Microsoft added two preview capabilities to Defender for Endpoint in its May 2026 release: automatic device isolation as part of automatic attack disruption, and scheduled antivirus scans for Linux endpoints. Both features address the same core problem in enterprise security, which is that attackers move faster than manual response can contain them.

This guide covers how each feature works, what you need before enabling them, and how to configure them in your environment.
What Is Defender for Endpoint Automatic Device Isolation?
Defender for Endpoint automatic device isolation is a new preview feature that disconnects a compromised workstation from the network automatically when the platform detects active attack behavior. The isolation triggers without waiting for a security operator to act.
When Defender for Endpoint isolates a device, the endpoint loses access to most network communication. It retains connectivity to the Defender for Endpoint service itself, which keeps monitoring the device and collecting telemetry for the duration of the isolation.
Microsoft built the feature to cut off ransomware propagation and block lateral movement before attackers reach additional systems on your network.
Current Preview Limitations
Automatic device isolation currently works only on end-user workstations that are onboarded and managed by Microsoft Defender for Endpoint. It does not cover servers or unmanaged devices in this preview stage.
How Automatic Isolation Fits Into Attack Disruption
Automatic device isolation operates as one component of Microsoft’s broader automatic attack disruption system. That system combines multiple automated responses during an active threat, and device isolation is the most aggressive containment action it can apply at the endpoint level.
Microsoft previously gave admins the ability to manually contain unmanaged Windows devices. It later added user account isolation in October 2023 to block lateral movement in hands-on-keyboard ransomware attacks. Automatic device isolation extends that logic to workstations by removing the manual trigger entirely.
The feature also connects to a separate capability Microsoft began testing in 2026, which automatically blocks traffic to and from undiscovered Windows endpoints to prevent attackers from reaching non-compromised devices on the network.
For environments that face data exfiltration attempts or active credential abuse, automatic isolation gives Defender a way to act at the endpoint layer before your team processes the alert.
For the full feature list in this release cycle, see the Microsoft Defender for Endpoint May 2026 release notes.
Prerequisites for Automatic Device Isolation
Before automatic device isolation can trigger in your environment:
- Devices must be onboarded and managed by Microsoft Defender for Endpoint
- Only end-user workstations qualify in the current preview
- Automatic attack disruption must be active in your tenant
No separate toggle enables automatic isolation. Defender for Endpoint applies it automatically based on its threat signals once devices meet the onboarding requirements above.
How to View Automatic Isolation Actions
After Defender isolates a device, you can review the action from three locations in the Defender portal.
Via the incident Activities tab:
- Open the relevant incident in the Defender portal
- Select the Activities tab
- Locate the device isolation action and confirm its status
Via the device page:
- Go to Assets > Devices
- Open the affected device
- Check the isolation status shown on the device overview
Via Action Center:
- Open Action Center in the Defender portal
- Review the full action history and current isolation state for the device
All three views confirm that isolation occurred and show whether it remains active.
For full details on how isolation works, see the automatic attack disruption isolation documentation.
How to Release a Device from Automatic Isolation
Microsoft does not end isolation automatically. A security operator must release the device after completing investigation and mitigating the risk.
From Device inventory:
- Open the Defender portal
- Navigate to Assets > Devices
- Select the isolated device
- Choose Release from isolation from the action menu
From the device page:
- Open the affected device page directly
- Select Release from isolation from the available actions
The device reconnects to the network after you confirm the release. Operators can release a device at any time, including before investigation is complete, if operational needs require it.
What Is New in Linux Antivirus Scheduling for Defender for Endpoint?
Also launching in preview in May 2026, administrators can now configure scheduled antivirus scans on Linux endpoints managed by Defender for Endpoint. Previously, this required custom cron jobs managed outside Defender’s centralized tooling.
