How To Use Device Isolation Exclusions in Defender

Realistic cyberpunk Doberman in Levacloud-branded suit looking at a smartphone on a remote beach, with a sign that says “wifi 1000 miles” — visualizing device isolation exclusions.

Device Isolation Exclusions in Defender

Device isolation in Microsoft Defender for Endpoint blocks nearly all network connections to and from a device to contain a threat, while still allowing Defender to manage it. Exclusions let you allow specific, trusted connections so the device can still reach what it needs while staying isolated.

In this guide, you’ll learn when to use these exclusions, the different types you can configure, and the best practices to make sure they help your security, not weaken it. We’ll also cover common mistakes to avoid and answer the most frequently asked questions, so you can set up isolation exclusions with confidence before an incident occurs.

Did You Know We Can Help You With Defender At Zero Cost?

    • Learn-as-you-do style training in your own environment.
    • Immediate knowledge transfer to get your team up-to-speed on Defender.
    • Ask experts questions live as they come up.
    • All calls are recorded so you can use them for future training.
    • Get best practices for configuring Defender features.
    • Findings, recommendations, and a high-level roadmap for next steps.

Check Your Eligibility For Free Funding

This field is for validation purposes and should be left unchanged.
Name(Required)

Why Device Isolation Matters

You know that when a threat is detected on an endpoint, speed matters. Device isolation in Defender for Endpoint lets you contain that risk by cutting off almost all network traffic immediately. This reduces the attacker’s ability to move to other systems, steal data, or spread malicious code.

Without isolation, even a single compromised device can become a launch point for further attacks. By limiting its communication, you keep the impact contained while you investigate and remediate. Exclusions make this process flexible, allowing the device to maintain only the connections you trust, such as a security update server or a remote management tool.

At Levacloud, we often see organizations wait until an incident to think about isolation. The problem is that during an active threat, there’s little time to decide which systems an isolated device still needs to reach. Planning your Defender for Endpoint exclusions in advance ensures that when isolation is triggered, you can act without disrupting critical security or business processes.

When to Use Device Isolation Exclusions

You shouldn’t configure device isolation exclusions for every endpoint. They’re meant for specific, high-value scenarios where an isolated device still needs limited access to trusted resources.

Common examples include:

  • Access to security remediation tools – Allow the endpoint to download patches or run cleanup scripts from approved servers.
  • Remote investigation access – Permit a secure connection for your security team to collect logs or run diagnostics.
  • Critical business functions – Maintain access to a line-of-business application that must continue operating, even during containment.

The key is to plan these Defender for Endpoint exclusions in advance. Broad or poorly considered rules can give an attacker room to operate, which defeats the purpose of isolation. At Levacloud, we recommend keeping the list as short as possible and regularly reviewing it to make sure it aligns with your current infrastructure and security strategy.

Sign Up To Our Newsletter

We’ll keep you up to date on the latest in Microsoft Cybersecurity.

Types of Device Isolation Exclusions

When a device is put into isolation mode in Microsoft Defender for Endpoint, it loses most of its network access. Device isolation exclusions give you a way to selectively restore certain connections without removing the protection that isolation provides. The goal is to allow only what is absolutely necessary for security or business continuity.

Here’s a deeper look at the main types of exclusions you can configure, and when each is most useful:

IP Address or Subnet Exclusions

These allow an isolated device to communicate with a specific IP address or an entire subnet.

  • For critical, on-premises services such as WSUS update servers, management servers, or a secure remote access gateway.
  • Use the most specific IP possible and avoid adding large ranges unless there is a clear, documented business case.
  • Broad subnets can create unmonitored pathways for attackers to move laterally, especially if other endpoints in that range are not fully secured.

Domain Name Exclusions

This lets you approve connections to specific domains, which can be important for cloud services or vendor-hosted security tools.

