New Containment Feature for Microsoft Defender

Microsoft has introduced a new feature for Microsoft Defender for Endpoint (MDE), aimed at helping organizations contain cyber attacks executed via compromised devices. Such attacks typically involve lateral movement, a technique attackers use to move deeper into a network after initial access. The new feature allows network administrators to contain Windows devices in the event of a confirmed or suspected compromise. Once a device is contained, Microsoft Defender will block incoming and outgoing communications with it. This approach significantly limits possible attack actions, as an attacker will no longer be able to move across an organization’s network.

“New functional features of Microsoft Defender will protect the devices neighboring those compromised, as the latter will be simply isolated,” stated Microsoft. 

Containing a device with the new feature is quite simple. First, go to the Device Inventory page and select the device to be contained. Then, choose the ‘Contain device’ option from the Actions menu of the device and confirm the action.

In the meantime, security operations analysts will be able to locate, identify, and remediate a threat on the compromised device. However, there is one important caveat for this new feature’s functionality: blocking incoming and outgoing communications for a contained device is currently supported only on Windows 10 and Windows Server 2019+ systems.

