From 045a005403cbce7d705a06dba3dccf5c96a18dc6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 13:31:45 -0700 Subject: [PATCH 01/20] Update automated-investigations.md --- .../automated-investigations.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index ef999e9cca..2db4f0fae9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 09/30/2020 +ms.date: 10/21/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -27,15 +27,21 @@ ms.custom: AIR [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. +Watch the following video to see how automated investigation and remediation works: + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] + Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink). ## How the automated investigation starts 
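Review bot: Link style in the new **Applies to** bullet is inconsistent with the rest of this section: `- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)` points at an fwlink redirect, while every other link in the hunk is either a relative `.md` link (`auto-investigation-action-center.md`) or a full docs.microsoft.com URL; a relative or docs link would survive a retargeted redirect and keep the page uniform. Moving the `[!VIDEO ...]` embed below the intro paragraph behind the lead-in `Watch the following video to see how automated investigation and remediation works:` is an improvement over the bare embed the hunk removes, and moving the period outside the trial link is the correct Markdown fix.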
From 53ec9ead7c4f5be95a5bd5750ee60b4ae2e77311 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 14:23:08 -0700 Subject: [PATCH 02/20] Update automated-investigations.md --- .../automated-investigations.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 2db4f0fae9..375dc80d29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -78,24 +78,23 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. - -> [!NOTE] -> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). - -You can configure the following levels of automation: +Depending on how you set your organization's level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. The following table describes each level of automation and how it works. |Automation level | Description| -|---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.

***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | +|:---|:---| +|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, all remediation actions are performed automatically, and can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | |**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | -|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Semi - require approval for any remediation**
(also referred to as *semi automation*)| Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| |**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | > [!IMPORTANT] -> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups. +> - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. +> - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. +> - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. +> - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + ## Next steps From af8acd4a7f6921baf4c1d9d72aeeae0ccf391267 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 14:56:33 -0700 Subject: [PATCH 03/20] Create automation-levels.md --- .../automation-levels.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
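Review bot: Two points on the automated-investigations.md hunk of PATCH 02 above. First, the rewritten intro "Depending on how you set your organization's level of automation" drops the earlier mention of device groups, yet the level is still configured per device group (the **Ungrouped devices (default)** rows and the `#set-up-device-groups` link both depend on that), so the intro should keep one clause saying where the setting lives. Second, the **Semi - require approval for non-temp folders remediation** row lists `\program files\` and `\documents and settings\*\users\*` among the "temporary folders" where remediation runs without approval; those are not temporary locations in the usual sense, so the row should state plainly that under this level files in those paths are remediated automatically, and `\program files\` is the only pattern missing the trailing `*` (compare `\program files (x86)\*`). Minor: the **Semi - require approval for any remediation** row still says "Microsoft Defender ATP" where the rest of the hunk uses "Microsoft Defender for Endpoint", and the 40% figure in the new `[!IMPORTANT]` block cites no source beyond "the past year".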
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md new file mode 100644 index 0000000000..698a67f5b8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -0,0 +1,44 @@ +--- +title: Automation levels in automated investigation and remediation +description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint +keywords: automated, investigation, level, defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 10/21/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR +--- + +# Automation levels in automated investigation and remediation capabilities + +Depending on how you set your organization's level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. The following table describes each level of automation and how it works. + +|Automation level | Description| +|:---|:---| +|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically, and can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | +|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | +|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | + + +> [!IMPORTANT] +> - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. +> - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. +> - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. +> - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + From ac0927ddeb62d224f460b8122b7b5008a72a1718 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 15:45:31 -0700 Subject: [PATCH 04/20] new article split How Threats Are Remediated into a separate article about automation levels --- .../automated-investigations.md | 17 ---------- .../automation-levels.md | 33 ++++++++++++------- 2 files changed, 22 insertions(+), 28 deletions(-) 
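Review bot: Duplication risk in the new automation-levels.md: it carries a verbatim copy of the automation-level table and the `[!IMPORTANT]` block that PATCH 02 left in automated-investigations.md, so the two copies will drift; if the intent is a split, remove the section from the original page in the same change and leave a link behind. Also in this file, the front-matter `title:` reads "Automation levels in automated investigation and remediation" while the H1 reads `# Automation levels in automated investigation and remediation capabilities`; pick one. The rows were reordered so that **Semi - require approval for any remediation** now comes second, but only that row carries "(also referred to as *semi-automation*)" while the two other Semi rows do not, and `\program files\` is still the only pattern without a trailing `*`. The file also ends with two stray blank lines after the note block.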
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 375dc80d29..0b78652e93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -78,23 +78,6 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set your organization's level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. The following table describes each level of automation and how it works. - -|Automation level | Description| -|:---|:---| -|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, all remediation actions are performed automatically, and can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | -|**Semi - require approval for any remediation**
(also referred to as *semi automation*)| Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| -|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | - - -> [!IMPORTANT] -> - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. -> - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. -> - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. -> - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). - ## Next steps diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 698a67f5b8..8a2e6cab15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
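Review bot: The automated-investigations.md hunk of PATCH 04 above leaves `## How threats are remediated` as an empty heading immediately followed by `## Next steps`; a section with no body renders as a stray heading and the reader loses the only pointer to the automation levels. Add at least a one-sentence summary and a link to `automation-levels.md` in the same commit, or drop the heading until the replacement text lands.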
@@ -25,20 +25,31 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities -Depending on how you set your organization's level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. The following table describes each level of automation and how it works. +Automation levels determine whether remediation actions are taken automatically or only upon approval. Microsoft Defender for Endpoint offers several options for setting your level of automation. + +> [!TIP] +> For best results, we recommend using full automation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. + +## Levels of automation + +The following table describes each level of automation and how it works. |Automation level | Description| |:---|:---| -|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically, and can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | -|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | -|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | +|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | +|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Semi - require approval for core folders remediation**
(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**Semi - require approval for non-temp folders remediation**
(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*`

Remediation actions can be taken automatically on files or executables that are in temporary folders.

Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**No automated response**
(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection is configured.

***This option is not recommended**, because it reduces the security posture of your organization's devices*. [Consider setting up your automation level to *Full automation* (or at least *Semi-automation)*](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups). | + +## Important points about automation levels + +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. + +- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. + +- If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. -> [!IMPORTANT] -> - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. -> - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. -> - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. -> - You can keep your default automation setting, or change it according to your organizational needs. 
To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +- You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). From db67fcfc1dac121750a596246538b87d20d67cfb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 15:49:06 -0700 Subject: [PATCH 05/20] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 632fbafb38..3c1a11247e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -397,6 +397,7 @@ ### [Automated investigation and response (AIR)]() #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) +#### [Automation levels in AIR](microsoft-defender-atp/automation-levels.md) #### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md) ### [Advanced hunting]() From 890d77d9fe6902b16f45cece944709390ef926fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 15:59:13 -0700 Subject: [PATCH 06/20] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 0b78652e93..a0d5e99a7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
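Review bot: The unchanged "No automated response" row just above the new "## Important points about automation levels" section carries unbalanced emphasis markup: `***This option is not recommended**, because it reduces the security posture of your organization's devices*.` opens bold-italic and closes only bold, and `(or at least *Semi-automation)*` puts the closing asterisk after the parenthesis so the italic swallows the `)`. Suggest `**This option is not recommended**, because ... devices.` and `(or at least *Semi-automation*)` while this section is being reworked. Also, the removed `[!IMPORTANT]` block contained the "40% more high-confidence malware samples removed" figure, which the new bullets drop; the same figure still appears in the article's `[!TIP]` in a later automation-levels.md hunk of this series, so this looks like deliberate de-duplication, but the commit message should say so.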
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -78,6 +78,11 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated +As alerts are triggered, and an automated investigation runs, the investigation can result in one or more remediation actions. + +Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. + +All remediation actions, whether pending or completed, can be viewed in Action Center. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). ## Next steps From 5d2546be2e459874322b86e542e9b17e2846b9ab Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 16:12:15 -0700 Subject: [PATCH 07/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 8a2e6cab15..91c7b65c7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
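Review bot: In the "How threats are remediated" hunk, the added link `https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation` hard-codes the `en-us` locale segment; the other links added in this series are locale-free (`https://docs.microsoft.com/windows/...`) or relative (`automation-levels.md`), so drop `en-us` or use the relative `manage-auto-investigation.md` so localized builds resolve correctly. Minor: "Action Center" here versus "[Action center]" elsewhere in the same article; pick one capitalization.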
@@ -25,10 +25,10 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities -Automation levels determine whether remediation actions are taken automatically or only upon approval. Microsoft Defender for Endpoint offers several options for setting your level of automation. +Automation levels determine whether remediation actions are taken automatically or only upon approval following an automated investigation. Microsoft Defender for Endpoint offers several levels of automation. This article describes the various levels of automation and includes recommendations to consider. > [!TIP] -> For best results, we recommend using full automation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. +> For best results, we recommend using full automation when you set your level of automation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. ## Levels of automation @@ -40,7 +40,7 @@ The following table describes each level of automation and how it works. |**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| |**Semi - require approval for core folders remediation**
(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | |**Semi - require approval for non-temp folders remediation**
(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*`

Remediation actions can be taken automatically on files or executables that are in temporary folders.

Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | -|**No automated response**
(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection is configured.

***This option is not recommended**, because it reduces the security posture of your organization's devices*. [Consider setting up your automation level to *Full automation* (or at least *Semi-automation)*](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups). | +|**No automated response**
(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.

***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. | ## Important points about automation levels @@ -53,3 +53,8 @@ The following table describes each level of automation and how it works. - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +## Next steps + +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) + +- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) \ No newline at end of file From 1a3ded1919a5114c4d44256f67f266d9a07c04b3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 16:18:44 -0700 Subject: [PATCH 08/20] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index a0d5e99a7f..337e0a464e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
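Review bot: The replacement "No automated response" row still has broken emphasis: `***Using the *no automation* option is not recommended**, because ... [Consider setting up your automation level to full automation (or at least semi-automation)](...)*.` nests `*no automation*` inside a `***` run and leaves a stray `*` after the link, so the row is unlikely to render as intended. Suggest `**Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider ...](...).` with no trailing asterisk. In the unchanged context, the temporary-folders list has `\program files\` without the `*` suffix every other entry uses, and the "Semi - require approval for any remediation" row still says "Microsoft Defender ATP" while the rest of the series uses "Microsoft Defender for Endpoint". The appended "## Next steps" hunk also ends without a trailing newline (`\ No newline at end of file`); add one.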
@@ -78,7 +78,9 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -As alerts are triggered, and an automated investigation runs, the investigation can result in one or more remediation actions. +As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. + +As verdicts are reached, automated investigations can result in one or more [remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. @@ -86,7 +88,9 @@ All remediation actions, whether pending or completed, can be viewed in Action C ## Next steps -- [Learn about the automated investigations dashboard](manage-auto-investigation.md) +- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md) + +- [Learn more about automation levels](automation-levels.md) - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) From bdcb7933a7dbe6cb4005f6fa53b622de1846a6b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 16:19:59 -0700 Subject: [PATCH 09/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
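Review bot: In the "How threats are remediated" hunk, "Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more." is redundant ("examples include" already signals a partial list; drop "and more"), and the `[remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions)` link targets a file in the same folder, so the relative form `manage-auto-investigation.md#remediation-actions` (the style used for `automation-levels.md` two lines down) is preferable.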
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 91c7b65c7c..31a8dc069f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -44,12 +44,11 @@ The following table describes each level of automation and how it works. ## Important points about automation levels -- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. - - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. -- If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. +- If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). From 7eac63f1af1ccc04327ddf8996579bbb6f7ac0f0 Mon Sep 17 00:00:00 2001 
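Review bot: The reorder in this hunk leaves the list with inconsistent spacing: "Full automation has proven..." is followed by a blank line, but the re-added "New tenants..." and "If your security team..." bullets sit adjacent with no blank line between them, while "You can keep..." is again separated by one. Either put a blank line between every item or between none; the rendered list is the same, but the source will keep churning otherwise (a later patch in this series, "AIR edits", touches the "New tenants" line again with a whitespace-only change).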
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 22 Oct 2020 15:42:26 +0530 Subject: [PATCH 10/20] removed broken link added correct link as per the user report #8502 , so i replaced to correct link correct link **https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection** --- .../install-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 8aba080ae4..0ffe36bd82 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) ## Review system requirements From dc2a78cf52d500445b5d345d50a01b374ff9772d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:28:05 -0700 Subject: [PATCH 11/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 31a8dc069f..6601b6222a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
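Review bot: The replacement link fixes the broken fwlink, but the link text keeps "Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)" while the other pages touched in this series use "Microsoft Defender for Endpoint"; consider updating the label in the same change so the Application Guard "Applies to" list matches the product name used elsewhere.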
+++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -25,7 +25,12 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities -Automation levels determine whether remediation actions are taken automatically or only upon approval following an automated investigation. Microsoft Defender for Endpoint offers several levels of automation. This article describes the various levels of automation and includes recommendations to consider. +Microsoft Defender for Endpoint offers several levels of automation for automated investigation and remediation (AIR). Automation levels determine whether remediation actions are taken automatically or only upon approval following an automated investigation. +- Full automation (this is recommended option) means remediation actions are taken automatically. +- Semi-automation means some remediation actions are taken automatically, but other remediation actions await approval before being taken. +- + +This article describes the various levels of automation and includes recommendations to consider. > [!TIP] > For best results, we recommend using full automation when you set your level of automation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. From 7285d47360c3ab77f2da3b01ee47e3aace4fd7b7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:36:44 -0700 Subject: [PATCH 12/20] AIR edits --- .../microsoft-defender-atp/automation-levels.md | 12 +++++------- ...configure-automated-investigations-remediation.md | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) 
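Review bot: The new bullet list in this hunk ends with an empty item (`+- ` with nothing after the dash), which renders as a blank bullet; either fill it in (presumably the *No automated response* level, which the table below already covers) or remove it. Also "*Full automation* (this is recommended option)" is missing an article: "this is the recommended option", or simply "(recommended)".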
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 6601b6222a..bde4bcaba8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
@@ -26,14 +26,12 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities Microsoft Defender for Endpoint offers several levels of automation for automated investigation and remediation (AIR). Automation levels determine whether remediation actions are taken automatically or only upon approval following an automated investigation. -- Full automation (this is recommended option) means remediation actions are taken automatically. -- Semi-automation means some remediation actions are taken automatically, but other remediation actions await approval before being taken. -- - -This article describes the various levels of automation and includes recommendations to consider. +- *Full automation* (this is recommended option) means remediation actions are taken automatically. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table later in this article for more details.) +- Remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). > [!TIP] -> For best results, we recommend using full automation when you set your level of automation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. +> For best results, we recommend using full automation with automated investigation and remediation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. 
Full automation can help free up your security operations resources to focus more on your strategic initiatives. ## Levels of automation @@ -51,7 +49,7 @@ The following table describes each level of automation and how it works. - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. -- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 17ad143b5d..67bd1bd7dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md 
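Review bot: In the intro hunk, the third bullet ("Remediation actions, whether pending or completed, are tracked in the Action Center ...") is not a level of automation, so it reads oddly as a sibling of *Full automation* and *Semi-automation*; move it to its own sentence after the list. "(this is recommended option)" still lacks the article. The second hunk (`- New tenants ...`) shows identical text on both sides, so it is a whitespace-only change; either strip it from the commit or mention it in the message so reviewers do not hunt for a content difference.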
@@ -31,7 +31,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). +To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation From 53a56f31937c8bb342e5a63530921f9f43e97bb2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:38:56 -0700 Subject: [PATCH 13/20] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 337e0a464e..66f88aa097 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -36,7 +36,7 @@ Your security operations team receives an alert whenever a malicious or suspicio Watch the following video to see how automated investigation and remediation works: -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. @@ -84,7 +84,7 @@ As verdicts are reached, automated investigations can result in one or more [rem Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. -All remediation actions, whether pending or completed, can be viewed in Action Center. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). +All remediation actions, whether pending or completed, can be viewed in Action Center. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). ## Next steps From 87f3407458443cc5ac74cbad5b1a5d89fda96082 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:44:19 -0700 Subject: [PATCH 14/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index bde4bcaba8..0b13399ff2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 10/21/2020 +ms.date: 10/22/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -25,13 +25,13 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities -Microsoft Defender for Endpoint offers several levels of automation for automated investigation and remediation (AIR). Automation levels determine whether remediation actions are taken automatically or only upon approval following an automated investigation. +Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions that follow an automated investigation are taken automatically or only upon approval. - *Full automation* (this is recommended option) means remediation actions are taken automatically. - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table later in this article for more details.) -- Remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). +- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). > [!TIP] -> For best results, we recommend using full automation with automated investigation and remediation. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. +> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). 
Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. ## Levels of automation From 82dda2532d6f9fc2f42062adbf11338c70ec4a6f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:52:13 -0700 Subject: [PATCH 15/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 0b13399ff2..93cb715b57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
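Review bot: The first bullet, "*Full automation* (this is recommended option) means remediation actions are taken automatically" (unchanged context in this hunk), is broader than the behaviour described in the automated-investigations.md hunk earlier in this series, where each piece of evidence gets a verdict of *Malicious*, *Suspicious*, or *No threats found*; state that automatic remediation applies to artifacts with a malicious verdict, and fix the missing article at the same time. The `[!TIP]` rewrite linking to `configure-automated-investigations-remediation.md` reads well.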
@@ -25,9 +25,9 @@ ms.custom: AIR # Automation levels in automated investigation and remediation capabilities -Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions that follow an automated investigation are taken automatically or only upon approval. -- *Full automation* (this is recommended option) means remediation actions are taken automatically. -- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table later in this article for more details.) +Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval. +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).) - All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). > [!TIP] From 2f426ae5634b52c94270f3f30666bc39049dd409 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 08:55:06 -0700 Subject: [PATCH 16/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
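Review bot: "remediation actions following AIR investigations" expands to "automated investigation and remediation investigations"; the wording this line replaces, "following an automated investigation", reads better. Scoping full automation to "artifacts determined to be malicious" and switching to "(recommended)" are both good changes in this hunk.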
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 93cb715b57..b53fbc4720 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -51,9 +51,9 @@ The following table describes each level of automation and how it works. - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. -- If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. +- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. -- You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). ## Next steps From e2aea7ed2816132ac2d78931936ffec8ef32df20 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 09:01:11 -0700 Subject: [PATCH 17/20] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
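Review bot: "those settings are not changed by the new default settings that are rolling out" is time-bound phrasing that will read as stale once the rollout completes; since the preceding bullet already anchors the change to tenants created on or after August 16, 2020, say "the default settings introduced on August 16, 2020" or similar. Dropping "However, we recommend using full automation wherever possible" is fine, because the first bullet of this list ("Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers") already carries the recommendation.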
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 66f88aa097..42a409f78e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -80,11 +80,11 @@ If an incriminated entity is seen in another device, the automated investigation As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -As verdicts are reached, automated investigations can result in one or more [remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. +As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. -All remediation actions, whether pending or completed, can be viewed in Action Center. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). +All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) ## Next steps From 835ec07b5b005a9c2e0ce630aa14372b47b321a7 Mon Sep 17 00:00:00 2001 
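Review bot: the two links edited in this hunk end up in different forms: the remediation-actions reference becomes the relative `manage-auto-investigation.md#remediation-actions`, but the "Review and approve remediation actions" reference in the very next changed line keeps the absolute `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation` URL to the same file; use the relative form for both. On the added sentence "If necessary, your security operations team can undo a remediation action.": it matches the automation-levels table in this series ("If necessary, a remediation action can be undone"), but that table ties undo to actions already taken (the **History** tab), while this sentence follows "whether pending or completed" and could be read as applying to pending actions, which are approved rather than undone. "undo a completed remediation action" would remove the ambiguity.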
From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 09:25:02 -0700 Subject: [PATCH 18/20] Update install-md-app-guard.md --- .../install-md-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 0ffe36bd82..55f10b708a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/19/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)]https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements From 273ab96c468c7beb0241070a83d8d9e9fda357cc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 22 Oct 2020 09:53:47 -0700 Subject: [PATCH 19/20] Update automation-levels.md --- .../microsoft-defender-atp/automation-levels.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index b53fbc4720..9fa9ebd762 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md 
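Review bot: the replacement "Applies to" line has broken link syntax: `[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)]https://go.microsoft.com/fwlink/p/?linkid=2146631)` is missing the `(` after `]`, so it renders as literal bracketed text followed by a bare URL with a stray `)`. Patch 20/20 in this series ("pencil edit") fixes exactly this one character; squash it into this commit so the broken form never lands in history. Separately, the link text still carries the old product name while the other files touched in this series say "Microsoft Defender for Endpoint" (see the automation-levels and automated-investigations hunks); since this change already swaps the target to a go.microsoft.com fwlink, updating the text in the same commit avoids a second pass over this file.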
@@ -39,8 +39,8 @@ The following table describes each level of automation and how it works. |Automation level | Description| |:---|:---| -|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | -|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* | +|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*| |**Semi - require approval for core folders remediation**
(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | |**Semi - require approval for non-temp folders remediation**
(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*`

Remediation actions can be taken automatically on files or executables that are in temporary folders.

Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | |**No automated response**
(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.

***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. | From 049d42c6f904d75e4ad2e760eb7a3db81c3b133a Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 22 Oct 2020 09:57:27 -0700 Subject: [PATCH 20/20] pencil edit --- .../install-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 55f10b708a..1903c17792 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)]https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements
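Review bot: removing the two "*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)** ...*" sentences from the Full and Semi rows takes the only mention of the "Ungrouped devices (default)" group out of this table; if that group still exists, its default automation level needs a home (the device-groups article linked from the last row is the natural one), and the commit message should say why it was dropped rather than "Update automation-levels.md". With that sentence gone, the new Full row ends on a dangling "with no device groups defined yet."; "with no device groups defined." matches the Semi row. Unchanged context worth fixing while the table is open: `\program files\` in the temporary-folders list lacks the trailing `*` every other entry has; "Actions that were taken on files or executables in temporary folders can be viewed and approved ... on the **History** tab" should drop "and approved", since the History tab lists actions already taken and the Pending tab is where approval happens (as the preceding line says); and the Full row says "Microsoft Defender for Endpoint" while the Semi row still says "Microsoft Defender ATP" for the same August 16, 2020 cutoff.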
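Review bot: this one-character change restores the `(` that patch 18/20 dropped from the "Applies to" link; as a standalone commit it leaves a broken link in the history between 18 and 20, so fold it into patch 18 as a fixup rather than shipping it as "pencil edit". The link text is still the old "Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)" name; if the fwlink target is the rebranded page, this is the place to change the text to "Microsoft Defender for Endpoint" as the automation-levels and automated-investigations hunks in this series already do.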