We had a threat published on one of our endpoints. The endpoint is currently offline. We submitted the isolation request, but the endpoint did not come back online within the 3 day retry limit. Because of this, the endpoint did not get isolated when it finally did come back online. Is this normal behavior?
Microsoft Defender for Endpoint + Red Canary
The short answer is yes. This behavior is by design. Other EDR products will send isolation requests indefinitely until the endpoint comes back online. Once the endpoint comes back online it will be isolated/quarantined immediately.
Microsoft Defender for Endpoint has a 3-day retry rate limit. The reason for this, according to Microsoft, is that queuing isolation retry requests beyond the 3-day retry period could stack up pending actions for months until the machine comes back online. Ultimately, this is a limitation of the MDE application.