Microsoft is testing a new Microsoft Defender for Endpoint feature that can automatically isolate compromised devices before attackers spread deeper into corporate networks. The capability is currently in preview and is part of Microsoft’s automatic attack disruption technology, which is designed to contain threats faster and reduce damage during active cyberattacks.

When suspicious activity is detected, Microsoft Defender for Endpoint can automatically disconnect the affected device from the network, blocking the lateral movement attempts commonly used in ransomware and data theft operations. Even while isolated, the device remains connected to Defender services, so security teams can continue monitoring, investigating, and remediating the threat remotely.

Microsoft says the feature is designed to reduce the impact of attacks, prevent ransomware propagation, and stop attackers from reaching additional systems across enterprise environments. The automatic isolation capability currently works on onboarded end-user workstations managed through Microsoft Defender for Endpoint.

Administrators retain full control and can manually release isolated systems once the investigation is complete and the risks are mitigated. Security operators can restore network access directly from the Defender portal through the “Device inventory” section.

The feature arrives as ransomware groups continue to accelerate their attacks, moving across networks within minutes of gaining initial access. Automated containment tools like this are becoming increasingly important for organizations trying to stop fast-moving threats before they escalate into widespread breaches or costly operational disruptions.