defender-endpoint/isolation-exclusions.md
Lines changed: 9 additions & 15 deletions
@@ -58,7 +58,7 @@ There are two steps to using isolation exclusion: defining isolation exclusion r
### Prerequisites
* Isolation exclusion is available on Windows (minimum client version 10.8470) and macOS (minimum client version 101.240902).
-
* Isolation exclusion must be enabled. Enabling isolation exclusion requires Security Admin permissions or above. To enable isolation exclusion, sign in to the [Microsoft Defender portal](https://security.microsoft.com) and go to **Settings** > **Endpoints** > **Advanced features** and enable **Isolation Exclusion Rules** feature.
+
* Isolation exclusion must be enabled. Enabling isolation exclusion requires Security Admin or Manage Security settings permissions or above. To enable isolation exclusion, sign in to the [Microsoft Defender portal](https://security.microsoft.com) and go to **Settings** > **Endpoints** > **Advanced features** and enable **Isolation Exclusion Rules** feature.
:::image type="content" source="./media/isolation-exclusions/enable-exclusions.png" alt-text="Screenshot showing how to enable isolation exclusions." lightbox="./media/isolation-exclusions/enable-exclusions.png":::
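Review bot: the added clause "Security Admin or Manage Security settings permissions or above" is ambiguous about what "or above" attaches to, and it mixes a role (Security Admin) with a permission (Manage security settings) without saying which permission model the latter belongs to; suggest naming each explicitly, for example "requires the Security Admin role, or a role that includes the Manage security settings permission", with the permission name formatted the way the rest of the page formats portal labels. Minor: "enable **Isolation Exclusion Rules** feature" is missing "the".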
@@ -75,23 +75,23 @@ There are two steps to using isolation exclusion: defining isolation exclusion r
1. Select **+ Add exclusion rule**
-
:::image type="content" source="./media/isolation-exclusions/add-new-exclusion-rule.png" alt-text="Screenshot showing how to add a new isolation exclusion rule." lightbox="./media/isolation-exclusions/add-new-exclusion-rule.png":::
+
:::image type="content" source="./media/isolation-exclusions/add-new-exclusion-rule.png" alt-text="Screenshot showing how to add a new isolation exclusion rule.":::
1. The **Add new exclusion rule** dialog appears:
-
:::image type="content" source="./media/isolation-exclusions/exclusion-rule-definition.png" alt-text="Screenshot showing the fields required for defining an isolation exclusion rule.":::
+
:::image type="content" source="./media/isolation-exclusions/exclusion-rule-definition.png" alt-text="Screenshot showing the fields required for defining an isolation exclusion rule." lightbox="./media/isolation-exclusions/exclusion-rule-definition.png":::
Fill in the isolation exclusion parameters. Red asterisks denote mandatory parameters. The parameters and their valid values are described in the following table.
| Parameter | Description and valid values |
|:-----|:-----|
|**Rule name**| Provide a name for the rule. |
|**Rule description**| Describe the purpose of the rule. |
-
|**Process path** (Windows only) | The file path of an executable is simply its location on the endpoint. You can define one executable to be used in each rule.<br><br>Examples:<br>`C:\Windows\System\Notepad.exe`<br>`%WINDIR%\Notepad.exe.`<br><br>**Note**: Exclusion won't apply to any child processes created by the specified process. |
+
|**Process path** (Windows only) | The file path of an executable is simply its location on the endpoint. You can define one executable to be used in each rule.<br><br>Examples:<br>`C:\Windows\System\Notepad.exe`<br>`%WINDIR%\Notepad.exe.`<br><br>**Notes**:<br>- The executable must exist when isolation is applied, otherwise the exclusion rule will be ignored.<br>- Exclusion won't apply to any child processes created by the specified process. |
|**Service name** (Windows only) | Windows service short names can be used in cases you want to exclude a service (not an application) that is sending or receiving traffic. Service short names can be retrieved by running the *Get-Service* command from PowerShell. You can define one service to be used in each rule.<br><br>Example: termservice |
|**Package family name** (Windows only) | The Package Family Name (PFN) is a unique identifier assigned to Windows app packages. The PFN format follows this structure: `<Name>_<PublisherId>`<br><br>Package family names can be retrieved by running the *Get-AppxPackage* command from PowerShell. For example, to get the new Microsoft Teams PFN, run `Get-AppxPackage MSTeams`, and look for the value of the **PackageFamilyName** property.<br><br>Supported on:<br>- Windows 11 (24H2)<br>- Windows Server 2025<br>- Windows 11 (22H2) Windows 11, version 23H2 KB5050092<br>- Windows Server, Version 23H2<br>- Windows 10 22H2 - KB 5050081 |
|**Direction**| The connection direction (Inbound/Outbound). Examples:<br><br>**Outbound connection**: If the device initiates a connection, for instance, an HTTPS connection to a remote backend server, define only an outbound rule. Example: The device sends a request to 1.1.1.1 (outbound). In this case, no inbound rule is needed, as the response from the server is automatically accepted as part of the connection.<br><br>**Inbound connection**: If the device is listening to incoming connections, define an **inbound rule**.|
-
|**Remote IP**| The IP (or IPs) with which communication is allowed while the device is isolated from the network.<br><br>Supported IP formats:<br>- IPv4/IPv6, with optional CIDR notation<br>- A comma-separated list of valid IPs<br><br>Valid input examples:<br>- Single IP address: `1.1.1.1`<br>- IPV6 address: `2001:db8:85a3::8a2e:370:7334`<br>- IP address with CIDR notation (IPv4 or IPv6): `1.1.1.1/24`<br> This example defines a range of IP addresses. In this case, it includes all IPs from 1.1.1.0 to 1.1.1.255. The /24 represents the subnet mask, which specifies that the first 24 bits of the address are fixed, and the remaining 8 bits define the address range.|
+
|**Remote IP**| The IP (or IPs) with which communication is allowed while the device is isolated from the network.<br><br>Supported IP formats:<br>- IPv4/IPv6, with optional CIDR notation<br>- A comma-separated list of valid IPs<br>Up to 20 IP addresses can be defined per rule.<br><br>Valid input examples:<br>- Single IP address: `1.1.1.1`<br>- IPV6 address: `2001:db8:85a3::8a2e:370:7334`<br>- IP address with CIDR notation (IPv4 or IPv6): `1.1.1.1/24`<br> This example defines a range of IP addresses. In this case, it includes all IPs from 1.1.1.0 to 1.1.1.255. The /24 represents the subnet mask, which specifies that the first 24 bits of the address are fixed, and the remaining 8 bits define the address range.|
1. Save and apply changes.
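Review bot: in the **Remote IP** row, the new sentence "Up to 20 IP addresses can be defined per rule." is appended to the last `<br>`-separated bullet without a break of its own, so it renders as the tail of "A comma-separated list of valid IPs"; put `<br><br>` in front of it or make it a third bullet. In the **Process path** row, the new note that a missing executable causes the rule to be ignored describes a silent failure an operator has to be able to diagnose: say whether "ignored" means the whole rule or only the process criterion, and how the operator can tell it happened (for example whether it shows in the Action Center history the page mentions later). Also in that row, the example `%WINDIR%\Notepad.exe.` still carries a trailing period inside the code span. The first screenshot loses its `lightbox` attribute while the second gains one; if the removal is intentional rather than a copy-edit slip, it is worth stating.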
@@ -103,17 +103,17 @@ There are two steps to using isolation exclusion: defining isolation exclusion r
1. Select **Isolate device** and choose **Selective isolation**.
1. Check **Use isolation exclusions to allow specific communication while the device is isolated** and enter a comment.
-
:::image type="content" source="./media/isolation-exclusions/apply-exclusion-rule.png" alt-text="Screenshot showing how to apply an exclusion rule to a device.":::
+
:::image type="content" source="./media/isolation-exclusions/apply-exclusion-rule.png" alt-text="Screenshot showing how to apply an exclusion rule to a device.":::
1. Select **Confirm**.
Exclusions that were applied to a specific device can be reviewed in the Action Center history.
:::image type="content" source="./media/isolation-exclusions/review-exclusions.png" alt-text="Screenshot showing exclusions in the Action Center history." lightbox="./media/isolation-exclusions/review-exclusions.png":::
-
###API Configuration
+
#### Apply selective isolation via API
-
To trigger isolation with exclusions via API, set the IsolationType parameter to "Selective". See [Isolate machine API](/defender-endpoint/api/isolate-machine) for detail.
+
Alternatively, you can apply selective isolation via API. To do so, set the **IsolationType** parameter to *Selective*. For more information, see [Isolate machine API](/defender-endpoint/api/isolate-machine).
## Exclusion Logic
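Review bot: `IsolationType` is a request-body parameter and `Selective` is its literal value, so code formatting (`IsolationType` set to `"Selective"`) would be more precise than bold and italics, and saying that the parameter goes in the request body of the Isolate machine API call would remove any doubt about where it is set. The heading drops from `###` to `####`; confirm it is meant to sit under the preceding H3 rather than beside it, since the old `###API Configuration` (missing its space after the hashes) was at the sibling level. The `-`/`+` pair for apply-exclusion-rule.png reads identically, so that is presumably a whitespace-only change.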
@@ -147,13 +147,7 @@ Rule 3:
## Considerations and limitations
-
When a device is isolated, any new isolation exclusion rules added from the portal won't apply to the currently isolated device. Instead, newly added exclusions will only take effect for future isolation requests.
-
-
If an exclusion needs to be applied to a device that is already isolated, the following steps must be taken:
-
-
1. Unisolate the device.
-
1. Ensure that the relevant, correctly defined exclusion rule is in place.
-
1. Reisolate the device for the updated exclusion rule to take effect.
+
Changes to exclusion rules only impact new isolation requests. Devices that were already isolated remain with the exclusions that were defined when they were applied. To apply updated exclusion rules to isolated devices, release those devices from isolation and then reisolate them.
This behavior ensures that isolation rules remain consistent throughout the duration of an active isolation session.
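Review bot: the condensed paragraph widens and weakens what the removed steps said. The old text limited the statement to rules "added" after isolation, while "Changes to exclusion rules" also covers edits and deletions; confirm that is the actual behavior before broadening the claim. The removed step 2 ("Ensure that the relevant, correctly defined exclusion rule is in place") also made the ordering explicit: the rule must exist before the device is reisolated, because the rule set is captured at isolation time. The new sentence implies this but does not say it; suggest "...release those devices from isolation, confirm the updated rule is in place, and then reisolate them." The retained context line "This behavior ensures..." also reads better when the preceding paragraph names the behavior (rules being fixed for the duration of a session) rather than only the workaround.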