Microsoft Defender For Endpoint Now Isolates Undiscovered Endpoints

With recent updates, Microsoft took another step towards thwarting network threats with Defender. As announced, Microsoft Defender now isolates all endpoints yet undiscovered to prevent lateral movement on a compromised network.

Microsoft Defender Isolates Undiscovered Endpoints For Enhanced Security

According to its recent announcement, the latest Defender for Endpoint update brings the feature to isolate undiscovered endpoints to contain potential attacks.

Cyberattacks on networks often give attackers room for lateral movement, which can lead to the compromise of almost every connected device. While Microsoft Defender for Endpoint defends against such attacks, blocking attacks that pass through devices not onboarded to Defender could be difficult, letting the threat persist. With the recent update, however, Microsoft Defender for Endpoint now isolates undiscovered endpoints, blocking lateral movement.

To achieve this, Microsoft Defender for Endpoint implements IP containment. This means the tool contains any IP address it detects on the network that is not associated with an onboarded device. Restricting traffic to and from these undiscovered IP addresses prevents a malicious device from connecting to other devices on the network.

As explained in Microsoft’s post, Defender achieves this device isolation via “automatic attack disruption,” which disrupts lateral movement.

Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through automatic attack disruption. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded.

Regarding automatic attack disruption, Microsoft explained,

Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level.

Upon containing a suspicious IP, the tool will display the details in the Action Center for the users to review. Users may identify if the contained IP belongs to a known or an unknown device. They may also stop IP address containment at any time.
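The following is an added illustrative model of the Contain IP logic described in the paragraphs above (contain IPs not associated with an onboarded device, block traffic to and from them, and let an analyst stop containment after review). It is not Defender's own code or any Microsoft API; the onboarded inventory, the ARP/DHCP-style observation log and its format, and every function name are constructed assumptions so that the policy can be run and checked offline.

```python
"""Illustrative model of a 'Contain IP' policy (added example, not Defender code).

Assumed inputs: a hostname -> IP inventory of onboarded devices and a simple
'<timestamp> <arp|dhcp> <ip> <mac>' observation log. Both are constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re

# Constructed inventory of onboarded devices (assumption: hostname -> set of IPs).
ONBOARDED = {
    "ws-01": {"10.0.1.10"},
    "ws-02": {"10.0.1.11", "10.0.1.12"},
    "srv-dc": {"10.0.1.5"},
}

# Constructed network observations in an assumed DHCP/ARP-style log format.
OBSERVED_LOG = """\
2025-04-10T08:00:01 arp 10.0.1.10 aa:bb:cc:00:00:10
2025-04-10T08:00:02 arp 10.0.1.5 aa:bb:cc:00:00:05
2025-04-10T08:00:03 dhcp 10.0.1.77 aa:bb:cc:00:00:77
2025-04-10T08:00:04 arp 10.0.1.11 aa:bb:cc:00:00:11
garbage line that must be ignored
2025-04-10T08:00:05 arp 10.0.1.77 aa:bb:cc:00:00:77
2025-04-10T08:00:06 dhcp 10.0.1.200 aa:bb:cc:00:02:00
"""

LINE_RE = re.compile(r"^(\S+) (arp|dhcp) (\S+) (\S+)$")


def parse_observations(text):
    """Return {ip: mac} for every well-formed log line; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, _src, ip, mac = m.groups()
        try:
            seen[str(ip_address(ip))] = mac  # normalises and rejects non-IP tokens
        except ValueError:
            continue
    return seen


def undiscovered_ips(observed, onboarded=ONBOARDED, scope=ip_network("10.0.1.0/24")):
    """IPs seen on the network (inside scope) that no onboarded device claims."""
    known = {ip for ips in onboarded.values() for ip in ips}
    return sorted(
        (ip for ip in observed if ip not in known and ip_address(ip) in scope),
        key=ip_address,
    )


@dataclass
class ContainmentState:
    """Tracks which IPs are contained and which an analyst has released."""
    contained: dict = field(default_factory=dict)  # ip -> reason shown for review
    released: set = field(default_factory=set)     # analyst stopped containment

    def apply_policy(self, observed, onboarded=ONBOARDED):
        """Contain every undiscovered IP unless an analyst already released it."""
        for ip in undiscovered_ips(observed, onboarded):
            if ip in self.released or ip in self.contained:
                continue
            self.contained[ip] = "IP not associated with an onboarded device"
        return sorted(self.contained, key=ip_address)

    def is_blocked(self, src, dst):
        """Traffic is blocked when either side of the flow is a contained IP."""
        return src in self.contained or dst in self.contained

    def release(self, ip):
        """Analyst review outcome: stop containment and remember the decision."""
        self.contained.pop(ip, None)
        self.released.add(ip)


if __name__ == "__main__":
    state = ContainmentState()
    obs = parse_observations(OBSERVED_LOG)
    print("contained:", state.apply_policy(obs))
    print("blocked ws-01 -> 10.0.1.77:", state.is_blocked("10.0.1.10", "10.0.1.77"))
    state.release("10.0.1.77")  # analyst identified the device and stopped containment
    print("contained after review:", state.apply_policy(obs))
```

The `release` step models the Action Center review described above: once an analyst identifies a contained IP as a known device and stops containment, a later policy pass does not re-contain it, while IPs that remain undiscovered stay contained.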

While IP containment may sound like a new feature, Microsoft Defender for Endpoint already implements containment of compromised critical assets and users.

Specifically, the contain device feature is available with Defender for Endpoint on Windows 10, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019+ devices, whereas the contain user feature is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Server 2012 R2 and 2016 with the modern agent.

Other Security Upgrades With April Release

In addition to the IP containment policy for undiscovered endpoints, the April 2025 release of Microsoft Defender for Endpoint also brings two new ASR (Attack Surface Reduction) rules. These include,

To receive all these updates, users must make sure to update their systems with the latest release of Microsoft Defender for Endpoint.

Let us know your thoughts in the comments.
