Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal.
Applies to:
- Microsoft 365 Defender
Threat protection features in Microsoft 365 Defender can result in certain remediation actions. Here are some examples:
- Automated investigations can result in remediation actions that are taken automatically or await your approval.
- Antivirus, antimalware, and other threat protection features can result in remediation actions, such as blocking a file, URL, or process, or sending an artifact to quarantine.
- Your security operations team can take remediation actions manually, such as during advanced hunting or while investigating alerts or incidents.
Note
You must have appropriate permissions to approve or reject remediation actions. For more information, see the prerequisites.
Review pending actions in the Action center
It’s important to approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner. Review the evidence in the flyout before you approve, though: an approved action (for example, isolating a device or quarantining a file) takes effect immediately, and if it turns out to be wrong it must be reversed from the History tab, as described under "Undo completed actions" below.
- Go to the Microsoft 365 Defender portal and sign in.
- In the navigation pane, choose Action center.
- In the Action center, on the Pending tab, select an item in the list. Its flyout pane opens.
- Review the information in the flyout pane, and then take one of the following steps:
  - Select Open investigation page to view more details about the investigation.
  - Select Approve to let the pending action run.
  - Select Reject to prevent the pending action from being taken.
  - Select Go hunt to open Advanced hunting.
Undo completed actions
If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the History tab, you can undo any of the following actions:

Action source | Supported actions
---|---
- Automated investigation<br>- Microsoft Defender Antivirus<br>- Manual response actions | - Isolate device<br>- Restrict code execution<br>- Quarantine a file<br>- Remove a registry key<br>- Stop a service<br>- Disable a driver<br>- Remove a scheduled task
Undo one remediation action
- Go to the Action center (https://security.microsoft.com/action-center) and sign in.
- On the History tab, select an action that you want to undo.
- In the pane on the right side of the screen, select Undo.
Undo multiple remediation actions
- Go to the Action center (https://security.microsoft.com/action-center) and sign in.
- On the History tab, select the actions that you want to undo. All selected items must have the same Action type. A flyout pane opens.
- In the flyout pane, select Undo.
To remove a file from quarantine across multiple devices
- Go to the Action center (https://security.microsoft.com/action-center) and sign in.
- On the History tab, select a file that has a Quarantine file Action type.
- In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.