Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Spread


Microsoft Defender for Endpoint has introduced automatic device isolation, a proactive containment capability that disconnects compromised workstations from the network the moment a high-confidence attack is detected, without waiting for human intervention.

Microsoft Defender for Endpoint can now automatically isolate compromised devices as part of its broader Automatic Attack Disruption framework.

When the platform identifies an active ransomware campaign or sophisticated intrusion in progress, it immediately severs the affected device’s network connections, cutting off the attacker’s access while preserving the device’s communication channel with the Defender for Endpoint service itself.

This means security analysts continue to receive telemetry and maintain visibility into the compromised machine even while it is isolated.

The capability targets end-user workstations that are onboarded and managed by Microsoft Defender for Endpoint. It does not apply to servers or unmanaged devices under the current scope of this feature.

How Automatic Attack Disruption Works

Microsoft Defender XDR correlates millions of signals across endpoints, identities, email, and SaaS applications to build a single, high-confidence incident view.

Once an active attack, such as ransomware propagation or Business Email Compromise (BEC) credential harvesting, is confirmed with sufficient confidence, the system automatically triggers containment actions at the incident level, not just the alert level.

For device isolation specifically, Defender for Endpoint disconnects the compromised asset from the broader network, preventing the attacker from using it as a launchpad for lateral movement, data exfiltration, or ransomware deployment to adjacent systems.

[Figure: Isolation based on ransomware attack]

The isolation is scoped to specific devices involved in the incident, not broadly applied across the environment, minimizing collateral disruption to business operations.

Microsoft has embedded several safeguards to prevent isolation from becoming an operational bottleneck:

  • Time-limited containment: Isolation is automatically reversed after a defined time window, ensuring devices are not permanently cut off.
  • Operator override: Security teams can manually release isolation at any point after completing investigation and remediation steps.
  • Scoped targeting: Only devices directly implicated in the attack chain are isolated, not the entire environment.
  • Exclusion support: Organizations can configure exclusion rules for critical business machines, ensuring that high-priority assets use selective isolation based on defined rules rather than full network disconnection.
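As an added illustration, not Microsoft's code, the following Python models the safeguards listed above: scoping to onboarded workstations implicated in the incident, selective rather than full isolation for excluded critical assets, automatic release after a time window, operator override, and an Action Center-style audit record. The device names, the 24-hour default window and the field layout are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Device:
    name: str
    onboarded: bool          # managed by Defender for Endpoint
    is_server: bool = False  # servers are out of scope for automatic isolation


@dataclass
class IsolationAction:
    device: str
    mode: str                # "full" or "selective" (excluded critical asset)
    triggered_by: str        # alert that triggered containment
    performer: str           # "Attack Disruption" for automated actions
    started: datetime
    expires: datetime
    status: str = "Completed"
    released_by: Optional[str] = None


def auto_isolate(incident_devices: List[Device], triggering_alert: str,
                 exclusions: Set[str], now: datetime,
                 window_hours: int = 24) -> List[IsolationAction]:
    """Scoped containment: only onboarded workstations in the incident are
    isolated; excluded assets get selective isolation instead of full."""
    actions = []
    for d in incident_devices:
        if not d.onboarded or d.is_server:
            continue  # unmanaged devices and servers are not auto-isolated
        mode = "selective" if d.name in exclusions else "full"
        actions.append(IsolationAction(d.name, mode, triggering_alert,
                                       "Attack Disruption", now,
                                       now + timedelta(hours=window_hours)))
    return actions


def release_expired(actions: List[IsolationAction], now: datetime) -> None:
    """Time-limited containment: reverse isolation once the window has elapsed."""
    for a in actions:
        if a.released_by is None and now >= a.expires:
            a.released_by = "time limit"


def operator_release(actions: List[IsolationAction], device: str,
                     operator: str) -> Optional[IsolationAction]:
    """Operator override: release a still-isolated device after investigation."""
    for a in actions:
        if a.device == device and a.released_by is None:
            a.released_by = operator
            return a
    return None


def action_center(actions: List[IsolationAction]) -> list:
    """Audit view: device, mode, status, performer and who released it."""
    return [(a.device, a.mode, a.status, a.performer, a.released_by) for a in actions]
```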

After automatic isolation is applied, security operators can audit the full activity trail directly in the Microsoft Defender portal. The Activities tab within the incident view logs each isolation and unisolation event, including the timestamp, the triggering alert, and the automated actor that performed the action (Attack Disruption).

The Action Center provides a historical log of all isolation actions, including their status (Completed or Failed), action source, and the deciding entity.

Ransomware groups rely heavily on speed; the faster they move laterally, the more damage they inflict before detection. By automating containment the moment a high-confidence signal is detected, Microsoft Defender for Endpoint removes the critical delay between detection and response.

Security operations teams retain full investigative control, while the attack’s blast radius is dramatically reduced, limiting both financial impact and productivity loss.


The post Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Spread appeared first on Cyber Security News.
