One of the features Microsoft Defender for Endpoint offers is device isolation, which helps prevent the spread of malware and other threats within an organization’s network. Depending on the severity of the attack and the sensitivity of the device, it may be necessary to isolate it from the network. This action can help stop the attacker from using the compromised device for further activity, such as stealing data or moving laterally.
This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. The device remains functional, but all incoming and outgoing network traffic is blocked, except for traffic to a small set of allow-listed domains. This lets the security team investigate and contain the threat while minimizing the risk of further spread.
Possible Ways to Isolate the device
- Manually – You need to select the device in Microsoft Defender Security portal and then choose to isolate the device.
- Automate using Power Automate
In this post, I will be covering how you can manually isolate a device from the network using Microsoft Defender for Endpoint.
Steps to Manually Isolate a device
Login to Microsoft Security portal
Select Devices and then select the device you want to isolate.
Click on Device Value and then choose Isolate Device
The user will get a notification on the device.
To bring the device back onto the network, choose Release from Isolation.
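The second option listed above, automating the action, can also be done directly against the Defender for Endpoint machine-actions REST API instead of through the portal clicks just described. The following is an added example, not code from the original post; it assumes an Azure AD app token with the Machine.Isolate application permission supplied in the MDE_TOKEN environment variable, and the machine id is a constructed placeholder. The endpoint paths and the IsolationType values are the API's documented ones.

```python
"""Isolate and release a device through the Microsoft Defender for Endpoint
machine-actions API (added example; not the post's own content).

Assumptions: a bearer token for the Defender for Endpoint API, obtained
separately with the Machine.Isolate application permission, is available in
the MDE_TOKEN environment variable; the machine id used below is a placeholder.
"""
import json
import os
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"
ALLOWED_ISOLATION_TYPES = ("Full", "Selective")


def build_isolation_request(machine_id: str, comment: str, isolation_type: str = "Full") -> dict:
    """Return the URL and JSON body for an Isolate Device action.

    'Full' matches the portal behaviour described in the post: all traffic is
    blocked except the Defender for Endpoint service. 'Selective' additionally
    leaves Outlook, Teams and Skype for Business reachable so the user can still
    be contacted while the investigation runs.
    """
    if isolation_type not in ALLOWED_ISOLATION_TYPES:
        raise ValueError(f"IsolationType must be one of {ALLOWED_ISOLATION_TYPES}")
    if not comment.strip():
        # The API requires a comment; it is recorded as the audit trail for the action.
        raise ValueError("A non-empty comment is required for every machine action")
    return {
        "url": f"{API_BASE}/machines/{machine_id}/isolate",
        "body": {"Comment": comment, "IsolationType": isolation_type},
    }


def build_release_request(machine_id: str, comment: str) -> dict:
    """Return the URL and JSON body for the matching Release from Isolation action."""
    if not comment.strip():
        raise ValueError("A non-empty comment is required for every machine action")
    return {
        "url": f"{API_BASE}/machines/{machine_id}/unisolate",
        "body": {"Comment": comment},
    }


def submit_machine_action(request: dict, token: str, timeout: int = 30) -> dict:
    """POST the action and return the MachineAction record the API sends back.

    The record carries an 'id' and a 'status' (Pending, InProgress, Succeeded,
    Failed, TimeOut, Cancelled); poll {API_BASE}/machineactions/{id} until the
    status is Succeeded before treating the device as contained.
    """
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder; a real id comes from the device page in the portal
    # or from GET {API_BASE}/machines.
    machine_id = "PLACEHOLDER-MACHINE-ID"
    token = os.environ.get("MDE_TOKEN")
    isolate = build_isolation_request(machine_id, "Incident INC-0001: contain suspected malware", "Full")
    release = build_release_request(machine_id, "Incident INC-0001: investigation closed")
    if token:
        print(json.dumps(submit_machine_action(isolate, token), indent=2))
    else:
        # No token: print the requests that would be sent so they can be reviewed first.
        print(json.dumps(isolate, indent=2))
        print(json.dumps(release, indent=2))
```

Without MDE_TOKEN set, the script only prints the two requests, which is a useful dry run before wiring it into a Power Automate flow or a SOAR playbook; the comment fields are mandatory on purpose, since they are what appears in the action history when someone later asks why a device was isolated.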
I hope you found this informative. Please share it if you think it is worth sharing.