Microsoft has added a feature to its endpoint security platform Defender for Endpoint that automatically isolates infected devices from the network.
According to a recent report by Techzine, the feature cuts the endpoint off from the corporate network as soon as suspicious activity is detected on the device. Even while isolated, the device keeps its connection to the Microsoft cloud environment, so security teams can still investigate and manage it remotely. The feature is currently in preview and works only on workstations registered with Defender for Endpoint.
Microsoft introduced the feature as part of its "automatic attack disruption" programme. It extends an existing isolation function and aims to stop an attack from spreading, without administrator intervention, before an attacker who has gained an initial foothold can deploy ransomware or steal data.
After introducing manual isolation for unmanaged Windows systems in 2022, Microsoft has added support for Linux systems and a feature that automatically isolates compromised user accounts during ransomware attacks. According to BleepingComputer, Microsoft is also developing a feature that automatically blocks traffic from unknown Windows endpoints, to prevent an attack from spreading across the network through unmanaged systems.