Microsoft is expanding its Defender for Endpoint security platform with a feature that can automatically disconnect infected systems from the corporate network. The new capability is designed to prevent attackers from moving further through an organization after an initial breach, for example to deploy ransomware or steal data.
The feature is currently available as a preview within Microsoft Defender for Endpoint. As soon as the platform detects suspicious activity on a device, the system can automatically isolate that endpoint from the rest of the network. However, a secure connection to Microsoft’s cloud environment remains active, allowing security teams to continue investigating and managing the device remotely.
According to Microsoft, the expansion is part of the broader “automatic attack disruption” program. With this, the company aims to contain cyberattacks more quickly without requiring administrators to intervene manually first. In technical documentation, Microsoft states that automatic isolation should reduce the likelihood of attackers moving laterally through a network or causing further damage.
For now, the feature works only on workstations already enrolled in Defender for Endpoint. Security teams can also manually restore a system’s network access after investigation, once the risks have been mitigated.
This step is part of a broader trend in cybersecurity where vendors are increasingly focusing on automated response mechanisms. Attackers are operating at an ever-faster pace: according to security firms, the time between an initial breach and the deployment of ransomware or the theft of sensitive data continues to shrink.
By immediately isolating an infected system, vendors like Microsoft hope to limit this so-called dwell time. The idea is that an attacker will have fewer opportunities to reach other systems, take over accounts, or exfiltrate data.
Microsoft has long positioned Defender for Endpoint as a platform that combines detection, threat analysis, and automated response. The new isolation feature is designed to help organizations respond to incidents more quickly, especially in environments where security teams cannot continuously monitor all alerts manually.
Expansion of previous containment features
The new feature builds on previous capabilities within Defender for Endpoint. Microsoft introduced options as early as 2022 to manually isolate infected unmanaged Windows systems from network traffic. Support for Linux systems and automatic isolation of compromised user accounts during ransomware attacks followed later.
According to BleepingComputer, Microsoft is also working on additional security features that can automatically block traffic from unknown Windows endpoints. The company aims to prevent attackers from spreading further through a network via unmanaged systems.
Earlier this month, Microsoft also announced that Defender for Endpoint will gain support for scheduled antivirus scans on Linux systems in preview. Administrators can configure these scans centrally via the Defender portal or using command-line tools.