Team: Huntress EDR
Summary: Host isolation on the latest agent (0.13.54+) will result in on-screen notifications informing end users of the next steps.
Host Isolation - End User Notification Feature
Starting with Huntress Agent version 0.13.54 and newer, the end user will receive an on-screen notification if Huntress isolates a host. This notification opens with the default browser app or the primary HTML file viewer. The notification preview below dynamically displays the Account Name associated with the partner in the Huntress portal and urges the end user to contact the partner for additional information.
Incident reports will still be sent for all host isolation events, even if an on-screen host notification is not received.
Note: The notification appears only once and can be dismissed by the end user. Users should be informed to contact their IT administrator if they get this notification.
Q. What if no user is logged in at the time of isolation? What if a user logs on after isolation is applied?
A. No notifications directly on the host will be sent if no users are signed on. Only users who are logged on at the time of isolation will receive the notification via the browser or HTML file viewer. Isolation will be applied to the host and an incident report with details will still be generated as normal with no additional alerting.
Q. What if multiple users are logged in to the host at the same time?
A. Each logged in user will receive a browser / HTML file notification, even if they are not the active user on the host.
Q. Will roaming users receive notifications?
A. Roaming user profiles will not receive host isolation notifications.
Q. What happens if the host is a server?
A. Each logged in user will receive browser / HTML file notifications, the same as a workstation. If no user is logged in, no notification will be sent via the host directly. Incident reports will still be sent.
Q. What browser or HTML File viewer will be used for the notification?
A. The notification will appear on the default application registered to view HTML files on the host. Browsers (Chrome, Firefox, Safari, Edge, Internet Explorer, Opera, etc...) as well as non-browser HTML file viewer applications (ex: text editors) are supported. If a custom HTML viewer has not been assigned, the notification will open in the default system-registered application instead. You do not need to specify which one to use.
Q. What if the host is running multiple versions of Windows?
A. Notifications will be sent to any registered Windows version that supports host isolation. These include Windows 10 and 11, Server 2016, 2019, 2022, as well as different versions like Home, Education and Pro.
Q. Will additional notifications be sent when host isolation is removed?
A. No. Notifications are only sent when a host is isolated. No additional notifications are sent when the host is released. Notifications are also not sent if host isolation fails to apply or host isolation release fails to complete.
Q. Is it possible to not receive an on-screen notification even if the user is signed in?
A. Notifications will only apply when a host is isolated via the Windows Filtering Platform (WFP), which is the primary mechanism used to enforce isolation. If WFP fails, Group Policy Objects (GPO) will be used to apply host isolation instead. In these instances, host side notifications will not generate. The use of GPO to apply host isolation is infrequent and does not regularly occur, but is a failback if WFP fails.