Update automated-investigations.md

This commit is contained in:
Denise Vangel-MSFT 2020-09-28 15:53:30 -07:00
parent 6b1363115c
commit 0089cdae4f


@ -79,11 +79,11 @@ You can configure the following levels of automation:
|Automation level | Description| |Automation level | Description|
|---|---| |---|---|
|**Full - remediate threats automatically** | All remediation actions are performed automatically.<br/><br/>***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, and that have no device groups defined.* <br/><br/> *If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | |**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.<br/><br/>**This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet. <br/><br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**. |
|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories, such as your **Windows** and **Program files** folders. <br/><br/> Files or executables in other folders are automatically remediated, if those files or executables are determined to be malicious.<br/><br/>| |**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md). <br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** and **Program files** folders (`'System': ['?:\windows\*']`). |
|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders. <br/><br/> Examples of temporary folders include the user's **Downloads** folder, the user's `\AppData\Local\Temp` folder, and local settings for documents. Files or executables in temporary folders are automatically be remediated if they are determined to be malicious. | |**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. These pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/> Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folder locations can include the following: <br/>- `?:\users\*\appdata\local\temp\*`<br/>- `?:\documents and settings\*\local settings\temp\*` <br/>- `?:\documents and settings\*\local settings\temporary\*`<br/>- `?:\windows\temp\*`<br/>- `?:\users\*\downloads\*', r'?:\downloads\*`<br/>- `?:\program files\*', r'?:\program files (x86)\*`<br/>- `?:\documents and settings\*', r'?:\users\*` |
|**Semi - require approval for any remediation** | An approval is needed for any remediation action. <br/><br/>*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, and that have no device groups defined*.<br/><br/> *If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| |**Semi - require approval for any remediation** | Approval is required for any remediation action. <br/><br/>This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.<br/><br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.|
|**No automated response** | Devices do not get any automated investigations run on them. <br/><br/>***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. <br/><br/>**This option is not recommended**, because it reduces the security posture of your organization's devices. |
> [!IMPORTANT] > [!IMPORTANT]
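Review bot: the temporary-folder list added to the **Semi - require approval for non-temp folders remediation** row is both syntactically damaged and wrong in substance. Three of the new bullets carry residue of a Python raw-string list, for example `?:\users\*\downloads\*', r'?:\downloads\*` and `?:\program files\*', r'?:\program files (x86)\*`; each should be split into two separate backticked paths with the stray `'` and `r'` fragments removed. More importantly, `?:\program files\*`, `?:\program files (x86)\*`, `?:\documents and settings\*` and `?:\users\*` are not temporary folders: the row directly above classifies **Program files** as a core folder that requires approval, and `?:\users\*` covers every user profile. Because the same row states that "Remediation actions can be taken automatically on files or executables that are in temporary folders", listing those paths tells readers that Program Files and all of Users are auto-remediated under this level, which contradicts the row's own first sentence. Keep only the locations the row itself describes as temporary (`\appdata\local\temp`, `local settings\temp`, `local settings\temporary`, `\windows\temp`, `\downloads`), or describe them in prose as the old text did. The same problem appears in smaller form in the core-folders row: the parenthetical `'System': ['?:\windows\*']` is an internal configuration literal rather than documentation, and it names only the Windows directory while the sentence around it also calls **Program files** a core folder; replace it with plain paths for both. Minor wording point in the **No automated response** row: "As a result, no remediation actions are taken or pending as a result of automated investigation" repeats "as a result"; drop one of the two.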