Security Copilot is a cloud-based AI platform offering a user-friendly natural language Copilot interface. It aids security professionals across various scenarios such as incident response, threat hunting, and intelligence gathering. For a detailed overview of its capabilities, visit the “What is Microsoft Security Copilot?” page.
Integrating seamlessly with your Microsoft Intune data, Security Copilot enhances your security insights.
If your organization utilizes Microsoft Intune within the same tenant as Security Copilot, you can leverage Copilot to glean valuable insights from your Intune data.
Security Copilot incorporates Intune functionalities, allowing users to access information using prompts. Some of the features include:
- Details regarding devices, applications, compliance, configuration policies, and policy assignments managed through Intune.
- Attributes and hardware specifics of managed devices.
- Troubleshooting specific device issues and comparing operational versus non-operational devices.
Intune has capabilities that are powered by Copilot. These capabilities access your Intune data, and can help you manage your policies & settings, understand your security posture, and troubleshoot device issues.
This guide outlines the process of accessing your Microsoft Intune data within Security Copilot, along with sample prompts for reference.
Security admin focus
Security Copilot is tailored towards Security Operations Center (SOC) analysts and security administrators. If you hold either of these roles, Security Copilot offers valuable insights into the security status of devices managed by Intune.
For instance, if you encounter a user or device exhibiting suspicious behavior, such as unauthorized enrollment of an unknown device in Intune, it could indicate potential malicious activity involving stolen credentials. In such scenarios, accessing additional information becomes crucial.
Within Security Copilot, leveraging Intune capabilities allows you to:
- Retrieve detailed information about a specific device, including its name, ID, and manufacturer.
- Identify the enrollment time of the device in Intune.
- Determine the primary user associated with a device.
- Classify the device type (e.g., laptop, mobile phone).
- Assess compliance status, particularly identifying noncompliant devices and the reasons behind their noncompliance.
Utilizing this information in conjunction with Microsoft Defender enables informed decision-making regarding subsequent actions. For instance, the nature of the device (e.g., laptop, mobile phone, tablet) may influence the course of action. Additionally, Security Copilot facilitates direct access to the device within Microsoft Defender, enabling execution of necessary Defender actions.
What you need to know
When an admin submits a prompt, Copilot can only access the data that the admin has permissions to, which includes the RBAC roles and Intune scope tags assigned to them.
If you want your admins to access all your Intune data in Security Copilot, then use one of the following roles in Microsoft Entra ID:
- Global Administrator
- Intune Service Administrator (also known as Intune Administrator)
You can access your Intune data in the Security Copilot and Copilot in the Intune admin center.
Setup and enable Copilot for intune.
Go to the Intune admin center and click on Copilot (preview) to check if Copilot is already enabled for your tenant.
You can see that Copilot is no yet enabled on this tenant. Now go to the Security Copilot Portal. Click Get started.
Now wait some time, your tenant will be setup in the backend.
Set up your security capacity on the next screen, choose your Azure subscription, resource group, Capacity name, location capacity region and Security computer units (more info on the Security Computer Units can be found here)
After filling in this information, click continue in the bottom right corner and wait for some time.
When everything is ready scroll down and click on the sources icon.
Now make sure that Intune is checked.
I also recommend to enable the Microsoft Defender stuff, whit these plugins enabled you can do some nice things when it comes to Microsoft Defender. You can just switch it on with the toggle switches. For the Microsoft Defender External Attack Surface Management you will nee to enter some extra detail by clicking the gear icon next to it.
Here you will need to fill in your Resource name, Subscription ID and the resource group name. I used the resource group from my initial setup.
Using Copilot for intune.
Now everything is ready to work with Copilot. Currently, there are two areas to use Copilot in Intune:
- Policy and setting management
- Device details and troubleshooting
Copilot is embedded on policy settings and with your existing policies. When you create an Intune policy, you add settings and configure these settings to meet your organization requirements. When you add a setting, there’s a Copilot tooltip:
This is a result of this (it can take some time to generate the outcome):
On your existing Intune policies, you can use Copilot to summarize the policy. The summary describes what the policy does, the users and groups assigned to the policy, and the settings in the policy. This feature can help you understand the impact of a policy and its settings on your users and devices.
