Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

If your organization is using Defender for Endpoint (or Defender for Business), automated investigation and remediation capabilities can save your security operations team time and effort. As outlined in this blog post, these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. Learn more about automated investigation and remediation.

To configure automated investigation and remediation:

  1. Turn on the features; and
  2. Set up device groups.


  • Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Turn on automated investigation and remediation

  1. As a global administrator or security administrator, go to the Microsoft 365 Defender portal ( and sign in.

  2. In the navigation pane, choose Settings.

  3. Select Endpoints, then select Advanced features.

  4. Turn on both Automated Investigation and Automatically resolve alerts.

Set up device groups


This procedure does not apply to Defender for Business.

  1. In the Microsoft 365 Defender portal (, on the Settings page, under Permissions, select Device groups.

  2. Select + Add device group.

  3. Create at least one device group, as follows:

    • Specify a name and description for the device group.
    • In the Automation level list, select a level, such as Full - remediate threats automatically. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see Automation levels in automated investigation and remediation.
    • In the Members section, use one or more conditions to identify and include devices.
    • On the User access tab, select the Azure Active Directory groups who should have access to the device group you're creating.
  4. Select Done when you're finished setting up your device group.

Next steps

See also