Microsoft has introduced automatic endpoint isolation as a preview feature in Defender for Endpoint, enabling the platform to autonomously disconnect compromised Windows workstations from the network without analyst intervention. This is an architectural change to enterprise containment workflows that SOC teams must evaluate and configure deliberately before enabling in production. Residual weaknesses in credential protection (CWE-316, CWE-522) and the risk of missed detections via Defender impairment techniques (T1562.001) mean isolation automation is a speed layer on existing detection, not a replacement for it.