If you're using Defender for Endpoint, you can specify an automation level so that when a threat is detected on a device, the entity can be remediated automatically or only upon approval by your security team. You can configure automated investigation and remediation with device groups.
Note
In Defender for Business, automated investigation is configured automatically. See advanced features.
Set up device groups
1. In the Microsoft Defender portal (https://security.microsoft.com), on the Settings page, under Permissions, select Device groups.
2. Select + Add device group.
3. Create at least one device group, as follows:
   - Specify a name and description for the device group.
   - In the Automation level list, select a level, such as Full - remediate threats automatically. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see Automation levels in automated investigation and remediation.
   - In the Members section, use one or more conditions to identify and include devices.
4. Select Done when you're finished setting up your device group.
Note
The Automated Investigation option has been removed from the advanced features setting in Defender for Endpoint. Automated investigation is now enabled by default.