Unmanaged Windows machines that have been infected are now isolated by Microsoft Defender

Microsoft Defender for Endpoint (MDE) now provides new functionality that allows businesses to prevent attackers from traveling laterally across the network using compromised unmanaged devices.

This new feature allows network managers to “contain” unmanaged Windows devices on their networks in the event that they have been hacked or are suspected of having been hacked.

The corporate endpoint security platform will direct Windows systems on the network to prohibit all communication to and from the device after it has been tagged as contained.

This can assist prevent hostile actors from spreading an infection that would otherwise do more damage by preventing them from moving laterally within the business via unmanaged devices.

“While the security operations analyst locates, identifies, and remediates the threat on the compromised device,” Microsoft writes, “this activity can help prevent surrounding devices from becoming compromised.”

While MDE-enrolled devices may be segregated to prevent malicious actors from compromising other devices, companies today may find it difficult to respond to a compromised device that isn’t secured by MDE.

In many circumstances, the time between the SOC analyst recognising the threat and the network team/IT resolving the problem implies that the device has already compromised other devices.

According to Microsoft, when an admin “contains” a device, any MDE onboarded device will block incoming and outgoing communication with that device.

Only onboarded MDE devices running Windows 10 and Windows Server 2019+ are supported by the new MDE capabilities.

This means that the enclosed system will be able to access additional devices that haven’t been onboarded, despite being isolated from all managed Windows devices on the network.

How do you keep infected Windows devices under control?

Administrators must take the following procedures to contain a possibly compromised device:

• Select the device to confine from the Microsoft 365 Defender portal’s ‘Device inventory’ page.
• From the device flyout’s actions menu, choose ‘Contain device.’
• Type a comment in the contain device popup and then click ‘Confirm.’

Microsoft Defender for Endpoint onboarded devices can take up to 5 minutes to start blocking communications once you confine an unmanaged device.

If any of the network’s enclosed devices changes its IP address, all enrolled devices will notice and start blocking communications with the new IP address.