Microsoft has confirmed that all Windows Defender for Endpoint users will be updated to fully automatic threat remediation, starting in February 2021.
The move won't affect any endpoint settings but can significantly boost protection for endpoint users, in turn drastically reducing security incidents.
Microsoft Enables Automatic Endpoint Security
Microsoft is upgrading the automatic security remediation level from "Semi" to "Auto" for all customers using public preview versions of Windows Defender for Endpoint.
The reason appears intrusive but is data-driven.
Data collected and analysed over the past year shows that organizations who are using full automation have had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation also frees up our customers' critical security resources so they can focus more on their strategic initiatives.
A 40 percent higher removal rate is a significant security increase that organizations cannot afford to ignore.
Furthermore, switching to automatic remediation protects other computers on the network. When the removal process begins automatically, other devices stand a far greater chance of remaining secure.
When the remediation process is set to "Semi," as many organizations are, the removal process can only begin with the network administrator's say-so.
The time between receiving an alert, logging in, and figuring out the issue is vital. A rapid response can stop dangerous malware or other threats from infecting more devices. If there is a period of inaction or the admin doesn't see the alert quickly, more devices could be compromised.
Security Automation Isn't for Every Endpoint
Of course, some administrators and organizations won't want to use automatic remediation.
The new default automation level can be kept (this is recommended) or changed according to your organizational needs. This change does not impact or override device group definitions that were previously set to control automation level.
However, Microsoft notes that since the introduction of automatic remediation, its malware detection and removal rates have significantly improved, and it has upgraded its automatic detection infrastructure. Most importantly, for network administrators, you can roll-back and undo the automatic remediation actions.
The change to automatic remediation is a step up from the current level. When Microsoft first introduced the automatic remediation feature, the default level was set to "Semi," ensuring all customers had the chance to respond to a security issue in their own time.
However, since that time, Microsoft has "seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default 'Semi' level, have remained at high risk."
The choice between the two options rests with the organization and administrators, ultimately.