
Microsoft is adding an automatic isolation capability to Defender for Endpoint. When the platform detects suspicious activity on a device, the feature disconnects that device from the corporate network, while a secure connection to Microsoft's cloud remains available so security teams can continue investigating and managing the device remotely. The capability is offered as a preview and is part of Microsoft's "automatic attack disruption" effort to contain breaches faster without requiring administrators to intervene first; the stated goal is to reduce lateral movement and further damage after an initial compromise. It currently applies only to workstations enrolled in Defender for Endpoint, and security teams can manually restore a device's network access once the risk has been mitigated.
"Microsoft is expanding its Defender for Endpoint security platform with a feature that can automatically disconnect infected systems from the corporate network. The new capability is designed to prevent attackers from moving further through an organization after an initial breach, for example to deploy ransomware or steal data. The feature is currently available as a preview within Microsoft Defender for Endpoint. As soon as the platform detects suspicious activity on a device, the system can automatically isolate that endpoint from the rest of the network."
"However, a secure connection to Microsoft's cloud environment remains active, allowing security teams to continue investigating and managing the device remotely. According to Microsoft, the expansion is part of the broader 'automatic attack disruption' program. With this, the company aims to contain cyberattacks more quickly without requiring administrators to intervene manually first. In technical documentation, Microsoft states that automatic isolation should reduce the likelihood of attackers moving laterally through a network or causing further damage."
"For now, the feature works only on workstations already enrolled in Defender for Endpoint. Security teams can also manually restore a system's network access after investigation, once the risks have been mitigated. This step is part of a broader trend in cybersecurity where vendors are increasingly focusing on automated response mechanisms. Attackers are operating at an ever-faster pace."
"By immediately isolating an infected system, vendors like Microsoft hope to limit this so-called dwell time. The idea is that an attacker will have fewer opportunities to reach other systems, take over accounts, or exfiltrate data. Microsoft has long positioned Defender for Endpoint as a platform that combines"
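The manual release of network access after investigation that the excerpts above mention can be scripted against the Defender for Endpoint API. The PowerShell below is an added example, not code from the Techzine article or from Microsoft; it assumes an Entra app registration granted the Machine.Isolate and Machine.Read.All application permissions, and the tenant ID, app ID, secret, device ID and ticket number are placeholders. Whether an automatic isolation shows up in the machine-actions list the same way an analyst-initiated one does is also an assumption, so the script inspects the most recent action on the device and refuses to send a release unless that action is a completed isolation.

```powershell
# Added example (not from the article or from Microsoft): release a device from
# network isolation via the Defender for Endpoint API after investigation.
# Assumed: an Entra app with Machine.Isolate and Machine.Read.All application
# permissions. All values below are placeholders.

$tenantId  = '<tenant-id>'
$appId     = '<app-id>'
$appSecret = '<app-secret>'
$machineId = '<machine-id>'   # Defender device ID (from the device page/API), not the hostname

$apiBase = 'https://api.securitycenter.microsoft.com'

# 1. Client-credentials token for the Defender for Endpoint API.
$authBody = [Ordered]@{
    resource      = $apiBase
    client_id     = $appId
    client_secret = $appSecret
    grant_type    = 'client_credentials'
}
$auth = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body $authBody -ErrorAction Stop
$headers = @{ Authorization = "Bearer $($auth.access_token)" }

# 2. List isolation-related actions for this device, newest first, before touching it.
#    'requestor' and 'requestorComment' tell you who or what triggered each action.
$filter  = "machineId eq '$machineId' and (type eq 'Isolate' or type eq 'Unisolate')"
$listUri = "$apiBase/api/machineactions?`$filter=$([uri]::EscapeDataString($filter))"
$actions = (Invoke-RestMethod -Method Get -Uri $listUri -Headers $headers -ErrorAction Stop).value |
    Sort-Object creationDateTimeUtc -Descending

$actions |
    Select-Object id, type, status, requestor, requestorComment, creationDateTimeUtc |
    Format-Table -AutoSize

# 3. Only release if the device is actually in a completed isolation; anything else
#    (no action, a pending action, an earlier release) is left for a human to look at.
$latest = $actions | Select-Object -First 1
if (-not $latest -or $latest.type -ne 'Isolate' -or $latest.status -ne 'Succeeded') {
    Write-Warning "Most recent action is not a completed isolation; not sending unisolate."
    return
}

# 4. Release network isolation. The comment is stored on the action, so put the
#    ticket or alert reference there for the audit trail.
$body = @{ Comment = 'Investigation complete; threat remediated (ticket 12345)' } | ConvertTo-Json
$release = Invoke-RestMethod -Method Post `
    -Uri "$apiBase/api/machines/$machineId/unisolate" `
    -Headers $headers -ContentType 'application/json' -Body $body -ErrorAction Stop

# 5. Poll until the action finishes; the device regains network access only once
#    the action reaches Succeeded (Failed/TimeOut/Cancelled mean it is still isolated).
do {
    Start-Sleep -Seconds 10
    $state = Invoke-RestMethod -Method Get `
        -Uri "$apiBase/api/machineactions/$($release.id)" -Headers $headers
    Write-Host "Unisolate action $($state.id): $($state.status)"
} while ($state.status -in @('Pending', 'InProgress'))
```

The same pattern with `POST .../api/machines/{id}/isolate` and a body containing `IsolationType` ("Full" or "Selective") isolates a device on demand; the guard in step 3 is the part worth keeping in either direction, because releasing a device that an automated response just isolated undoes the containment the feature exists to provide.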
#microsoft-defender-for-endpoint #automated-incident-response #endpoint-isolation #ransomware-prevention #cyberattack-containment
Read at Techzine Global