Microsoft Enables Automatic Remediation in Defender for Endpoint

Microsoft this week announced that it has enabled automatic threat remediation in Microsoft Defender for Endpoint for users who opted into public previews.


Previously, the default automation level was set to Semi, meaning that users were required to approve any remediation. Now, for increased protection, the default has been set to Full, and remediation is automatically applied to all identified threats.


For all alerts, Microsoft Defender for Endpoint automatically starts an investigation on the machine, inspecting files, processes, registry keys, services, and anything else that may contain threat-related evidence.


The result of such an investigation is a list of entities related to the alert, each classified as malicious, suspicious, or clean. For each identified malicious entity, a remediation action is created to either contain or remove it.


Microsoft Defender for Endpoint defines, executes and manages these actions, without requiring intervention from security operations teams, the tech company explains.


These remediation actions are either automatically approved without warning, if the device automation level is set to Full, or require manual approval, if the automation level is set to Semi. Having remediation actions automatically applied could save time and help contain infections, Microsoft argues.


Remediation actions can be queued for devices that are not available and will be automatically triggered when these devices become available.


Admins can head to the Action Center to view all remediation actions (running, pending, or completed), and can also undo them, either for a specific device or across the organization, if a device or a file is not considered a threat.


Microsoft says it has decided to upgrade the default automation level to Full due to ..