| title | Vulnerability Remediation Agent Overview and Set Up |
|---|---|
| description | Learn about the Vulnerability Remediation Agent in Microsoft Intune, its prerequisites, how it works, and how to set it up. The agent uses AI to identify and prioritize vulnerability remediation based on Microsoft Defender Vulnerability Management data. |
| ms.date | 09/17/2025 |
| ms.update-cycle | 180-days |
| ms.topic | overview |
| author | Brenduns |
| ms.author | brenduns |
| ms.reviewer | juidaewo |
| ms.collection | |
> [!NOTE]
> The Vulnerability Remediation Agent is currently in a limited public preview and available to only a select group of customers. If you're interested in gaining access or would like to learn more, please reach out to your sales team for further details and next steps.
The Vulnerability Remediation Agent for Security Copilot in Intune uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. This Copilot Agent can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.
When the agent runs, it analyzes data from Microsoft Defender Vulnerability Management and provides a prioritized list of suggestions that appear in the Intune admin center. You can drill in to each suggestion to view details that include:
- The count of associated vulnerabilities (CVEs)
- A Copilot-assisted summarized impact analysis
- Suggested actions
- Affected systems
- Exposed devices
- Potential impact
- Step-by-step guidance for using Intune to remediate it
Once you remediate an agent suggestion, you can mark it as applied to have the agent retain a record you can use in tracking remediation actions over time.
Because CVE details and recommended remediation guidance can change over time, subsequent runs of the agent might provide new details, device counts, and remediation steps. As you manage subsequent reports of threats, the record of solutions you previously marked as applied helps you track how specific risks change as a result of those remediations.
> [!TIP]
> The Vulnerability Remediation Agent is accessible in the Intune admin center from both the Agents and Endpoint security nodes. Each path provides access to the same agent. In this documentation, references to its location use the Agents node.
This article:
- Lists the prerequisites to use the agent
- Explains how the agent works
- Shows you how to set up the agent
- Shows you how to renew or remove the agent
For information about other Security Copilot Agents in Intune and common features, see Security Copilot agents in Microsoft Intune.
:::row::: :::column span="1"::: [!INCLUDE cloud]
:::column-end::: :::column span="3":::
The agent is supported on the public cloud only. It isn't supported on government clouds.
:::column-end::: :::row-end:::
:::row::: :::column span="1"::: [!INCLUDE platform]
:::column-end::: :::column span="3":::
To use Security Copilot agents in Microsoft Intune, the following licenses are required:
- Microsoft Intune Plan 1 subscription
- Microsoft Security Copilot with sufficient security compute units (SCUs)
- Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone.
:::column-end::: :::row-end:::
:::row::: :::column span="1"::: [!INCLUDE platform]
:::column-end::: :::column span="3":::
Plugins enable Security Copilot agents to connect with Microsoft services and perform specialized actions. This agent requires the following plugins:
- [!INCLUDE plugin-intune]
- [!INCLUDE plugin-defender]
If you use Copilot in Intune, then the Intune plugin is already enabled. Learn more about plugins.
:::column-end::: :::row-end:::
:::row::: :::column span="1"::: [!INCLUDE platform]
:::column-end::: :::column span="3":::
The Vulnerability Remediation Agent supports evaluation and recommendations for the following platforms and applications:
- Windows
- Apps in Intune
:::column-end::: :::row-end:::
:::row::: :::column span="1"::: [!INCLUDE rbac]
:::column-end::: :::column span="3":::
To enable and configure the agent, use an account with the following roles:
:::image type="icon" source="../../media/icons/16/intune.svg" border="false"::: Intune roles:
- Read Only Operator or a Custom role with the following permissions:
  - Managed apps / read
  - Mobile apps / read
  - Device configurations / read
:::image type="icon" source="../../media/icons/16/entra.svg" border="false"::: Microsoft Defender roles:
- The account used by the agent for its identity must be assigned permissions that align with Microsoft Defender XDR RBAC configurations:
  - Unified RBAC: Security Reader role
  - Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
:::image type="icon" source="../../media/icons/16/copilot.svg" border="false"::: Security Copilot roles:
To use the agent and view results, use an account with the following roles:
:::image type="icon" source="../../media/icons/16/intune.svg" border="false"::: Intune roles:
- Read Only Operator or equivalent permissions
:::image type="icon" source="../../media/icons/16/copilot.svg" border="false"::: Security Copilot roles:
:::column-end::: :::row-end:::
The Vulnerability Remediation Agent performs automated evaluations to identify and prioritize vulnerabilities on your managed devices. Here's how it works:
1. Data collection - The agent collects vulnerability data from Microsoft Defender Vulnerability Management, analyzing Common Vulnerabilities and Exposures (CVEs) across your managed devices.
2. Analysis and prioritization - The agent evaluates vulnerability data and prioritizes threats based on factors like CVSS scores, exposure impact, and device count to focus on the most critical issues first.
3. Remediation guidance - For each identified vulnerability, the agent provides step-by-step remediation instructions tailored to Intune capabilities, including policy recommendations and configuration guidance.
4. Tracking and reporting - The agent maintains records of suggested remediations and allows you to track applied solutions over time, helping measure security improvement efforts.
By default, the Vulnerability Remediation Agent runs under the identity and permissions of the admin account that is used to set up the agent. After setup, this identity can be changed.
- Changing the identity doesn't affect the agent's run history, which remains available.
- The agent's behavior is limited to the permissions of the user identity that the agent runs under.
- The agent persistently runs in the identity and permissions of the Intune admin account that is assigned as the agent's identity.
The agent identity refreshes with each agent run and expires if the agent doesn't run for 90 consecutive days. When the expiration date nears, each Copilot owner and Copilot contributor receives a warning banner about renewal of the agent identity when they view the agent overview page. If the agent authentication expires, subsequent agent runs fail until authentication is renewed. For more information about renewing authentication, see Renew the agent.
> [!IMPORTANT]
> When the agent authentication is renewed, the agent begins using the credentials of the individual who selects the Renew authentication button.
Before running the Vulnerability Remediation Agent, keep these points in mind:
- An admin must manually start the agent. Once the agent starts, there are no options to stop or pause it.
- Only start the agent from within the Microsoft Intune admin center.
- The Associated CVEs count includes CVEs on devices running Windows client operating system editions and excludes devices running Windows Server editions. CVEs are classified as Low, Medium, High, and Critical according to the CVSS (Common Vulnerability Scoring System) scale.
- The Exposed devices list includes only devices that are found in Microsoft Entra and that aren't running Windows Server editions.
- The agent doesn't support scope tags in public preview.
- Only the user who sets up the agent can view session details in the Microsoft Security Copilot portal.
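The following Python script is an illustration added to this article, not the Vulnerability Remediation Agent's own code or algorithm. It models the behavior the article describes: findings from Defender Vulnerability Management are grouped per CVE, devices running Windows Server editions are excluded from the associated-CVE count and the exposed-device list, each CVE is banded by its CVSS v3.x base score (Low, Medium, High, Critical), and the result is ranked by severity, exposure, and device count. The `Finding` record, the `exploit_available` exposure signal, and the `CVE-EXAMPLE-*` sample findings are constructed for the example and don't correspond to real advisories or tenant data.

```python
"""Toy prioritization of vulnerability findings, added for illustration.

This is NOT the Vulnerability Remediation Agent's algorithm. It only shows
the kind of grouping, filtering and ranking the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass(frozen=True)
class Finding:
    """One (CVE, device) pair as a vulnerability scanner might report it.

    The field set is an assumption for this example; it is not the
    Defender Vulnerability Management schema.
    """
    cve_id: str
    cvss: float              # CVSS v3.x base score, 0.0 - 10.0
    device_id: str
    os_edition: str          # for example "Windows 11 Enterprise"
    exploit_available: bool  # hypothetical exposure signal


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", 9.8, "dev-01", "Windows 11 Enterprise", True),
    Finding("CVE-EXAMPLE-1", 9.8, "dev-02", "Windows 10 Pro", True),
    Finding("CVE-EXAMPLE-1", 9.8, "dev-03", "Windows Server 2022 Datacenter", True),
    Finding("CVE-EXAMPLE-2", 7.5, "dev-01", "Windows 11 Enterprise", False),
    Finding("CVE-EXAMPLE-2", 7.5, "dev-02", "Windows 10 Pro", False),
    Finding("CVE-EXAMPLE-2", 7.5, "dev-04", "Windows 11 Pro", False),
    Finding("CVE-EXAMPLE-2", 7.5, "dev-04", "Windows 11 Pro", False),  # duplicate report
    Finding("CVE-EXAMPLE-3", 5.3, "dev-05", "Windows 10 Enterprise", False),
    Finding("CVE-EXAMPLE-4", 8.1, "dev-06", "Windows Server 2019 Standard", False),
]


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def is_windows_server(os_edition: str) -> bool:
    """Server editions are excluded from counts, as the article states."""
    return "windows server" in os_edition.lower()


def prioritize(findings):
    """Group findings per CVE on client devices and rank them.

    Returns a list of dicts sorted from most to least urgent. Duplicate
    reports for the same device are collapsed by using a set of device ids.
    """
    devices = defaultdict(set)
    meta = {}
    for f in findings:
        if is_windows_server(f.os_edition):
            continue  # server editions are not part of the suggestion
        devices[f.cve_id].add(f.device_id)
        entry = meta.setdefault(f.cve_id, {"cvss": f.cvss, "exploit_available": False})
        entry["cvss"] = max(entry["cvss"], f.cvss)
        entry["exploit_available"] = entry["exploit_available"] or f.exploit_available

    rows = []
    for cve_id, devs in devices.items():
        m = meta[cve_id]
        rows.append({
            "cve_id": cve_id,
            "severity": cvss_severity(m["cvss"]),
            "cvss": m["cvss"],
            "exploit_available": m["exploit_available"],
            "device_count": len(devs),
            "devices": sorted(devs),
        })
    # Rank: severity band first, then known exposure, then blast radius, then raw score.
    rows.sort(
        key=lambda r: (SEVERITY_RANK[r["severity"]], r["exploit_available"],
                       r["device_count"], r["cvss"]),
        reverse=True,
    )
    return rows


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['cve_id']:15} {row['severity']:8} cvss={row['cvss']:<4} "
              f"devices={row['device_count']} exploit={row['exploit_available']}")
```

Running the script lists `CVE-EXAMPLE-1` first (Critical, two client devices once the server is dropped), then `CVE-EXAMPLE-2` (High, three distinct devices after the duplicate report is collapsed), then `CVE-EXAMPLE-3`; `CVE-EXAMPLE-4` disappears entirely because its only affected device is a Windows Server edition, which matches the article's note that such devices are excluded from the counts.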
> [!IMPORTANT]
> Data that the agent reports is made visible through agent suggestions. This data might be visible to admins with access to view the agent within the Intune admin center, even when that data is outside the admin's assigned Intune roles or scope.
The agent runs under the identity and permissions of the account used during setup. Its actions are limited to the permissions of that account, and the identity refreshes with each run.
To set up the agent:
1. In the Microsoft Intune admin center, go to Agents > Vulnerability Remediation Agent.
2. In Overview, select Set up Agent. This pane displays details about the agent but doesn't require any configuration.
3. Review the details to ensure requirements are in place, and then select Start agent to close the setup pane and start the first run of the agent.
:::image type="content" source="./media/vulnerability-remediation-agent/set-up-and-start-agent.png" alt-text="A screenshot that displays the 'Set up Vulnerability Remediation Agent' page and the Start agent button.":::
When setup is complete, the agent is ready to use. To learn more about using the agent, see Use the Vulnerability Remediation Agent.
[!INCLUDE renew]
By default, the agent runs under the identity of the administrative user who set up the agent in the tenant. After setup, the agent identity changes when a different user renews the agent, or when you edit the agent settings to explicitly assign a new agent identity.
A change of the agent identity doesn't affect the agent's run history.
To assign a new identity, in the Intune admin center, go to Agents > Vulnerability Remediation Agent (preview) and select the Settings tab. Under Identity, you can see the current user account that the agent runs under. Select Choose another identity to open an account sign-in prompt. Select and then authenticate a new account to use as the agent's identity.
> [!IMPORTANT]
> Agent behavior is limited to the level of permissions that are assigned to the identity of the user the agent runs under. When the user whose identity the agent runs under has insufficient permissions, the agent fails to run.
[!INCLUDE remove]
> [!NOTE]
> To remove the agent instance, your account must be a Security Copilot Owner.
[!INCLUDE feedback]
> [!div class="nextstepaction"]
> Learn how to use the Vulnerability Remediation Agent