  • To maintain access to a trusted SaaS platform, cloud storage, or a vendor’s remediation tool.
  • Verify the domain is under your direct control or from a vendor you trust and actively monitor. If possible, use DNS filtering to ensure the device connects only to that domain’s legitimate IPs.
  • If the approved domain is ever compromised (e.g., via DNS hijacking), the attacker could exploit the open path.

Process or Application-Based Exclusions

In certain configurations, you can grant a specific application or process permission to communicate during isolation (only in specific scenarios).

  • For remote support software, advanced diagnostic tools, or automated cleanup utilities that require network connectivity.
  • Scope this tightly. Limit permissions to only the exact process or executable needed and confirm it’s signed by a trusted certificate.
  • If an attacker can inject malicious code into that process, they could exploit the allowed connection.

Combined Exclusions for Complex Scenarios

Sometimes you’ll need to layer exclusions. For example, allowing a process to connect only to a specific domain. This reduces the risk compared to giving that process unrestricted internet access.

At Levacloud, we often help clients map their Defender for Endpoint exclusions. Every allowed connection should have a clear operational purpose, be documented, and reviewed regularly. Over time, we’ve found that organizations that keep their isolation exclusions minimal and highly specific have a much stronger security posture and faster recovery times after an incident.

Are You Dealing With A Microsoft Cybersecurity Challenge?

You have a pressing issue, but you’re not sure if Levacloud can help. We get it. Everyone has unique challenges they face in their IT environments. Schedule a free call today and talk us through it.

We’ll let you know how we can best support you.

How to Configure Device Isolation Exclusions

You can set up device isolation exclusions in the Microsoft 365 Defender portal. While the process is straightforward, the key is in applying it deliberately and testing it before you rely on it during an incident.

Step 1 – Open Device Isolation Settings

  1. Sign in to the Microsoft 365 Defender portal.
  2. Go to Settings > Endpoints > Advanced features.
  3. Locate Device isolation in the list and make sure it’s turned on.

Step 2 – Define Your Exclusions

  • Open Isolation Exclusions from the settings panel.
  • Add the IP address, subnet, or domain name you want to allow.
  • For process-based exclusions (if applicable in your configuration), specify the exact executable path.

Step 3 – Apply Scope to Device Groups

  • Assign the exclusions to the relevant device groups in Defender for Endpoint.
  • Avoid applying globally unless every device truly requires the same exclusion.

Step 4 – Test Before You Need It

  • Put a non-production device into isolation.
  • Confirm that the allowed connection works exactly as intended — and nothing else does.
  • Document your results so you can repeat the process quickly in a live incident.

Step 5 – Review and Update Regularly

  • Revisit your Defender for Endpoint exclusions at least quarterly.
  • Remove entries that are no longer needed.
  • Keep your documentation synced with any changes.

We can help you to configure and validate isolation exclusions as part of a broader Defender for Endpoint deployment, ensuring that the setup works seamlessly during incident response without creating unnecessary exposure.

Not sure if your device isolation exclusions are set up right?

Our team of Microsoft-Certified security experts can help.

Best Practices for Device Isolation and Exclusions

The power of device isolation in Microsoft Defender for Endpoint comes from how restrictive it is. Every exclusion you add creates a potential pathway back into your network, which is why you should approach them with caution.

Keep the List Minimal

Only allow what is absolutely required for investigation, remediation, or essential business continuity.
Avoid long exclusion lists that include non-critical systems. We’ve seen cases where over-generous exclusions allowed attackers to maintain network access, making isolation ineffective.

Be Specific

Choose the narrowest possible scope — a single IP, domain, or process. Avoid ranges, wildcards, or generic entries.
Avoid approving an entire subnet or multiple domains just because it’s “easier” during a crisis. This opens far more access than you may realise.

Document the Reason for Each Exclusion

Record why it’s needed, who approved it, and when it should be reviewed.
Avoid leaving undocumented exclusions in place. Over time, teams forget why they exist — and attackers can exploit them.

Review Regularly

Remove outdated exclusions promptly. Review at least quarterly, or more often if your environment changes frequently.
Avoid assuming “set it and forget it” works. Stale exclusions often outlive the systems they were meant for.

