Microsoft is testing a new security feature in Defender for Endpoint designed to stop attackers from moving laterally across a network by automatically blocking unknown or unmanaged devices.

This feature, announced earlier this week, works by containing the IP addresses of devices that haven’t been discovered or aren’t yet protected by Defender for Endpoint. The goal is to prevent cyber attackers from using these devices to spread malware or move laterally through the network.

How the Feature Works

When Defender detects a suspicious device, it can automatically block all incoming and outgoing connections to and from that device. This is known as “IP containment.” Microsoft explains that this is part of its automatic attack disruption system, which quickly responds to threats without needing manual intervention.

“The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP to be linked with an undiscovered or unmanaged device,” Microsoft said in a blog post.

The policy applies granular rules that block only selected traffic (specific ports or traffic directions, for example), so that essential operations can continue while the device is contained.

Supported Devices and Manual Controls

This feature works on Defender-onboarded systems running:

  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019 and newer

Admins can also manually undo the IP block at any time from the Action Center by selecting “Undo” under the “Contain IP” option.
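As an added illustration of the two behaviours described above, containing an IP in one or both directions with optional port scoping and undoing that containment, the following PowerShell applies the same effect by hand with the Windows Defender Firewall cmdlets (NetSecurity module). This is example code written for this article, not Microsoft's code, and it is not how Defender for Endpoint enforces its Contain IP policy internally; the function names, the rule group naming and the address 10.20.30.40 are constructed for the example.

```powershell
# Manual analogue of "Contain IP" using Windows Defender Firewall rules.
# Run from an elevated PowerShell session on the managed host that should stop
# exchanging traffic with the unmanaged device at $Ip. Constructed example only.

function Invoke-ContainIp {
    param(
        [Parameter(Mandatory)] [string]$Ip,                 # e.g. 10.20.30.40 (constructed, unmanaged host)
        [string[]]$Direction = @('Inbound', 'Outbound'),    # contain one or both directions
        [int[]]$Port                                        # optional: TCP service ports to scope the block to
    )
    $group = "ContainIP-$Ip"   # one rule group per contained IP so the undo can remove everything at once
    Undo-ContainIp -Ip $Ip     # make re-running idempotent: drop any earlier rules for this IP

    foreach ($dir in $Direction) {
        $params = @{
            DisplayName   = "$group-$dir"
            Group         = $group
            Direction     = $dir
            Action        = 'Block'
            RemoteAddress = $Ip
            Profile       = 'Any'
            Enabled       = 'True'
        }
        if ($Port) {
            # Port-scoped variant: only the listed TCP service ports are blocked, so other
            # traffic to or from the device (an admin channel, for instance) keeps working.
            # For inbound flows the service port is local; for outbound flows it is remote.
            $params.Protocol = 'TCP'
            if ($dir -eq 'Inbound') { $params.LocalPort = $Port } else { $params.RemotePort = $Port }
        }
        New-NetFirewallRule @params | Out-Null
    }
}

function Undo-ContainIp {
    param([Parameter(Mandatory)] [string]$Ip)
    # Equivalent of the Action Center "Undo": remove every rule created for this IP.
    Remove-NetFirewallRule -Group "ContainIP-$Ip" -ErrorAction SilentlyContinue
}

function Get-ContainedIps {
    # Audit view: which IPs are currently contained by rules from this script.
    Get-NetFirewallRule -Group 'ContainIP-*' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Group -replace '^ContainIP-', '' } |
        Sort-Object -Unique
}

# Usage (constructed address):
# Invoke-ContainIp -Ip 10.20.30.40                    # full inbound + outbound block
# Invoke-ContainIp -Ip 10.20.30.40 -Port 445,3389     # only SMB and RDP, both directions
# Get-ContainedIps                                    # -> 10.20.30.40
# Undo-ContainIp -Ip 10.20.30.40                      # lift the containment
```

Grouping the rules under a single group name is what makes the undo reliable: a later operator can remove the containment without knowing how many rules, or which directions and ports, the original operator created.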


Part of a Bigger Security Push

This update is part of Microsoft’s ongoing efforts to make Defender for Endpoint smarter and more proactive. Since June 2022, Defender has been able to isolate hacked or unmanaged Windows devices to stop attacks from spreading. In October 2023, similar support was added for macOS and Linux devices.

Microsoft has also extended this protection to user accounts, allowing automatic isolation if a user’s account is compromised during ransomware or hands-on-keyboard attacks.