Microsoft will remove the ability to manually trigger automated investigations and retire the standalone Automated Investigation and Response (AIR) experience in Microsoft Defender XDR on September 1, 2026. The change, announced via a Microsoft Message center post, forces organizations that rely on manual investigation kickoffs to adapt their security operations before the cutoff.

The Specifics: What’s Being Retired

Two capabilities are going away:

  • Manual trigger for automated investigations. Today, analysts can navigate to an alert or the “Automated investigations” page and click “Run automated investigation” to have Defender immediately begin a machine-speed analysis of an entity (device, user, email, etc.). That option will disappear.
  • The standalone Automated Investigation and Response page. Located under “Actions & submissions” → “Automated investigations,” this dedicated view lists all AIR investigations and their statuses. After the deadline, this page will no longer be accessible.

What stays: AIR itself isn’t going anywhere. Automatically triggered investigations—started by alert policies, detections, or incident creation—will continue to work as before. Investigation data will still appear inside the unified incident view, alert stories, and the device timeline. The retirement only targets scenarios where a human explicitly tells the system to run an automated investigation out of band.

Practical Impact: Who Needs to Act

For most small and midsize shops using Defender for Endpoint or Defender for Business: You likely won’t notice a difference. These environments typically operate with default policies that already let alerts spawn automatic investigations. If your security team never visits the “Automated investigations” page to launch an investigation manually, the change is cosmetic.

For enterprise SOCs and MSSPs with mature playbooks: This requires a workflow review. Many larger teams have built runbooks around manual AIR triggers for triage of high-priority, unproven threats—say, a suspicious PowerShell command that didn’t fire a high-severity alert but feels off. Without the manual trigger, analysts will need alternative fast paths to deep investigation. Options include:
  • Incident-investigation graph: From the incident page, the “Investigate” button opens an interactive graph showing relationships and timelines. While not a full automated investigation, it provides context for manual analysis.
  • Advanced hunting: Kusto queries can replicate many AIR checks, though they demand skill and aren’t point-and-click.
  • Custom detection rules: You can create rules that, when triggered, automatically create alerts or incidents that will, in turn, kick off automated investigations. This is the recommended replacement path for manual triggers on specific conditions.
  • Microsoft Sentinel integration: For organizations already using Sentinel, analytics rules can orchestrate investigation steps, not just detection.

There’s also a subtle reporting change. The standalone AIR page offered a consolidated list of all investigations across devices—a kind of SOC dashboard. After retirement, you’ll find investigation history per incident or per device. If your team relies on that list for daily standups or metrics, plan a replacement using Microsoft Graph security APIs or the advanced hunting table AlertEvidence.
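One way to rebuild a consolidated daily list from advanced hunting, as an added example that is not from the article or from Microsoft; it joins AlertInfo to AlertEvidence and assumes a one-day lookback, and it lists alerts with their evidence rather than investigation status, which these tables do not expose:

```kql
// Added example: per-alert roll-up of evidence for a daily SOC view.
// AlertInfo holds one row per alert; AlertEvidence holds the entities
// (devices, accounts, files, emails) attached to each alert.
// Investigation status is not a column here; get it from the incident view.
AlertInfo
| where Timestamp > ago(1d)                       // assumed lookback for a standup
| join kind=inner (
    AlertEvidence
    | summarize Devices     = make_set(DeviceName, 20),   // cap set size per alert
                Users       = make_set(AccountUpn, 20),
                EntityTypes = make_set(EntityType, 20)
              by AlertId
  ) on AlertId
| project Timestamp, AlertId, Title, Severity, ServiceSource,
          DetectionSource, Devices, Users, EntityTypes
| order by Timestamp desc
```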

The Road to Deprecation: A Timeline of AIR Changes

Microsoft introduced Automated Investigation and Response in 2019 as a response to alert fatigue—automatically examining entities, quarantining files, and resolving low-confidence alerts without human input. Early versions lived inside Windows Defender Advanced Threat Protection. Over the next few years, the capability broadened to cover Office 365, identity, and cloud app alerts, eventually folding into the unified Microsoft 365 Defender—now Microsoft Defender XDR.

Throughout, Microsoft maintained two investigation paths: fully automatic (triggered by alert logic) and manually initiated (available from the alert view and the standalone page). The latter was often a safety net—a way for analysts to “ask for a second opinion” from the automation when they didn’t fully trust a low-severity alert.

By late 2024, Microsoft began hinting at consolidation. The “Automated investigation” button started disappearing from some alert contexts in preview rings. A February 2025 Message center post (MC953824) first publicly disclosed the deprecation plan, with the September 1, 2026, final cut-off. The message explicitly stated: “We recommend migrating to the new unified investigation experience that is integrated with Microsoft Defender XDR.”

This moves AIR closer to a pure “auto” model. It aligns with the broader industry push toward autonomous SOC tools—where human intervention shifts from initiating investigations to reviewing their outputs—and with Microsoft’s own Security Copilot integration, which adds generative AI insight on top of automated findings.

Action Plan: Steps to Take Now

With over a year until the deadline, you can methodically adjust. Here’s what to tackle right away, quarterly, and near the cutover.

Immediate (next 30 days)

  • Audit manual AIR usage: Run a query in advanced hunting to count events where ActionType equals “ManualInvestigationTriggered” or similar (available in the DeviceEvents table for recent months). If the count is near zero, deprecation won’t affect you.
  • Review alert policies: Confirm that all critical alert types (malware, suspicious activity, credential theft) have appropriate severity settings and that automated investigation is enabled for those alert categories. Check in the Microsoft Defender portal under “Settings” → “Microsoft Defender XDR” → “Alert service settings.”
  • Notify the SOC: Ensure Tier 2/3 analysts and detection engineers know the button is going away, so they don’t depend on it in new playbooks.
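An audit query for the first step, added here and not taken from the article or Microsoft documentation; it assumes the ActionType value “ManualInvestigationTriggered” named above is correct for your tenant, so it filters with `contains` to surface any similarly named values alongside it:

```kql
// Added example: count manual AIR triggers recorded in DeviceEvents.
// Advanced hunting keeps 30 days of data, so this is the full window.
// "ManualInvestigationTriggered" is the name given in the article; the
// contains filter also lists related ActionType values for confirmation.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType contains "Investigation"        // case-insensitive substring match
| summarize Triggers  = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Devices   = dcount(DeviceId)
          by ActionType
| order by Triggers desc
```

A result set with no rows, or only rows for values unrelated to manual triggers, means the retirement will not change your day-to-day operations.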

Short-term (next quarter)

  • Map manual triggers to custom detections: For each scenario where you manually fire an investigation, write a custom detection rule in the “Custom detections” blade that approximates the trigger logic. For example, if you often manually investigate emails with a specific subject pattern, create a detection rule that matches that pattern and generates an alert with a severity that automatically initiates an AIR.
  • Test the post-deprecation workflow: On a subset of devices or a test tenant, simulate incidents without using the manual trigger and see if your team can reach the same conclusions via the incident graph, advanced hunting, or live response.
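A custom detection query that approximates the email-subject scenario above, written as an added example rather than code from the article or Microsoft; it assumes a Defender for Office 365 tenant (EmailEvents table) and uses a constructed list of subject keywords:

```kql
// Added example: custom detection replacing a manual AIR trigger for
// emails whose subject matches a pattern the team used to investigate by hand.
// Custom detection rules require Timestamp, ReportId and at least one
// entity column (here NetworkMessageId and the recipient/sender addresses).
let SuspiciousSubjects = dynamic(["remittance", "overdue", "shipment"]);  // constructed sample
EmailEvents
| where Timestamp > ago(1h)                         // rule runs on a schedule; keep lookback short
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"               // only mail that reached a mailbox
| where Subject has_any (SuspiciousSubjects)
| where AttachmentCount > 0                         // narrow to the risky variant
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderFromDomain, Subject, AttachmentCount
```

When saving this as a custom detection rule, the alert severity and run frequency are set in the rule wizard, not in the query; the severity is what determines whether the resulting alert starts an automated investigation.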

Long-term (by mid-2026)

  • Retire manual trigger playbooks: Remove steps that reference “Click Run automated investigation” from runbooks and replace them with the new detection-to-automated-investigation flow.
  • Adjust compliance or reporting documentation: If your audit procedures mention the standalone AIR page as a key control, update them to reference per-incident investigation records.
  • Train on the unified investigation experience: Ensure all analysts are proficient in the incident graph, advanced hunting, and custom detections, as these will become the primary hands-on tools for human-led deep dives.

A note on APIs and automation

If you used the Microsoft 365 Defender API to trigger automated investigations programmatically (the RunAutomatedInvestigation action), that will also stop working after the deadline. Migration options include creating incidents via the API with appropriate severity to trigger an automatic investigation, or using the live response API for responsive actions on endpoints.

Outlook: What’s Next for Defender XDR

The manual AIR retirement is one piece of a broader consolidation of the Defender XDR interface. Expect the “Actions & submissions” hub to slim down further, with more capabilities embedding directly into the incident and device views. Microsoft is also investing heavily in Security Copilot, which can already summarize investigations, generate hunting queries, and guide analysts through manual steps—effectively filling the gap left by the disappearing manual trigger.

For most organizations, the removal will be a nudge toward a more scalable, “trust the platform” security posture. But for the minority who relied on that manual button as a quick-look tool, now is the time to build smarter triggers that let the automation do what it was designed to do—without your hand on the launch button.