From 145bc6a6e257c9cc37e67b13a9c4fbc06efc3649 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Sep 2020 09:26:56 -0700 Subject: [PATCH 1/5] Update automated-investigations.md --- .../automated-investigations.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index bd94cf5240..74a468a884 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -72,19 +72,21 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

***This option is recommended** and is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020, and have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| |**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders are automatically remediated, if needed.| |**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*| -|**No automated response** | Devices do not get any automated investigations run on them.

*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020, and have no device groups defined.
If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**No automated response** | Devices do not get any automated investigations run on them.

***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | > [!IMPORTANT] > A few points of clarification regarding automation levels and default settings: -> - If your tenant already has device groups defined, the automation level settings are not changed. -> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default. -> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**. -> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups). +> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**. 
+> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**. ### A few points to keep in mind From 830a1b80112346399f4978e45f69210dea3beceb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Sep 2020 09:30:51 -0700 Subject: [PATCH 2/5] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 74a468a884..21159782f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -10,11 +10,13 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft +ms.date: 09/03/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # Overview of automated investigations From 490622d84b68ab21148537e953f23ae2d765d736 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Sep 2020 09:31:14 -0700 Subject: [PATCH 3/5] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 21159782f8..807094bae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -17,6 +17,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.custom: AIR --- # Overview of automated investigations From 479c5cb0cd30f13bda9940f8e085f10304d919f9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Sep 2020 09:43:10 -0700 Subject: [PATCH 4/5] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index a4c17d2c2a..d58f9ec52b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection From b6c05c1025d799418bdfd3cb6cc78ee68445b829 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Sep 2020 09:43:19 -0700 Subject: [PATCH 5/5] Update auto-investigation-action-center.md --- .../microsoft-defender-atp/auto-investigation-action-center.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index cb7648e275..0c4f1d9b83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # View details and results of automated investigations
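Review bot: in the first hunk (automated-investigations.md, @@ -72,19 +72,21 @@) the new bullet for tenants onboarded on or after August 16, 2020 with no device group misspells "orgnaization"; change it to "organization". The two rewritten table cells also drop their subject in "tenants created ... August 16, 2020, and have no device groups defined"; "tenants that were created ... and that have no device groups defined" reads cleanly. The `***This option is recommended** and is selected ...*` cells mix bold and italic runs in a way markdown renderers resolve inconsistently, so the rendered table is worth checking before merge.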
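Review bot: in the third patch, `ms.custom: AIR` is added only to automated-investigations.md, while the two sibling files touched later in this series (configure-automated-investigations-remediation.md and auto-investigation-action-center.md) receive `ms.reviewer` but no `ms.custom`. If AIR is meant to tag the whole automated investigation and remediation doc set, add the same line to those files; if it is intentionally limited to the overview page, say so in the commit message.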
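Review bot: in the fourth patch, configure-automated-investigations-remediation.md gains `ms.reviewer: ramarom, evaldm, isco, mabraitm` but `ms.date` is not touched, whereas the second patch set `ms.date: 09/03/2020` on automated-investigations.md alongside the same reviewer line. Adding `ms.date: 09/03/2020` here keeps the front matter consistent across the series.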
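Review bot: in the fifth patch, auto-investigation-action-center.md has the same gap as the fourth: `ms.reviewer` is added without an `ms.date` bump. Add `ms.date: 09/03/2020` for the same reason, and consider squashing the three metadata-only commits (patches 3 to 5) into one, since each changes a single front-matter line.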