
Microsoft Defender receives an interesting update: What it means for your security

Microsoft Defender for Endpoint adds automatic IP containment to block risky traffic from undiscovered devices, boosting protection against lateral attacks.

Agencias

  • April 17, 2025
  • Updated: April 17, 2025 at 1:11 PM

Microsoft has introduced a powerful new security capability in Defender for Endpoint aimed at blocking communications from and to undiscovered devices. The goal is to reduce the risk of cyberattacks by automatically restricting network activity from endpoints that haven’t been onboarded or recognized by the system. This update reinforces Microsoft’s push toward preventing lateral movement across enterprise networks, a common tactic in sophisticated cyberattacks.

Automatic IP containment blocks risky traffic

The new feature, currently in testing, is designed to automatically detect and contain IP addresses linked to unknown or unmanaged endpoints. These devices often represent significant risks, as they might lack proper security controls and evade standard monitoring. Once such a device is identified, Defender for Endpoint activates a containment policy, blocking communication to and from that IP without requiring manual intervention.

This process is part of what Microsoft calls “automatic attack disruption,” a system that can incriminate a malicious device and limit its activity by enforcing targeted restrictions. Rather than isolating the device completely, the system applies granular controls, blocking specific ports or traffic directions depending on the threat level and the role of the asset.

Admins can undo containment if needed

For added flexibility, administrators will be able to reverse the containment through the Action Center, using a dedicated “Undo” button in the “Contain IP” menu. The feature will be available for devices running Windows 10, Windows Server 2012 R2, 2016, and 2019 or later, as long as they are onboarded to Defender for Endpoint.
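The two behaviours described above, automatic containment of traffic involving an unmanaged IP with granular port and direction rules, and an administrator's ability to undo that containment, can be illustrated with a small policy model. The following is an added example written for this article; it is not Microsoft's implementation and does not use any Defender API. The `Flow`, `ContainmentRule` and `Containment` names, the device inventory and the sample flows are all constructed for the illustration.

```python
"""Toy model of per-IP containment with granular, reversible rules.

Constructed illustration, not Microsoft's code: a device inventory lists the
onboarded endpoints; the first time traffic involves an IP that is not in that
inventory, a containment rule is created for it automatically. A rule may
restrict only one direction and/or specific destination ports rather than
isolating the host entirely, and an administrator can undo it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, FrozenSet


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data)."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class ContainmentRule:
    ip: str
    direction: str = "both"              # "inbound", "outbound" or "both", relative to the contained IP
    ports: Optional[FrozenSet[int]] = None  # None means every port is covered
    active: bool = True                  # False after an administrator undo


class Containment:
    def __init__(self, onboarded_ips: Iterable[str]):
        self.onboarded = set(onboarded_ips)
        self.rules: Dict[str, ContainmentRule] = {}  # one rule per contained IP

    def observe(self, flow: Flow) -> Optional[str]:
        """Auto-contain an unmanaged IP seen in traffic; return it, or None if nothing new."""
        for ip in (flow.src_ip, flow.dst_ip):
            if ip not in self.onboarded and ip not in self.rules:
                self.rules[ip] = ContainmentRule(ip=ip)  # default: block both directions, all ports
                return ip
        return None  # already handled (or undone by an admin, which we do not override)

    def contain(self, ip: str, direction: str = "both", ports: Optional[Iterable[int]] = None) -> None:
        """Replace the rule for an IP with a narrower (port/direction-specific) one."""
        self.rules[ip] = ContainmentRule(ip=ip, direction=direction,
                                         ports=frozenset(ports) if ports else None)

    def undo(self, ip: str) -> bool:
        """Administrator 'Undo': deactivate the rule but keep the record of it."""
        rule = self.rules.get(ip)
        if rule is None:
            return False
        rule.active = False
        return True

    def is_blocked(self, flow: Flow) -> bool:
        """Decide whether a flow would be dropped under the active rules."""
        for rule in self.rules.values():
            if not rule.active:
                continue
            if rule.ip == flow.src_ip:        # traffic leaving the contained IP
                direction_hit = rule.direction in ("outbound", "both")
            elif rule.ip == flow.dst_ip:      # traffic heading to the contained IP
                direction_hit = rule.direction in ("inbound", "both")
            else:
                continue
            if direction_hit and (rule.ports is None or flow.dst_port in rule.ports):
                return True
        return False


if __name__ == "__main__":
    policy = Containment(["10.0.0.5", "10.0.0.6"])          # constructed inventory
    flow = Flow("10.0.0.99", "10.0.0.5", 445)               # unmanaged host talking to a managed one
    print("contained:", policy.observe(flow), "blocked:", policy.is_blocked(flow))
    policy.contain("10.0.0.99", direction="inbound", ports=[445, 3389])
    print("after narrowing, outbound 445 blocked:", policy.is_blocked(flow))
    policy.undo("10.0.0.99")
    print("after undo, blocked:", policy.is_blocked(Flow("10.0.0.5", "10.0.0.99", 3389)))
```

The model keeps the undone rule as an inactive record rather than deleting it, so the automatic path does not immediately re-contain an IP an administrator has just released; a real product would need an explicit policy for when automatic containment may resume.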

This update could significantly enhance organizational security, especially in environments where unmanaged devices regularly appear on the network.
