Microsoft is adding a new layer to Defender for Endpoint aimed at cutting off hidden threats before they spread. The company is testing a feature that will automatically block all network traffic to and from devices that haven’t been discovered or onboarded into the Defender for Endpoint system.

Undiscovered endpoints are a major weak spot in enterprise security. Without visibility or enforcement, they can slip past monitoring tools, miss critical updates, and become prime targets for cyberattacks or data theft.

The goal is to stop attackers from using these unmanaged endpoints to move laterally across networks. According to Microsoft, the feature works by isolating the IP addresses of unknown or unprotected devices — essentially quarantining them until they’re brought under Defender’s control.

“Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through automatic attack disruption. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded,” Microsoft said.

“Through automatic attack disruption, Defender for Endpoint incriminates a malicious device, identifies the role of the device to apply a matching policy to automatically contain a critical asset. The granular containment is done by blocking only specific ports and communication directions.”

Microsoft also noted that admins will have full control over the containment process. They will be able to immediately lift any restrictions and restore a device’s network access at any time via the Action Center.

“You can stop an IP address’ containment at any time. To stop containment, select the Contain IP action in the Action Center. In the flyout, select Undo. This action restores the IP address’ connection to the network,” Microsoft said.
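To make the described behaviour concrete, here is an added Python model of a Contain IP policy (constructed for this article, not Microsoft's code): a malicious IP is contained only if it is not onboarded, containment blocks specific ports and directions rather than all traffic, and an Action Center style undo restores connectivity. The onboarded inventory and the blocked port/direction set are assumptions; the article does not state which ports the real policy blocks.

```python
from dataclasses import dataclass, field

# Constructed inventory: IPs of devices this (hypothetical) tenant has onboarded.
ONBOARDED = {"10.0.0.10", "10.0.0.11"}

# Assumed granular rules applied to a contained IP (the article says only specific
# ports and directions are blocked but does not list them; these are illustrative).
CONTAIN_RULES = (
    ("inbound", 445),    # SMB towards the contained IP
    ("inbound", 3389),   # RDP towards the contained IP
    ("outbound", 445),   # SMB from the contained IP to managed hosts
)


@dataclass
class ContainIPPolicy:
    onboarded: set
    contained: dict = field(default_factory=dict)   # ip -> set of (direction, port)
    audit: list = field(default_factory=list)       # Action Center style history

    def on_malicious_ip(self, ip: str) -> bool:
        """Attack-disruption verdict: contain only IPs that are not onboarded devices."""
        if ip in self.onboarded:
            # Onboarded devices get device-level actions instead of Contain IP.
            return False
        self.contained[ip] = set(CONTAIN_RULES)
        self.audit.append(("contain", ip))
        return True

    def undo(self, ip: str) -> bool:
        """Action Center 'Undo': lift containment and restore the IP's connectivity."""
        if self.contained.pop(ip, None) is None:
            return False
        self.audit.append(("undo", ip))
        return True

    def allows(self, src: str, dst: str, port: int) -> bool:
        """Evaluate one flow: blocked only if a contained endpoint has a matching rule."""
        if ("inbound", port) in self.contained.get(dst, ()):
            return False
        if ("outbound", port) in self.contained.get(src, ()):
            return False
        return True
```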

It’s unclear when the new feature will roll out to users, but Microsoft has confirmed it will be available on Defender for Endpoint-onboarded devices running Windows 10, Windows Server 2012 R2, Windows Server 2016 and later, including Windows Server 2019 and above.