Microsoft Defender can now automatically isolate hacked endpoints
Recorded: May 26, 2026, 1:16 p.m.
Original

By Sergiu Gatlan, May 26, 2026

Microsoft is testing a new Defender for Endpoint capability that will automatically isolate compromised endpoints to thwart attackers' attempts to move laterally across the network.

[Image: Defender for Endpoint automatic device isolation (Microsoft)]
Summarized

Microsoft is testing a new Defender for Endpoint capability that automatically isolates compromised endpoints to block lateral movement across the network. It is part of automatic attack disruption, the mechanism meant to contain malicious activity, limit the overall impact of an attack, and give security teams more time to remediate.

An automatically isolated endpoint is cut off from the network so it cannot be used to reach other hosts, but it stays connected to the Defender for Endpoint service, so the device can still be monitored and investigated. The capability applies only to end-user workstations that are onboarded to and managed by Defender for Endpoint.

Security operators can release a device from automatic isolation at any time, once the incident investigation is complete and the associated risk has been mitigated, by selecting the device in the device inventory or using the action menu on the device page.

This builds on earlier containment controls. In June 2022, nearly four years earlier, Microsoft gave administrators the option to manually contain compromised, unmanaged Windows devices by blocking incoming and outgoing communication between them and onboarded Defender for Endpoint endpoints. Device isolation for onboarded Linux devices entered testing in January 2023 and reached general availability in October 2023. Around the same time, the platform gained the ability to automatically isolate compromised user accounts to block lateral movement during hands-on-keyboard ransomware attacks.
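The release step above is described as a portal action. As an added example, not from the article and not Microsoft's own code, the following Python script performs the same audit and release through the Microsoft Defender for Endpoint REST API, which exposes a list of machine actions and an "unisolate" action per device. The API base URL, the `/machineactions` and `/machines/{id}/unisolate` paths and the mandatory `Comment` body field follow Microsoft's documented API; the client wrapper, the `currently_isolated` reconciliation, the fake transport, the sample action history (machine ids `ws-001` to `ws-004`) and the placeholder bearer token are this example's own constructions. The reconciliation matters because the action list is a history: a device whose most recent succeeded Isolate/Unisolate action is an Isolate is still isolated, while a pending or failed Unisolate has not released it.

```python
"""Audit and release Defender for Endpoint device isolation over the REST API.

Documented endpoints used (api.securitycenter.microsoft.com):
  GET  /api/machineactions?$filter=...   list machine actions (OData filter)
  POST /api/machines/{id}/unisolate      release a device from isolation
The client wrapper, sample data and token below are this example's own
constructions (hypothetical), not Microsoft code."""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote
from urllib.request import Request, urlopen

API_BASE = "https://api.securitycenter.microsoft.com/api"


def _urllib_transport(method: str, url: str, headers: Dict[str, str],
                      body: Optional[bytes]) -> Tuple[int, str]:
    """Real HTTP transport; used only when no fake transport is injected."""
    with urlopen(Request(url, data=body, method=method, headers=headers)) as resp:
        return resp.status, resp.read().decode("utf-8")


class DefenderClient:
    def __init__(self, token: str, transport: Callable = _urllib_transport):
        self.token = token          # OAuth2 bearer token for the Defender API (placeholder)
        self.transport = transport  # transport(method, url, headers, body) -> (status, text)

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode("utf-8")
        status, text = self.transport(method, API_BASE + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {text}")
        return json.loads(text) if text else {}

    def list_machine_actions(self, odata_filter: str) -> List[dict]:
        return self._call("GET", "/machineactions?$filter=" + quote(odata_filter))["value"]

    def release_from_isolation(self, machine_id: str, comment: str) -> dict:
        # Comment is mandatory for the unisolate action and ends up in the audit trail.
        return self._call("POST", f"/machines/{machine_id}/unisolate", {"Comment": comment})


def currently_isolated(actions: List[dict]) -> Dict[str, dict]:
    """Replay isolate/unisolate history per device; a device is isolated when its
    most recent *succeeded* action of either type is an Isolate."""
    latest: Dict[str, dict] = {}
    for action in sorted(actions, key=lambda a: a["creationDateTimeUtc"]):
        if action["type"] not in ("Isolate", "Unisolate"):
            continue
        if action["status"] != "Succeeded":  # pending/failed actions change nothing
            continue
        latest[action["machineId"]] = action
    return {mid: a for mid, a in latest.items() if a["type"] == "Isolate"}


def release_after_review(client: DefenderClient, actions: List[dict],
                         cleared: set, comment: str) -> List[str]:
    """Release only devices that are still isolated AND on the analyst's cleared list."""
    released = []
    for machine_id in sorted(currently_isolated(actions)):
        if machine_id in cleared:
            client.release_from_isolation(machine_id, comment)
            released.append(machine_id)
    return released


def _act(mid: str, kind: str, status: str, when: str) -> dict:
    return {"machineId": mid, "type": kind, "status": status,
            "creationDateTimeUtc": when, "requestor": "soc@example.test"}


# Constructed sample history, not real telemetry.
SAMPLE_ACTIONS = [
    _act("ws-001", "Isolate", "Succeeded", "2026-05-26T09:00:00Z"),
    _act("ws-002", "Isolate", "Succeeded", "2026-05-26T09:05:00Z"),
    _act("ws-002", "Unisolate", "Succeeded", "2026-05-26T09:30:00Z"),  # released
    _act("ws-003", "Isolate", "Succeeded", "2026-05-26T09:10:00Z"),
    _act("ws-003", "Unisolate", "Failed", "2026-05-26T09:40:00Z"),     # still isolated
    _act("ws-004", "Isolate", "Pending", "2026-05-26T09:50:00Z"),      # not yet isolated
]


def make_fake_transport(actions: List[dict]):
    """Offline transport: serves the sample history and records every request."""
    calls: List[Tuple[str, str, Optional[bytes]]] = []

    def transport(method, url, headers, body):
        calls.append((method, url, body))
        if method == "GET":
            return 200, json.dumps({"value": actions})
        return 201, json.dumps({"type": "Unisolate", "status": "Pending"})
    return transport, calls


if __name__ == "__main__":
    transport, calls = make_fake_transport(SAMPLE_ACTIONS)
    client = DefenderClient("PLACEHOLDER_TOKEN", transport)
    history = client.list_machine_actions("type eq 'Isolate' or type eq 'Unisolate'")
    print("still isolated:", sorted(currently_isolated(history)))
    print("released:", release_after_review(client, history, {"ws-003"}, "False positive"))
```

Swap `make_fake_transport` for the default `_urllib_transport` and a real token to run it against a tenant; the `Comment` you pass is what later shows in the action's `requestorComment`, so make it the incident or ticket reference rather than free text.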
More recently, Microsoft has been testing the automatic blocking of all traffic to and from undiscovered Windows endpoints, so that an attacker on such a device cannot reach other, non-compromised devices on the network. Other preview features let administrators schedule antivirus scans on onboarded Linux systems from the Microsoft Defender portal, through the mdatp managed JSON configuration, or with the mdatp command-line tool, with a choice of scan frequencies and scheduling options.