To use this feature in Intune, select an existing policy and then select Summarize with Copilot:
A result will be something like this:
You can use Copilot to get device-specific information, like the installed apps, group membership, and more.
To use this feature in Intune, select a device, and then select Summarize with Copilot:
You will get the following options:
You can also use your own prompts to gather info straight from the portal.
Using Copilot for Defender Incidents.
I have simulated some alerts by trying to download some EICAR test files (https://www.eicar.org/download-anti-malware-testfile/#top) These will generate alerts, from those alerts you can create incidents. Click on the alert and select Link alert to another incident. From here you can create a new incident of link it to an existing one.
Now if you go to the incidents page you will see your created incident, note down the incident ID to use in Copilot
Now go to the Copilot page:Â https://securitycopilot.microsoft.com/Â and select the Microsoft 365 Defender incident investigation
Enter your incident ID and click submit
Now Copilot will gather all information it can find regarding that incident, this can take some time.
Copilot will summarize the incident
Copilot will tell you the information about the entities associated with this incident
Copilot will show you the info regarding reputation scores
Because i do not have this plugin enabled we don’t get info regarding the IP address.
Copilot will show the authentication methods setup for each user involved in that incident. Especially indicate whether they have MFA enabled.
It will gather info from the user and the device
At the last step i got the error message that due to your organization’s high usage Copilot no longer can accept requests, this is because i have only 1 SCU active and did not allow it to span over regions, due to the high cost.
But you will get the general idea regarding this topic
I waited for some time and i ran a new summary for another even, that was successful until the end.
You can also let Copilot analyze things straight from the defender portal. Go to https://security.microsoft.com/, select an alert,, i used the test the defender onboarding script here, and click the analyze button.
After a few seconds you will the the results.
Using Copilot for EPM (Endpoint Privilege Management) in Intune.
Personally I think this feature is one of the best that’s included with Security Copilot in Intune, if you have EPM enabled in your tenant and a user submits a request to install an application you can have Security Copilot analyze this application before you approve it for the user. For this example i have an infected exe file and a good msi file.
Now when we click on one of the files to approve or deny we can see the Analyze with Copilot button.
Let’s see this in action.
This MSI file is safe to approve. However let’s take our infected test file and Analyze it with Copilot.
We will get a different result here.
It clearly states that there is an issue with his file so you will not approve this for installation.
Troubleshooting Copilot for intune.
By now it is time for an update on this article, because of the significant costs of this feature i deleted all my Copilot resources from Azure. As time went by and i received some Azure Sponsorship credits i decided to set it up again, this time one my own live tenant.
During the setup i ran into 1 error. I will explain this error and what you can do about them.
Can’t get account information.
Now for the other error, also during setup, We get a nice black screen with an error that states: Can’t get account information
By now i thought that i could outsmart them and go directly to the setup URL: https://securitycopilot.microsoft.com/tour/welcome, but i was not smart enough 😉 The same error message was displayed. So what is wrong? I didn’t bother to sent another support request to Microsoft.
I left everything as it was for the time being and started again the next day, sometimes i do have other stuff to do 😉
The solution for the issue.
The next day i tried again and again by coincidence i logged in to my tenant with another Global Admin account and guess what, i ran thru the complete setup without any errors. As for why my normal global admin account was triggering this errors, …. Totally no idea, i asked Microsoft why i’m seeing this behavior but until this point in time no answer.
So if you run into this issue, try another Global Admin account or create a new one to setup Security Copilot.
Happy Copiloting 😉 And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!
Hi Great Guide, is this covered with Intune P1 or need a special license?
Hi, no special license required. Just intune is ok. Do watch out for the pricing of co-pilot, it is expensive!