Microsoft Defender Can Now Automatically Isolate Hacked Endpoints in Preview
At a glance:
- Microsoft Defender for Endpoint now offers automatic isolation of compromised endpoints in preview.
- The feature disrupts lateral movement by disconnecting isolated devices from the network.
- Isolation for Linux devices entered testing in January 2023 and reached general availability in October 2023.
Automatic Endpoint Isolation Explained
Microsoft's new Defender for Endpoint capability automatically isolates compromised endpoints so that an attacker cannot use them to move laterally across the network. It is part of the automatic attack disruption feature, whose goal is to contain a threat, limit its impact, and buy the security team time to remediate. When a device is flagged as compromised it is cut off from the network immediately, but it keeps its connection to the Defender for Endpoint service, so it continues to report telemetry and remains manageable while it is contained.
Isolation is reversible: once an operator has investigated and mitigated the risk, the endpoint can be released at any time. The release is triggered from the "Device inventory" or by selecting "Release from isolation" on the device's page in the Defender portal. The feature initially launched in preview for Windows devices and has since been extended to Linux endpoints; Linux isolation reached general availability in October 2023, a notable step toward cross-platform coverage.
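The "Release from isolation" action described above, and the isolate action that precedes it, both have a programmatic counterpart in the Defender for Endpoint machine-actions API. The following is an added example, not Microsoft's code and not part of the original article: it builds the isolate and unisolate requests, submits them, and polls the resulting machine action until it reaches a final state. It assumes an Entra app registration holding the Machine.Isolate application permission; the tenant, client, device ID and ticket reference in the demo are placeholders.

```python
"""Isolate and release a Defender for Endpoint device via the machine-actions API.

Added example (not Microsoft's code). Assumes an app registration with the
Machine.Isolate application permission; every ID and secret used in the demo
below is a placeholder.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

API_BASE = "https://api.securitycenter.microsoft.com/api"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ISOLATION_TYPES = ("Full", "Selective")
# MachineAction.status values that mean the action will not change again.
FINAL_STATES = ("Succeeded", "Failed", "TimeOut", "Cancelled")


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow; the MDE API is requested via its .default scope."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=form) as resp:
        return json.load(resp)["access_token"]


def build_isolate_request(machine_id: str, comment: str,
                          isolation_type: str = "Full") -> Tuple[str, Dict[str, str]]:
    """URL and JSON body for POST /machines/{id}/isolate.

    'Full' cuts all traffic except the Defender for Endpoint channel; 'Selective'
    is the API's other documented value. The comment is mandatory and is what
    the next analyst sees in the device's action history.
    """
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"IsolationType must be one of {ISOLATION_TYPES}")
    if not comment.strip():
        raise ValueError("a non-empty Comment is required")
    return (f"{API_BASE}/machines/{machine_id}/isolate",
            {"Comment": comment, "IsolationType": isolation_type})


def build_release_request(machine_id: str, comment: str) -> Tuple[str, Dict[str, str]]:
    """URL and JSON body for POST /machines/{id}/unisolate ('Release from isolation')."""
    if not comment.strip():
        raise ValueError("a non-empty Comment is required")
    return f"{API_BASE}/machines/{machine_id}/unisolate", {"Comment": comment}


def post_action(token: str, url: str, body: Dict[str, str]) -> Dict:
    """Submit a machine action; the 201 response is a MachineAction with id and status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_action_fetcher(token: str) -> Callable[[str], Dict]:
    """Return a GET /machineactions/{id} function bound to a token."""
    def fetch(action_id: str) -> Dict:
        req = urllib.request.Request(f"{API_BASE}/machineactions/{action_id}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def poll_until_final(action_id: str, fetch: Callable[[str], Dict],
                     delay: float = 5.0, max_polls: int = 60) -> Dict:
    """Poll until the action leaves Pending/InProgress.

    Isolation is asynchronous: a 201 from the POST only means the action was
    queued, not that the device is already off the network.
    """
    last: Dict = {}
    for _ in range(max_polls):
        last = fetch(action_id)
        if last.get("status") in FINAL_STATES:
            return last
        time.sleep(delay)
    raise TimeoutError(f"action {action_id} still {last.get('status')!r} after {max_polls} polls")


if __name__ == "__main__":
    # Offline demo with a constructed action history. Against a real tenant, use
    # post_action(get_token(...), url, body) and make_action_fetcher(token) instead.
    history = iter([{"id": "a1", "status": "Pending"},
                    {"id": "a1", "status": "InProgress"},
                    {"id": "a1", "status": "Succeeded"}])
    url, body = build_isolate_request("0123456789abcdef0123456789abcdef01234567",
                                      "IR-4711: lateral movement suspected")
    print("POST", url, json.dumps(body))
    print(poll_until_final("a1", fetch=lambda _id: next(history), delay=0))
```

Submit the isolate request at the start of an investigation and the unisolate request only after remediation is confirmed; both comments are recorded against the device, which is what makes the action history usable in a later review.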
Expansion to Linux and Enhanced Threat Prevention
Automatic isolation for Linux devices began testing in January 2023, closing a gap in endpoint containment for non-Windows systems that matters more as Linux spreads through enterprise estates. In early 2024 Microsoft announced a further capability: automatic isolation of compromised user accounts. It targets ransomware intrusions in which the attacker moves laterally with stolen credentials; containing the account denies the attacker its further use even when the endpoint it was stolen from is already compromised.
Beyond isolation, Microsoft is testing a feature that blocks traffic to and from Windows endpoints that have not yet been discovered, so that an attacker who lands on such a device cannot use it to reach the rest of the network before it is detected. This follows the zero-trust principle that no device is trusted by default. The same preview round also adds scheduled antivirus scans for Linux systems, configurable from the Defender portal, through mdatp managed JSON settings, or with the mdatp command-line tool.
Scheduled Scans and Operational Flexibility
The scheduled-scan preview lets admins schedule antivirus scans on onboarded Linux systems: daily quick scans, interval-based quick scans, and weekly full scans. Advanced settings allow low-priority execution, idle-time scheduling, and randomized start times so that scans can be fitted around production workloads. The automatic isolation capability itself builds on Microsoft's existing manual containment tools, available since June 2022 for unmanaged Windows devices.
Strategic Implications for Cybersecurity
The rollout of these features reflects Microsoft's focus on proactive threat containment. By combining automatic isolation with traffic blocking and scheduled scans, Defender for Endpoint offers a layered defense against lateral movement, a staple of advanced persistent threats. The Linux support underscores the need for cross-platform coverage. The tools are only as effective as their configuration and their integration with existing incident-response processes, however, and none of them applies to an endpoint that has not been onboarded to Defender for Endpoint.
Looking Ahead
Automatic isolation is a significant advance but not a standalone solution. Security teams should pair it with regular audits, user education, and threat intelligence. Because several of these tools are still in preview, organizations should assess their readiness before relying on them in production. As ransomware and lateral-movement techniques evolve, Defender for Endpoint will likely keep expanding its automated response capabilities, in line with the broader industry move toward automated, AI-assisted security operations.
FAQ
Is automatic endpoint isolation available for all users?
How does automatic isolation differ from manual containment?
Can isolated devices still receive updates or perform tasks?
Prepared by the editorial stack from public data and external sources.