{"id":17132,"date":"2026-07-02T04:01:10","date_gmt":"2026-07-01T19:01:10","guid":{"rendered":"https:\/\/m365jp.net\/?p=17132"},"modified":"2026-07-02T04:01:38","modified_gmt":"2026-07-01T19:01:38","slug":"mc1411577-microsoft-defender-automated-investigation-and-response-air-integrated-into-antivirus-with-manual-triggering-removed","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-07-02-mc1411577-microsoft-defender-automated-investigation-and-response-air-integrated-into-antivirus-with-manual-triggering-removed","title":{"rendered":"MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manual triggering removed"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manual triggering removed<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>07\/01\/2026 18:33:15<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>07\/01\/2026 18:32:59<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>10\/01\/2026 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Action Required By Date<\/th>\n<td>2026-09-01T07:00:00Z<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p><b>[What and Why]<\/b><\/p>\n<p>As of September 1, 2026, automated investigation and response (AIR) will no longer run as a separate investigation experience or be available for manual triggering in Microsoft Defender.  <\/p>\n<p>The protection capabilities of AIR are already embedded within Microsoft Defender\u2019s always-on antivirus protection stack today. 
Detection and response run automatically as part of default protection, without requiring a separate investigation workflow.<\/p>\n<p>This change is part of our ongoing \u201cshift left\u201d effort to lift the onus of protection from customers by automating detection and response processes, helping ensure consistent outcomes across endpoints without reliance on a separate, manually initiated investigation experience.<\/p>\n<p>With this update, the standalone AIR investigation experience is removed. For on-demand investigations, teams can run full antivirus scans as needed.<\/p>\n<p><b>[Rollout Schedule]<\/b><\/p>\n<ul>\n<li><b>Transition (Worldwide, GCC, GCC High, DoD): <\/b>Beginning and completing in <b>early September 2026<\/b><\/li>\n<\/ul>\n<p><b>[Impact on Your Organization]<\/b><\/p>\n<p><i>Who is affected<\/i><\/p>\n<ul>\n<li>Admins and security teams using Microsoft Defender for Endpoint and Microsoft Defender XDR<\/li>\n<\/ul>\n<p><i>Platforms\/Services<\/i><\/p>\n<ul>\n<li>Microsoft Defender for Endpoint across supported platforms<\/li>\n<\/ul>\n<p><i>What will happen<\/i><\/p>\n<ul>\n<li>Manual triggering of automated investigation and response (AIR) will no longer be available.<\/li>\n<li>AIR will no longer run as a separate investigation experience.<\/li>\n<li>Detection and response will occur automatically as part of always-on antivirus protection.<\/li>\n<li>Full antivirus scans replace manual AIR investigations for on-demand analysis.<\/li>\n<li>Any playbooks, scripts, or integrations that initiate AIR will <b>stop working after September 1, 2026<\/b>, and must be updated before that date.<\/li>\n<li>Protection remains enabled by default.<\/li>\n<\/ul>\n<p><b>[Action Required \/ Recommendations]<\/b><\/p>\n<p>If you are <b>not using AIR<\/b> manually or through automation, <b>no action is required<\/b> to maintain protection.<\/p>\n<p><b>Action is required for organizations using AIR<\/b> in playbooks, scripts, or integrations, as 
these will no longer function after September 1, 2026.<\/p>\n<ul>\n<li><b>Review and update<\/b> any playbooks, scripts, or integrations that initiate AIR <b>before September 1, 2026<\/b>.<\/li>\n<li>Replace AIR-based workflows with full antivirus scan workflows for on-demand investigations.<\/li>\n<li>Update internal documentation that references AIR investigations.<\/li>\n<li>Inform security and helpdesk teams of this change.<\/li>\n<\/ul>\n<p><b>Learn more:&nbsp;<\/b><\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/mdav-scan-best-practices\" target=\"_blank\">Microsoft Defender Antivirus full scan considerations and best practices | Microsoft Defender for Endpoint | Microsoft Defender | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/automated-investigations\" target=\"_blank\">Overview of automated investigations | Microsoft Defender for Endpoint | Microsoft Defender | Microsoft Learn<\/a><\/li>\n<\/ul>\n<p><b>[Compliance considerations]<\/b><\/p>\n<table class=\"table table-bordered\">\n<tbody>\n<tr>\n<td>Question<\/td>\n<td>Answer<\/td>\n<\/tr>\n<tr>\n<td>Does the change alter how admins can monitor, report on, or demonstrate compliance activities?<\/td>\n<td>Yes. 
AIR will no longer appear as a distinct investigation type, which may affect monitoring and reporting workflows.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1411577 | Microsoft Defender: Automated investigation and response (AIR) integrated into antivirus with manu [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-17132","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/17132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=17132"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/17132\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=17132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=17132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=17132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}