ITnews

Microsoft trials automatic device isolation from network in Defender for Endpoint

Microsoft this month added a capability to automatically cut devices off from the network in its enterprise Defender for Endpoint extended detection and response platform; the feature is in preview for now.

It described the action as time-limited and scoped to an incident, meaning isolation lifts automatically after a defined window, though security operators can release a device from containment earlier once investigation and remediation are complete.

The feature is aimed at end-user workstations onboarded and managed by Defender for Endpoint, and sits within Microsoft’s broader automatic attack disruption framework.

That framework aims to contain ransomware and other hands-on-keyboard attacks before human responders can catch up.

Manual device isolation, by contrast, has been available in Defender for Endpoint since the Windows 10 Creators Update era for managed devices, with support for unmanaged Windows devices arriving in June 2022, and general availability on macOS and Linux following in October 2023.

The isolation is not total: the device retains a communication channel to the Defender for Endpoint service.

This allows analysts to continue receiving telemetry and maintaining visibility into the compromised machine while it is cut off from the rest of the network.

End users on Windows receive a notification when their device is isolated, but this isn’t the case for Defender on macOS and Linux-based operating systems.

For administrators running Defender for Endpoint on Linux, Microsoft is also previewing scheduled scans, a feature that is already available for the anti-malware tool on macOS.

Google and Microsoft have also added containment at the cloud storage layer for their Drive and OneDrive systems.

Currently, OneDrive focuses on ransomware detection and post-incident recovery, whereas Google Drive additionally attempts to limit propagation by automatically pausing sync when ransomware-encrypted files are detected.

Automatic device isolation from the network is available in preview on Defender for Endpoint Plan 2, aimed at enterprise customers.