Microsoft tests automatic network isolation in Defender for Endpoint

The system responds before an analyst even knows there's a problem.
Automatic isolation removes the delay inherent in manual response, crucial when ransomware spreads in seconds.

As ransomware continues to outpace human reaction time, Microsoft has begun testing a capability within its enterprise security platform that removes the human delay from one of the most critical moments in a cyberattack — the instant a device is known to be compromised. Automatic isolation, now in preview for Defender for Endpoint, reflects a broader reckoning in cybersecurity: that the speed of modern threats demands systems that act before people can. The machine, in this case, is not replacing judgment — it is buying time for it.

  • Ransomware spreads in the seconds it takes a human analyst to notice and respond, making manual containment a race that defenders routinely lose.
  • Microsoft's new automatic isolation feature severs compromised devices from the network the moment a threat is detected, without waiting for operator intervention.
  • Isolated devices are not left dark — a dedicated telemetry channel keeps security analysts watching and investigating even as the machine is cut off from everything else.
  • The automation expands a toolset that has existed in manual form since the Windows 10 era, now reaching macOS and Linux with scheduled scanning also entering preview.
  • Google and Microsoft are layering containment into cloud storage as well, with Google Drive pausing sync on ransomware detection and OneDrive prioritizing recovery — acknowledging that attacks don't stop at the device.

Microsoft has begun previewing a new capability inside Defender for Endpoint that automatically disconnects a compromised device from the network the moment a threat is identified. The isolation is temporary — it lifts after a set investigation window closes, once analysts complete remediation, or when an operator manually releases the device. No human decision is required to trigger it.

The feature is part of Microsoft's broader automatic attack disruption strategy, aimed at containing ransomware and hands-on-keyboard intrusions before security teams can act. Speed is the core argument: lateral movement and file encryption can happen in the time it takes an analyst to open an alert. Automatic isolation is designed to interrupt that window.

Isolation does not mean blindness. Contained devices retain a dedicated channel back to the Defender for Endpoint service, allowing analysts to monitor telemetry, observe malware behavior, and plan remediation while the threat remains walled off. Windows users receive a notification when isolated; macOS and Linux users do not. Linux administrators also gain access to scheduled anti-malware scans, a feature already available on macOS.

Manual isolation has existed in Defender for Endpoint since the Windows 10 Creators Update, with unmanaged Windows device support arriving in 2022 and macOS and Linux following in 2023. What changes now is agency — the system decides when to act, not a person.

The containment logic is also moving into cloud storage. OneDrive emphasizes ransomware recovery, while Google Drive takes a more active stance, pausing file sync when it detects encrypted content being uploaded. Both reflect the same recognition: modern attacks flow beyond the endpoint and into the cloud before defenders can respond.

Automatic isolation is currently available in preview on Defender for Endpoint Plan 2, targeting enterprise customers. Microsoft is still refining the feature based on feedback, but the direction is clear — fewer seconds between detection and containment, and less damage left to repair.

Microsoft is moving toward a more automated defense against ransomware and other active attacks. This month, the company began testing a new capability within Defender for Endpoint—its enterprise security platform—that can automatically sever a compromised device from the network the moment a threat is detected. The isolation is temporary and scoped to the specific incident. After a set time window passes, or once security analysts finish their investigation and remediation work, the device reconnects automatically. A human operator can also manually release it from containment earlier if needed.

The feature targets end-user workstations that are enrolled in and managed by Defender for Endpoint. It sits within a larger strategy Microsoft calls automatic attack disruption, designed to contain ransomware and other hands-on-keyboard attacks before security teams can respond manually. Speed matters here. By the time a human analyst notices an intrusion and acts, an attacker may have already moved laterally through the network or encrypted critical files. Automatic isolation aims to stop that spread in its tracks.

This is not Microsoft's first isolation tool. Manual device isolation has existed in Defender for Endpoint since the Windows 10 Creators Update era, allowing administrators to disconnect managed devices by hand. Support for unmanaged Windows devices came in June 2022. macOS and Linux support followed in October 2023. What's new is the automation—the system now decides when to isolate, not a person.

The isolation is not complete blackout. Devices cut off from the network retain a dedicated communication channel back to the Defender for Endpoint service itself. This means security analysts continue to receive telemetry and maintain visibility into the compromised machine even while it sits isolated from everything else. They can watch what the malware is doing, gather evidence, and plan remediation without the threat spreading further.

Notifications work differently across operating systems. Windows users receive an alert when their device is isolated. macOS and Linux users do not. For Linux administrators, Microsoft is also previewing scheduled anti-malware scans—a capability that already exists on macOS. This allows scans to run on a fixed schedule rather than only on demand.

Microsoft is not alone in this direction. Google and Microsoft have both added containment at the cloud storage layer. OneDrive, Microsoft's cloud service, focuses on ransomware detection and post-incident recovery. Google Drive goes further, attempting to limit the spread of encrypted files by automatically pausing sync when it detects ransomware-encrypted content. Both approaches recognize that modern attacks don't stop at the endpoint—they flow into the cloud.

Automatic device isolation is available now in preview on Defender for Endpoint Plan 2, which targets enterprise customers. The feature remains experimental, meaning Microsoft is still testing it and may refine how it works based on feedback. For organizations managing large fleets of devices, the appeal is clear: fewer seconds between detection and containment, fewer devices compromised, less damage to clean up.

The isolation is time-limited and scoped to an incident, meaning it lifts automatically after a defined window
— Microsoft (via feature description)
The Hearth Conversation Another angle on the story
Inventor

Why does Microsoft need automatic isolation if manual isolation already exists?

Model

Manual isolation requires a human to notice the threat, understand it, and act. That takes minutes at best. Ransomware moves in seconds. Automatic isolation removes that delay—the system responds before an analyst even knows there's a problem.

Inventor

But if a device is isolated, how do analysts investigate it?

Model

It's not a total blackout. The device stays connected to Defender for Endpoint's own service, so analysts see all the telemetry, all the activity. They're just invisible to the rest of the network.

Inventor

What happens if the system isolates a device by mistake?

Model

That's why it's time-limited and scoped to the incident. After a defined window, it lifts automatically. And analysts can release it manually the moment they confirm it's safe. The system errs on the side of caution, but doesn't lock devices away forever.

Inventor

Why do Windows users get a notification but Linux users don't?

Model

That's a gap in the current implementation. Windows has a mature notification system built in. Linux and macOS don't have the same infrastructure yet. It's something Microsoft will likely address as the feature matures.

Inventor

How does this connect to what Google is doing with Drive?

Model

They're thinking about the same problem from different angles. Microsoft isolates the device. Google isolates the data by pausing sync when it detects encrypted files. Together, they're trying to contain the blast radius—stop it at the endpoint, stop it at the cloud, stop it everywhere at once.

Contact Us FAQ