Microsoft Defender introduces automatic device isolation to contain ransomware attacks

Microsoft Defender automates device isolation to stop ransomware before it spreads

Microsoft has enhanced Defender for Endpoint with a new automatic device isolation capability designed to contain ransomware attacks and other sophisticated cyber threats without requiring immediate human intervention.

The feature is part of Microsoft’s broader Automatic Attack Disruption framework and enables compromised devices to be isolated from the network as soon as a high-confidence attack is detected.

When Microsoft Defender for Endpoint identifies an active ransomware campaign or advanced intrusion, it automatically disconnects the affected workstation from the network. This action prevents attackers from maintaining access, moving laterally across systems, exfiltrating data or spreading ransomware to other devices.

Despite the isolation, the compromised device remains connected to the Defender for Endpoint service. This allows security teams to continue receiving telemetry, monitoring activity and conducting investigations while the device remains quarantined.

The capability currently applies to managed end-user workstations onboarded to Microsoft Defender for Endpoint and does not extend to servers or unmanaged devices.

Microsoft Defender XDR analyzes signals across endpoints, identities, email environments and SaaS applications to create a unified incident view. Once an attack such as ransomware deployment or Business Email Compromise (BEC) credential theft is confirmed with high confidence, containment measures are automatically triggered at the incident level.

To minimize disruption to business operations, Microsoft has built several safeguards into the feature. Isolation is limited to devices directly involved in an attack rather than the broader environment. The containment action is also time-bound and can be automatically reversed after a predefined period.

Security teams retain full control and can manually release devices from isolation once investigations and remediation activities are completed. Organizations can also configure exclusion rules for critical systems, allowing selective protection strategies for high-priority assets.

Following an isolation event, administrators can review detailed activity logs through the Microsoft Defender portal. The incident view records isolation and restoration actions, including timestamps, triggering alerts and automated response details. The Action Center also provides a historical record of all containment actions and their status.

The new capability addresses one of the biggest challenges in cybersecurity response: the delay between threat detection and containment. By automating isolation immediately after a high-confidence threat is identified, Microsoft aims to significantly reduce the impact of ransomware and other cyberattacks.

The update allows security operations teams to maintain visibility and control while limiting the potential damage, financial losses and operational disruptions caused by rapidly spreading threats.
