WDATP – Isolating infected machines

Windows Defender ATP recently added a feature that lets administrators isolate any computer from the network. This is very useful when a compromised machine is actively trying to spread through the network.

When you respond to the alert, you can open the list of possible actions for the compromised host, which includes several response actions:

When we click Isolate Machine, we are prompted to enter a comment.
After the Isolate Machine action has been run it can take up to a few minutes to apply on the client; once the machine is isolated, the client receives a notification:

The client is now unable to connect to the network. The same action is used to undo the isolation, and the user receives a notification that the client is no longer isolated.

Note: isolation is only available on Windows 10 1703 or newer.
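The post shows the isolation flow through the portal. The same action can be driven through the Microsoft Defender for Endpoint machine-action API, which is handy when isolation is triggered from a SOAR playbook or a ticketing hook. The following is an added example, not code from the original post or from Microsoft: it assumes an app-only bearer token holding the Machine.Isolate permission, the documented `POST /api/machines/{id}/isolate`, `POST /api/machines/{id}/unisolate` and `GET /api/machineactions/{id}` endpoints, and that the `Comment` field is mandatory (mirroring the comment prompt in the portal). The machine-action records in `demo()` are constructed, not captured from a tenant, so the block runs offline; the `demo` function itself is hypothetical and only exercises the flow.

```python
"""Isolate and release a device through the Microsoft Defender for Endpoint
machine-action API, waiting for the action to finish.

Added example, not code from the original post. Assumes an app-only OAuth
token with the Machine.Isolate permission and the documented endpoints
  POST /api/machines/{id}/isolate   body {"Comment": ..., "IsolationType": ...}
  POST /api/machines/{id}/unisolate body {"Comment": ...}
  GET  /api/machineactions/{id}
The sample responses in demo() are constructed, not captured from a tenant."""
import json
import time
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"
# A machine action is finished once it leaves Pending / InProgress.
TERMINAL_STATES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def build_isolate_request(machine_id, comment, isolation_type="Full", release=False):
    """Return (url, body) for an isolate or unisolate call.

    The comment is mandatory, mirroring the prompt in the portal, so the reason
    ends up in the action history. IsolationType is Full or Selective (Selective
    keeps Outlook, Teams and Skype for Business traffic working); the portal
    flow described in the post corresponds to Full."""
    if not comment or not comment.strip():
        raise ValueError("a comment is required for isolation actions")
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    action = "unisolate" if release else "isolate"
    body = {"Comment": comment.strip()}
    if not release:
        body["IsolationType"] = isolation_type
    return f"{API_BASE}/machines/{machine_id}/{action}", body


def api_post(url, body, token):
    """POST a JSON body with a bearer token and return the parsed response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def api_get(url, token):
    """GET a JSON resource with a bearer token and return the parsed response."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_action(action_id, fetch, attempts=30, delay=10.0, sleep=time.sleep):
    """Poll GET /machineactions/{id} until the action reaches a terminal state.

    Isolation can take a few minutes to apply on the client, so the 201 from the
    POST is not confirmation. Returns the last status seen, which is still
    non-terminal if the attempts run out."""
    status = "Pending"
    for _ in range(attempts):
        status = fetch(f"{API_BASE}/machineactions/{action_id}")["status"]
        if status in TERMINAL_STATES:
            return status
        sleep(delay)
    return status


def isolate_and_confirm(machine_id, comment, post, fetch, release=False, **poll):
    """Submit the action via `post(url, body)` and wait for it via `fetch(url)`.

    Returns (action_id, final_status). The transports are injected so the same
    flow runs against the real API or against constructed responses."""
    url, body = build_isolate_request(machine_id, comment, release=release)
    action = post(url, body)
    if action.get("type") not in ("Isolate", "Unisolate"):
        raise RuntimeError(f"unexpected machine action type: {action.get('type')!r}")
    return action["id"], wait_for_action(action["id"], fetch, **poll)


def demo():
    """Run the flow offline against constructed machine-action records."""
    # Constructed: the shape of a machine action record returned by the API.
    base = {"id": "ACTION-ID-PLACEHOLDER", "type": "Isolate",
            "requestor": "analyst@example.com",
            "requestorComment": "Active lateral movement from this host",
            "machineId": "MACHINE-ID-PLACEHOLDER",
            "computerDnsName": "ws01.example.com"}
    progress = iter(["Pending", "InProgress", "Succeeded"])

    def fake_post(url, body):
        assert url.endswith("/isolate") and body["IsolationType"] == "Full"
        return dict(base, status="Pending")

    def fake_fetch(url):
        assert url.endswith("/machineactions/" + base["id"])
        return dict(base, status=next(progress))

    return isolate_and_confirm("MACHINE-ID-PLACEHOLDER",
                               "Active lateral movement from this host",
                               fake_post, fake_fetch, sleep=lambda s: None)


if __name__ == "__main__":
    print(demo())  # ('ACTION-ID-PLACEHOLDER', 'Succeeded')
```

Against a real tenant, pass `lambda u, b: api_post(u, b, token)` and `lambda u: api_get(u, token)` as the transports and keep the default polling interval; treating only a terminal `Succeeded` status as confirmation matches the delay the post describes between clicking Isolate Machine and the client actually being cut off.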

Published by

Karim El-Melhaoui

Working as a Technical Architect in Advania Norway with focus on Microsoft Infrastructure, Cloud and security. My daily tasks are advisory, design and implementation of products and security measures for companies. Continuously focusing on developing my skillset and staying up to date with the newest in technology. Microsoft Certified Trainer, MCSE Cloud Platform & Infrastructure and Mobility, MCSA Windows Client, Server and Office 365.
