| MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manual triggering removed |
|---|
| Classification | planForChange | ||||
|---|---|---|---|---|---|
| Last Updated | 07/01/2026 18:33:15 | ||||
| Start Time | 07/01/2026 18:32:59 | ||||
| End Time | 10/01/2026 07:00:00 | ||||
| Action Required By Date | 2026-09-01T07:00:00Z | ||||
| Message Content |
[What and Why] As of September 1, 2026, automated investigation and response (AIR) will no longer run as a separate investigation experience or be available for manual triggering in Microsoft Defender. The protection capabilities of AIR are already embedded within Microsoft Defender’s always-on antivirus protection stack today. Detection and response run automatically as part of default protection, without requiring a separate investigation workflow. This change is part of our ongoing “shift left” effort to lift the onus of protection from customers by automating detection and response processes, helping ensure consistent outcomes across endpoints without reliance on a separate, manually initiated investigation experience. With this update, the standalone AIR investigation experience is removed. For on-demand investigations, teams can run full antivirus scans as needed. [Rollout Schedule]
[Impact on Your Organization] Who is affected
Platforms/Services
What will happen
[Action Required / Recommendations] If you are not using AIR manually or through automation, no action is required to maintain protection. Action is required for organizations using AIR in playbooks, scripts, or integrations, as these will no longer function after September 1, 2026.
Learn more:
[Compliance considerations]
|