
Microsoft Defender Introduces Automatic Isolation for Compromised Endpoints

Severity: Medium (Score: 54.9)

Sources: Bleepingcomputer, Cybersecuritynews, learn.microsoft.com

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: microsoft, defender, automatically, compromised, isolate, endpoints, endpoint

Severity indicators: ransomware

Summary

Microsoft Defender for Endpoint has launched a new feature that automatically isolates compromised devices to prevent lateral movement by attackers. This capability is part of the Automatic Attack Disruption framework and disconnects affected endpoints from the network immediately upon detection of a high-confidence attack. The isolated devices remain connected to the Defender service for ongoing monitoring. This feature aims to mitigate risks such as data exfiltration and ransomware spread. It is currently available in preview mode and is applicable to onboarded end-user workstations.

Microsoft previously introduced manual isolation options in June 2022 and has expanded isolation support to Linux devices since October 2023. The automatic isolation feature enhances the security posture of organizations by providing security teams with more time to respond to incidents. Microsoft emphasizes that devices can be released from isolation after risk mitigation.

Key Points:

  • Microsoft Defender now automatically isolates compromised endpoints to prevent further attacks.
  • The feature is part of the Automatic Attack Disruption framework and is currently in preview.
  • Isolated devices remain monitored by Defender while disconnected from the network.

Detailed Analysis

**Impact**

The new automatic isolation feature affects organizations using Microsoft Defender for Endpoint on onboarded end-user workstations, primarily within enterprise environments. It aims to reduce the risk of lateral movement, ransomware propagation, and data exfiltration by disconnecting compromised devices from the network immediately upon detection. No specific sectors, geographies, or quantitative impact data were provided in the articles.

**Technical Details**

The feature operates as part of Microsoft's Automatic Attack Disruption framework, isolating endpoints when a high-confidence compromise is detected. It targets onboarded Windows and Linux devices managed by Defender for Endpoint, disconnecting them from the network while maintaining connectivity to the Defender service for ongoing monitoring. No specific attack vectors, malware, CVEs, or IOCs were detailed in the sources.

**Recommended Response**

Organizations should ensure all endpoints are onboarded and managed via Microsoft Defender for Endpoint so that automatic isolation can apply to them. Security teams must monitor the Defender portal for isolation events and be prepared to investigate and release devices from isolation after risk mitigation. Additional recommended actions include scheduling regular antivirus scans on Linux systems using the new Defender features and maintaining updated detection rules aligned with the Automatic Attack Disruption framework.

Source articles (4)

  • Microsoft Defender can now automatically isolate hacked endpoints — Bleepingcomputer · 2026-05-26
    Microsoft is testing a new Defender for Endpoint capability that will automatically isolate compromised endpoints to thwart attackers' attempts to move laterally across the network. This is now availa…
  • Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Spread — Cybersecuritynews · 2026-05-26
    Microsoft Defender for Endpoint has introduced automatic device isolation, a proactive containment capability that disconnects compromised workstations from the network the moment a high-confidence at…
  • Whats New In Microsoft Defender Endpoint — learn.microsoft.com · 2026-05-26
  • Schedule Antivirus Scans Linux — learn.microsoft.com · 2026-05-26

Timeline

  • 2022-06-01 — Manual isolation feature launched: Microsoft introduced the ability for admins to manually isolate compromised unmanaged Windows devices.
  • 2023-10-01 — Linux device isolation support announced: Microsoft Defender for Endpoint began supporting isolation for onboarded Linux devices, enhancing cross-platform security.
  • 2026-05-26 — Automatic isolation feature launched: Microsoft Defender for Endpoint introduced automatic isolation for compromised devices to stop ransomware spread.

Related entities

  • Ransomware (Attack Type)
  • Linux (Platform)
  • Microsoft Defender For Endpoint (Platform)
  • Windows (Platform)