Microsoft Defender stopped a GPO-based ransomware attack at a large educational institution, with predictive shielding intercepting the attack before the payload was deployed. The environment had more than two thousand devices, 33 servers, 11 domain controllers and 2 Entra Connect servers, all enrolled in Defender.
The attacker weaponised Group Policy Objects to push settings that disable Defender protections and to distribute the ransomware through scheduled tasks, but predictive shielding had already hardened the GPOs and blocked the tampering across about 700 devices. Defender's hardening prevented roughly 97% of attempted encryption, and no machine was encrypted via the GPO path. In total, more than 700 devices were protected, and rapid attack disruption contained the incident, sparing the customer major recovery costs and downtime. According to MITRE ATT&CK techniques observed.
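The two GPO artifacts the attacker relied on, a registry.pol that flips Defender policy values and a Group Policy Preferences ScheduledTasks.xml that launches a staged payload, both live in SYSVOL and can be audited directly. The script below is an added example written for this article; it is not Microsoft's code and not part of Defender. It parses the registry.pol binary format (PReg signature, version 1, UTF-16LE entries of the form [key;value;type;size;data]), flags the well-known Defender policy values that switch protection off, and flags preference tasks that run immediately, as SYSTEM, or from a UNC path. The sample registry.pol and ScheduledTasks.xml are constructed in memory so the script runs offline; in a real hunt you would read `Machine\registry.pol` and `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` from every `{GUID}` folder under `\\<domain>\SYSVOL\<domain>\Policies`.

```python
"""Hunt GPO artifacts for Defender tampering and task-based payload delivery.

Added example (not Microsoft's code). Sample inputs are constructed below.
"""
import struct
import xml.etree.ElementTree as ET

REG_DWORD = 4
SEP, OPEN, CLOSE = (c.encode("utf-16-le") for c in ";[]")

# Policy values that disable Defender when set to 1. Key paths are the real policy
# locations under HKLM\SOFTWARE\Policies; matching is case-insensitive.
_ROOT = "software\\policies\\microsoft\\windows defender"
_RTP = _ROOT + "\\real-time protection"
DEFENDER_TAMPER_VALUES = {
    (_ROOT, "disableantispyware"),
    (_RTP, "disablerealtimemonitoring"),
    (_RTP, "disablebehaviormonitoring"),
    (_RTP, "disableonaccessprotection"),
    (_RTP, "disableioavprotection"),
}


def _read_utf16z(data, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after NUL)."""
    end = pos
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(data):
    """Parse registry.pol bytes into [(key, value, type, raw_data), ...]."""
    if data[:4] != b"PReg" or struct.unpack_from("<I", data, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol")
    entries, pos = [], 8
    while pos < len(data):
        if data[pos:pos + 2] != OPEN:
            raise ValueError(f"malformed entry at offset {pos}")
        key, pos = _read_utf16z(data, pos + 2)
        value, pos = _read_utf16z(data, pos + 2)          # pos was on ';'
        vtype = struct.unpack_from("<I", data, pos + 2)[0]  # ';' then DWORD type
        size = struct.unpack_from("<I", data, pos + 8)[0]   # ';' then DWORD size
        pos += 14                                           # ';'+type+';'+size+';'
        entries.append((key, value, vtype, data[pos:pos + size]))
        pos += size + 2                                     # data then ']'
    return entries


def find_defender_tampering(entries):
    """Return 'key\\value = 1' strings for entries that disable Defender via policy."""
    return [f"{k}\\{v} = 1" for k, v, t, raw in entries
            if (k.lower(), v.lower()) in DEFENDER_TAMPER_VALUES
            and t == REG_DWORD and struct.unpack("<I", raw[:4])[0] == 1]


def find_suspicious_tasks(xml_text):
    """Flag GPP tasks that look like payload delivery: [(name, cmdline, [reasons])]."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        for exe in props.iter("Exec"):
            cmd = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            reasons = []
            if task.tag == "ImmediateTaskV2":
                reasons.append("immediate task (fires at next policy refresh on every target)")
            if run_as.lower().endswith("system"):
                reasons.append(f"runs as {run_as}")
            if "\\\\" in cmd or "\\\\" in args:
                reasons.append("UNC path in command line (payload staged on a share)")
            if reasons:
                findings.append((task.get("name", "?"), f"{cmd} {args}".strip(), reasons))
    return findings


def audit_gpo(registry_pol, scheduled_tasks_xml):
    """Run both checks over one GPO's artifacts."""
    return {"defender_tampering": find_defender_tampering(parse_registry_pol(registry_pol)),
            "suspicious_tasks": find_suspicious_tasks(scheduled_tasks_xml)}


def build_registry_pol(entries):
    """Serialise [(key, value, type, raw)] to registry.pol bytes (used to build the sample)."""
    u16z = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, vtype, raw in entries:
        out += (OPEN + u16z(key) + SEP + u16z(value) + SEP + struct.pack("<I", vtype)
                + SEP + struct.pack("<I", len(raw)) + SEP + raw + CLOSE)
    return out


# Constructed sample: a GPO that switches Defender off plus one unrelated setting.
SAMPLE_REGISTRY_POL = build_registry_pol([
    ("Software\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),
])

# Constructed, abridged ScheduledTasks.xml: one routine task and one staged-payload task.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks>
  <TaskV2 name="NightlyBackup"><Properties action="U" name="NightlyBackup" runAs="CONTOSO\\svc_backup">
    <Task><Actions><Exec><Command>C:\\Scripts\\backup.cmd</Command></Exec></Actions></Task>
  </Properties></TaskV2>
  <ImmediateTaskV2 name="Update"><Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
    <Task><Actions><Exec><Command>cmd.exe</Command>
      <Arguments>/c \\\\dc01\\netlogon\\update.exe</Arguments></Exec></Actions></Task>
  </Properties></ImmediateTaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for section, items in audit_gpo(SAMPLE_REGISTRY_POL, SAMPLE_SCHEDULED_TASKS_XML).items():
        print(section, *items, sep="\n  ")
```

Run it across every GPO in SYSVOL on a schedule and alert on any hit; a legitimate change to these Defender values is rare enough that each one deserves a ticket, and an ImmediateTaskV2 running as SYSTEM from a share is exactly the deployment primitive described above.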