Automated Investigation and Response (AIR) Becomes a Native Antivirus Experience
Microsoft is continuing to enhance its security platform by streamlining and automating threat response across the Microsoft Defender ecosystem. A key development is the deeper integration of Automated Investigation and Response (AIR) with Microsoft Defender Antivirus, along with the removal of older manual configuration and triggering options that administrators previously relied on. This will be effective from September 1, 2026.
What is Microsoft Defender AIR?
Automated Investigation and Response (AIR) is a feature within Microsoft Defender for Endpoint that leverages threat intelligence, behavioral analytics, and investigation algorithms to automatically assess security alerts, determine the scope of potential attacks, and take appropriate remediation actions.
Instead of requiring security analysts to manually review every alert, AIR can:
- Analyze detected threats.
- Correlate related alerts and incidents.
- Identify affected devices and files.
- Recommend or automatically perform remediation actions.
- Log all activities in the Microsoft Defender Action Center.
This automation reduces investigation time and allows security teams to focus on more complex threats rather than routine tasks.
Stronger Integration with Defender Antivirus
Microsoft Defender Antivirus is now a foundational requirement for AIR. It must be running in either active or passive mode for AIR to function properly. If Defender Antivirus is disabled or removed, AIR will not operate effectively.
This shift reflects Microsoft’s broader strategy of integrating antivirus into its Extended Detection and Response (XDR) ecosystem. When Defender Antivirus detects malware, AIR can immediately initiate investigations, collect additional data, and trigger remediation workflows without human intervention.
Removal of Manual Enablement
Previously, administrators could enable or manage AIR through the Advanced Features settings in Defender for Endpoint. Microsoft has removed this option, making AIR enabled by default.
As stated in Microsoft’s documentation:
“The Automated Investigation option has been removed from the advanced features setting in Defender for Endpoint. Automated investigation is now enabled by default.”
This aligns with Microsoft’s move toward secure-by-default configurations, ensuring organizations benefit from automated investigations without requiring manual setup.
Changes to Manual Triggering
While AIR can still be initiated through certain alerts or incident workflows, Microsoft is shifting toward automation as the primary approach.
In modern environments:
- A detection (such as from Defender Antivirus) generates an alert.
- An incident is automatically created.
- AIR begins investigation.
- Remediation actions are recommended or executed based on automation settings.
- Results are logged in the Action Center.
This reduces the time between detection and response, improving overall security effectiveness.
Benefits for Security Teams
- Faster response times due to automatic investigation initiation.
- Consistent security posture with AIR enabled by default.
- Reduced alert fatigue through automated triage and remediation.
- Stronger integration within Microsoft’s XDR ecosystem across endpoints, identity, email, and cloud.
Administrator Considerations
Although AIR is now always enabled, administrators still control how remediation actions are handled through automation levels and device group settings.
Security teams should:
- Review automation settings for device groups.
- Monitor the Action Center regularly.
- Validate remediation approval workflows.
- Ensure Defender Antivirus remains active on all protected devices.
Final Thoughts
Microsoft’s deeper integration of AIR with Defender Antivirus and the removal of manual enablement options mark a significant move toward autonomous security operations. By making AIR a default capability, Microsoft enables faster detection, quicker remediation, and stronger protection with reduced administrative effort.
For security teams, automated investigation is no longer optional, it is now a core, always-on component of the Microsoft Defender security ecosystem.
You can connect with our Microsoft office 365 services team if you have any questions on the above or require support.
