smelias
Copper Contributor
Nov 08, 2023

Defender PC Isolation Questions

Hi,

We know we can "isolate" a PC using Defender if there's a detected compromise. However, how does this actually work? Is it using the existing software firewall on the PC to accomplish this via policies? I'm asking because we have a "chicken or egg" issue once the device is isolated. Yes, Azure Defender can continue monitoring the device (so local L2/L3 communications are working "restrictively"), however can we add another service to the restrictive mode (aka Intune auto-rebuild)? It would be a great feature to trigger an "auto rebuild" once the PC is isolated. Is this possible today?

  • jbmartin6
    Iron Contributor
    It may be possible, but what would the use of isolate be in that case? Just trigger the auto-rebuild directly. That process takes it offline so I don't see where MDE isolation adds anything. The whole point of MDE isolation is to be able to continue investigating the host, such as for files or memory artifacts, without allowing it to be used by an attacker.