SHD / MC Checker

MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manual triggering removed



MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manual triggering removed

Classification planForChange
Last Updated 07/01/2026 18:33:15
Start Time 07/01/2026 18:32:59
End Time 10/01/2026 07:00:00
Action Required By Date 2026-09-01T07:00:00Z
Message Content

[What and Why]

As of September 1, 2026, automated investigation and response (AIR) will no longer run as a separate investigation experience or be available for manual triggering in Microsoft Defender.

The protection capabilities of AIR are already embedded within Microsoft Defender’s always-on antivirus protection stack today. Detection and response run automatically as part of default protection, without requiring a separate investigation workflow.

This change is part of our ongoing “shift left” effort to lift the onus of protection from customers by automating detection and response processes, helping ensure consistent outcomes across endpoints without reliance on a separate, manually initiated investigation experience.

With this update, the standalone AIR investigation experience is removed. For on-demand investigations, teams can run full antivirus scans as needed.

[Rollout Schedule]

  • Transition (Worldwide, GCC, GCC High, DoD): Beginning and completing in early September 2026

[Impact on Your Organization]

Who is affected

  • Admins and security teams using Microsoft Defender for Endpoint and Microsoft Defender XDR

Platforms/Services

  • Microsoft Defender for Endpoint across supported platforms

What will happen

  • Manual triggering of automated investigation and response (AIR) will no longer be available.
  • AIR will no longer run as a separate investigation experience.
  • Detection and response will occur automatically as part of always-on antivirus protection.
  • Full antivirus scans replace manual AIR investigations for on-demand analysis.
  • Any playbooks, scripts, or integrations that initiate AIR will stop working after September 1, 2026, and must be updated before that date.
  • Protection remains enabled by default.

[Action Required / Recommendations]

If you are not using AIR manually or through automation, no action is required to maintain protection.

Action is required for organizations using AIR in playbooks, scripts, or integrations, as these will no longer function after September 1, 2026.

  • Review and update any playbooks, scripts, or integrations that initiate AIR before September 1, 2026.
  • Replace AIR-based workflows with full antivirus scan workflows for on-demand investigations.
  • Update internal documentation that references AIR investigations.
  • Inform security and helpdesk teams of this change.

Learn more: 

[Compliance considerations]

Question Answer
Does the change alter how admins can monitor, report on, or demonstrate compliance activities? Yes. AIR will no longer appear as a distinct investigation type, which may affect monitoring and reporting workflows.