Microsoft Tests Automatic Device Isolation in Defender for Endpoint
Defender can disconnect compromised endpoints automatically
Microsoft is testing a new automatic device isolation feature in Microsoft Defender for Endpoint that can disconnect compromised PCs from the network during active cyberattacks. The feature is currently available in preview and forms part of the company’s broader automatic attack disruption system.
The capability is designed to stop attackers from moving across networks after compromising a device. Microsoft says isolated systems still maintain connectivity to Defender for Endpoint services, allowing continued monitoring and investigation while blocking most other network communication.
Microsoft Wants Faster Attack Containment
When Defender for Endpoint detects suspicious activity that suggests a workstation has been compromised, the platform can automatically isolate the endpoint from the network. Microsoft says this approach can help reduce the impact of ransomware attacks, credential theft, and lateral movement during enterprise breaches.
Unlike traditional isolation methods that completely cut off connectivity, Microsoft's approach keeps the isolated system connected to Defender services. This allows security teams to continue gathering telemetry, investigating alerts, and applying remediation steps remotely while the threat remains contained.
How Automatic Isolation Works
The feature activates when Defender identifies behavior that may indicate an active compromise. Once isolation begins, the affected device loses access to most normal network communication, making it harder for attackers to spread across the environment.
Microsoft says the isolated endpoint can still communicate with Defender for Endpoint. This gives security analysts continued visibility into the attack while preventing malicious activity from reaching other systems.
The company positions the feature as a way to slow down fast-moving attacks and give defenders more time to respond before additional devices become affected.
Preview Comes With Some Limitations
Microsoft says the preview currently supports only onboarded end-user workstations managed through Defender for Endpoint. The feature is not available for every type of endpoint at this stage.
Automatic isolation also depends on Microsoft’s broader automatic attack disruption system, which combines multiple automated security responses during active threats.
Admins Can Restore Devices After Investigation
Once security teams complete their investigation and remediation process, administrators can reconnect devices manually. Microsoft says operators can use the “Release from isolation” action either from the Device inventory section or directly from the affected device page in Defender for Endpoint.
The company continues expanding automated security protections as enterprise attacks become faster and more difficult to contain manually.
In related security news, the FBI recently warned that Kali365 phishing attacks can bypass Microsoft 365 MFA protections. Microsoft also criticized a researcher for releasing the YellowKey proof-of-concept outside its security disclosure guidelines.
The company recently also explained what could happen if Windows PCs fail to install the latest Secure Boot certificates before the June 2026 deadline.