Microsoft has expanded Defender for Endpoint with automatic device isolation, giving enterprise security teams a faster way to contain compromised machines before ransomware crews and hands-on-keyboard attackers can move deeper into corporate networks.

The capability, now available in preview, sits inside Microsoft Defender XDR's automatic attack disruption framework. When the platform detects a high-confidence active attack, it can isolate a suspect device from most network communication while keeping it connected to Microsoft Defender for Endpoint. That allows monitoring, investigation and response actions to continue even as the endpoint is cut off from peer systems, servers and other assets that could be targeted next.
The move reflects a broader shift in enterprise cyber defence from alert-based monitoring to automated containment. Security operations centres have long struggled with the gap between detection and response, especially during ransomware incidents where attackers can escalate privileges, steal credentials, disable defences and deploy encryption tools within a compressed time window. Microsoft’s addition is aimed at reducing that gap by allowing the platform to act before a human analyst has completed triage.
Automatic device isolation is time-limited and linked to a specific incident. Security operators can review the action in the Defender portal, examine the activity record and release the device from isolation once they are satisfied that containment is no longer needed. The feature is designed for end-user workstations that are onboarded and managed through Defender for Endpoint, rather than as a blanket isolation mechanism for every server or unmanaged asset on a network.
Microsoft’s automatic attack disruption uses signals from across Defender products, including endpoint, identity, email, collaboration tools and cloud applications. The system correlates large volumes of telemetry to determine whether separate events form part of an active attack chain. When confidence is high, it can trigger containment steps such as isolating devices, restricting compromised users or blocking assets being used by an attacker.
For ransomware defence, the most important objective is to stop lateral movement. Attackers commonly begin with a foothold on one device or account, then seek administrative credentials, move across shared drives and domain resources, and prepare broad deployment of malicious payloads. Isolating a compromised workstation during that phase can reduce the blast radius and buy time for incident responders to remove persistence mechanisms, reset credentials and identify other affected systems.
The feature also underlines Microsoft’s strategy of building more autonomous response into its security portfolio. Defender XDR already supports attack disruption scenarios involving ransomware, business email compromise, adversary-in-the-middle phishing, OAuth application compromise and attacks targeting high-value assets. The new isolation capability adds a more direct network containment layer to that model, narrowing the attacker’s room to manoeuvre once a device is judged to be part of an active campaign.
Security teams are likely to welcome the speed of the measure, but the preview status is significant. Automated isolation can affect business operations if it blocks a user’s workstation during a critical process or if an attack signal is misread. Microsoft has therefore made the action incident-scoped and reversible, while also allowing administrators to define exclusions for selected users, devices and IP addresses. Those exclusions, however, can weaken protection if applied too broadly.
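The correlation-then-contain flow described above (cross-product signals scored into a single attack chain, a high-confidence threshold, and the exclusion and scope rules that decide whether isolation actually fires) can be made concrete with a small simulation. The block below is an added illustration, not Microsoft's attack disruption logic or any Defender API: the event records, weights, thresholds, device inventory and exclusion list are all constructed here, and the 24-hour expiry is an assumed time limit rather than a documented one. What it shows is the shape of the decision: one device with a multi-source chain is isolated while still reporting to the endpoint agent, a single noisy event on another workstation is not, a server is left to human-driven response, and an excluded workstation with the identical chain is silently passed over, which is exactly how a broad exclusion becomes a gap.

```python
"""Toy cross-signal correlation deciding whether to auto-isolate a device.
Added illustration only; not Microsoft's attack-disruption implementation."""
from datetime import datetime, timedelta, timezone

# --- Constructed sample telemetry (not real Defender data) -----------------
def _chain(device, user, day="2024-05-01"):
    """A hands-on-keyboard chain: phish click -> credential theft -> tampering."""
    return [
        {"ts": f"{day}T09:00:05Z", "source": "email",    "device": device, "user": user, "signal": "phish_link_click", "weight": 1},
        {"ts": f"{day}T09:01:10Z", "source": "endpoint", "device": device, "user": user, "signal": "lsass_access",     "weight": 3},
        {"ts": f"{day}T09:02:30Z", "source": "identity", "device": device, "user": user, "signal": "kerberoast",       "weight": 3},
        {"ts": f"{day}T09:03:00Z", "source": "endpoint", "device": device, "user": user, "signal": "defender_tamper",  "weight": 4},
    ]

SAMPLE_EVENTS = (
    _chain("WS-1042", "alice")     # should be isolated
    + _chain("WS-1099", "carol")   # same chain, but device is excluded below
    + _chain("SRV-DC01", "admin")  # same chain on a server, out of scope
    + [{"ts": "2024-05-01T11:00:00Z", "source": "endpoint", "device": "WS-2001",
        "user": "bob", "signal": "lsass_access", "weight": 3}]  # lone event, low confidence
)

# Constructed device inventory and admin-defined exclusions.
INVENTORY = {
    "WS-1042":  {"onboarded": True, "type": "workstation"},
    "WS-1099":  {"onboarded": True, "type": "workstation"},
    "WS-2001":  {"onboarded": True, "type": "workstation"},
    "SRV-DC01": {"onboarded": True, "type": "server"},
}
EXCLUDED_DEVICES = {"WS-1099"}

WINDOW = timedelta(minutes=15)          # assumed correlation window
SCORE_THRESHOLD = 8                     # assumed "high confidence" score
MIN_SOURCES = 2                         # chain must span more than one product
ISOLATION_TTL = timedelta(hours=24)     # assumed time limit on the action


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _summarise(device, evs):
    return {
        "device": device,
        "users": sorted({e["user"] for e in evs}),
        "sources": sorted({e["source"] for e in evs}),
        "signals": [e["signal"] for e in evs],
        "score": sum(e["weight"] for e in evs),
        "first_seen": evs[0]["ts"],
        "last_seen": evs[-1]["ts"],
    }


def correlate(events, window=WINDOW):
    """Group events per device into chains whose span fits inside the window."""
    by_device = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_device.setdefault(ev["device"], []).append(ev)
    chains = []
    for device, evs in by_device.items():
        current = []
        for ev in evs:
            if current and parse_ts(ev["ts"]) - parse_ts(current[0]["ts"]) > window:
                chains.append(_summarise(device, current))
                current = []
            current.append(ev)
        if current:
            chains.append(_summarise(device, current))
    return chains


def is_high_confidence(chain):
    return chain["score"] >= SCORE_THRESHOLD and len(chain["sources"]) >= MIN_SOURCES


def decide_isolation(chain, inventory, excluded, incident_id):
    """Return an incident-scoped decision: isolate, or skip with the reason."""
    base = {"device": chain["device"], "incident_id": incident_id}
    dev = inventory.get(chain["device"])
    if not is_high_confidence(chain):
        return {**base, "action": "skip", "reason": "below confidence threshold"}
    if dev is None or not dev["onboarded"]:
        return {**base, "action": "skip", "reason": "not onboarded to MDE"}
    if dev["type"] != "workstation":
        return {**base, "action": "skip", "reason": "not an end-user workstation"}
    if chain["device"] in excluded:
        # The chain looked just as bad; the exclusion alone suppressed containment.
        return {**base, "action": "skip", "reason": "device excluded by admin"}
    expires = parse_ts(chain["last_seen"]) + ISOLATION_TTL
    return {**base, "action": "isolate", "keep_mde_channel": True,
            "expires": expires.isoformat(), "reason": ",".join(chain["signals"])}


def run(events=SAMPLE_EVENTS, inventory=INVENTORY, excluded=EXCLUDED_DEVICES):
    return [decide_isolation(c, inventory, excluded, f"INC-{n:04d}")
            for n, c in enumerate(correlate(events), start=1)]


def isolated_devices(decisions):
    return {d["device"] for d in decisions if d["action"] == "isolate"}


if __name__ == "__main__":
    for d in run():
        print(d)
```

The skip decisions are returned rather than dropped on purpose: an exclusion that suppresses a high-confidence chain should be visible in the activity record, since that is the case where a broadly applied exclusion quietly removes the protection the feature was bought for.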
The development comes as ransomware remains one of the costliest threats facing large organisations. Extortion groups have moved beyond simple encryption to multi-stage operations involving data theft, pressure tactics, credential abuse and attacks on cloud and software-as-a-service environments. Human-operated campaigns are particularly difficult to counter because attackers adapt their behaviour as they encounter controls, often using legitimate administration tools to avoid detection.
Defender’s new capability is not a substitute for basic security controls. Organisations still need strong identity governance, patch management, multi-factor authentication, network segmentation, offline backups and tested incident response plans. Automated containment works best when deployed across a well-instrumented environment where endpoint, identity, email and cloud signals can be combined into a coherent attack story.
The competitive market for extended detection and response is also pushing vendors to show measurable improvements in response speed. CrowdStrike, Palo Alto Networks, SentinelOne, Sophos and other providers have been expanding automated response, identity protection and AI-assisted investigation tools. Microsoft’s advantage lies in its deep integration across Windows, Microsoft 365, Entra ID and cloud workloads, but customers still face the task of configuring policies, permissions and exclusions carefully.