Merge pull request #1301 from MicrosoftDocs/diannegali-updatecontaindevice

diannegali · web-flow · commit 2f8effbaac7d · 2024-09-09T16:17:39.000+01:00
updated contain device
diff --git a/defender-endpoint/respond-machine-alerts.md b/defender-endpoint/respond-machine-alerts.md
@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 12/15/2023
+ms.date: 09/09/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -266,11 +266,13 @@ When a device is being isolated, the following notification is displayed to info
 
 ## Contain devices from the network
 
-When you have identified an unmanaged device that is compromised or potentially compromised, you might want to contain that device from the network. When you contain a device any Microsoft Defender for Endpoint onboarded device will block incoming and outgoing communication with that device. This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device.
+When you have identified an unmanaged device that is compromised or potentially compromised, you might want to contain that device from the network to prevent the potential attack from moving laterally across the network. When you contain a device any Microsoft Defender for Endpoint onboarded device will block incoming and outgoing communication with that device. This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device.
 
 > [!NOTE]
 > Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices.
 
+Once devices are contained, we recommend investigating and remediating the threat on the contained devices as soon as possible. After remediation, you should remove the devices from containment.
+
 ### How to contain a device
 
 1. Go to the **Device inventory** page and select the device to contain.
@@ -283,6 +285,9 @@ When you have identified an unmanaged device that is compromised or potentially
 
 :::image type="content" alt-text="Screenshot of the contain device menu item." source="/defender/media/defender-endpoint/contain_device_popup.png" lightbox="/defender/media/defender-endpoint/contain_device_popup.png":::
 
+> [!IMPORTANT]
+> Containing a large number of devices might cause performance issues on Defender for Endpoint-onboarded devices. To prevent any issues, Microsoft recommends containing up to 100 devices at any given time.
+
 ### Contain a device from the device page
 
 A device can also be contained from the device page by selecting **Contain device** from the action bar:
