Microsoft Defender Now Blocks Unknown Devices to Stop Cyberattacks


Microsoft is rolling out a new security feature in its Defender for Endpoint platform designed to block cyberattacks before they can spread across corporate networks. The company announced that the new feature will automatically block traffic to and from endpoints that have not yet been discovered or onboarded, reducing the risk of lateral movement by attackers.

This proactive security measure will help prevent hackers from using unprotected or unknown devices as a bridge to access other systems within an organization. With this enhancement, Microsoft Defender for Endpoint becomes more efficient in identifying threats and stopping them in real time.

How the New IP Containment Feature Works

The new feature works by automatically containing the IP addresses of devices that haven’t been discovered or officially onboarded to Microsoft Defender for Endpoint. This containment stops any data from being sent or received by these devices, thereby cutting off potential attack routes.

Microsoft explains that when Defender detects a suspicious or unknown IP address, it immediately applies a containment policy. This policy blocks communication on certain network ports and in specific directions, effectively limiting any chance for an attacker to move laterally across the network.

Here’s what Microsoft had to say about the process:

“Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through automatic attack disruption. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded.”

In simpler terms, when Defender detects malicious activity coming from a device that hasn’t been officially onboarded to the Defender system, that device is blocked from sending or receiving network data. This prevents attackers from jumping from one device to another — a common tactic in advanced cyberattacks.

Targeted Containment for Maximum Security

One of the key strengths of this update is its granular control. Defender doesn’t just shut down all traffic blindly. Instead, it evaluates the device’s role in the network and applies a tailored policy. The containment focuses on specific network ports and traffic directions, minimizing disruption while still keeping the threat under control.

This method is called “automatic attack disruption,” and it allows Defender for Endpoint to act fast without requiring manual intervention from IT administrators. Once an issue is detected, the system identifies the device as malicious, applies an appropriate policy, and contains the threat in real time.
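To make the containment semantics described above concrete (an unknown IP is blocked only on selected ports and in selected directions, and an administrator can undo the block), here is a small constructed model in Python. It is an added illustration, not Microsoft’s implementation; the port numbers, the direction names and the `ContainmentEngine` API are assumptions made for the example.

```python
"""Toy model of a 'Contain IP' policy: constructed example, not Defender code."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Flag, auto
from ipaddress import ip_address


class Direction(Flag):
    INBOUND = auto()   # traffic from the contained IP towards a managed device
    OUTBOUND = auto()  # traffic from a managed device towards the contained IP
    BOTH = INBOUND | OUTBOUND


@dataclass(frozen=True)
class ContainIpPolicy:
    ip: str
    ports: frozenset[int]    # empty set means every port is covered
    direction: Direction


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


class ContainmentEngine:
    """Holds active Contain IP policies and evaluates flows against them."""

    def __init__(self, onboarded: set[str]):
        self.onboarded = set(onboarded)          # IPs of onboarded (managed) devices
        self.policies: dict[str, ContainIpPolicy] = {}

    def on_malicious_ip(self, ip: str, ports=(), direction=Direction.BOTH):
        """Attack-disruption signal: contain only IPs that are NOT onboarded."""
        ip_address(ip)                            # raises ValueError on malformed input
        if ip in self.onboarded:
            return None                           # onboarded devices are out of scope here
        policy = ContainIpPolicy(ip, frozenset(ports), direction)
        self.policies[ip] = policy
        return policy

    def undo(self, ip: str) -> bool:
        """Administrator 'Undo' of the containment; True if a policy was removed."""
        return self.policies.pop(ip, None) is not None

    def allows(self, flow: Flow) -> bool:
        """A flow is blocked when it touches a contained IP in a covered direction/port."""
        for ip, pol in self.policies.items():
            direction = Direction.OUTBOUND if flow.dst == ip else (
                Direction.INBOUND if flow.src == ip else None)
            if direction is None:
                continue
            if pol.ports and flow.dst_port not in pol.ports:
                continue                          # port outside the tailored policy
            if direction & pol.direction:
                return False
        return True
```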

Supported Systems and Manual Overrides

This new IP containment capability will be available on Defender for Endpoint-managed devices running:

  • Windows 10

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019 and newer

Administrators will also have the option to manually remove the IP containment when needed. This can be done via the Action Center in Microsoft Defender. Simply select the “Contain IP” action and then choose “Undo” to restore the connection.


Defender’s Growing Capabilities Over Time

This latest update builds on Microsoft’s previous efforts to isolate and neutralize threats on networks. Since June 2022, Defender for Endpoint has had the ability to isolate compromised Windows devices, both managed and unmanaged. Once a device was flagged, the system would block all communication to prevent further spread of the attack.

In October 2023, Microsoft also extended this isolation feature to macOS and Linux systems. Now, organizations with mixed operating systems can benefit from the same level of protection.

Another major enhancement came in the form of user account isolation. When Defender detects that a user account has been compromised — particularly in ransomware attacks where hackers have hands-on-keyboard access — the system can isolate that account to stop the attack in its tracks.

Why This Update Matters

In modern cyberattacks, lateral movement is one of the most dangerous tactics. Once attackers breach one device, they often try to move across the network to reach high-value targets such as servers or data centers. Blocking this movement is essential for reducing the impact of a breach.

By automatically blocking communication from unknown devices, Microsoft Defender adds another strong layer of defense. It gives organizations time to identify the device, assess the risk, and onboard it securely before allowing it full network access.

For businesses using Microsoft Defender for Endpoint, this means faster detection, better protection, and less time spent cleaning up after attacks.

Conclusion

Microsoft continues to enhance Defender for Endpoint to meet the needs of modern enterprise security. The new IP containment feature is a smart move that strengthens network defenses against undiscovered threats and unmanaged devices.

With features like automatic attack disruption, user account isolation, and cross-platform support, Microsoft Defender for Endpoint is becoming a comprehensive solution for endpoint security. Organizations looking to stay ahead of cybercriminals should take note of these updates and ensure they are using the latest capabilities.
