Microsoft Security Copilot agents in Microsoft Intune

Microsoft Security Copilot agents are available in Microsoft Intune.

Available agents

Vulnerability Remediation Agent in Microsoft Intune

The Vulnerability Remediation Agent in Intune uses data from Microsoft Defender Vulnerability Management to identify the individual Common Vulnerabilities and Exposures (CVEs) and Windows vulnerabilities on your managed devices. The results are prioritized for remediation and include step-by-step instructions that guide you in using Intune to remediate the threat.

Use of this Copilot Agent by your security team can reduce the time it takes to investigate, identify, and remediate threats from hours to only a few minutes.

Trigger

The Vulnerability Remediation Agent runs manually, on demand.

Permissions

The Vulnerability Remediation Agent runs using the identity and permissions of the user who installed the agent in Intune.

Identity

The agent persistently runs in the identity of the user who initially set up the agent. This identity refreshes with each agent run and expires if the agent has not been run for 90 consecutive days. There is no notification regarding the end of the authorized period. To change this identity or reauthorize the agent, the agent must be removed and then set up again.

Products

The agent requires the following products:

Plugins

Role-based access

For an Intune administrator (admin) to successfully manage or use the Vulnerability Remediation Agent, they must be assigned the role-based access controls (RBAC) for Intune, Microsoft Defender, and Security Copilot as described in the following sections.

When assigning RBAC roles and permissions to admins to manage and use the agent, assign the least privileged built-in RBAC role or a custom role that includes the minimum permissions required to complete their administrative tasks.

The required permissions, by action and by product:

Set up and removal

- Microsoft Intune: The admin must be assigned an Intune license. Permissions (built-in or custom role) must include Managed apps/read, Mobile apps/read, and Device configurations/read. Least privileged Intune built-in role: Read Only Operator.
- Microsoft Defender: The admin must have permissions equal to the Microsoft Entra Security reader role.
- Security Copilot: The admin must be a Copilot owner.

Work with installed agent

- Microsoft Intune: The admin must be assigned an Intune license. Permissions (built-in or custom role) must include Managed apps/read, Mobile apps/read, and Device configurations/read. Least privileged Intune built-in role: Read Only Operator.
- Microsoft Defender: The admin must have permissions equal to the Microsoft Entra Security reader role.
- Security Copilot: The admin must be a Copilot contributor.

Important

The Vulnerability Remediation Agent runs under the identity of the admin who set up the agent. During public preview, the identity can't be edited. To change this identity, the agent must be removed and set up again.

Data that is reported by the agent and visible through agent suggestions might be visible to admins with access to view the agent within the Intune admin center, even when that data is outside the admin's assigned Intune roles or scope.