Manage automation file uploads

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

Microsoft uses various file investigation mechanisms to inspect and analyze files.

Identify the files and email attachments by specifying the file extension names and email attachment extension names.

For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.


Microsoft securely stores the files submitted for a six-month period. Files are promptly deleted after six months.

Add file extension names and attachment extension names.

  1. Log in to Microsoft Defender XDR using an account with the Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Rules > Automation uploads.

  3. Toggle the content analysis setting between On and Off.

  4. Configure the following extension names and separate extension names with a comma:

    • File extension names - Suspicious files except email attachments will be submitted for additional inspection


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.