Enable Defender for Endpoint Automated Investigation

This Microsoft Defender for Endpoint article shows how to enable Automated Investigation and Remediation (AIR) for Windows machines.

AIR automates the end-to-end process of detecting a threat, raising an alert, and taking immediate action to resolve it. An AIR investigation starts once an alert is triggered and an incident is created.

Each AIR investigation ends with a verdict based on its results, which can be:

  • Malicious
  • Suspicious
  • No threats

Enable AIR

AIR is enabled per device group: you create a device group and assign a remediation policy to it.

To enable AIR, open the Microsoft Defender console and:

  • Click Settings
  • Click Endpoints
  • Click Device group
  • Click Add device group
  • Name the device group and select the remediation level from the drop-down list

To track active AIR cases, open Action Center and review all cases.
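Besides reviewing cases in the Action Center, the same list can be pulled from the Defender for Endpoint API and summarised by state. The script below is an added example, not code from the original post; it assumes the List investigations API endpoint (API_URL) and the `value`, `id`, `state` and `computerDnsName` response fields, and its sample payload and ACTIVE_STATES set are constructed for the demo.

```python
"""Summarise Microsoft Defender for Endpoint AIR investigations (added example,
not from the original post). Assumes the List investigations API at API_URL and
its `value`, `id`, `state`, `computerDnsName` fields; verify against the API
reference. ACTIVE_STATES and SAMPLE_RESPONSE are constructed for the demo."""
import json
import urllib.request
from collections import Counter

API_URL = "https://api.securitycenter.microsoft.com/api/investigations"  # assumption

# States that still need an analyst's attention (constructed list). "PendingApproval"
# is where a device group's semi-automated remediation level parks a case until
# someone approves the proposed action in the Action Center.
ACTIVE_STATES = {"Queued", "Running", "PendingApproval"}

# Constructed sample shaped like an API response so the demo runs offline.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "1001", "state": "Running", "computerDnsName": "ws-01.example.test"},
        {"id": "1002", "state": "PendingApproval", "computerDnsName": "ws-02.example.test"},
        {"id": "1003", "state": "SuccessfullyRemediated", "computerDnsName": "ws-03.example.test"},
        {"id": "1004", "state": "Benign", "computerDnsName": "ws-04.example.test"},
    ]
}

def summarize(payload):
    """Return (cases per state, cases still active) for an investigations payload."""
    cases = payload.get("value", [])
    counts = Counter(case.get("state", "Unknown") for case in cases)
    active = [
        {"id": case["id"], "state": case["state"], "device": case.get("computerDnsName")}
        for case in cases
        if case.get("state") in ACTIVE_STATES
    ]
    return dict(counts), active

def fetch_investigations(access_token, timeout=30):
    """Fetch live cases with an OAuth2 bearer token issued for the Defender API."""
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    counts, active = summarize(SAMPLE_RESPONSE)
    print("cases per state:", counts)
    for case in active:
        print(f"needs attention: {case['id']} ({case['state']}) on {case['device']}")
```

Replace `SAMPLE_RESPONSE` with `fetch_investigations(token)` to run it against a live tenant.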
