Device Isolation
Isolate compromised devices from the network while maintaining management connectivity through Microsoft Defender for Endpoint.
Warning: Device isolation blocks all network traffic except the Defender for Endpoint management channel. Users on the isolated device lose access to all other network resources until the isolation is released.
Isolation Types
| Type | Description |
|---|---|
| Full isolation | Block all network connections except management |
| Selective isolation | Block specific protocols while allowing others |
Workflow
- Identify compromised device from security alert
- Select device and choose Isolate action
- Confirm isolation with reason and notes
- Device is isolated within minutes
- Investigate using Defender for Endpoint tools
- Release isolation when threat is remediated
Isolated Device Capabilities
- Defender for Endpoint communication maintained
- Live response sessions available
- Evidence collection possible
- Automated investigation continues
API Reference
- `POST /api/security/devices/:id/isolate` — Isolate device
- `POST /api/security/devices/:id/release` — Release isolation
- `GET /api/security/devices/:id/isolation-status` — Get status
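The following added example is not part of this page or the product's own client code. It walks the workflow above (isolate, confirm, investigate, release) against the three endpoints in the API reference. Everything beyond the endpoint paths is assumed: the host in `BASE_URL`, bearer-token authentication, JSON request bodies carrying `type`, `reason` and `notes`, HTTP 200/202 as success codes, and an `isolated` boolean in the status response. A constructed in-memory stand-in (`FakeIsolationService`) models the "isolated within minutes" delay so the whole flow runs offline; point `run_workflow` at `http_transport(token)` instead to talk to a real service.

```python
import json
import time
from typing import Callable, Optional, Tuple

BASE_URL = "https://soar.example.internal"   # assumed placeholder host
ISOLATION_TYPES = ("full", "selective")      # the two types from the table above
OK = (200, 202)                              # assumed success codes

# A transport is any callable (method, path, json_body) -> (http_status, json_dict),
# so the same workflow code runs against urllib or against the offline stand-in.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def http_transport(token: str) -> Transport:
    """Real transport over urllib (assumed bearer auth + JSON); only used against a live service."""
    from urllib import request, error

    def send(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(BASE_URL + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except error.HTTPError as e:
            return e.code, json.loads(e.read() or b"{}")
    return send


def isolate_device(send: Transport, device_id: str, reason: str,
                   notes: str = "", isolation_type: str = "full") -> dict:
    """Workflow steps 2-3: request isolation; a reason is mandatory, matching the confirm step."""
    if not reason.strip():
        raise ValueError("isolation requires a documented reason")
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"unknown isolation type {isolation_type!r}")
    body = {"type": isolation_type, "reason": reason, "notes": notes}
    status, resp = send("POST", f"/api/security/devices/{device_id}/isolate", body)
    if status not in OK:
        raise RuntimeError(f"isolate failed: HTTP {status} {resp}")
    return resp


def wait_until_isolated(send: Transport, device_id: str, timeout_s: int = 600,
                        poll_s: int = 15, sleep=time.sleep) -> dict:
    """Workflow step 4: poll isolation-status until the device reports isolated, or give up."""
    elapsed = 0
    while True:
        status, resp = send("GET", f"/api/security/devices/{device_id}/isolation-status", None)
        if status != 200:
            raise RuntimeError(f"status query failed: HTTP {status} {resp}")
        if resp.get("isolated") is True:      # assumed field name
            return resp
        if elapsed >= timeout_s:
            raise TimeoutError(f"{device_id} still not isolated after {timeout_s}s")
        sleep(poll_s)
        elapsed += poll_s


def release_device(send: Transport, device_id: str, notes: str = "") -> dict:
    """Workflow step 6: lift the isolation once the threat is remediated."""
    status, resp = send("POST", f"/api/security/devices/{device_id}/release", {"notes": notes})
    if status not in OK:
        raise RuntimeError(f"release failed: HTTP {status} {resp}")
    return resp


def run_workflow(send: Transport, device_id: str, reason: str,
                 investigate: Callable[[str], bool], isolation_type: str = "full",
                 sleep=time.sleep) -> Tuple[dict, Optional[dict]]:
    """Isolate, wait for confirmation, run the caller's investigation (step 5, e.g. a live
    response session), and release only if it reports the threat remediated."""
    isolate_device(send, device_id, reason, isolation_type=isolation_type)
    confirmed = wait_until_isolated(send, device_id, sleep=sleep)
    released = release_device(send, device_id, "threat remediated") if investigate(device_id) else None
    return confirmed, released


class FakeIsolationService:
    """Constructed offline stand-in for the service: a device reports isolated only after
    `settle_polls` status checks, mimicking the 'isolated within minutes' delay."""

    def __init__(self, settle_polls: int = 2):
        self.settle_polls, self.devices, self.calls = settle_polls, {}, []

    def __call__(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        self.calls.append((method, path, body))
        _, _, _, _, device_id, action = path.split("/")
        dev = self.devices.setdefault(device_id, {"requested": False, "isolated": False, "polls": 0})
        if (method, action) == ("POST", "isolate"):
            dev.update(requested=True, polls=0, type=body["type"], reason=body["reason"])
            return 202, {"status": "pending"}
        if (method, action) == ("POST", "release"):
            dev.update(requested=False, isolated=False)
            return 200, {"status": "released"}
        if (method, action) == ("GET", "isolation-status"):
            if dev["requested"]:
                dev["polls"] += 1
                dev["isolated"] = dev["polls"] >= self.settle_polls
            return 200, {"isolated": dev["isolated"], "type": dev.get("type")}
        return 404, {"error": "unknown endpoint"}


if __name__ == "__main__":
    svc = FakeIsolationService()
    print(run_workflow(svc, "dev-1", "Alert: suspected credential theft",
                       investigate=lambda d: True, sleep=lambda s: None))
```

The transport indirection is the point: the polling loop, the mandatory reason, and the "release only after remediation" rule are all testable without a network, and swapping in `http_transport` changes nothing else.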