The new scheduling feature supports three modes:
- Hourly quick scans: run a quick scan at a defined interval (every N hours)
- Daily quick scans: run a quick scan once per day at a specific time
- Weekly scans: run either a quick scan or a full scan on a specified day and time
Daily and weekly schedules can coexist on the same device. A common configuration pairs a daily quick scan for routine coverage with a weekly full scan for deeper inspection.
If you manage Linux endpoints alongside Windows systems, you can now run a Microsoft Defender virus scan across both platforms from the same centralized portal. If you also manage Linux systems with kernel-level security concerns, see the guide on CVE-2026-46333: How to Fix the Linux Kernel Privilege Escalation Vulnerability.
For official Microsoft documentation on this feature, see Schedule antivirus scans on Linux.
Prerequisites for Linux Scheduled Scans
Before configuring scheduled scans on Linux:
- Microsoft Defender for Endpoint must be installed and onboarded on a supported Linux distribution
- Devices must run agent version 101.26032.0000 or later in the production ring
- Devices must report as healthy to the Defender service
If you plan to use the Defender portal method (Security Settings Management), you also need permissions to create and assign security policies.
If you plan to use managed JSON configuration, you need the ability to deploy files to /etc/opt/microsoft/mdatp/managed on target devices.
Method 1: Configure Scheduled Scans via the Defender Portal
This method uses Security Settings Management in the Microsoft Defender portal. Microsoft recommends it for large-scale fleet deployment.
- Configure your tenant to support Security Settings Management
- In the Defender portal, go to System > Settings > Endpoints > Configuration management > Enforcement scope and select the Linux platform
- Tag target devices with the MDE-Management tag
- Create a Microsoft Entra group for your Linux devices (use a dynamic group based on OS type to include all Defender-onboarded Linux devices automatically, so you do not need to update the group as devices are added)
- In the Defender portal, go to Endpoints > Configuration management > Endpoint security policies and select Create new policy
- Set Platform to Linux
- Select the Microsoft Defender Antivirus template and click Create policy
- Enter a name and description on the Basics page, then select Next
- On the Configuration settings page, scroll to the Schedule Scan section and configure your scan schedule
- On the Assignments page, select the Entra group created above
- On the Review + create page, select Save
Most devices receive the policy within minutes. Some devices may take up to 24 hours to enroll and apply the policy.
Method 2: Configure Scheduled Scans via Managed JSON
This method suits enterprise environments that already use configuration management tools such as Puppet or Ansible to manage Defender settings.
If you currently use an mdatp_managed.json file for other Defender settings such as exclusions or antivirus preferences, append the scheduled scan configuration to your existing file rather than replacing it. Replacing the file removes your current settings.
Push the configuration to /etc/opt/microsoft/mdatp/managed/mdatp_managed.json:
{
"antivirusEngine": {
"scheduledScan": "enabled"
},
"scheduledScan": {
"weeklyConfiguration": {
"dayOfWeek": 7,
"scanType": "full",
"timeOfDay": 180
},
"dailyConfiguration": {
"timeOfDay": 180
},
"runScanWhenIdle": true,
"lowPriorityScheduledScan": true,
"checkForDefinitionsUpdate": true,
"ignoreExclusions": true,
"randomizeScanStartTime": 3
}
}The example above runs a weekly full scan on Saturday at 3:00 AM and a daily quick scan at 3:00 AM, with low CPU priority and a 3-hour randomized start window to avoid simultaneous scans across your fleet.
Key settings reference:
| Setting | Description | Example value |
|---|---|---|
timeOfDay | Minutes from midnight (device local time) | 120 = 2:00 AM |
dayOfWeek | 0 = disabled, 1 to 7 = Sunday to Saturday, 8 = every day | 7 = Saturday |
scanType | Scan type for weekly scans only | full or quick |
runScanWhenIdle | Delays scan until system is idle | true |
lowPriorityScheduledScan | Reduces CPU impact during the scan | true |
checkForDefinitionsUpdate | Checks for updates before the scan starts | true |
randomizeScanStartTime | Hours of randomization window (0 to 23) | 3 |
ignoreExclusions | Runs scan without honoring configured exclusions | false |
Note: If you configure both
intervalandtimeOfDayfor daily scans, Defender creates two independent quick scan schedules. Both run at their defined times, which can result in multiple scans per day.
