Configure Remove Host Isolation capability in Microsoft Defender for Endpoint

  • Release version: Zurich
  • Updated March 12, 2026
  • 1 minute to read

    • If needed, remove the isolation of a host that was previously isolated from the network in Microsoft Defender for Endpoint. You can prevent any other malicious activities or potential attacks on other hosts.

    Before you begin

    Table 1. Requirements for Remove Isolation capability
    Capability Required Input Description
    Remove Isolation Comment (Required) Comment to associate with the action.

    Role required: sn_si.admin or sn_si.analyst

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
    3. In the Related Links section, select Run EDR Profile(s).
    4. Browse and select a profile with Remove Isolation capability selected from the list of available profiles, and select Submit.
      Alternatively, you can perform the following steps:
      1. Select Show All Related Lists in the related lists section.
      2. Select the Configuration Item related list.
      3. Select Remove Isolation and select the corresponding capabilities.
    5. Validate the automation activity and activities section.
    6. View the data, and validate the isolate host details on the related lists.
    7. Validate the automation activities of the execution.