Microsoft Defender now isolates unmanaged Windows devices that have been compromised

Microsoft Defender now isolates unmanaged Windows devices that have been compromised. Image Credit: Microsoft


When an admin 'contains' a device, any MDE onboarded device will restrict incoming and outgoing communication with that device

Microsoft has introduced a new capability for Microsoft Defender for Endpoint (MDE) that will allow enterprises to prevent attackers from moving laterally across the network using compromised unmanaged devices.

This new capability gives network administrators the ability to "contain" unmanaged Windows devices on their networks in the event that such devices have been hacked or are suspected of having been compromised.

"Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you will be able to 'Contain' it," Microsoft said.

"As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device."

Microsoft says 71% of human-operated ransomware attacks begin with the compromise of an unmanaged device, often one that is exposed to the internet. Once compromised, that device is used as a foothold from which the attacker targets further devices on the network.

While a compromised MDE-enrolled device can be isolated to stop the attacker reaching other devices, responding to a compromised device that is not protected by MDE has been difficult for enterprises, because there is no MDE agent on that device to act on.

The delay between a SOC analyst recognising the threat and the network or IT team cutting the device off means that, in many cases, it has already been used to compromise other devices by the time it is removed from the network.

When an admin "contains" a device, any MDE onboarded device will restrict incoming and outgoing communication with that device, according to Microsoft.

If a contained device changes its IP address, all MDE-onboarded devices detect the change and begin blocking communication with the contained device's new IP address as well.

If the IP address of the device being contained is also in use by another device on the network, a warning is shown when the contain action is attempted, along with a link to advanced hunting, the query-based threat-hunting tool, so that the analyst can check which devices hold that address before proceeding.
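Because containment is enforced by the onboarded devices on the basis of the suspect's IP address, an analyst will want to confirm that the address is held by only one host before containing it. The advanced hunting (KQL) query below is an added example written for this article, not a query from Microsoft or the Defender portal; it uses the DeviceNetworkInfo table of the Defender advanced hunting schema, and the address 10.0.0.42 and the 7-day window are constructed placeholders.

```kql
// Added example (not Microsoft's own query): list onboarded devices that have
// held the suspect's IP address recently. 10.0.0.42 is a constructed placeholder.
let TargetIP = "10.0.0.42";
let Window = 7d;
DeviceNetworkInfo
| where Timestamp > ago(Window)
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}; expand it
| mv-expand Address = todynamic(IPAddresses)
| extend IP = tostring(Address.IPAddress)
| where IP == TargetIP
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceId, DeviceName, IP
| order by LastSeen desc
```

Only onboarded devices report into DeviceNetworkInfo, so any row returned means an MDE-managed host has recently used the same address (DHCP reuse, NAT, or a stale lease), and containing by that IP would also cut that host off from its peers; if the address is unique to the unmanaged suspect, the query returns nothing. The same TargetIP can be checked against DeviceNetworkEvents (RemoteIP == TargetIP) to see which onboarded devices have already exchanged traffic with the suspect, which are the first places to look for lateral movement.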

The newly introduced MDE functionality is only enforced by onboarded MDE devices running Windows 10 or Windows Server 2019 and later.

It comes months after Microsoft introduced a new security feature for Windows to block insecure drivers. That feature, announced in March, enables Windows users to block drivers that have known vulnerabilities by using Windows Defender Application Control (WDAC) and a vulnerable driver blocklist.

It's part of Microsoft's Core Isolation suite of security capabilities for devices that employ virtualisation-based security, according to the company.

It works with hypervisor-protected code integrity (HVCI) enabled devices running Windows 10, Windows 11, and Windows Server 2016 and higher, as well as Windows 10 computers in S mode.