|
2 | 2 | title: Take response actions on a device in Microsoft Defender for Endpoint
|
3 | 3 | description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running an antivirus scan, and restricting app execution.
|
4 | 4 | ms.service: defender-endpoint
|
5 |
| -ms.author: diannegali |
6 |
| -author: diannegali |
| 5 | +ms.author: painbar |
| 6 | +author: paulinbar |
7 | 7 | ms.localizationpriority: medium
|
8 |
| -ms.date: 07/01/2025 |
9 |
| -manager: deniseb |
| 8 | +ms.date: 09/01/2025 |
| 9 | +manager: bagol |
10 | 10 | audience: ITPro
|
11 | 11 | ms.collection:
|
12 | 12 | - m365-security
|
@@ -278,7 +278,7 @@ When a device is being isolated, the following notification is displayed to info
|
278 | 278 | When you have identified an unmanaged device that is compromised or potentially compromised, you might want to contain that device from the network to prevent the potential attack from moving laterally across the network. When you contain a device any Microsoft Defender for Endpoint onboarded device blocks incoming and outgoing communication with that device. This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device.
|
279 | 279 |
|
280 | 280 | > [!NOTE]
|
281 |
| -> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10, Windows 11, and Windows Server 2019+ devices. An exception is [containing IP addresses of undiscovered devices](#contain-ip-addresses-of-undiscovered-devices). This capability isn't supported on Windows Server devices. |
| 281 | +> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices. |
282 | 282 |
|
283 | 283 | Once devices are contained, we recommend investigating and remediating the threat on the contained devices as soon as possible. After remediation, you should remove the devices from containment.
|
284 | 284 |
|
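Review bot: the rewritten note at line 281 drops Windows 11 from the supported list (the removed line had "Windows 10, Windows 11, and Windows Server 2019+"; the added line has only "Windows 10 and Windows Server 2019+"), while the note added at line 333 in the next hunk still lists Windows 11, so this looks like an accidental omission rather than a deliberate support change. If Windows 11 is still supported, restore it: `> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Microsoft Defender for Endpoint Windows 10, Windows 11, and Windows Server 2019+ devices.` The same edit also removes the cross-reference to [containing IP addresses of undiscovered devices](#contain-ip-addresses-of-undiscovered-devices); that section still exists below (line 330 onward) and, after this change, carries a different platform list than device containment, so a one-sentence pointer to it remains useful here even if the old "isn't supported on Windows Server devices" clause is no longer accurate.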
@@ -330,7 +330,7 @@ You're be able to stop containing a device at any time.
|
330 | 330 | Defender for Endpoint can also contain IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint. The capability to contain an IP address prevents attackers from spreading attacks to other non-compromised devices. Containing an IP address results in Defender for Endpoint-onboarded devices blocking incoming and outgoing communication with devices using the contained IP address
|
331 | 331 |
|
332 | 332 | > [!NOTE]
|
333 |
| -> The contain IP addresses capability isn't supported on Windows Server devices. |
| 333 | +> Blocking incoming and outgoing communication with a 'contained' device is supported on onboarded Defender for Endpoint Windows 10, Windows 11, Windows 2012 R2, and Windows 2016 devices. |
334 | 334 |
|
335 | 335 | Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through [automatic attack disruption](/defender-xdr/automatic-attack-disruption). The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded.
|
336 | 336 |
|
|
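Review bot: the new note at line 333 reuses the device-containment wording ("Blocking incoming and outgoing communication with a 'contained' device ...") inside the contain-IP-address section, so it now reads as a second, conflicting support statement for device containment (line 281 says Windows Server 2019+; this line says Windows 2012 R2 and Windows 2016) rather than as the platform list for containing an IP address. Suggest naming the capability it applies to, for example `> Containing an IP address is supported on onboarded Defender for Endpoint Windows 10, Windows 11, Windows Server 2012 R2, and Windows Server 2016 devices.` Two further checks on the list: "Windows 2012 R2" and "Windows 2016" should be the full product names "Windows Server 2012 R2" and "Windows Server 2016", and the list omits Windows Server 2019 and later, which the device-containment note at line 281 does cover; since the removed line said the capability "isn't supported on Windows Server devices" at all, confirm which server versions are actually supported before publishing.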