---
title: Learn about Policy Configuration Agent and set it up
description: Learn about the Policy Configuration Agent in Microsoft Intune, its prerequisites, how it works, and how to set it up. The agent is a generative AI feature that helps create Intune policies based on uploaded documents or benchmarks. The Policy Configuration Agent is a feature of Security Copilot in Intune.
ms.date: 11/18/2025
ms.topic: overview
author: mandiohlinger
ms.author: mandia
ms.reviewer: aanavath, jubaptis
---
The Intune Policy Configuration Agent uses the generative AI-powered features in Security Copilot. It helps IT admins translate complex requirements and industry standard documents into actionable Intune settings.
Admins can quickly generate Intune settings catalog policies that align with organizational or regulatory baselines, including any hardening initiatives.
With the agent, you can:
- Upload a document or industry benchmark, and the agent identifies relevant and matching Intune settings.
  You can upload compliance standards and common industry benchmarks, like Security Technical Implementation Guides (STIGs) and National Institute of Standards and Technology (NIST) guidelines.
- Upload internal policy documents and baselines, like your organization's security policies or compliance requirements.
- Get relevant configuration settings and actionable suggestions based on your uploaded documents.
- Customize the suggestions to create a baseline that fits your environment. For example, if your organization has an exception to a CIS rule, you can remove that rule from the final policy.
The agent also guides you through creating a policy using the suggestions and helps configure each setting based on your organization's needs. You can review and save these suggestions.
This article:
- Lists the prerequisites to use the agent
- Explains how the agent works
- Shows you how to set up the agent
- Shows you how to renew or remove the agent
To learn how to use the agent, see Use the Policy Configuration Agent.
:::row:::
:::column span="1":::
[!INCLUDE cloud]
:::column-end:::
:::column span="3":::
The agent is supported on the public cloud only. It isn't supported on government clouds.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
[!INCLUDE platform]
:::column-end:::
:::column span="3":::
To use Security Copilot agents in Microsoft Intune, the following licenses are required:
- Microsoft Intune Plan 1 subscription
- Microsoft Security Copilot with sufficient security compute units (SCUs)
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
[!INCLUDE platform]
:::column-end:::
:::column span="3":::
Plugins enable Security Copilot agents to connect with Microsoft services and perform specialized actions. This agent requires the following plugin:
- [!INCLUDE plugin-intune]
If you use Copilot in Intune, then the Intune plugin is already enabled. Learn more about plugins.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
[!INCLUDE platform]
:::column-end:::
:::column span="3":::
This feature supports the following platforms:
- Windows
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
[!INCLUDE rbac]
:::column-end:::
:::column span="3":::
To enable and configure the agent, use an account with the following roles:

:::image type="icon" source="../../media/icons/16/copilot.svg" border="false"::: Security Copilot roles:
To learn about the Security Copilot roles, see Security Copilot roles and permissions.

:::image type="icon" source="../../media/icons/16/intune.svg" border="false"::: Intune roles:
- Read only operator or a Custom role with the following permissions:
  - Device configurations/Read

To use the agent, generate suggestions, and get policy recommendations, use an account with the following roles:

:::image type="icon" source="../../media/icons/16/copilot.svg" border="false"::: Security Copilot roles:

:::image type="icon" source="../../media/icons/16/intune.svg" border="false"::: Intune roles:
- Read only operator or a Custom role with the following permissions:
  - Device configurations/Read

To use the agent, generate suggestions, get policy recommendations, and create policies, use an account with the following roles:

:::image type="icon" source="../../media/icons/16/copilot.svg" border="false"::: Security Copilot roles:

:::image type="icon" source="../../media/icons/16/intune.svg" border="false"::: Intune roles:
- Policy and Profile manager or a Custom role with the following permissions:
  - Device configurations/Create
  - Device configurations/Update
:::column-end:::
:::row-end:::
:::image type="content" source="./media/policy-configuration-agent/policy-agent-workflow-svg.png" alt-text="Diagram that shows different steps and stages of the policy configuration agent workflow in Microsoft Intune." lightbox="./media/policy-configuration-agent/policy-agent-workflow-svg.png":::
At a high level, the agent does the following steps:
1. Input ingestion: You give the agent an input that has your policy requirements. It can be a document you upload or direct text input, like "All laptops must have BitLocker enabled with AES-256 encryption." The agent supports custom documents and bulleted lists of requirements.
2. Natural language processing and parsing: When you run the agent against your input, the agent uses Security Copilot to parse and map the input. It reads through the language and identifies the individual settings that the text describes.
   For example, if the document says "Disallow use of USB storage devices", then the agent interprets the text as a requirement about external storage policy.
   Security Copilot is tuned to recognize common policy statements and technical controls from textual descriptions. It can handle complex wording or varied formats.
3. Maps rules to Intune settings: For each parsed requirement, the agent attempts to find a corresponding settings catalog setting that achieves that goal. The agent uses built-in knowledge of Intune's capabilities to choose the correct setting and the setting value that meets the requirement.
4. Generates policy suggestions: The agent compiles the mapping results into a draft Intune configuration profile with the recommended settings.
5. Admin review and confirmation: Before anything is applied, you review the agent's output. In the admin center, select the agent's suggestion to see the details. You might see a list of recommended settings (supported mappings) and separate lists for unsupported or unmapped items.
   At this stage, you should:
   - View Details - You can drill into each recommended setting to read the rationale and adjust it. For instance, the agent might suggest a password length of 14 characters because the baseline said "at least 12".
   - Remove or Exclude - If there are certain suggestions you don't want to implement, then you can remove them when you tell the agent to create the device configuration policy.
   - Acknowledge Unsupported Items - For any requirements that Intune can't enforce, document how you plan to handle them, or acknowledge them. The agent's role is informational and to make sure you're aware of any gaps.
6. Policy creation: After you confirm the suggestions, you can choose to create a new configuration profile with all the recommended settings. This settings catalog policy isn't enforced until you assign it, just like any Intune policy you manually create.
   At this stage, the policy is a normal Intune policy. You can assign it to the appropriate groups and rename the policy.
7. Deploy and monitor: Once the policy is assigned, devices start reporting with the new settings. The agent's job is done until you run it again.
The agent runs under the identity and permissions of the account used during this setup. Actions are limited to the permissions of that account, and the identity refreshes with each run. So, any changes to the account's permissions affect the agent's capabilities during its next run.
We recommend you sign in with the Security Copilot Owner role to set up the agent. Some roles might automatically have the required permissions. To learn more, see Security Copilot roles.
Before you enable the agent:
- An admin must manually start the agent. Once started, there's no option to stop or pause the agent.
- The agent can only be started from the Intune admin center.
- Session details in the Microsoft Security Copilot portal are visible only to the user who set up the agent.
- Only one agent instance is supported per tenant.
Use the following steps to set up the agent:
1. In the Intune admin center, select Agents > Policy Configuration Agent.
2. In Overview, select Set up agent.
   The Set up Policy Configuration Agent pane lists the required permissions to set up the agent, and provides more information about the setup requirements.
3. Select Set up agent.
   When setup completes, the agent is ready to use. To learn more about using the agent, see Use the Policy Configuration Agent.
[!INCLUDE renew]
:::image type="content" source="./media/policy-configuration-agent/change-identity.png" alt-text="Screenshot of the Policy Configuration Agent change identity screen in Microsoft Intune." lightbox="./media/policy-configuration-agent/change-identity.png":::
[!INCLUDE remove]
[!INCLUDE feedback]