Microsoft Defender can now automatically isolate hacked endpoints

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-now-automatically-isolate-hacked-endpoints/

Publish Date: 2026-05-26 08:19:43

Source Domain: www.bleepingcomputer.com

Summary:
Microsoft has introduced a new feature in its Defender for Endpoint platform that can automatically isolate compromised endpoints to curb attackers' lateral movement across the network. Available in preview, this automatic attack disruption feature aims to contain the attack, minimize damage, and give security teams more time to react. Isolated endpoints lose network connectivity but stay connected to the Defender service, allowing continuous monitoring. Security operators can manually release devices from isolation after appropriate investigation and risk mitigation. Microsoft has progressively expanded device isolation capabilities since announcing them in 2022; they now cover Linux devices and user accounts and, more recently, prevent traffic to and from unknown endpoints. Another new preview feature allows scheduling antivirus scans on onboarded Linux devices, improving overall endpoint protection.

Key Points:

  • Microsoft Defender for Endpoint now offers automatic isolation of compromised endpoints.
  • Isolated devices stay monitored by the Microsoft Defender service but remain disconnected from the network.
  • Device isolation and other controls prevent lateral movement and reduce the risks of ransomware and data exfiltration.
  • The feature is part of broader efforts by Microsoft to enhance endpoint security through additional isolation and threat detection capabilities.
  • New features also include the option to schedule antivirus scans for Linux devices to further bolster security measures.