VYPR
kev · Published May 26, 2026 · 1 source

Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware

Microsoft Defender for Endpoint automatically isolates compromised workstations upon detecting high-confidence ransomware or sophisticated attacks, cutting network access while preserving telemetry.

Microsoft Defender for Endpoint has introduced automatic device isolation, a proactive containment capability that disconnects compromised workstations from the network the moment a high-confidence attack is detected, without waiting for human intervention. The feature is part of the broader Automatic Attack Disruption framework, which correlates millions of signals across endpoints, identities, email, and SaaS applications to build a single, high-confidence incident view. Once an active attack, such as ransomware propagation or Business Email Compromise (BEC) credential harvesting, is confirmed with sufficient confidence, the system automatically triggers containment actions at the incident level, not just the alert level.

For device isolation specifically, Defender for Endpoint severs the affected device's network connections, cutting off the attacker's access while preserving the device's communication channel with the Defender for Endpoint service itself. This means security analysts continue to receive telemetry and maintain visibility into the compromised machine even while it is isolated. The capability targets end-user workstations that are onboarded and managed by Microsoft Defender for Endpoint, and it does not apply to servers or unmanaged devices under the current scope of this feature.

Microsoft has embedded several safeguards to prevent isolation from becoming an operational bottleneck. Isolation is time-limited and automatically reversed after a defined time window, ensuring devices are not permanently cut off. Security teams can manually release isolation at any point after completing investigation and remediation steps. Only devices directly implicated in the attack chain are isolated, not the entire environment, minimizing collateral disruption to business operations. Organizations can also configure exclusion rules for critical business machines, ensuring that high-priority assets use selective isolation based on defined rules rather than full network disconnection.

After automatic isolation is applied, security operators can audit the full activity trail directly in the Microsoft Defender portal. The Activities tab within the incident view logs each isolation and unisolation event, including the timestamp, the triggering alert, and the automated action performer (Attack Disruption). The Action Center provides a historical log of all isolation actions, including their status (Completed or Failed), action source, and the deciding entity.

Ransomware groups rely heavily on speed; the faster they move laterally, the more damage they inflict before detection. By automating containment the moment a high-confidence signal is detected, Microsoft Defender for Endpoint removes the critical delay between detection and response. Security operations teams retain full investigative control, while the attack's blast radius is dramatically reduced, limiting both financial impact and productivity loss.

This capability represents a significant evolution in endpoint detection and response (EDR) technology, moving from alerting to automated containment. While many EDR platforms offer manual isolation options, Microsoft's approach is fully automated and integrated into the incident response workflow, reducing the burden on overworked security teams. The feature is available now for Microsoft Defender for Endpoint customers with appropriate licensing.

Synthesized by Vypr AI