Microsoft is rolling out an automated isolation feature in Defender for Endpoint that will quarantine compromised systems without waiting for administrator approval. The capability detects when an endpoint falls under active attack and immediately severs its network connections to prevent lateral movement.

The feature operates within Defender for Endpoint's detection and response framework. When the system identifies suspicious activity matching attack patterns, it triggers isolation protocols automatically. This removes the time delay between breach detection and containment, a critical window attackers exploit to spread within networks.

Lateral movement represents a core adversary objective. Once attackers establish initial access to a single machine, they pivot to additional systems to deepen their foothold, access sensitive data, and establish persistence. By isolating the first compromised endpoint, organisations block this progression before it accelerates.

The automatic isolation carries operational considerations. System administrators retain visibility and can quickly review the isolation decision. The feature defaults to automatic mode but organisations can adjust settings to require human approval before isolation executes. This flexibility lets security teams balance speed against the risk of isolating critical systems prematurely.

Microsoft positions this as part of its shift toward AI-assisted incident response. Defender for Endpoint already correlates behavioral signals to detect breach activity. Automating isolation removes a manual step that frequently causes response delays, especially in organisations lacking 24/7 security operations centers.

The capability benefits organisations of all sizes, but it particularly strengthens defences at companies where limited security staff bandwidth slows response. Because containment no longer waits for an analyst to act, automated isolation of a breached endpoint can shrink the window between compromise and containment from hours to seconds.

Security teams should evaluate whether this feature aligns with their environment before leaving it in fully automatic mode. High-availability systems may need adjusted thresholds, or an approval step, to prevent unnecessary isolation during legitimate activity spikes that resemble attack patterns. Configuration options let administrators set isolation triggers matched to their risk tolerance and network architecture.
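To make the trade-offs in the two preceding paragraphs concrete, here is an added example (not Microsoft's code and not part of the original article) that models the decision an isolation policy has to make: whether to isolate a device outright, queue the decision for human approval, or do nothing. The automatic/approval modes, the critical-host exemption, the per-host threshold override, and the sample alerts are all assumptions constructed for this illustration; the actual isolation action in Defender for Endpoint is performed by the product and is deliberately left out.

```python
"""Policy model for automated endpoint isolation decisions.

Constructed example: it models the configuration knobs described in the
article (automatic vs approval-required mode, severity and distinct-signal
thresholds, exemptions for high-availability hosts). It is not Defender for
Endpoint code; every field name and sample alert below is an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"          # isolate as soon as the policy fires
    REQUIRE_APPROVAL = "approval"    # queue the decision for a human


class Decision(Enum):
    ISOLATE = "isolate"
    QUEUE_FOR_APPROVAL = "queue_for_approval"
    NO_ACTION = "no_action"


SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    device: str
    technique: str     # e.g. "lateral_movement", "credential_access"
    severity: str      # "low" | "medium" | "high"


@dataclass
class Policy:
    mode: Mode = Mode.AUTOMATIC
    min_severity: str = "high"
    # Number of distinct techniques required before isolating. Raising it
    # means a single noisy heuristic (for example one tripped by a legitimate
    # load spike) cannot take a host off the network on its own.
    min_distinct_techniques: int = 1
    # Hosts that are never isolated without a human in the loop.
    critical_hosts: frozenset = frozenset()
    # Per-host threshold overrides, e.g. a higher bar for HA cluster members.
    host_thresholds: dict = field(default_factory=dict)


def evaluate(alerts: list[Alert], policy: Policy) -> dict[str, Decision]:
    """Return one decision per device seen in `alerts`."""
    by_device: dict[str, list[Alert]] = {}
    for a in alerts:
        by_device.setdefault(a.device, []).append(a)

    decisions: dict[str, Decision] = {}
    for device, device_alerts in by_device.items():
        threshold = policy.host_thresholds.get(device, policy.min_distinct_techniques)
        # Only alerts at or above the configured severity count towards the bar.
        qualifying = {a.technique for a in device_alerts
                      if SEVERITY[a.severity] >= SEVERITY[policy.min_severity]}
        if len(qualifying) < threshold:
            decisions[device] = Decision.NO_ACTION
        elif policy.mode is Mode.REQUIRE_APPROVAL or device in policy.critical_hosts:
            decisions[device] = Decision.QUEUE_FOR_APPROVAL
        else:
            decisions[device] = Decision.ISOLATE
    return decisions


# Constructed sample alerts: a workstation with two high-severity techniques,
# a production database host on the critical list, and a build server that
# has a raised per-host threshold.
SAMPLE_ALERTS = [
    Alert("ws-0412", "credential_access", "high"),
    Alert("ws-0412", "lateral_movement", "high"),
    Alert("db-prod-01", "lateral_movement", "high"),
    Alert("build-07", "suspicious_process", "high"),
]

DEFAULT_POLICY = Policy(
    mode=Mode.AUTOMATIC,
    min_severity="high",
    min_distinct_techniques=1,
    critical_hosts=frozenset({"db-prod-01"}),
    host_thresholds={"build-07": 2},
)

if __name__ == "__main__":
    for device, decision in evaluate(SAMPLE_ALERTS, DEFAULT_POLICY).items():
        print(f"{device}: {decision.value}")
```

With the default policy the workstation is isolated immediately, the database host is queued for approval despite meeting the bar, and the build server is left alone because its override demands two distinct techniques. Switching `mode` to `Mode.REQUIRE_APPROVAL` turns every would-be isolation into a queued decision, which is the global fallback the article describes for teams that want a human sign-off.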