Microsoft Enables Automatic Remediation in Defender for Endpoint

Microsoft this week announced that it has enabled automatic threat remediation in Microsoft Defender for Endpoint for users who opted into public previews.

Previously, the default automation level was set to Semi, meaning that users were required to approve any remediation. Now, for increased protection, the default was set to Full, and remediation is automatically applied to all identified threats.

For all alerts, Microsoft Defender for Endpoint automatically starts an investigation on the machine, inspecting files, processes, registry keys, services, and anything else that may contain threat-related evidence.

The result of such an investigation is a list of entities related to the alert, which are classified as malicious, suspicious, or clean. For each of the identified malicious entities, a remediation action is created, to either contain or remove.

Microsoft Defender for Endpoint defines, executes and manages these actions, without requiring intervention from security operations teams, the tech company explains.

These remediation actions are either approved automatically, without prompting an analyst, if the device automation level is set to Full, or require manual approval if the automation level is set to Semi. Having remediation actions applied automatically could save time and help contain infections, Microsoft argues.

Remediation actions can be queued for devices that are not available and will be automatically triggered when these devices become available.

Admins can head to the Action Center to view all remediation actions (running, pending, or completed), and can also undo them, either for a specific device or across the organization, if a device or a file is not considered a threat.
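To make the Semi/Full distinction, the queuing for offline devices, and the per-device versus organization-wide undo concrete, here is an added Python model of the remediation action lifecycle as the article describes it. It is not Microsoft's code and not an API of Defender for Endpoint; the device names, entity names, and verdicts are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class AutomationLevel(Enum):
    SEMI = "semi"  # every remediation action waits for analyst approval
    FULL = "full"  # remediation actions are approved automatically


class Verdict(Enum):
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    CLEAN = "clean"


class ActionState(Enum):
    PENDING_APPROVAL = "pending"  # created under Semi, waiting for an analyst
    QUEUED = "queued"             # approved, but the device is offline
    COMPLETED = "completed"       # applied on the device
    UNDONE = "undone"             # rolled back from the Action Center


@dataclass
class Entity:
    name: str
    kind: str  # "file", "process", "registry key", "service"
    verdict: Verdict


@dataclass
class Device:
    device_id: str
    automation_level: AutomationLevel
    online: bool


@dataclass
class RemediationAction:
    device_id: str
    entity: Entity
    state: ActionState


class ActionCenter:
    """Toy model of the investigate -> action -> approve -> undo flow (not Microsoft's)."""

    def __init__(self) -> None:
        self.actions: List[RemediationAction] = []

    def investigate(self, device: Device, entities: List[Entity]) -> List[RemediationAction]:
        """One remediation action per malicious entity; suspicious and clean get none."""
        created = []
        for entity in entities:
            if entity.verdict is not Verdict.MALICIOUS:
                continue
            action = RemediationAction(device.device_id, entity, ActionState.PENDING_APPROVAL)
            self.actions.append(action)
            created.append(action)
            if device.automation_level is AutomationLevel.FULL:
                self.approve(action, device)  # Full: no analyst in the loop
        return created

    def approve(self, action: RemediationAction, device: Device) -> ActionState:
        """Approve an action: it runs now if the device is reachable, else it is queued."""
        if action.state is ActionState.PENDING_APPROVAL:
            action.state = ActionState.COMPLETED if device.online else ActionState.QUEUED
        return action.state

    def device_came_online(self, device: Device) -> int:
        """Run queued actions once the device is available; returns how many ran."""
        device.online = True
        ran = 0
        for action in self.actions:
            if action.device_id == device.device_id and action.state is ActionState.QUEUED:
                action.state = ActionState.COMPLETED
                ran += 1
        return ran

    def undo(self, entity_name: str, device_id: Optional[str] = None) -> int:
        """Undo completed actions for an entity on one device, or org-wide if device_id is None."""
        undone = 0
        for action in self.actions:
            if action.entity.name != entity_name or action.state is not ActionState.COMPLETED:
                continue
            if device_id is not None and action.device_id != device_id:
                continue
            action.state = ActionState.UNDONE
            undone += 1
        return undone

    def summary(self) -> Dict[str, int]:
        counts = Counter(action.state.value for action in self.actions)
        return {state.value: counts[state.value] for state in ActionState}


def run_demo() -> ActionCenter:
    """Constructed scenario: the same alert evidence on three devices with different settings."""
    center = ActionCenter()
    evidence = [  # constructed investigation output for one alert
        Entity("dropper.exe", "file", Verdict.MALICIOUS),
        Entity("persist_svc", "service", Verdict.MALICIOUS),
        Entity("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "registry key", Verdict.SUSPICIOUS),
        Entity("explorer.exe", "process", Verdict.CLEAN),
    ]
    full_online = Device("ws-01", AutomationLevel.FULL, online=True)
    semi_online = Device("ws-02", AutomationLevel.SEMI, online=True)
    full_offline = Device("ws-03", AutomationLevel.FULL, online=False)
    for device in (full_online, semi_online, full_offline):
        center.investigate(device, evidence)
    center.device_came_online(full_offline)          # the two queued actions run now
    center.undo("dropper.exe", device_id="ws-01")    # analyst reverses one action on one device
    return center


if __name__ == "__main__":
    print(run_demo().summary())
```

Running the demo leaves two actions pending on the Semi device, three completed (one on ws-01, two on the formerly offline ws-03), and one undone; calling `undo("persist_svc")` with no device would then reverse that action on every device at once, which is the organization-wide undo the article mentions.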

Microsoft says it has decided to upgrade the default automation level to Full due to increased malware detection accuracy, improved automated investigation infrastructure, and the option to undo any remediation.

Furthermore, the company notes that full automation has helped successfully contain and remediate threats for thousands of customers, and that it also frees up critical security resources.

The default automation level has already been changed to Full for new customers, and, starting February 16, 2021, it will also be updated for those who have opted in for public previews. However, organizations have the option to change the default automation level according to their needs.

Related: Microsoft Defender for Endpoint on Linux Goes Live

Related: Microsoft Introduces Device Vulnerability Report in Defender for Endpoint

Related: New Microsoft Defender ATP Capability Blocks Malicious Behaviors

Written by Ionut Arghire, an international correspondent for SecurityWeek.
