Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

Introducing Security Copilot Agents – Intune Vulnerability Remediation Agent (Preview)

by | Jul 14, 2025 | AI, Blog, Copilot, Device Management, Featured Post, Intune, Manuals, MDM, Most Popular, Security, Security Copilot, Top Stories | 0 comments

Hi Community,

To build further on the previous posts regarding Security Copilot, which you can find below, I would like to introduce Security Copilot Agents and specifically the Intune Vulnerability Remediation Agent.

Let’s check out how to enable it and what it can do for you.

This functionality is in public preview; normally it should become generally available in June 2025.

Security Copilot Agent Intune Vulnerability Remediation Agent (Preview)

Security Copilot Agent License Prerequisites

  • Microsoft Intune Plan 1 subscription – This provides the core Intune capabilities.
  • Microsoft Intune Suite – Intune Plan 2 and standalone add-ons are not sufficient for this prerequisite.
  • Microsoft Security Copilot – Security Copilot must share a Tenant with Intune, and to set up the agent your account must have permission to the workspace for Security Copilot.
  • Microsoft Defender Vulnerability Management – Microsoft Defender for Endpoint P2 or Defender Vulnerability Management standalone

Security Copilot Agent Some Caveats

  • An admin must start the agent. When the agent is running there is no option to pause or stop it.
  • The agent will run persistently under the identity of the user that did the setup.
  • The agent can only be launched from the Intune portal.
  • The CVEs are only for devices with Windows 10 and 11, no server OS.
  • The exposed device list only includes devices found in Entra ID, no server OS.
  • No scope tags are supported yet for the exposed devices list in this public preview.
  • Automatic remediation is not available in the public preview, so there are no actions for creating policies straight from the agent. This will come!
  • No macOS support yet; this will also come.

Security Copilot Agent Role-based Permissions

To set up, run, and view results from the Vulnerability Remediation Agent, you must use an account that is assigned the following role-based access control (RBAC) permissions:

Intune

  • Device Management Apps (Read)
    • Used to identify/list managed apps in Intune
  • Device Management Configurations (Read)
    • Used to list policies and the Windows Update catalog in Intune

Microsoft Defender for Endpoint:

  • Security Recommendations (Read)
    • Used to list recommendations for apps and OS
  • Threat Hunting (Read)
    • Used to run hunting queries in Apps and OS

Security Copilot:

  • Copilot Owner
    • Required to create (set up) or delete (remove) an agent instance.
  • Copilot Contributor
    • Required to run the agent and view results.

Enable the Security Copilot Agent Vulnerability Remediation Agent

When you go to https://securitycopilot.microsoft.com/ you will see the banner that the Security Copilot Agents are here. You cannot miss it ;-).

Make sure you have at least 1 SCU running.

You can also check if the agents are enabled by clicking the sources icon and verifying that the Agents box is enabled:

Security Copilot Agents

Now click Go to agents in the banner.

You will be presented with a welcome screen; click Next for more info or Dismiss.

Now click View details on the Intune Vulnerability Remediation Agent, review the triggers, permissions, identity, plugins and RBAC, and click Set up in Intune.

You will be redirected to the Intune portal; it can take some time to load. Under Endpoint Security you will see a new section, Vulnerability Remediation Agent (Preview).

Now your setup is complete. Let’s walk you through the settings and more.

Settings of the Security Copilot Agent Vulnerability Remediation Agent

Let’s skip the overview pane for now and head into the settings first. When you click on the settings you can see some information on the agent:

  • Permissions
  • Identity
  • Plugins
  • Role with access
  • Workspace

Overview of the Security Copilot Agent Vulnerability Remediation Agent

On the overview page you can see the following:

  • Agent availability
  • About this agent
  • Agent suggestions – the most important one
  • Agent run activity

On the top you will have 3 other buttons: Run, Refresh and Remove agent.

If you remove the agent, the data generated by the agent, including all suggestions and activity, is removed. Your sessions will be kept for 90 days. You can also see all your sessions in the standalone version (https://securitycopilot.microsoft.com) under My Sessions.

Run the Security Copilot Agent Vulnerability Remediation Agent (Preview)

Click the Run button to get results in the Agent suggestions. For myself and some other early adopters, we had to do several runs to get some results, so be patient. When your run is finished you can track it in the Activity pane.

The suggestions match the vulnerability recommendations from the Microsoft Defender Security portal, as you can see in this example for Adobe Acrobat DC.

Now let’s check out the suggestions. If you click on one, e.g. Update Adobe Acrobat DC, a new pane will open with information on the CVE. This pane will also guide you to the actions you should take to resolve it.

You can download your exposed devices for further troubleshooting; it would have been nice to see an overview of the affected devices here in this pane. Maybe when it’s GA.

Once you manually remediate the issue you can click Mark as applied. This means that you are self-attesting that you completed the remediation steps. The agent will NOT perform any actions on your devices or in your environment. Once marked as applied, a timestamp will show when the suggestion was last marked as applied.

You will also see this reflected in the Agent suggestions page, in the Last applied column.

Suggestions might update after each agent run. If a suggestion was previously marked as applied, you can select Mark UPDATE as applied to manually attest that you have applied the updates in the existing suggestion.

Error messages

As with all new products or features you can run into some error messages; here are the most frequent ones:

  • Insufficient licenses: Review the prerequisites on licensing.
  • Insufficient Workspace access: This error indicates that your account does not have the correct permissions to view or use the Security Copilot workspace.
  • Insufficient Permissions: Review the RBAC prerequisites.
  • There was an issue with setting up the vulnerability Agent, please try again: try logging off and on again, this should do the trick.
  • The agent encountered an error and did not finish the run: try running again, or log off and on again, this should do the trick.

If there is no error message but you don’t see suggestions, please try several runs; in my case I had to do 4 or 5 to get the suggestions in here.

Also check out the Tech Community site for more information.

So this concludes the introduction of the Security Copilot Vulnerability Remediation Agent (Preview). Please do play around with it and give your feedback. Microsoft is eager to hear your findings, good or bad, so please do comment or contact me directly.

And as always, if you feel there is something in error or you want to add some stuff from your own experience, don’t hesitate to contact me!
