Issue
A device onboarded to Microsoft Defender for Endpoint is stuck in network isolation: the Release from isolation action does not lift isolation or restore network connectivity.
Environment
Microsoft Defender for Endpoint
Resolution
Work through the steps below in order. Most stuck isolations clear as soon as the sensor is able to check in with the cloud service again.
- In the Defender XDR console, open Assets > Devices, find the host and click the hostname to open its Device Overview page
  - If the device is missing from the Device Inventory, your Entra ID role may not have access to the device group it belongs to
- Open the three-dot menu and select Release from isolation, unless a release action already shows as pending
  - If this and other actions are greyed out, your role may lack permission to perform active remediation actions
- After requesting release, allow a few minutes for the endpoint to leave isolation
  - The Defender sensor always initiates the connection to the cloud service; nothing is pushed to it. The release is queued as a pending action and takes effect only when the sensor next checks in
- If the endpoint was isolated while connected through a full-tunnel VPN, have the end user disconnect from or disable the VPN client
  - Devices behind a full VPN tunnel cannot reach the Microsoft Defender for Endpoint cloud service once isolated, so the sensor never receives the release request
  - Microsoft recommends a split-tunnel VPN configuration that keeps agent-related traffic outside the tunnel
- Reboot the endpoint if you have not already; this clears transient DNS or other network faults that can keep the sensor from checking in
- Windows only: if isolation persists, return to the Device Overview page, open the three-dot menu and select Download force release from isolation script
  - Click the Download Script button
  - The script is generated for the specific device it was requested for and will not work on any other endpoint
  - Transfer the downloaded CMD script to the isolated endpoint (for example on removable media, since the device has no usable network connection) and run it locally as an administrator
See Take Response Actions on a Device on Microsoft Learn for additional information and system requirements
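To make the "release only takes effect when the sensor checks in" behaviour visible, the following is an added PowerShell example (not from this page, and not Microsoft's code) that issues the same Release from isolation request through the Defender for Endpoint API and then polls the resulting machine action until it leaves the Pending/InProgress states. It assumes an Entra ID app registration granted the WindowsDefenderATP application permissions Machine.Read.All and Machine.Isolate; the tenant, client, secret and device name are placeholders passed in as parameters.

```powershell
# Added example, not from the original page: request "Release from isolation" via the
# Defender for Endpoint API and watch the machine action until the sensor picks it up.
# Assumes an Entra ID app registration with WindowsDefenderATP application permissions
# Machine.Read.All and Machine.Isolate. All parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $ComputerDnsName,   # name as shown under Assets > Devices
    [int] $TimeoutMinutes = 15
)

$ErrorActionPreference = 'Stop'
$api = 'https://api.securitycenter.microsoft.com/api'

# Client-credentials token for the Defender for Endpoint API (this is not the Graph scope).
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# Resolve the device ID. An empty result means the name is wrong or, as with a console
# user, the caller has no access to the device group the device belongs to.
$odataFilter = "computerDnsName eq '$ComputerDnsName'"
$machines = (Invoke-RestMethod -Headers $headers `
    -Uri "$api/machines?`$filter=$([uri]::EscapeDataString($odataFilter))").value
if (-not $machines) { throw "No device named $ComputerDnsName is visible to this app registration." }
$machineId = $machines[0].id

# Ask for release. The API answers immediately with a machine action; its status stays
# Pending until the sensor on the device next checks in and executes it.
$action = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
    -Uri "$api/machines/$machineId/unisolate" `
    -Body (@{ Comment = 'Release requested by stuck-isolation runbook' } | ConvertTo-Json)
Write-Host "Machine action $($action.id) created with status $($action.status)"

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $action = Invoke-RestMethod -Headers $headers -Uri "$api/machineactions/$($action.id)"
    Write-Host "$(Get-Date -Format u)  status=$($action.status)"
} while (($action.status -in @('Pending', 'InProgress')) -and ((Get-Date) -lt $deadline))

switch ($action.status) {
    'Succeeded' { Write-Host 'Device released from isolation.' }
    { $_ -in @('Pending', 'InProgress') } {
        Write-Warning ("Still $($action.status) after $TimeoutMinutes minutes: the sensor has not checked in. " +
                       'Check VPN and proxy reachability on the endpoint, reboot it, or use the force-release script.')
    }
    default { Write-Warning "Action ended with status $($action.status): $($action | ConvertTo-Json -Depth 3)" }
}
```

A release that sits in Pending for the whole timeout is the API-level view of the symptom this article describes: the request was accepted by the service but the device never collected it, which points at the sensor's connectivity rather than at console permissions.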
Cause
The Defender for Endpoint sensor has isolated the device but has also lost the ability to communicate with the cloud service behind the Defender XDR console. That channel is how a release request normally reaches the device, so while it is down the release stays pending. Common reasons for losing the channel include the following.
- In environments that use Proxy Auto Configuration (PAC) files or WPAD, a fully isolated device may not be able to recover from network isolation. Use selective isolation for such devices.
- Endpoints behind a full VPN tunnel cannot reach the Microsoft Defender for Endpoint cloud service once isolated. Use a split-tunnel VPN configuration that keeps agent-related traffic outside the tunnel.
- Isolating a host server running Microsoft Hyper-V also blocks network traffic to all of its child virtual machines, so guests on that host lose connectivity even though they were not isolated themselves.
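To check for these causes from the endpoint side, here is an added PowerShell example (not from this page, and not a Microsoft tool) to run as an administrator on the isolated Windows device. It reports the state of the sensor service, which adapter owns the default route (a VPN virtual adapter there indicates a full tunnel), the proxy and PAC/WPAD settings the sensor may depend on, and whether the host can currently complete an HTTPS request to the cloud service. The probe hostnames are examples of Microsoft's published connectivity-test URLs and are an assumption here; confirm them against the current Defender for Endpoint URL list for your tenant's region.

```powershell
# Added example, not from the original page: endpoint-side triage for a device that will
# not leave isolation. Run as administrator on the isolated Windows device.
# $probeUrls are example connectivity-test hostnames (assumption); verify them against
# Microsoft's current Defender for Endpoint URL list before relying on the result.

# 1. Sensor service state. The sensor runs as the "Sense" service; if it is not running,
#    the device cannot check in regardless of network state.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense) { Write-Warning 'Sense service not found: this device does not appear to be onboarded.' }
else { "Sense service: $($sense.Status)" }

# 2. Default route owner. A VPN virtual adapter holding 0.0.0.0/0 means a full tunnel; with
#    the tunnel up, isolation leaves the sensor with no path to the cloud service.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | ForEach-Object {
    $nic = Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
    "Default route via '$($nic.Name)' ($($nic.InterfaceDescription)), metric $($_.RouteMetric)"
}

# 3. Proxy configuration: the Defender for Endpoint policy value, the WinHTTP system proxy,
#    and the per-user PAC URL / WPAD auto-detect flag that full isolation can interfere with.
$atpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$telemetryProxy = (Get-ItemProperty -Path $atpPolicy -ErrorAction SilentlyContinue).TelemetryProxyServer
"TelemetryProxyServer policy: $(if ($telemetryProxy) { $telemetryProxy } else { '<not set>' })"
"WinHTTP proxy: $(((netsh winhttp show proxy) -join ' ') -replace '\s+', ' ')"
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
"PAC URL (AutoConfigURL): $(if ($inet.AutoConfigURL) { $inet.AutoConfigURL } else { '<none>' })"
"WPAD auto-detect (AutoDetect): $(if ($null -ne $inet.AutoDetect) { $inet.AutoDetect } else { '<not set>' })"

# 4. Can this host reach the service over TLS right now? Any HTTP status, even 4xx, shows
#    that DNS, routing and TLS work; a timeout or resolution failure points at VPN or proxy.
$probeUrls = @(
    'https://winatp-gw-cus.microsoft.com/test',   # example region endpoint (assumption)
    'https://winatp-gw-eus.microsoft.com/test'    # example region endpoint (assumption)
)
foreach ($url in $probeUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "$url -> HTTP $($r.StatusCode) (reachable)"
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and $resp.StatusCode) { "$url -> HTTP $([int]$resp.StatusCode) (reachable)" }
        else { "$url -> FAILED: $($_.Exception.Message)" }
    }
}
```

If step 4 fails while the default route sits on a VPN adapter, disconnecting the VPN and re-running the probe is the quickest confirmation that the tunnel, not the sensor, is what is blocking the check-in; if the proxy section shows a PAC URL or WPAD auto-detect and the probes fail, the device is a candidate for selective rather than full isolation next time.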