diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/live-response-error.png b/windows/security/threat-protection/microsoft-defender-atp/images/live-response-error.png
new file mode 100644
index 0000000000..a0bb10aff3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/live-response-error.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 38818e6a2f..2a2e8465f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -63,6 +63,10 @@ You'll need to enable the live response capability in the [Advanced features set
 - **Ensure that the device has an Automation Remediation level assigned to it**.<br>
 You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
 
+    You'll receive the following error:
+
+    ![Image of error message](images/live-response-error.png)
+
 - **Enable live response unsigned script execution** (optional). <br>
 
     >[!WARNING]