Microsoft Enabled Automatic Threat Remediation in Microsoft Defender for Endpoint for Users


This week, Microsoft revealed that it has enabled automated threat remediation in Microsoft Defender for Endpoint for users who have opted into public previews.

The default automation level was previously Semi, meaning users had to approve every remediation. The default has now been set to Complete for enhanced security, so remediation is applied immediately to all threats found.

For every alert, Microsoft Defender for Endpoint immediately begins an investigation of the system, reviewing files, processes, registry keys, utilities, and anything else that might contain threat-related evidence.

The investigation produces a list of alert-related entities, each categorized as malicious, suspicious, or clean. A remediation action, either to contain or to delete, is generated for each malicious entity found.

The company states that Microsoft Defender for Endpoint identifies, performs and handles these actions without requiring intervention from security operations teams.

These remediation actions are either approved automatically without warning, if the automation level is set to Complete, or require manual approval, if the automation level is set to Semi. Microsoft claims that applying remediation steps immediately could save time and help suppress infections.

Remediation actions for devices that are not available are queued and run as soon as those devices become available.

Admins can use the Action Center to monitor all remediation actions (running, ongoing, or completed) and, if a system or file is not deemed a threat, they can still undo them, either on a single device or across the enterprise.

Microsoft says it chose to change the default automation level to Complete because of improved malware detection accuracy, an improved automated investigation infrastructure, and the option to reverse any remediation.

In addition, the firm states that full automation has helped thousands of clients effectively contain and remediate attacks, and that it also frees up essential security tools.

The default automation level for new customers has also been changed to Full, and it will also be changed for those who have opted into public previews beginning February 16, 2021. Organizations can, however, modify the default automation level according to their needs.


Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.