Force release from isolation in MDE

It rarely happens, but if it happens, you have a solution…

One of the best response actions in Microsoft Defender for Endpoint (A part of Microsoft 365 Defender) is isolate device. This locks the device in the network stack and will connect any threat actor immediately from the device, or stop the user from doing what they are doing.

This action do have some extra great features. For instance, it will allow connection to the Defender backend which allow SecOps to continue to monitor, run live response (another action which gives SecOps shell access to the endpoint) to further analyze any suspicious behavior.

So what’s force release from isolation?

force release from Isolation is a batch script which will add some registry values to the endpoint to force it to release from isolation. This could be used if something happens on the network side where the endpoint is connected or if there is any other error that could break the release from isolation function from the portal.

Even though it’s very rarely necessary, it’s great to have such feature if something happens.

Downloading script

  • Go to device page and click on the more actions menu
  • Select force release from isolation
  • Run the script with administrative privileges

Script information

  • The script can only be downloaded from the Defender portal ( https://security.microsoft.com )
  • The script is only working for 3 days after download
  • The script is only working for the specific endpoint you download it for
  • Must be executed with local admin privileges

Minimum Requirements

  • Supports only Windows
  • The following Windows versions are supported:
    • Windows 10 21H2 and 22H2 with KB KB5023773
    • Windows 11 version 21H2, all editions with KB5023774
    • Windows 11 version 22H2, all editions with KB5023778

for further information, please visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#forcibly-release-device-from-isolation

Happy Hunting!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.