft says security operators can release devices from containment at any time after completing an incident investigation and mitigating the risks. The release process is straightforward: security operators can either select the device from the “Device inventory” or open the device page and choose “Release from isolation” from the action menu.

This isn’t the first time Microsoft has explored cutting devices off once compromise is suspected. Nearly four years ago, in June 2022, Microsoft announced that admins could manually contain compromised, unmanaged Windows devices by cutting off incoming and outgoing communication with onboarded Defender for Endpoint endpoints.

The company later broadened the approach. In January 2023, Microsoft began testing device isolation support for onboarded Linux devices. That capability reached general availability in October 2023. Around the same time, Microsoft also revealed that Defender for Endpoint could isolate compromised user accounts as part of automatic attack disruption—specifically to block lateral movement in hands-on-keyboard ransomware attacks.

Microsoft’s latest direction also echoes another prevention effort it has been testing. The company began testing a feature for the Defender for Endpoint enterprise endpoint security platform that automatically blocks traffic to and from undiscovered Windows endpoints. The goal there is to prevent attackers from breaching other non-compromised devices on the network.

Alongside isolation testing, Microsoft has also been expanding Defender for Endpoint capabilities for Linux. Earlier this month, it revealed a preview feature that will allow admins to schedule antivirus scans on onboarded Linux systems using the Microsoft Defender portal, the mdatp managed JSON configuration, or the mdatp command-line tool.

Microsoft says scheduled scans support daily quick scans, interval-based quick scans, and weekly full scans. It also lists options for low-priority execution, idle-time scheduling, and randomized start times.

The through-line across these features is clear in the way they’re being packaged: reducing the window of opportunity once compromise is suspected, and tightening the chain that attackers rely on to spread. Automatic isolation, in preview, is Microsoft’s attempt to make that response faster—before the lateral movement phase gets going, and before security teams have to chase the attacker across the network.
