Hackers News
CyberSecurity News
Microsoft Defender Isolates Compromised Devices from Ransom

Marcus Rodriguez
May 26, 2026 3 Min Read

Microsoft Defender for Endpoint now features automatic device isolation, a proactive containment capability that disconnects a compromised workstation from the network the moment a high-confidence attack is detected, without waiting for an analyst to act.

Microsoft Defender for Endpoint can now automatically isolate compromised devices as part of its broader Automatic Attack Disruption framework.

When the platform identifies an active ransomware campaign or sophisticated intrusion in progress, it immediately severs the affected device’s network connections, cutting off the attacker’s access while preserving the device’s communication channel with the Defender for Endpoint service itself.

This means security analysts continue to receive telemetry and maintain visibility into the compromised machine even while it is isolated.

The capability targets end-user workstations that are onboarded and managed by Microsoft Defender for Endpoint. It does not apply to servers or unmanaged devices under the current scope of this feature.

How Automatic Attack Disruption Works

Microsoft Defender XDR correlates millions of signals across endpoints, identities, email, and SaaS applications to build a single, high-confidence incident view.

Once an active attack, such as ransomware propagation or Business Email Compromise (BEC) credential harvesting, is confirmed with sufficient confidence, the system automatically triggers containment actions at the incident level, not just the alert level.

For device isolation specifically, Defender for Endpoint disconnects the compromised asset from the broader network, preventing the attacker from using it as a launchpad for lateral movement, data exfiltration, or ransomware deployment to adjacent systems.

[Figure: Isolation based on Ransomware Attack]

The isolation is scoped to specific devices involved in the incident, not broadly applied across the environment, minimizing collateral disruption to business operations.

Microsoft has embedded several safeguards to prevent isolation from becoming an operational bottleneck:

  • Time-limited containment: Isolation is automatically reversed after a defined time window, ensuring devices are not permanently cut off.
  • Operator override: Security teams can manually release isolation at any point after completing investigation and remediation steps.
  • Scoped targeting: Only devices directly implicated in the attack chain are isolated, not the entire environment.
  • Exclusion support: Organizations can configure exclusion rules for critical business machines, so that those high-priority assets are handled by selective isolation based on defined rules rather than by full network disconnection.

After automatic isolation is applied, security operators can audit the full activity trail directly in the Microsoft Defender portal. The Activities tab within the incident view logs each isolation and unisolation event, including the timestamp, the triggering alert, and the actor that performed the action (Attack Disruption for automated isolations).

The Action Center provides a historical log of all isolation actions, including their status (Completed or Failed), the action source, and the entity that decided the action.
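The portal views above answer the questions an operator has after an automatic isolation: which devices are still contained, which have been contained longer than the time window, which isolations failed, and how to release a device once investigation is done. The following is an added example, not code from the article or from Microsoft, that does the same reconciliation over the machine-action history in a script. It assumes (my assumptions, not the page's) that the records carry the fields of the Defender for Endpoint `GET /api/machineactions` response (`type`, `status`, `machineId`, `computerDnsName`, `creationDateTimeUtc`, `requestor`), that the API reports `Succeeded`/`Failed`/`Pending` where the portal shows Completed/Failed, and that a release is `POST /api/machines/{id}/unisolate` with a JSON body `{"Comment": ...}`. The sample records and the `Attack Disruption` requestor string are constructed; the release request is built but never sent, so the script runs offline.

```python
"""Reconcile Defender for Endpoint Isolate/Unisolate machine actions into a
per-device state and build the release request (added example, offline)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"  # assumed endpoint base

# Constructed sample records, no real tenant data. The requestor value for
# automated actions is a placeholder; the real value is whatever the API returns.
SAMPLE_ACTIONS = [
    {"id": "a1", "type": "Isolate", "status": "Succeeded", "machineId": "m-ws01",
     "computerDnsName": "ws01.corp.example", "creationDateTimeUtc": "2026-05-26T08:00:00Z",
     "requestor": "Attack Disruption"},
    {"id": "a2", "type": "Unisolate", "status": "Succeeded", "machineId": "m-ws01",
     "computerDnsName": "ws01.corp.example", "creationDateTimeUtc": "2026-05-26T10:30:00Z",
     "requestor": "analyst@corp.example"},
    {"id": "a3", "type": "Isolate", "status": "Succeeded", "machineId": "m-ws02",
     "computerDnsName": "ws02.corp.example", "creationDateTimeUtc": "2026-05-26T09:15:00Z",
     "requestor": "Attack Disruption"},
    {"id": "a4", "type": "RunAntiVirusScan", "status": "Succeeded", "machineId": "m-ws02",
     "computerDnsName": "ws02.corp.example", "creationDateTimeUtc": "2026-05-26T09:30:00Z",
     "requestor": "analyst@corp.example"},
    {"id": "a5", "type": "Unisolate", "status": "Pending", "machineId": "m-ws02",
     "computerDnsName": "ws02.corp.example", "creationDateTimeUtc": "2026-05-26T11:50:00Z",
     "requestor": "analyst@corp.example"},
    {"id": "a6", "type": "Isolate", "status": "Failed", "machineId": "m-ws03",
     "computerDnsName": "ws03.corp.example", "creationDateTimeUtc": "2026-05-26T09:20:00Z",
     "requestor": "Attack Disruption"},
]


@dataclass
class DeviceState:
    machine_id: str
    dns_name: str
    isolated: bool = False
    since: Optional[datetime] = None    # when the current isolation took effect
    isolated_by: Optional[str] = None   # requestor of that isolation
    failed_isolations: int = 0          # containment attempts that did not land


def _ts(s: str) -> datetime:
    # The API returns UTC timestamps with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def reconcile(actions: list[dict]) -> dict[str, DeviceState]:
    """Replay actions in time order; only successful Isolate/Unisolate change state.
    Pending actions and unrelated types (scans, packages) leave the state as is;
    failed isolations are counted so they can be chased."""
    states: dict[str, DeviceState] = {}
    for a in sorted(actions, key=lambda a: _ts(a["creationDateTimeUtc"])):
        st = states.setdefault(a["machineId"], DeviceState(a["machineId"], a["computerDnsName"]))
        if a["type"] == "Isolate" and a["status"] == "Failed":
            st.failed_isolations += 1
        elif a["type"] == "Isolate" and a["status"] == "Succeeded":
            st.isolated, st.since, st.isolated_by = True, _ts(a["creationDateTimeUtc"]), a["requestor"]
        elif a["type"] == "Unisolate" and a["status"] == "Succeeded":
            st.isolated, st.since, st.isolated_by = False, None, None
    return states


def currently_isolated(states: dict[str, DeviceState]) -> list[str]:
    return sorted(m for m, s in states.items() if s.isolated)


def overdue(states: dict[str, DeviceState], now_iso: str, window_hours: float) -> list[str]:
    """Devices isolated longer than the containment window: review, then release."""
    now, window = _ts(now_iso), timedelta(hours=window_hours)
    return sorted(m for m, s in states.items() if s.isolated and now - s.since > window)


def failed_containment(states: dict[str, DeviceState]) -> list[str]:
    """Devices where an automatic isolation was attempted but did not succeed."""
    return sorted(m for m, s in states.items() if s.failed_isolations and not s.isolated)


def unisolate_request(machine_id: str, comment: str, token: str) -> tuple[str, str, dict, str]:
    """Build the release call (method, url, headers, body); the caller sends it."""
    url = f"{API_BASE}/machines/{machine_id}/unisolate"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "POST", url, headers, json.dumps({"Comment": comment})


if __name__ == "__main__":
    states = reconcile(SAMPLE_ACTIONS)
    for m in currently_isolated(states):
        s = states[m]
        print(f"{s.dns_name}: isolated since {s.since.isoformat()} by {s.isolated_by}")
    print("overdue (>2h):", overdue(states, "2026-05-26T12:00:00Z", 2))
    print("failed containment:", failed_containment(states))
    method, url, _, body = unisolate_request("m-ws02", "Investigation complete, host reimaged", "<token>")
    print(method, url, body)
```

Two details matter in practice: a `Pending` unisolation must not be treated as a release (the device is still cut off until the action succeeds), and a failed automatic isolation means the attacker's foothold was never contained, so those hosts deserve manual isolation or a check of why the action did not land.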

Ransomware groups rely heavily on speed; the faster they move laterally, the more damage they inflict before detection. By automating containment the moment a high-confidence signal is detected, Microsoft Defender for Endpoint removes the critical delay between detection and response.

Security operations teams retain full investigative control, while the attack’s blast radius is dramatically reduced, limiting both financial impact and productivity loss.


Tags: Attack, ransomware, Security

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

All Rights Reserved by HackersRadar ©2026