Test Under Controlled Conditions

Run periodic isolation tests on non-production devices to confirm both allowed and blocked connections behave as expected.
Avoid waiting for a real incident to discover that your exclusions don’t work — or worse, allow too much.

Align With Your Incident Response Plan

Plan your exclusions in advance, so when a device is isolated, there’s no guesswork. At Levacloud, we align configurations with your playbooks to ensure security and continuity go hand in hand.
Avoid scrambling during an active threat to figure out what should and shouldn’t be allowed, it slows response time and increases your risk.

How Levacloud Can Help with Device Isolation

Correctly configuring device isolation exclusions in Microsoft Defender for Endpoint isn’t just about ticking boxes, it’s about balancing containment and connectivity without introducing unnecessary risk. At Levacloud, we help you plan, configure, and test these exclusions so they work exactly as intended when you need them most.

We integrate isolation planning into your wider security strategy, align it with your incident response playbooks, and ensure every exclusion has a clear operational purpose. That way, you’re ready to act fast while keeping threats locked down.

Ask Us A Question

Wondering if Levacloud can solve your Microsoft Cybersecurity related challenge? Drop us a message!

This field is for validation purposes and should be left unchanged.

Conclusion

Device isolation is one of the most effective containment tools in Microsoft Defender for Endpoint, but its power depends on how you configure it. Thoughtfully planned exclusions can keep your remediation process moving without opening the door to more risk.

By setting them up in advance, testing them regularly, and keeping them tightly scoped, you ensure your isolation strategy supports your security goals instead of undermining them.

If you’re ready to review your Defender for Endpoint setup and make sure your device isolation exclusions are optimized, the Levacloud team can help you put the right plan in place.

FAQ’s: Device Isolation Exclusions in Defender

Do device isolation exclusions apply to all devices automatically?

No. Exclusions are scoped to the device groups you assign them to in Microsoft Defender for Endpoint. Applying them globally is possible, but it’s rarely the safest choice.

Can I configure different exclusions for different device groups?

Yes. Scoping by device group lets you keep exclusions precise and relevant to specific systems.

Will device isolation exclusions remain after a device is removed from isolation?

No. These exclusions only apply during isolation. Once the device is reconnected to the network normally, standard network and security policies take over.

Can I test device isolation without impacting production devices?

Yes. Use a non-production endpoint to simulate isolation and verify your planned exclusions behave as expected.

What’s the difference between device isolation exclusions and other Defender for Endpoint exclusions?

Device isolation exclusions control which network connections are allowed in isolation mode. Antivirus exclusions control what files or processes Defender ignores during scans — they serve a different purpose.

Should I configure device isolation exclusions before or during an incident?

Before. Pre-configuring ensures faster containment during an active threat.

Can device isolation be triggered automatically?

Yes. In Defender for Endpoint, certain automated investigation and remediation workflows can isolate a device based on specific alerts or indicators.

Do isolation exclusions override firewall rules?

No. Firewall rules still apply. If a firewall blocks traffic, an isolation exclusion will not bypass it.

Can I limit exclusions to certain ports or protocols?

Not directly in the isolation exclusion settings. To control ports and protocols, you’d combine exclusions with firewall or network security rules.

Will isolation affect VPN connections?

Yes. In most cases, VPN traffic is blocked unless you specifically add the VPN server to your isolation exclusions.

What happens if I remove an exclusion while a device is isolated?

The connection allowed by that exclusion will stop working immediately for that isolated device.

Post Reviewed by Gareth Young, CISSP

This blog post was reviewed and validated by Gareth Young, a Microsoft Security and Compliance Expert with 15 years of experience in Microsoft solutions. As the founder of Levacloud, Gareth specializes in Security, Modern Work and Security Arcitecture. He holds multiple Microsoft certifications, including: AZ-500, MS-500, SC-400, MS-101, MS-100, MS-900 as well as the CISSP certification.

Gareth Young
LinkedIn

Related Posts