Let’s say that you have device that you believe has a security threat serious enough that it should be ‘unplugged’ from the network. Doing so physically makes it hard to troubleshoot any incident unless you are in front of that machine. However, Defender for Endpoint allows you to isolate the machine from the network while still remaining connected to the Defender for Endpoint console.
To initiate the device isolation navigate to:
https://security.microsoft.com
and select the Device inventory option from the menu on the left hand side. That should show you a list of all devices that Defender for Endpoint knows about. Select the device you wish to isolate from the list that appears.
In the top right side of the device page you will find the option to Isolate a device. If you can’t see that option check the ellipse (three dots). Select the ellipse to display the menu shown above. In that menu should be an option Isolate device, which you should select.
You’ll now see a dialog appear as shown above asking you to confirm that you wish to isolate the selected device. You also have the option here to allow Outlook, Teams and Skype for Business while device is isolated if desired. You’ll also need to enter a reason for isolating the device. When all that is done, select the Confirm button.
You should now see the action confirmed in the security console as shown above. You also have the ability to cancel this if needed here.
Almost immediately, the device being isolated will warn the current use that isolation is taking place and the network is disabled as shown above. At that point the user will no longer be able to navigate beyond their current machine (i.e. no browsing Internet or local LAN, no printing and no emails). More importantly, any other covert sessions will also be blocked preventing a security threat from spreading.
As an administrator you will however be able to launch a Live response session in the Defender console, as shown above, to triage the device and run PowerShell scripts if needed.
If you now look in the menu in the top right of this device when you have completed your work, you will see an option Release from isolation as shown above, for that device.
You will once again need to provide a reason why this device is being released from insolation and then select the Confirm button to complete the process.
The Action center will appear again as the isolation is removed. You again, have the option to cancel this if you wish.
The history of the actions taken to isolate and release the device can be found in the Action center menu option under the Actions & submissions heading on the left in the Microsoft Security center.
Defender for Endpoint allow you to quickly and easily isolate a suspected device from all network connections but allow it to remain connected to the Defender console for remote troubleshooting. If you want to read more about this process then consult the Microsoft documentation here:
CIAOPS 
Hi @directorcia could you tell me:
– how MDE disable network interface (or is it just outside traffic?) in a given device ?
– on what level the MDE device isolation works ?
LikeLiked by 1 person
Hi @directorcia could you tell me:
– how MDE disable network interface (or is it just outside traffic?) in a given device ?
– on what level the MDE device isolation works ?
LikeLiked by 1 person
It disables all traffic not from the portal, thus normal internal and external. The isolation is total, no traffic at any layer gets through except from the MDE portal.
LikeLike
There are several isolation layers that take effect – note the items discussing impact of VPN’s on isolation and several exceptions that may be allowed if desired (subject to operating system version)
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network
LikeLike
MDE disables all traffic, internal and external to the device when it is isolated. The only traffic allowed is to the MDE portal.
LikeLike