Forum Discussion
smelias
Nov 08, 2023, Copper Contributor
Defender PC Isolation Questions
Hi,
We know we can "isolate" a PC using Defender if there's a detected compromise. However, how does this actually work? Is it using the existing software firewall on the PC to accomplish this via policies? I'm asking because we have a "chicken or egg" issue once the device is isolated. Yes, Azure Defender can continue monitoring the device (so local L2/L3 communications are working "restrictive"); however, can we add another service to the restrictive mode (aka Intune auto-rebuild)? It would be a great feature to trigger an "auto rebuild" once the PC is isolated. Is this possible today?
- jbmartin6 (Iron Contributor): It may be possible, but what would the use of isolate be in that case? Just trigger the auto-rebuild directly. That process takes it offline, so I don't see where MDE isolation adds anything. The whole point of MDE isolation is to be able to continue investigating the host, such as for files or memory artifacts, without allowing it to be used by an attacker.
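For anyone arriving here wanting to drive the isolation step the original question describes from a script rather than the portal, the following is an added example written for this page; it is not code from the thread, from Microsoft, or from any product documentation. It calls the Microsoft Defender for Endpoint machine-action API to isolate a device, polls the resulting action until it settles, and releases the device again. It assumes an Entra ID app registration with the WindowsDefenderATP application permission Machine.Isolate (admin-consented) and the target device's MDE machine id; every tenant, client and machine id below is a hypothetical placeholder.

```powershell
# Added example, not from the thread: isolate and release an MDE-onboarded device
# through the Defender for Endpoint API. All ids below are hypothetical placeholders.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # hypothetical tenant id
$ClientId  = '11111111-1111-1111-1111-111111111111'   # hypothetical app (client) id
$Secret    = Read-Host -AsSecureString 'App client secret'
$MachineId = 'hypothetical-mde-machine-id'            # from the device page / /api/machines
$ApiBase   = 'https://api.securitycenter.microsoft.com/api'

# 1. Client-credentials token scoped to the MDE API resource.
$tokenBody = @{
    client_id     = $ClientId
    client_secret = [System.Net.NetworkCredential]::new('', $Secret).Password
    scope         = 'https://api.securitycenter.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $tokenBody).access_token
$Headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# 2. Isolation request. The API exposes two modes only: 'Full' (device keeps only
#    its connectivity to the Defender for Endpoint service, which is why the portal
#    can still monitor it) and 'Selective' (additionally leaves Outlook, Teams and
#    Skype for Business reachable). A Comment is mandatory and lands in the audit trail.
function Invoke-MdeIsolate {
    param(
        [Parameter(Mandatory)][string]$Id,
        [ValidateSet('Full', 'Selective')][string]$Type = 'Full',
        [Parameter(Mandatory)][string]$Comment
    )
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$ApiBase/machines/$Id/isolate" `
        -Body (@{ Comment = $Comment; IsolationType = $Type } | ConvertTo-Json)
}

# 3. Release from isolation once the investigation (or the rebuild) is done.
function Invoke-MdeUnisolate {
    param([Parameter(Mandatory)][string]$Id, [Parameter(Mandatory)][string]$Comment)
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$ApiBase/machines/$Id/unisolate" `
        -Body (@{ Comment = $Comment } | ConvertTo-Json)
}

# 4. Machine actions are asynchronous: the POST returns a machineAction object and
#    the device applies it on its next check-in, so poll the action instead of
#    assuming the host is contained the moment the call returns.
function Wait-MdeMachineAction {
    param([Parameter(Mandatory)][string]$ActionId, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $action = Invoke-RestMethod -Headers $Headers -Uri "$ApiBase/machineactions/$ActionId"
    } while ($action.status -in @('Pending', 'InProgress') -and (Get-Date) -lt $deadline)
    return $action
}

# Usage: contain the host while artifacts are collected, then release it.
$iso = Invoke-MdeIsolate -Id $MachineId -Type Selective `
    -Comment 'IR-1234: contain host pending memory/file collection'   # hypothetical ticket
$result = Wait-MdeMachineAction -ActionId $iso.id
Write-Host "Isolation action $($iso.id) finished with status: $($result.status)"

# ... collect evidence, or hand the device to the rebuild workflow ...

$rel = Invoke-MdeUnisolate -Id $MachineId -Comment 'IR-1234: investigation complete'
Write-Host "Release action $($rel.id) submitted"
```

Two practical caveats that follow from the code rather than from anything in the thread: the isolate endpoint accepts only the Full and Selective modes shown above, so there is no parameter here for allowing an arbitrary extra service such as a management agent, and the action status should be checked before treating the host as contained, because an offline device only applies the isolation when it next contacts the service.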