Microsoft Previews Auto Device Isolation in Defender as SANS Warns It Could Disable 18 Accounts
Updated · Computerworld · May 27
Microsoft is testing automatic device isolation in Defender for Endpoint, a new auto attack disruption feature that cuts most network traffic while keeping infected machines linked to security services.
The tool is meant to stop machine-speed ransomware and lateral movement faster than human analysts can respond, with isolation scoped to an incident and reversible by operators.
A SANS paper said threshold-based autonomous enforcement can also cause broad disruption: in one 2025 phishing case, Defender's automated actions triggered emergency escalation before analysts realized the controls were system-driven.
In a lab with 18 users, researcher Marcio Enriquez said adversarial activity could push Defender past high-confidence thresholds and disable all 18 Active Directory identities, including the local domain administrator.
Microsoft declined to address the paper directly but said customers should keep auto attack disruption enabled by default, using granular tuning, exclusions and monitoring rather than opting out.
Maximizing Security with Microsoft Defender’s Automatic Device Isolation: Metrics, Misconfiguration Risks, and Operational Guidance
Overview
Microsoft Defender for Endpoint has introduced automatic device isolation in preview, a feature that disconnects compromised endpoints from the network to contain threats and prevent attackers from moving laterally. This immediate isolation limits the risk of further impact, such as data exfiltration or ransomware spread, while still allowing the device to communicate with Defender for Endpoint for ongoing monitoring. By quickly containing threats, security teams gain crucial time to investigate incidents and respond effectively to cyberattacks, strengthening the organization's overall security posture and reducing the chance of widespread damage.
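The summary above describes two sides of automatic disruption: isolation or account disabling that is scoped to an incident and reversible by operators, and the SANS finding that threshold-based enforcement can be pushed into disabling every identity in an 18-user lab, with analysts unable to tell that the actions were system-driven. The following Python model is an added example written for this page; it is not Defender's engine or API, and every name in it (the `Identity` and `Plan` types, the `plan_disruption`, `execute` and `revert_incident` functions, the 18 constructed identities and the risk scores) is assumed. It shows the guard rails a defender would want around such a feature: an exclusion list for break-glass accounts, a blast-radius cap that halts enforcement and escalates to a human when too many identities cross the threshold at once, an audit trail that records the actor as "automated", and a per-incident revert.

```python
"""Toy model of threshold-based automatic disruption with defender guard rails.
Constructed example; not Microsoft Defender code or API."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass
class Identity:
    name: str
    risk: float              # 0.0 (benign) .. 1.0 (high-confidence compromise)
    enabled: bool = True


@dataclass
class AuditEntry:
    incident_id: str
    actor: str               # "automated" or an analyst name, so reviewers can tell them apart
    action: str
    target: str


@dataclass
class Plan:
    disable: List[str]       # identities the engine will disable
    excluded: List[str]      # over the threshold but protected by the exclusion list
    halted: bool             # blast-radius cap tripped: nothing is executed, a human decides


def plan_disruption(identities: List[Identity], threshold: float = 0.9,
                    exclusions: FrozenSet[str] = frozenset(),
                    max_fraction: float = 0.25) -> Plan:
    """Decide which identities to disable for one incident.

    max_fraction caps the share of all identities that may be disabled
    automatically; exceeding it is treated as adversarial inflation or
    misconfiguration rather than as 18 simultaneous true positives."""
    over = [i.name for i in identities if i.risk >= threshold]
    excluded = [n for n in over if n in exclusions]
    disable = [n for n in over if n not in exclusions]
    halted = len(disable) > max_fraction * len(identities)
    return Plan(disable=[] if halted else disable, excluded=excluded, halted=halted)


def execute(plan: Plan, identities: List[Identity], incident_id: str,
            audit: List[AuditEntry]) -> int:
    """Apply the plan, tagging every action with the incident and actor. Returns the count disabled."""
    by_name = {i.name: i for i in identities}
    for name in plan.disable:
        by_name[name].enabled = False
        audit.append(AuditEntry(incident_id, "automated", "disable", name))
    if plan.halted:
        audit.append(AuditEntry(incident_id, "automated", "halt:blast_radius_cap", "*"))
    return sum(1 for i in identities if not i.enabled)


def revert_incident(incident_id: str, identities: List[Identity],
                    audit: List[AuditEntry], analyst: str) -> List[str]:
    """Operator-driven rollback scoped to one incident's automated actions."""
    by_name = {i.name: i for i in identities}
    reverted = [e.target for e in audit
                if e.incident_id == incident_id and e.actor == "automated" and e.action == "disable"]
    for name in reverted:
        by_name[name].enabled = True
        audit.append(AuditEntry(incident_id, analyst, "re-enable", name))
    return reverted


def build_lab() -> List[Identity]:
    """Constructed sample: 17 users plus one domain admin, matching the 18-identity lab size in the article."""
    ids = [Identity(f"user{i:02d}", 0.2) for i in range(1, 18)]
    ids.append(Identity("domain-admin", 0.2))
    return ids


ALL_NAMES = [i.name for i in build_lab()]


def run_scenario(compromised, exclusions: FrozenSet[str] = frozenset(),
                 max_fraction: float = 0.25) -> Tuple[int, List[str], bool, int, int]:
    """Raise the risk of the named identities past the threshold, run the engine, then revert.

    Returns (disabled, excluded, halted, reverted, enabled_after_revert)."""
    ids = build_lab()
    for i in ids:
        if i.name in compromised:
            i.risk = 0.95
    audit: List[AuditEntry] = []
    plan = plan_disruption(ids, exclusions=exclusions, max_fraction=max_fraction)
    disabled = execute(plan, ids, "INC-0001", audit)
    reverted = revert_incident("INC-0001", ids, audit, analyst="analyst-a")
    return disabled, plan.excluded, plan.halted, len(reverted), sum(1 for i in ids if i.enabled)


if __name__ == "__main__":
    print("no guard rails:     ", run_scenario(ALL_NAMES, max_fraction=1.0))
    print("break-glass excluded:", run_scenario(ALL_NAMES, frozenset({"domain-admin"}), 1.0))
    print("blast-radius cap:   ", run_scenario(ALL_NAMES))
    print("targeted incident:  ", run_scenario({"user03", "user07"}))
```

With the cap disabled (`max_fraction=1.0`) and no exclusions, the model reproduces the lab outcome from the paper: all 18 identities, the domain admin included, are disabled in one pass. Adding the admin to the exclusion list keeps a recovery path open, and the default 25% cap turns a mass trigger into a halt-and-escalate audit entry rather than an enforcement action, while a genuine two-account incident still gets contained. The `actor="automated"` tag is what lets an on-call analyst see at a glance that a control was system-driven.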