Microsoft Defender auto‑isolate endpoints

Published by The Daily Scout

What happened

- Microsoft on May 27 said Defender for Endpoint can now automatically isolate compromised devices in preview as part of its automatic attack disruption feature.
- Microsoft said isolation blocks most network traffic while keeping the device connected to Defender for Endpoint, letting security teams continue monitoring and remediation.
- The feature appears in Microsoft’s May 2026 Defender for Endpoint updates and attack-disruption documentation, with configuration handled in the Defender portal.

Why it matters

Microsoft has added automatic device isolation to Defender for Endpoint, extending its automatic attack disruption system from alerting and investigation into direct containment. The feature is in preview and is designed to cut off a compromised device from most network traffic when Microsoft’s detections determine an attack is underway. Microsoft says the isolated device remains connected to Defender for Endpoint so security teams can continue monitoring and response. The change puts a concrete new action inside Microsoft’s broader “automatic attack disruption” framework, which the company describes as using AI, predefined playbooks and threat intelligence to detect attacks in progress and contain affected assets. Microsoft’s documentation says the goal is to limit lateral movement early and reduce the impact of an incident while leaving security operations teams in control of investigation, remediation and recovery. (learn.microsoft.com)

When does Defender isolate a device without waiting for an analyst?

Microsoft’s May 2026 Defender for Endpoint update says automatic device isolation is now part of automatic attack disruption in preview. BleepingComputer and Computerworld both reported the capability on May 27, describing it as a move to let Defender contain compromised endpoints before a human analyst manually triggers isolation. (learn.microsoft.com)

Microsoft has not framed the feature as blanket auto-isolation for every alert. The company’s attack-disruption documentation says containment occurs while an attack is in progress and is tied to Defender’s automated determination that compromised assets are being used by an attacker. That means the decision is driven by Microsoft’s disruption logic and configured protections rather than by every standalone detection. (learn.microsoft.com)

What actually happens to the endpoint once isolation starts?

Microsoft’s device-response documentation says an isolated device is cut off from external network access, and its API documentation describes the action as isolating a device from accessing the external network. Third-party coverage of the new feature says the automatic version applies that same containment model once disruption criteria are met. Microsoft also says the device keeps its connection to Defender for Endpoint during isolation. (learn.microsoft.com)

That matters because the company positions the feature as containment, not abandonment: defenders can still monitor the machine, investigate activity and bring the asset back online after response steps are complete.

Which machines are hardest to auto-isolate in practice?

Microsoft’s own documentation points to the operational tradeoff by documenting isolation exclusions and selective isolation. (learn.microsoft.com) The company says some critical services, including management tools or security products, may need to stay operational during network isolation, and exclusions can allow designated processes, IP addresses or services to bypass restrictions. (learn.microsoft.com)

That makes endpoint class a policy question as much as a product question. A standard employee laptop is easier to isolate than an administrator workstation, a jump box, or a machine tied to business-critical operations. Computerworld reported that security practitioners will need to tune the capability so it does not create unnecessary disruption or become a path for abuse if policies are too broad. (learn.microsoft.com)

Where does Microsoft want customers to manage this?

Microsoft’s configuration guidance says administrators can set up and manage automatic attack disruption in the Defender portal, where they can review containment actions in incidents and the Action center and change settings if needed. The feature is listed in Microsoft’s “What’s new” page for Defender for Endpoint and is supported by the company’s response-action documentation for devices. (computerworld.com)

Microsoft’s next step is broader rollout beyond preview, but as of the May 2026 product update the company is presenting automatic device isolation as a preview capability inside Defender for Endpoint’s attack-disruption controls. (learn.microsoft.com 1) (learn.microsoft.com 2)
