Last updated: July 5, 2026 at 9:01 AM UTC
Tag: edr (1 article)

Microsoft Defender for Endpoint adds automatic device isolation as part of automatic attack disruption (preview)

Microsoft has rolled out a preview of automatic device isolation in Microsoft Defender for Endpoint as part of its automatic attack disruption feature. When Defender detects a compromised endpoint, it now disconnects the device from the network without operator action, while preserving the Defender management channel so the host can still be monitored, investigated, and released. Security teams can release a device from containment after triage via 'Release from isolation' on the Device inventory or device page. The feature works only on onboarded end-user workstations. It joins earlier preview controls for blocking traffic to unmanaged endpoints and isolating compromised user accounts.

Check
Review Defender for Endpoint Action Center preview features in the Microsoft 365 Defender portal. Confirm automatic device isolation is enabled for high-risk endpoint groups.
Affected
Organizations relying on Defender for Endpoint where manual response to compromise alerts has historically been slow enough to allow lateral movement or data exfiltration.
Fix
Enable automatic device isolation in preview. Define release-from-isolation runbooks. Pair with automatic user-account isolation already available. Document operator override procedures for false positives.