Microsoft Defender Now Automatically Isolates Hacked Devices

Microsoft is testing an update for Defender for Endpoint that will automatically isolate devices identified as compromised. The new capability is designed to prevent lateral movement by attackers within corporate networks following an initial breach.

The feature activates upon detecting suspicious activity, blocking network connections of the infected device except for communication channels with Microsoft servers to transmit threat data. This helps contain attacks and minimize damage without requiring manual intervention from administrators.

The tool is integrated into the existing Defender for Endpoint ecosystem, allowing deployment without additional configurations. Microsoft emphasizes that automatic isolation will be part of a multi-layered defense strategy, complementing other detection and response mechanisms.

Currently, the feature is available to a limited group of users as part of a preview program. It is expected to be included in the standard update package for enterprise customers after testing is complete.