Host Isolation/Remediation is recommended for endpoints and/or servers running Defender XDR. It gives the MDR SOC analysts the option to perform the following remediation actions on potentially infected devices:
- Quick Scan
- Full Scan
- Isolate Host
Process:
To add Microsoft Defender for Endpoint (WindowsDefenderATP) to your application, follow these steps:
Note: If you have already added the permissions for WindowsDefenderATP, you can skip to step 6.
1. Sign in to Azure Portal: Go to the Azure portal and log in with your credentials.
2. Navigate to App Registrations: In the left-hand menu, select Microsoft Entra ID (formerly Azure AD), then choose App registrations.
3. Find Your Application: Locate the application you want to configure, or create a new one by clicking New registration.
4. Add API Permissions:
   - Go to the API permissions section of your application.
   - Click Add a permission.
   - Select APIs my organization uses and search for WindowsDefenderATP.
   - Choose WindowsDefenderATP from the list.
   - Select the required permissions, such as Machine.Isolate, Machine.ReadWrite.All, and Machine.Scan, under Application permissions.
5. Grant Admin Consent: After adding the permissions, click Grant admin consent to apply them tenant-wide.
6. Return to the MDR Portal and open the MDR Profile section. Under Remediation Excluded Hosts, enter an IP address. If you do not have a host to exclude, use a placeholder address such as 1.1.1.1 (at least one entry is required before the system allows you to configure Remediation).
7. In the Microsoft Defender XDR integration you will see an option at the bottom called "Remediation". Click the blue Configure button to begin the setup process.
8. Select your desired Isolation/Remediation option: Do not perform remediations, Requires approval, or Always approve. Click Save at the bottom to complete the process.
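As an added check (not part of this guide or the MDR product), the following Python script audits whether the app registration ended up with exactly the WindowsDefenderATP application permissions the steps above call for, flagging both missing consent and permissions beyond least privilege. It works over the shape of two Microsoft Graph responses, the API's `appRoles` and the app's `appRoleAssignments`, using constructed sample data; the role IDs are made up.

```python
"""Audit WindowsDefenderATP application permissions granted to an app.

Admin consent for an application permission appears in Graph as an
appRoleAssignment on the client's service principal, so a required
permission with no assignment means it was never added or consented.
"""
from dataclasses import dataclass, field

# Permissions the MDR remediation workflow needs (from the setup steps).
REQUIRED_PERMISSIONS = {"Machine.Isolate", "Machine.ReadWrite.All", "Machine.Scan"}

# Constructed sample of the WindowsDefenderATP service principal's appRoles
# (shape of GET /servicePrincipals/{id}?$select=appRoles; IDs are made up).
WDATP_APP_ROLES = [
    {"id": "role-0001", "value": "Machine.Isolate", "allowedMemberTypes": ["Application"]},
    {"id": "role-0002", "value": "Machine.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0003", "value": "Machine.Scan", "allowedMemberTypes": ["Application"]},
    {"id": "role-0004", "value": "Alert.ReadWrite.All", "allowedMemberTypes": ["Application"]},
]

# Constructed sample of what the client app was actually granted
# (shape of GET /servicePrincipals/{id}/appRoleAssignments).
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "role-0001", "resourceDisplayName": "WindowsDefenderATP"},
    {"appRoleId": "role-0002", "resourceDisplayName": "WindowsDefenderATP"},
    {"appRoleId": "role-0004", "resourceDisplayName": "WindowsDefenderATP"},
    {"appRoleId": "role-9999", "resourceDisplayName": "Microsoft Graph"},
]


@dataclass
class PermissionReport:
    granted: set = field(default_factory=set)   # WDATP roles consented to
    missing: set = field(default_factory=set)   # required but not granted
    extra: set = field(default_factory=set)     # granted but not required

    @property
    def ok(self) -> bool:
        return not self.missing


def audit_wdatp_permissions(app_roles, assignments, required=REQUIRED_PERMISSIONS,
                            resource_name="WindowsDefenderATP") -> PermissionReport:
    """Map granted appRoleIds back to permission names and diff against `required`."""
    # Only application (not delegated) roles matter for a daemon-style integration.
    role_names = {r["id"]: r["value"] for r in app_roles
                  if "Application" in r.get("allowedMemberTypes", [])}
    granted = {role_names[a["appRoleId"]] for a in assignments
               if a.get("resourceDisplayName") == resource_name
               and a["appRoleId"] in role_names}
    return PermissionReport(granted=granted, missing=set(required) - granted,
                            extra=granted - set(required))


if __name__ == "__main__":
    report = audit_wdatp_permissions(WDATP_APP_ROLES, SAMPLE_ASSIGNMENTS)
    print("missing (add + grant admin consent):", sorted(report.missing))
    print("extra (review against least privilege):", sorted(report.extra))
```

With the sample data the report shows Machine.Scan missing and Alert.ReadWrite.All as an unneeded extra; in a real tenant, feed it the two Graph responses for your app and the WindowsDefenderATP service principal.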
Note: Please contact MDR Support by creating a ticket in your MDR Portal if you would like to schedule a test to verify your Microsoft Defender XDR Remediation (Host Isolation).