"When a device in your organization is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption," Microsoft said.
Automatic isolation arrives in preview as part of automatic attack disruption
Microsoft is testing a preview capability in Microsoft Defender for Endpoint that will automatically isolate compromised endpoints to make lateral movement harder for attackers. The company describes the functionality as working "as part of automatic attack disruption," a feature set designed to contain attacks, limit their impact, and provide security teams with more remediation time.
What automatic isolation does — and what it does not
Under the new preview, compromised endpoints that are automatically isolated are disconnected from the network to reduce further impact, while retaining connectivity to the Microsoft Defender for Endpoint service so the device can continue to be monitored. Microsoft said automatic isolation "helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation."
Microsoft also notes that automatic device isolation works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint. Devices can be released from containment by security operators after incident investigation and risk mitigation.
Operational steps for security operators
Microsoft documents a straightforward release path for operators: to release a device from automatic isolation, select the device from the "Device inventory" or open the device page and choose "Release from isolation" from the action menu. The company explicitly frames release as an operator action to be taken after investigation and mitigation have been completed.
Where this sits in Defender for Endpoint's recent rollout
This preview joins a string of earlier Defender for Endpoint containment and isolation capabilities. Nearly four years ago, in June 2022, Microsoft announced admins could manually contain compromised, unmanaged Windows devices by cutting off incoming and outgoing communication with onboarded Defender for Endpoint endpoints. Microsoft began testing device isolation support for Defender for Endpoint on onboarded Linux devices in January 2023, with the capability reaching general availability in October 2023.
Also in October 2023, Microsoft revealed that Defender for Endpoint could isolate compromised user accounts as part of automatic attack disruption to block lateral movement in hands-on-keyboard ransomware attacks. More recently, Microsoft began testing a feature that automatically blocks traffic to and from undiscovered Windows endpoints to prevent attackers from breaching other, non-compromised devices on the network.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Teams managing Defender for Endpoint will gain an automated tool for containment, but only for devices that are onboarded and classified as end-user workstations. They will also retain the operator control to release devices after an investigation.
- Procurement and enterprise security leaders: Adoption decisions will hinge on how extensively endpoints are onboarded and whether existing processes account for automated isolation. The preview arrives alongside other Defender for Endpoint updates — including scheduled Linux scan management and traffic-blocking tests — that influence procurement and deployment planning.
- End users and IT support: Affected endpoints will be disconnected from the network if flagged as compromised but will remain visible to Defender for Endpoint for monitoring and remediation. Operators can return systems to normal operation once risks are mitigated.
Putting the preview in context
Microsoft's preview adds automated containment to a platform that has been iteratively expanding isolation and monitoring capabilities across Windows and Linux endpoints, as well as account-level isolation for ransomware scenarios. The company also recently previewed a separate capability that allows admins to schedule antivirus scans on onboarded Linux systems via the Microsoft Defender portal, mdatp managed JSON configuration, or the mdatp command-line tool. Microsoft said scheduled scans support daily quick scans, interval-based quick scans, and weekly full scans, with options for low-priority execution, idle-time scheduling, and randomized start times.
Taken together, the pieces — automated isolation, account isolation, traffic blocking to undiscovered endpoints, and scheduled Linux scans — extend Defender for Endpoint's emphasis on automated disruption plus operator-managed remediation. The new automatic isolation preview will be available to organizations that have onboarded end-user workstations to the service and can be controlled by security operators through the Device inventory and device action menu.
Read the original Microsoft Defender isolation preview report




