Forum Discussion

The_Red_Telletubby
Copper Contributor
Jan 18, 2024

Remove a wiped device from Defender For Endpoint isolation

Scenario

A user's device had downloaded and executed malware just prior to the user going to lunch. As we were unable to contact the user, we isolated the device via Defender For Endpoint.

After analysis, we determined that the device would require re-imaging. Our Support guys attempted to reimage via PXE boot but were unable to connect to the server (errrr... because isolated). They attempted to run the de-isolation script, but it apparently didn't work.

The device was then wiped (using forensic equipment) and attempted to PXE boot again - still isolated.

Questions

1. How exactly does the isolation occur? What is the thing that actually isolates it? Agent? TPM? If it is server side, can we offboard the device or remove it from Azure etc. in order to break the isolation?

2. Is the de-isolation script intended for such a purpose? It reported a bunch of errors:

3. If the device has been wiped, and the de-isolation script now cannot be run on the machine without an OS, what are our options?

Cheers

Jason

2 Replies

  • jbmartin6
    Iron Contributor
    What you describe does seem unexpected, but regarding the errors: this is a Windows cmd script, not a PowerShell script; try running it in a classic Command Prompt window, aka cmd.exe.
    • The_Red_Telletubby
      Copper Contributor
      Thanks, I wasn't the user who ran the script, but yeah, PS was used!

      How do other organisations handle isolations - particularly when you want to reimage the device to remediate risk of malware?