WDATP – Isolating infected machines

Windows Defender ATP recently added a feature that lets administrators isolate any computer from the network. This is very useful when a compromised machine is actively trying to spread through the network.

When you respond to the alert, you can open the compromised host and choose from several response actions:

When we click Isolate Machine we are prompted to enter a comment.

Looking at the client after running the Isolate Machine action, it can take a few minutes to apply; once the machine is isolated the client receives a notification:

The client will now be unable to connect to the network. The same action is used to undo the isolation, and the user will receive a notification that the client is no longer isolated.

Note: isolation is only available on Windows 10 1703 or newer.
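The post only shows the portal buttons. As an added example (not from the post or from Microsoft), the same Isolate / Release from isolation actions driven through the Defender for Endpoint REST API, which is assumed here: the api.securitycenter.microsoft.com host, the `/machines/{id}/isolate` and `/unisolate` endpoints, the `machineactions` status polling and a bearer token obtained separately are all assumptions. It enforces the mandatory comment and waits out the few minutes the action needs before reporting the final status.

```python
import json
import time
import urllib.request

# Assumed base URL of the Defender for Endpoint API; not part of the original post.
API = "https://api.securitycenter.microsoft.com/api"
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def build_action(machine_id, comment, isolate=True, isolation_type="Full"):
    """Return (url, body) for an Isolate or Release-from-isolation action.
    A comment is mandatory, just as the portal prompts for one."""
    if not comment or not comment.strip():
        raise ValueError("a comment is required for machine actions")
    body = {"Comment": comment.strip()}
    if isolate:
        body["IsolationType"] = isolation_type  # assumed values: "Full" or "Selective"
    verb = "isolate" if isolate else "unisolate"
    return f"{API}/machines/{machine_id}/{verb}", body


def _request(url, token, body=None):
    """Real HTTP transport (GET when body is None, otherwise JSON POST)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def wait_for_action(action_id, token, getter=_request, poll=30, timeout=600):
    """Poll the machine action until it is terminal; isolation takes minutes to apply."""
    deadline = time.monotonic() + timeout
    while True:
        action = getter(f"{API}/machineactions/{action_id}", token)
        status = action.get("status")
        if status in TERMINAL:
            return status
        if time.monotonic() >= deadline:
            return "TimeOut"
        time.sleep(poll)


def isolate_machine(machine_id, comment, token, isolate=True,
                    poster=_request, getter=_request, poll=30):
    """Submit the action and return its final status ("Succeeded" once applied).
    poster/getter are injectable so the flow can be exercised offline."""
    url, body = build_action(machine_id, comment, isolate=isolate)
    action = poster(url, token, body)
    return wait_for_action(action["id"], token, getter=getter, poll=poll)
```

The machine id and token are assumed to come from the machines list endpoint and an Azure AD app registration respectively; pass `isolate=False` with a comment to release the machine again.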
