
Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware

Cybersecurity News, May 26, 2026




By Guru Baran, May 26, 2026

Microsoft Defender for Endpoint has introduced automatic device isolation, a proactive containment capability that disconnects compromised workstations from the network the moment a high-confidence attack is detected, without waiting for human intervention.

Microsoft Defender for Endpoint can now automatically isolate compromised devices as part of its broader Automatic Attack Disruption framework. When the platform identifies an active ransomware campaign or sophisticated intrusion in progress, it immediately severs the affected device's network connections, cutting off the attacker's access while preserving the device's communication channel with the Defender for Endpoint service itself. This means security analysts continue to receive telemetry and maintain visibility into the compromised machine even while it is isolated.

The capability targets end-user workstations that are onboarded and managed by Microsoft Defender for Endpoint. It does not apply to servers or unmanaged devices under the current scope of this feature.

How Automatic Attack Disruption Works

Microsoft Defender XDR correlates millions of signals across endpoints, identities, email, and SaaS applications to build a single, high-confidence incident view. Once an active attack, such as ransomware propagation or Business Email Compromise (BEC) credential harvesting, is confirmed with sufficient confidence, the system automatically triggers containment actions at the incident level, not just the alert level.

For device isolation specifically, Defender for Endpoint disconnects the compromised asset from the broader network, preventing the attacker from using it as a launchpad for lateral movement, data exfiltration, or ransomware deployment to adjacent systems.

[Figure: Isolation based on ransomware attack]

The isolation is scoped to the specific devices involved in the incident, not broadly applied across the environment, minimizing collateral disruption to business operations. Microsoft has embedded several safeguards to prevent isolation from becoming an operational bottleneck:

- Time-limited containment: Isolation is automatically reversed after a defined time window, ensuring devices are not permanently cut off.
- Operator override: Security teams can manually release isolation at any point after completing investigation and remediation steps.
- Scoped targeting: Only devices directly implicated in the attack chain are isolated, not the entire environment.
- Exclusion support: Organizations can configure exclusion rules for critical business machines, so that high-priority assets receive selective isolation based on defined rules rather than full network disconnection.

After automatic isolation is applied, security operators can audit the full activity trail directly in the Microsoft Defender portal. The Activities tab within the incident view logs each isolation and unisolation event, including the timestamp, the triggering alert, and the automated action performer (Attack Disruption). The Action Center provides a historical log of all isolation actions, including their status (Completed or Failed), action source, and the deciding entity.

Ransomware groups rely heavily on speed; the faster they move laterally, the more damage they inflict before detection. By automating containment the moment a high-confidence signal is detected, Microsoft Defender for Endpoint removes the critical delay between detection and response. Security operations teams retain full investigative control, while the attack's blast radius is dramatically reduced, limiting both financial impact and productivity loss.
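The isolation and unisolation trail described above is only useful if someone checks it. The following is an added example, not code from the article or from Microsoft's tooling, of a post-containment review an operator might run over that trail: it flags automatic isolations that never completed and devices still isolated past the expected auto-release window. The record fields, the sample entries and the four-hour window are constructed assumptions for illustration.

```python
"""Audit the isolation/unisolation trail left by Attack Disruption.

Constructed sample records stand in for the Activities tab / Action Center
entries; field names and the auto-release window are assumptions, not Microsoft's."""
from datetime import datetime, timedelta

# Constructed sample trail: ws-01 isolated and auto-released, ws-02's isolation
# failed, ws-03 still isolated, ws-04 isolated and released by an analyst.
SAMPLE_ACTIONS = [  # (device, action type, status, action source, time)
    ("ws-01", "Isolate", "Completed", "Attack Disruption", "2026-05-26T08:00:00"),
    ("ws-01", "Unisolate", "Completed", "Attack Disruption", "2026-05-26T10:00:00"),
    ("ws-02", "Isolate", "Failed", "Attack Disruption", "2026-05-26T08:01:00"),
    ("ws-03", "Isolate", "Completed", "Attack Disruption", "2026-05-26T08:02:00"),
    ("ws-04", "Isolate", "Completed", "Analyst", "2026-05-26T09:00:00"),
    ("ws-04", "Unisolate", "Completed", "Analyst", "2026-05-26T09:30:00"),
]
AUTO_RELEASE_WINDOW = timedelta(hours=4)  # assumed value, not a Microsoft default


def audit_isolations(actions, now, window=AUTO_RELEASE_WINDOW):
    """Return what an operator must follow up on: failed automatic isolations,
    devices isolated past the window, and released devices with seconds isolated."""
    findings = {"failed": [], "overdue": [], "released": {}}
    open_isolations = {}  # device -> time the isolation took effect
    for device, kind, status, source, time in sorted(actions, key=lambda a: a[4]):
        when = datetime.fromisoformat(time)
        if kind == "Isolate":
            if status != "Completed":
                if source == "Attack Disruption":  # attacker may still have access
                    findings["failed"].append(device)
                continue
            open_isolations[device] = when
        elif kind == "Unisolate" and status == "Completed":
            started = open_isolations.pop(device, None)
            if started is not None:
                findings["released"][device] = int((when - started).total_seconds())
    # Anything still isolated past the window needs a manual release or an explanation.
    findings["overdue"] = [d for d, t in open_isolations.items() if now - t > window]
    return findings


def run_demo(now=datetime(2026, 5, 26, 14, 0, 0)):
    """Audit the constructed trail as of a fixed review time."""
    return audit_isolations(SAMPLE_ACTIONS, now)


if __name__ == "__main__":
    print(run_demo())
```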
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.