Update manage-auto-investigation.md

Denise Vangel-MSFT 2020-12-15 06:36:56 -08:00
parent 601df53a55
commit 2f11e48f56


@ -17,7 +17,7 @@ ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.date: 09/15/2020
ms.date: 12/15/2020
---
# Review and approve remediation actions following an automated investigation
@ -98,33 +98,30 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th
4. Select an item to view more details about that remediation action.
## Undo completed actions
You can undo actions that have been completed automatically (or manually) from the
Remediation actions that have been taken automatically or manually can be undone from the Action Center History page.
Supported action sources:
- Automated investigation
- Microsoft Defender Antivirus
- Manual response actions
- Supported Actions:
- Isolate device
- Restrict code execution
- Quarantine a file
- Remove a registry key
- Stop a service
- Disable a driver
- Remove a scheduled task
if youve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
if youve determined that a machine or a file is clean, you can multi-select a list of actions and undo them all at the same time
| Action source | Supported Actions |
|:---|:---|
| - Automated investigation <br/>- Microsoft Defender Antivirus <br/>- Manual response actions | - Isolate device <br/>- Restrict code execution <br/>- Quarantine a file <br/>- Remove a registry key <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
1. Select the actions you want to cancel.
### To undo multiple actions at one time
2. Click Undo at the right-side pane.
1. Go to the Action center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. On the **History** tab, select the actions that you want to undo.
3. In the pane on the right side of the screen, select **Undo**.
### To remove a file from quarantine
![Action center](images/autoir-action-center-1.png)
For a single file, you can roll back and remove a file from quarantine in all the machines in which it was located.
1. Select one of the actions related to this file.
2. Check Apply to X more instances of this file
3. Click Undo.
1. Go to the Action center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png)
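Review bot: The sentence added ahead of the new table ("if youve determined that a device or a file is not a threat, ...") still begins with a lowercase "if" and spells "youve" without the apostrophe, both carried over from the line it replaces; please change it to "If you've determined ...". That sentence also ends with "you can undo any of the following actions:", but the table that follows has "Action source" as its first column and packs all three sources and all seven actions into a single row using `<br/>` lists, so it does not read as a list of actions and does not show which source maps to which action. Either keep two plain bulleted lists (sources, then supported actions) or reword the lead-in to cover both columns. In step 3 of "To remove a file from quarantine", "Apply to X more instances of this file" would be clearer with a short remark that X is the number shown in the pane, since the step otherwise reads as a literal label.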