Undo Automatic Investigation Remediations

According to the documentation, you can undo automatic investigation remediations for things such as Task Scheduler entries and quarantine.  This is particularly useful for getting buy-in to enabling fully automated remediation, rather than approval based.

 

In my environment, there is no option for undo in the flyout pane for either a single historic action centre entry or multiple.  Specifically, I am trying to undo the removal of a scheduled task. Are there prerequisites for this, or am I missing something else?  Devices are Windows 10 2004, hybrid Azure AD joined, using MDAV as the engine, and still onboarded to MDE.

 

 

 

 
