
Task 01: Enable AIR and set automatic remediation levels (MDE + MDO)

  1. In the leftmost pane of the Microsoft Defender portal, go to System > Settings.

  2. Select Endpoints.

  3. In the Endpoints menu, under Permissions, select Device groups.


  4. Select + Add device group.

  5. In the flyout pane’s General step, enter the following, then select Next.

    Item               Value
    Device group name  Pilot Lab
    Remediation level  Full remediation


  6. Under Devices, set the Name condition to Starts with and the value to win, then select Next.


  7. On Preview devices, select Show preview to confirm matching devices.


  8. Verify the lab VM (for example, winvm-mde) appears, then select Next.


  9. Select Submit.


  10. In the No user groups selected prompt, select Continue.


  11. Select Done, then confirm the new device group is listed.


  12. In the leftmost pane, go to System > Settings > Email & collaboration.


  13. Select MDO automation settings.


  14. Under Message clusters, select Similar files and Similar URLs. Set Remediation action to Soft delete, then select Save.
