This Microsoft Defender for Endpoint article shows how to enable Automated Investigation and Remediation (AIR) for Windows machines.
AIR allows us to automate the entire end-to-end process of detecting, alerting and taking immediate action to resolve the issue. AIR starts once an alert is triggered and an incident is created.
On each AIR investigation, a verdict is determined based on the results, which can be:
- No threats
AIR works by creating a device group and assigning a remediation policy to it.
To enable AIR, open the Microsoft Defender console.
Click on Settings.
Click on Endpoints.
Click Device Group.
Click Add device group.
Name the device group and select the remediation level from the drop-down list below.
To track active AIR cases, open Action Center and review all cases.