Published: Jun 10, 2022
Microsoft Defender for Endpoint has released a new Contain feature that lets organizations isolate compromised unmanaged Windows devices from the network. The new capability will help IT admins prevent attackers from carrying out malicious activities such as lateral movement or data exfiltration.
Once a device is contained, Microsoft Defender for Endpoint will block its communications with all other Windows PCs. “This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device,” Microsoft noted.
Microsoft indicated that the Contain feature is similar to the existing device isolation option available in Microsoft Defender for Endpoint. However, it works with unmanaged devices that haven’t been onboarded yet.
Once the Contain action is triggered, it can take up to 5 minutes for all devices enrolled in Microsoft Defender for Endpoint to stop communications to and from the contained device. The blocking will continue even if the compromised device tries to change its IP address.
IT admins will also be able to unblock a specific device by selecting it from the Device inventory or opening its device page, then opening the action menu and selecting the “Release from containment” option to restore the device’s communication with the network.
Microsoft notes that the new Contain feature in Microsoft Defender for Endpoint is currently only available for PCs running Windows 10 (or newer) or Windows Server 2019 (or newer). The company has promised to bring support for additional platforms in future versions.