The Intune Policy Configuration Agent uses the generative AI-powered features in Security Copilot. It helps IT admins translate complex requirements and industry standard documents into actionable Intune settings.
Admins can quickly generate Intune settings catalog policies that align with organizational or regulatory baselines, including any hardening initiatives.
With the agent, you:
- Upload a document or industry benchmark, and the agent identifies relevant and matching Intune settings.
  - You can upload compliance standards and common industry benchmarks, like Security Technical Implementation Guides (STIGs) and National Institute of Standards and Technology (NIST) guidelines.
  - You can upload internal policy documents and baselines, like your organization's security policies or compliance requirements.
- Get relevant configuration settings and actionable suggestions based on your uploaded documents.
  - You can customize the suggestions to create a baseline that fits your environment. For example, if your organization has an exception to a CIS rule, you can remove that rule from the final policy.
The agent also guides you through creating a policy using the suggestions and helps configure each setting based on your organization's needs. You can review and save these suggestions.
This article:
- Lists the prerequisites to use the agent
- Explains how the agent works
- Shows you how to set up the agent
- Shows you how to renew or remove the agent
To learn how to use the agent, see Use the Policy Configuration Agent.
Prerequisites
Cloud requirements
The agent is supported on the public cloud only. It isn't supported on government clouds.
Licensing requirements
To use Security Copilot agents in Microsoft Intune, the following licenses are required:
- Microsoft Intune Plan 1 subscription
- Microsoft Security Copilot with sufficient security compute units (SCUs)
Plugins requirements
Plugins enable Security Copilot agents to connect with Microsoft services and perform specialized actions. This agent requires the following plugin:
If you use Copilot in Intune, then the Intune plugin is already enabled. Learn more about plugins.
Device platform requirements
This feature supports the following platforms:
- Windows
Roles requirements
To enable and configure the agent, use an account with the following roles:
Security Copilot roles:
To learn about the Security Copilot roles, see Security Copilot roles and permissions.
Intune roles:
- Read only operator or a Custom role with the following permissions:
  - Device configurations/Read
To use the agent, generate suggestions, and get policy recommendations, use an account with the following roles:
Security Copilot roles:
Intune roles:
- Read only operator or a Custom role with the following permissions:
  - Device configurations/Read
To use the agent, generate suggestions, get policy recommendations, and create policies, use an account with the following roles:
Security Copilot roles:
Intune roles:
- Policy and Profile manager or a Custom role with the following permissions:
  - Device configurations/Create
  - Device configurations/Update
How the agent works
At a high level, the agent performs the following steps.
Input ingestion: You give the agent an input that has your policy requirements. It can be a document you upload or direct text input, like "All laptops must have BitLocker enabled with AES-256 encryption." The agent supports custom documents and bulleted lists of requirements.
Natural language processing and parsing: When you run the agent against your input, the agent uses Security Copilot to parse and map the input. It reads through the language and identifies individual settings that the text describes.
For example, if the document says "Disallow use of USB storage devices", then the agent interprets the text as a requirement about external storage policy.
Security Copilot is tuned to recognize common policy statements and technical controls from textual descriptions. It can handle complex wording or varied formats.
Maps rules to Intune settings: For each parsed requirement, the agent attempts to find a corresponding settings catalog setting that achieves that goal. The agent uses built-in knowledge of Intune's capabilities to choose the correct setting and the setting value that meets the requirement.
Generates policy suggestions: The agent compiles the mapping results into a draft Intune configuration profile with the recommended settings.
Admin review and confirmation: Before anything is applied, you review the agent's output. In the admin center, select the agent's suggestion to see the details. You might see a list of recommended settings (supported mappings) and separate lists for unsupported or unmapped items.
At this stage, you should:
- View Details - You can drill into each recommended setting to read the rationale and adjust it. For instance, the agent might suggest a password length of 14 characters because the baseline said at least 12.
- Remove or Exclude - If there are certain suggestions you don't want to implement, then you can remove them when you tell the agent to create the device configuration policy.
- Acknowledge Unsupported Items - For any requirements that Intune can't enforce, document how you plan to handle them, or acknowledge them. The agent's role is informational and to make sure you're aware of any gaps.
Policy creation: After you confirm the suggestions, you can choose to create a new configuration profile with all the recommended settings. This settings catalog policy isn't enforced until you assign it, just like any Intune policy you manually create.
At this stage, the policy is a normal Intune policy. You can assign it to the appropriate groups and rename the policy.
Deploy and monitor: Once the policy is assigned, devices start reporting with the new settings. The agent's job is done until you run it again.
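To make the review stage concrete, here is an added, illustrative model of the agent's output for the three example requirements above (constructed for this article; it is not the agent's code, and the setting names are placeholders, not real settings catalog names). It shows a mapped requirement, an unmapped gap that the admin must acknowledge, and the admin exclusion step that drops a suggestion before the policy is created.

```python
import re
from dataclasses import dataclass, field

# Constructed mapping table standing in for the agent's built-in knowledge.
# The setting names are placeholders, not real settings catalog names.
# Each rule: (pattern over the requirement text, placeholder setting, value builder).
RULES = [
    (re.compile(r"bitlocker.*aes-?(\d+)", re.I),
     "placeholder:bitlocker_encryption_method", lambda m: f"AES-{m.group(1)}"),
    (re.compile(r"disallow.*usb storage", re.I),
     "placeholder:removable_storage_access", lambda m: "Blocked"),
    # "at least N" is a floor; this constructed heuristic picks max(N, 14), mirroring
    # the article's example of 14 being suggested for a baseline that says 12.
    (re.compile(r"password.*at least (\d+)", re.I),
     "placeholder:password_minimum_length", lambda m: str(max(int(m.group(1)), 14))),
]

@dataclass
class Draft:
    """Review output: mapped settings plus requirements Intune can't enforce."""
    supported: list = field(default_factory=list)    # (requirement, setting, value)
    unsupported: list = field(default_factory=list)  # requirements with no mapping

def build_draft(requirements):
    """Parse each requirement and map it to a setting, or record it as a gap."""
    draft = Draft()
    for req in requirements:
        for pattern, setting, value_of in RULES:
            m = pattern.search(req)
            if m:
                draft.supported.append((req, setting, value_of(m)))
                break
        else:
            draft.unsupported.append(req)
    return draft

def exclude(draft, setting):
    """Admin exception step: drop a suggested setting before the policy is created."""
    kept = [s for s in draft.supported if s[1] != setting]
    return Draft(supported=kept, unsupported=list(draft.unsupported))

# Constructed sample input resembling an uploaded requirements list.
SAMPLE = [
    "All laptops must have BitLocker enabled with AES-256 encryption.",
    "Disallow use of USB storage devices",
    "Passwords must be at least 12 characters long",
    "Require annual security awareness training for all staff",
]

if __name__ == "__main__":
    d = build_draft(SAMPLE)
    for req, setting, value in d.supported:
        print(f"MAPPED    {setting} = {value}   <- {req}")
    for req in d.unsupported:
        print(f"UNMAPPED  {req}  (document how this gap is handled)")
```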
Agent identity
The agent runs under the identity and permissions of the account used during this setup. Actions are limited to the permissions of that account, and the identity refreshes with each run. So, any changes to the account's permissions affect the agent's capabilities during its next run.
We recommend you sign in with the Security Copilot Owner role to set up the agent. Some roles might automatically have the required permissions. To learn more, see Security Copilot roles.
Set up the agent
Before you enable the agent:
- An admin must manually start the agent. Once started, there's no option to stop or pause the agent.
- The agent can only be started from the Intune admin center.
- Session details in the Microsoft Security Copilot portal are visible only to the user who set up the agent.
- Only one agent instance is supported per tenant.
Use the following steps to set up the agent:
- In the Intune admin center, select Agents > Policy Configuration Agent.
- In Overview, select Set up agent.
- The Set up Policy Configuration Agent pane lists the required permissions to set up the agent, and provides more information about the setup requirements.
- Select Set up agent.
When it completes, the agent is ready to use. To learn more about using the agent, see Use the Policy Configuration Agent.
Renew the agent
If you don't use an agent for 90 days, the agent authorization expires and agent runs fail until reauthentication. You can renew the agent authentication anytime.
As the expiration gets closer, Intune shows a warning on the agent overview page that each Copilot owner and Copilot contributor can see. The warning prompts you to renew the agent identity.
To reauthorize the agent identity, select Renew authentication. When you renew the agent authentication, the agent automatically uses the signed-in credentials. If you don't want to use the signed-in credentials, then select the agent > Settings tab > Choose another identity.
After renewal, the warning banner disappears, and a toast notification validates that the renewal is successful.
Remove the agent
When you remove an agent, all associated generated data, including suggestions and activities, is deleted. Previously applied suggestions remain unchanged.
Steps to remove an agent instance:
- In the Microsoft Intune admin center, select Agents.
- Select the agent instance you want to remove.
- Select Remove agent and confirm the removal.
After removal:
- The agent pane returns to its original state.
- An admin can reinstall the agent later by repeating the setup process.
Help shape the future of Intune agents
Join our Intune Agents Feedback Forum to share insights and influence upcoming capabilities in Microsoft Intune.
Sign up and learn more: https://aka.ms/IntuneAgentsForum