Method 3: Configure Scheduled Scans via Command Line (mdatp CLI)
Use this method for testing or single-device configuration. Microsoft does not recommend it for fleet-wide deployment.
Enable scheduled scans:
mdatp config scheduled-scan settings feature --value enabledConfigure a daily quick scan at 2:00 AM (120 minutes from midnight):
mdatp config scheduled-scan quick-scan time-of-day --value 120Configure an interval-based quick scan every 6 hours:
mdatp config scheduled-scan quick-scan hourly-interval --value 6Configure a weekly full scan every Wednesday at 3:00 AM:
mdatp config scheduled-scan weekly-scan --day-of-week 4 --time-of-day 180 --scan-type fullConfiguration Precedence
When you configure scheduled scans through more than one method, Defender portal policies (Security Settings Management) take precedence over local configuration from managed JSON or the mdatp CLI.
If settings conflict, the portal policy wins. Use CLI-based configuration only in testing environments where you do not push managed policies centrally.
How to Verify Scheduled Scans Are Running
After configuring scheduled scans, confirm the configuration applies and scans execute as expected.
Check current configuration:
mdatp health --details scheduled_scanThis command shows the current scheduled scan settings applied to the device.
View scan history:
mdatp scan listThis command displays completed and ongoing scans.
Verify via the Defender portal:
- Go to Assets > Devices
- Open the target Linux device
- In the Overview tab, find the Device health status section
- Check the Last full scan and Last quick scan fields
What Else Is New in Defender for Endpoint (May 2026)
Microsoft released several additional updates alongside the two preview features above.
- Enhanced exposure score in Defender Vulnerability Management (Preview): The updated exposure score model incorporates exploit prediction scoring (EPSS) data and asset context factors such as internet-facing status and asset criticality. This gives security teams more accurate risk prioritization across their vulnerability backlog.
- Custom data collection (GA): Custom data collection is now generally available. Organizations can expand telemetry collection beyond default configurations using rule-based filtering for specific events from endpoint devices. The maximum event limit per rule increased from 25,000 to 75,000 events per device within a 24-hour rolling window.
- Offline security intelligence updates for Linux (GA): Admins can now configure offline security intelligence update settings for Linux directly from the Defender portal and the Intune portal.
- Selective Response Actions (Preview): Selective Response Actions lets organizations control how high-impact security response actions apply to Tier-0 systems and other high-value assets. This helps maintain operational stability for critical infrastructure during active incident response.
Frequently Asked Questions
Do scheduled scans require real-time protection to be enabled on Linux?
No. Scheduled scans run independently of real-time protection and work even when real-time protection is disabled or the device runs in passive or on-demand mode.
Can daily and weekly scans run together on the same Linux device?
Yes. Daily and weekly configurations coexist on the same device. A common setup pairs daily quick scans for routine coverage with a weekly full scan for deeper inspection.
What scan type do daily scans use?
Daily scans always use the quick scan type. Full scan type is only configurable for weekly scans.
What happens if a Linux device is offline when a scheduled scan should run?
If the device is asleep, the scan runs when the device resumes. If the device is off, the scan runs at the next scheduled scan time.
What time zone does Linux scan scheduling use?
All scheduled scan times evaluate using the device’s local time zone.
Does automatic device isolation apply to all endpoint types?
In the current preview, automatic device isolation covers only end-user workstations onboarded and managed by Defender for Endpoint. Servers and unmanaged devices are not supported at this stage.
Can operators release an isolated device before investigation is complete?
Yes. Operators can release a device from isolation at any time using the Release from isolation action in the Device inventory or on the device page.
