From 0089cdae4f9fdb24e129e8838ca981bbd266901f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Sep 2020 15:53:30 -0700 Subject: [PATCH] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index ffa07d00d3..df01a2271f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -79,11 +79,11 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | -|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories, such as your **Windows** and **Program files** folders.

Files or executables in other folders are automatically remediated, if those files or executables are determined to be malicious.

| -|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Examples of temporary folders include the user's **Downloads** folder, the user's `\AppData\Local\Temp` folder, and local settings for documents. Files or executables in temporary folders are automatically be remediated if they are determined to be malicious. | -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined*.

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| -|**No automated response** | Devices do not get any automated investigations run on them.

***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | +|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.

**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. | +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following:
- `?:\users\*\appdata\local\temp\*`
- `?:\documents and settings\*\local settings\temp\*`
- `?:\documents and settings\*\local settings\temporary\*`
- `?:\windows\temp\*`
- `?:\users\*\downloads\*', r'?:\downloads\*`
- `?:\program files\*', r'?:\program files (x86)\*`
- `?:\documents and settings\*', r'?:\users\*` | +|**Semi - require approval for any remediation** | Approval is required for any remediation action.

This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.

If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.| +|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

**This option is not recommended**, because it reduces the security posture of your organization's devices. | > [!IMPORTANT]
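Review bot: the new temporary-folder list in the "Semi - require approval for non-temp folders remediation" row carries stray Python raw-string separators and mixes in patterns that are not temporary folders. Items such as `?:\users\*\downloads\*', r'?:\downloads\*` and `?:\program files\*', r'?:\program files (x86)\*` should each be split into two bullets (`?:\users\*\downloads\*` and `?:\downloads\*`, and so on), and the `', r'` fragments removed. More importantly, `?:\program files\*`, `?:\program files (x86)\*`, `?:\documents and settings\*` and `?:\users\*` are listed here as temporary folders where remediation runs automatically, while the row directly above calls **Program files** a core folder that requires approval; the whole block looks like an internal pattern list pasted in rather than only its temp entries, so please verify which entries actually define "temporary" before merging. The same applies to `('System': ['?:\windows\*']')` in the core-folders row, which is a dictionary fragment in reader-facing text; either drop it or state the path as plain text like the bullets. Minor style point: the table cells still contain blank lines, which many Markdown renderers do not support inside a table; `<br>` within the cell would be safer, though the pre-change text had the same issue.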