Microsoft Defender for Endpoint Can Now Block Bad Unmanaged Devices

Microsoft Defender for Endpoint users now have a new "Contain" feature for compromised devices, Microsoft announced on Thursday.

The Contain option in Microsoft Defender for Endpoint will block a device's communications with other devices. The blocking will continue even if the IP address of the compromised device is changed.

One noteworthy aspect of the Contain feature is that it'll work on devices "not enrolled in Microsoft Defender for Endpoint."

These nonenrolled devices might be Internet of Things-type devices in environments where an organization's network access controls are lacking. IT pros may have trouble locating such devices. Addressing the problem might be a hands-on ordeal, the announcement suggested.

The Contain feature is similar to a device Isolation feature in Microsoft Defender for Endpoint, but it doesn't require device enrollment to work. Once a device is contained, it takes about five minutes for the blocked communications to take effect for other devices, Microsoft noted in its documentation.

The role-based access control permissions needed by IT pros to use the Contain feature are "similar to device isolation," Microsoft indicated. Those exact permissions weren't spelled out, though.

Exactly how the new Contain feature works wasn't explained. It has a few safeguards. If the compromised device is a network device, such as a router, Microsoft Defender for Endpoint will display a warning message that containing it "may cause network connectivity issues." Also, trying to contain a device that shares IP connections with other devices will trigger a warning message.

The Contain feature in Microsoft Defender for Endpoint is currently limited to the Windows platform. It works only with devices running Windows 10 (or newer) or Windows Server 2019 (or newer) operating systems.

However, the announcement promised that "additional platform support" for the Contain feature would be coming.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

