Microsoft Defender for Endpoint (MDE) must enable Full remediation for Device groups.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-275998	SRG-APP-000279	MSDE-00-001450	SV-275998r1119728_rule	2025-07-15	1

Description
Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Full remediation is necessary to automatically investigate and remediate devices without human intervention which lowers SOC fatigue. This is also required for Attack Disruption.

Description

Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Full remediation is necessary to automatically investigate and remediate devices without human intervention which lowers SOC fatigue. This is also required for Attack Disruption.

ℹ️ Check
Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions). 2. For all device groups: Verify the remediation column is set to Full remediation. If the remediation column for all Device groups is not set to "Full remediation", this is a finding.

✔️ Fix
Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Device groups (under Permissions). 2. Enter each Device group and enable Full remediation.