Microsoft Defender for Endpoint has introduced a preview feature enabling automatic isolation of compromised endpoints. When a device is suspected of being hacked, Defender automatically disconnects it from the network to reduce lateral movement and limit risks such as data exfiltration and ransomware spread. The isolated device remains connected to the Defender service for continuous monitoring. This automatic isolation is applicable only to onboarded Windows workstations managed by Defender for Endpoint and can be released by administrators post-incident. This capability complements existing manual isolation features and extends Defender's attack disruption capabilities.

The feature reduces the risk of attackers moving laterally across the network from compromised endpoints, thereby limiting the potential spread of malware, ransomware, or data exfiltration. By isolating devices automatically, organizations can contain attacks more effectively and gain additional time for incident response. There are no known exploits in the wild related to this feature, and it is currently in preview mode.

This is a new security enhancement rather than a vulnerability requiring patching. Organizations using Microsoft Defender for Endpoint can enable and test this automatic isolation feature in preview to improve attack containment. No additional remediation is required beyond onboarding devices to Defender for Endpoint and configuring the feature. Security operators should familiarize themselves with the process to release devices from isolation after investigation.