Isolated Hosts & Auto Remediation Steps - Wait for MSP Completion
Jace Walker
When automatic and auto-approved remediations are enabled, and when manual remediations are required by the MSP for an incident, the incident should not be resolved until manually resolved by the MSP.
Example event:
There has been a compromised user within Active Directory and one of the manual remediation tasks is to reset the user's password. Huntress isolates the host.
One of the steps for remediation in the example above was to reboot the host, and as part of our standard patching, our RMM did reboot the host. When the machine booted back up, Huntress thought that was a remediation step, which took the host out of isolation automatically. However, the user's password had not been changed, and removing isolation had opened the machine up to further attacks.
The incident should remain active until the password has been rotated and should only be manually resolved. The host should also remain isolated until all manual remediations have been completed.
Further information can be found in ticket 102738.