A new Microsoft Defender for Endpoint (MDE) feature will help organizations prevent attackers and malware from using compromised or vulnerable systems to move through networks.

Once compromised vulnerable Windows devices are contained by the new feature, the enterprise endpoint security platform will instruct Windows systems on the network to block all communication to and from the device.

However, the new feature is limited since it only works with onboarded devices running Windows 10 and later or Windows Server 2019 and later.

“Only devices running on Windows 10 and above will perform the Contain action meaning that only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint will block ‘contained’ devices at this time,” Microsoft explains.

To contain a potentially compromised device, administrators are advised to go to the Device Inventory page of the Microsoft 365 Defender portal and select the device to contain. Next, they can select ‘Contain device’ from the actions menu in the device flyout. Lastly, they can type a comment on the contain device group and select ‘Confirm.’