Microsoft Defender for Endpoint Safe Attachments

Customer is using the default "Send safe samples automatically" and wanted to know how Microsoft would classify if the document has PII so user is prompted to allow, especially a Macro enabled Excel File

Will Microsoft Defender for Endpoint treat the file downloaded from Internet and Internal downloads (Internal Email Outlook attachment / SharePoint Online) the same way.

• I would expect it to work the same way but is there a difference that we should be aware off.

When a device is marked for Full Isolation in MDE, is it blocking Windows Firewall / killing specific process.

• They have very complex VPN Tunnel environment, and they are afraid Isolating the device might impact their VPN configuration and end-up rebuilding the device.

What is an expected timeline for Microsoft Defender for Endpoint to confirm a file is malicious (I understand, it will vary from file to file, but is there any recommended statement i can share with the Customer.)