Admins in charge of securing Windows devices protected by Microsoft Defender for Endpoint can now “contain” a compromised unmanaged device to prevent lateral movement of data and slow down hackers.