Aims to slow ransomware spread
Image caption: Microsoft adds automatic endpoint isolation to Defender platform. Source: Microsoft
Microsoft has introduced a new cybersecurity capability that can automatically isolate compromised computers from corporate networks.
The feature, currently available in preview for customers using Microsoft Defender for Endpoint, is designed to sever infected devices from wider company systems the moment suspicious activity is detected.
The move is intended to stop attackers spreading through networks after an initial breach.
Under the new system, compromised endpoints are disconnected from network communications while maintaining a secure link to Microsoft’s cloud-based Defender service, allowing security teams to continue monitoring the affected device remotely.
Microsoft said the capability forms part of its broader “automatic attack disruption” framework, which seeks to contain cyber intrusions without waiting for manual intervention from IT staff.
“When a device in your organisation is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption,” Microsoft said in technical guidance.
“Automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.”
Automated containment tools are becoming increasingly important as attackers shorten the time between breaching a system and deploying ransomware or stealing sensitive data.
The feature currently applies only to onboarded end-user workstations managed through Defender for Endpoint.
Security administrators can later reconnect isolated devices once investigations have concluded and threats have been neutralised.
Defender’s automated response capabilities
The announcement continues a rapid expansion of Defender’s automated response capabilities.
In 2023, Microsoft rolled out isolation support for Linux devices and added mechanisms capable of automatically containing compromised user accounts during “hands-on-keyboard” ransomware attacks.
More recently, the company began testing technology that blocks communications with previously undiscovered Windows devices on corporate networks, a measure intended to prevent attackers from using unmanaged systems as footholds.
Earlier this month, Microsoft said administrators will soon be able to schedule antivirus scans on Linux systems directly through the Defender portal and command-line tools.
Another preview feature introduces a revised exposure scoring system for Defender Vulnerability Management that incorporates exploit prediction data and asset criticality to improve vulnerability prioritisation.
Microsoft discloses Defender vulnerabilities
The developments come as Microsoft last week disclosed two actively exploited vulnerabilities affecting Defender software itself.
One flaw, identified as CVE-2026-41091, could allow attackers with authorised access to gain elevated system privileges through improper file-link handling. The vulnerability carries a CVSS severity rating of 7.8.
A second flaw, tracked as CVE-2026-45498, could allow denial-of-service attacks against Defender installations.
Microsoft said both issues have been patched in updated versions of the Defender Anti-malware Platform and urged customers to ensure systems are fully updated.
