Ensure that essential functions continue in the event of a breach, while limiting broader network exposure
Network isolation refers to how Microsoft Defender for Endpoint restricts a compromised device’s communication within the network in order to contain threats and prevent lateral movement. But oftentimes when isolating devices, certain critical services like management tools or security solutions need to remain operational.
That's why Defender for Endpoint has launched selective isolation exclusions, which allow you to exclude specific devices, processes, IP addresses, or services from unilateral network isolation actions. This allows essential functions (e.g., remote remediation or monitoring) to continue in the event of a breach, while limiting broader network exposure.
Isolation Modes
There are two modes available:
- Full isolation:
- In this mode, the device is completely isolated from the network, and no exceptions are allowed. All traffic is blocked, except for essential communications with the Defender agent.
- Exclusions cannot be applied in full isolation mode. This is the most secure option, suitable for scenarios where a high level of containment is necessary.
- [New] Selective isolation:
- Selective isolation allows administrators to apply exclusions to ensure that critical tools and network communications can still function, even while maintaining the device’s isolated state.
- ⚠️ Note: Any exclusion weakens device isolation and increases security risks. To minimize risk, configure exclusions only when absolutely necessary. Regularly review and update exclusions to align with security policies.
To get started, read the isolation exclusions documentation.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Microsoft