This Microsoft Defender for Endpoint article shows how to enable Automated Investigation and Remediation (AIR) for Windows devices.
AIR automates the end-to-end process of investigating an alert, collecting evidence from the affected device, reaching a verdict and taking remediation action (for example quarantining a file or stopping a process). An automated investigation starts when an alert is triggered on a device and an incident is created; depending on the automation level you configure, remediation actions either run automatically or wait in the Action Center for an analyst's approval.
On each AIR investigation, a verdict is determined based on the results, which can be:
- Malicious
- Suspicious
- No threats
Enable AIR
AIR is configured per device group: each device group carries an automation (remediation) level, and that level applies to every device that matches the group's membership rules. Devices that do not match any group fall into the built-in "Ungrouped machines (default)" group, which has its own automation level, so check that group as well if you expect AIR on all devices.
To enable AIR, open the Microsoft Defender portal (security.microsoft.com).
Click on Settings
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-1.png)
Click on Endpoints
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-2.png)
Click Device Group
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-3.png)
Click Add device group
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-4.png)
Name the device group and select the automation (remediation) level from the drop-down list below. The choices range from "Full - remediate threats automatically" (recommended; remediation runs without approval), through the "Semi" levels (remediation of some or all folders requires approval in the Action Center) to "No automated response" (no automated investigation runs at all). Devices are matched to the group by the membership rules on the next tab, and a device that matches several groups gets the level of the highest-ranked group, so review the group order after saving.
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-5.png)
To track AIR cases, open the Action Center: the Pending tab lists remediation actions waiting for approval (only relevant on the "Semi" levels), and the History tab lists actions already taken, where any action can still be undone.
![](https://ntweekly-3e2e1f4957bdf35452c0-endpoint.azureedge.net/blobntweekly18036ad1fb/wp-content/uploads/2023/08/image-6.png)
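For teams that would rather script the Action Center check than click through it, the following PowerShell is an added example (it is not part of the original article and not Microsoft's own tooling). It lists automated investigations that are still running or waiting for approval through the Defender for Endpoint "List investigations" API. It assumes an Entra ID app registration with the Alert.Read.All application permission on the WindowsDefenderATP API, and takes that app's tenant ID, client ID and client secret as parameters; all three values are placeholders you supply.

```powershell
# Added example (not from the original article): list automated investigations
# that still need attention, using the Defender for Endpoint investigations API.
# Assumptions (not in the article): an Entra ID app registration with the
# "Alert.Read.All" application permission on the WindowsDefenderATP API, and its
# tenant ID / client ID / secret supplied through the parameters below.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret
)

$ErrorActionPreference = 'Stop'

# 1. Client-credentials token scoped to the Defender for Endpoint API resource.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Investigations that are not finished: the API supports an OData $filter
#    on the 'state' property, so ask only for the open states.
$openStates = @('Running', 'PendingApproval', 'PendingResource', 'Queued')
$filter = ($openStates | ForEach-Object { "state eq '$_'" }) -join ' or '
$uri = "https://api.securitycenter.microsoft.com/api/investigations?`$filter=$([uri]::EscapeDataString($filter))"

$investigations = @()
do {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $investigations += $page.value
    # Follow @odata.nextLink when the service pages the result; $null ends the loop.
    $uri = $page.'@odata.nextLink'
} while ($uri)

# 3. Oldest first, so approvals that have been waiting longest surface at the top.
$investigations |
    Sort-Object startTime |
    Select-Object id, computerDnsName, state, startTime, triggeringAlertId |
    Format-Table -AutoSize

$pending = @($investigations | Where-Object state -eq 'PendingApproval').Count
"{0} open investigation(s); {1} waiting for approval in the Action Center." -f $investigations.Count, $pending
```

Run it as `.\Get-OpenInvestigations.ps1 -TenantId <tenant> -ClientId <appId> -ClientSecret <secret>` (the script name is the example's own). A non-zero "waiting for approval" count on a group set to a "Semi" level is the signal to open the Action Center's Pending tab; if every device group is on "Full - remediate threats automatically", that count should stay at zero and anything in PendingApproval points at a group whose level was not set as intended.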