draft

2025-05-12 21:37:22 +00:00 · 2020-12-15 06:18:42 -08:00 · 2020-12-15 06:18:42 -08:00 · 601df53a55
commit 601df53a55
parent 3429575d86
1 changed files with 31 additions and 0 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@ -97,6 +97,37 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th

 4. Select an item to view more details about that remediation action.
 
+## Undo completed actions
+You can undo actions that have been completed automatically (or manually) from the 
+Remediation actions that have been taken automatically or manually can be undone from the Action Center History page.  
+
+Supported action sources: 
+ - Automated investigation 
+ - Microsoft Defender Antivirus 
+ - Manual response actions 
+ - Supported Actions: 
+ - Isolate device 
+ - Restrict code execution 
+ - Quarantine a file 
+ - Remove a registry key 
+ - Stop a service 
+ - Disable a driver 
+ - Remove a scheduled task 
+
+if you’ve determined that a machine or a file is clean, you can multi-select a list of actions and undo them all at the same time 
+
+1. Select the actions you want to cancel. 
+
+2. Click Undo at the right-side pane. 
+
+![Action center](images/autoir-action-center-1.png)
+For a single file, you can roll back and remove a file from quarantine in all the machines in which it was located.
+1.	Select one of the actions related to this file.
+2.	Check ‘Apply to X more instances of this file’
+3.	Click Undo.
+
+![Quarantine file](images/autoir-quarantine-file-1.png)
+
 ## Next steps

 - [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)