Microsoft Defender for Endpoint Gains Automatic Endpoint Isolation to Block Lateral Movement
Microsoft is testing a new automatic endpoint isolation feature in Defender for Endpoint that cuts compromised devices off from the network while maintaining security monitoring.

Microsoft has introduced a preview feature in Defender for Endpoint that automatically isolates compromised endpoints from the network, aiming to stop attackers from moving laterally in the time before security teams can respond. The capability, part of the automatic attack disruption framework, disconnects a suspected device from all network communication except its connection to the Defender for Endpoint service, which is preserved for continued monitoring.
"When a device in your organization is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption," Microsoft explained. "Automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation."
The feature is currently available in preview and works only on onboarded end-user workstations managed by Defender for Endpoint. Once isolated, the device remains contained until a security operator completes an incident investigation and manually releases it from isolation via the Device inventory or device page action menu.
This development builds on Microsoft's earlier efforts to contain threats. In June 2022, the company introduced manual containment for unmanaged Windows devices, and in October 2023, it brought device isolation to Linux endpoints. More recently, Microsoft added automatic isolation for compromised user accounts and began testing a feature to block traffic to undiscovered Windows endpoints.
The automatic isolation capability addresses a critical gap in incident response: the window between initial compromise and lateral movement. By cutting off network access immediately upon detection, the feature reduces the risk of ransomware propagation and data exfiltration, giving security teams more time to investigate and remediate.
Microsoft has also been expanding Defender for Endpoint's proactive defenses. Earlier this month, the company previewed scheduled antivirus scans for Linux systems, and in recent weeks, it released a feature that automatically rolls back faulty Windows drivers via cloud-initiated recovery. These additions reflect a broader push toward automated, self-healing security operations.
For organizations already using Defender for Endpoint, the automatic isolation feature represents a significant enhancement to their defense-in-depth strategy. While the feature is still in preview, its integration into the automatic attack disruption pipeline suggests Microsoft is betting heavily on automation to counter increasingly fast-moving threats.