Note
The Vulnerability Remediation Agent is currently in a limited public preview and available to only a select group of customers. If you're interested in gaining access or would like to learn more, please reach out to your sales team for further details and next steps.
The Vulnerability Remediation Agent for Security Copilot in Intune uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. This Copilot Agent can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.
When the agent runs, it analyzes data from Microsoft Defender Vulnerability Management and provides a prioritized list of suggestions that appear in the Intune admin center. You can drill in to each suggestion to view details that include:
- The count of associated vulnerabilities (CVEs)
- A Copilot-assisted summarized impact analysis
- Suggested actions
- Affected systems
- Exposed devices
- Potential impact
- Step-by-step guidance for using Intune to remediate it
Once you remediate an agent suggestion, you can mark it as applied to have the agent retain a record you can use in tracking remediation actions over time.
Because CVE details and recommended remediation guidance can change over time, subsequent runs of the agent might provide new details, device counts, and remediation steps. As you manage subsequent reports of threats, the record of your previously applied solutions helps you track how specific risks changed as a result of those remediations.
Tip
The Vulnerability Remediation Agent is accessible in the Intune admin center from both the Agents and Endpoint security nodes. Each path provides access to the same agent. In this documentation, references to its location use the Agents node.
This article:
- Lists the prerequisites to use the agent
- Explains how the agent works
- Shows you how to set up the agent
- Shows you how to renew or remove the agent
For information about other Security Copilot Agents in Intune and common features, see Security Copilot agents in Microsoft Intune.
Prerequisites
Cloud requirements
The agent is supported on the public cloud only. It isn't supported on government clouds.
Licensing requirements
To use Security Copilot agents in Microsoft Intune, the following licenses are required:
- Microsoft Intune Plan 1 subscription
- Microsoft Security Copilot with sufficient security compute units (SCUs)
- Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone.
Plugins requirements
Plugins enable Security Copilot agents to connect with Microsoft services and perform specialized actions. This agent requires the following plugins:
If you use Copilot in Intune, then the Intune plugin is already enabled. Learn more about plugins.
Device platform requirements
The Vulnerability Remediation Agent supports evaluation and recommendations for the following platforms and applications:
- Windows
- Apps in Intune
Roles requirements
To enable and configure the agent, use an account with the following roles:
Intune roles:
- Read Only Operator or a Custom role with the following permissions:
  - Managed apps / read
  - Mobile apps / read
  - Device configurations / read
Microsoft Defender roles:
- The account used by the agent for its identity must be assigned permissions that align with Microsoft Defender XDR RBAC configurations:
  - Unified RBAC: Security Reader role
  - Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
Security Copilot roles:
To use the agent and view results, use an account with the following roles:
Intune roles:
- Read Only Operator or equivalent permissions
Security Copilot roles:
How the agent works
The Vulnerability Remediation Agent performs automated evaluations to identify and prioritize vulnerabilities on your managed devices. Here's how it works:
1. Data collection - The agent collects vulnerability data from Microsoft Defender Vulnerability Management, analyzing Common Vulnerabilities and Exposures (CVEs) across your managed devices.
2. Analysis and prioritization - The agent evaluates vulnerability data and prioritizes threats based on factors like CVSS scores, exposure impact, and device count to focus on the most critical issues first.
3. Remediation guidance - For each identified vulnerability, the agent provides step-by-step remediation instructions tailored to Intune capabilities, including policy recommendations and configuration guidance.
4. Tracking and reporting - The agent maintains records of suggested remediations and allows you to track applied solutions over time, helping measure security improvement efforts.
Agent identity
By default, the Vulnerability Remediation Agent runs under the identity and permissions of the admin account that is used to set up the agent. After setup, this identity can be changed.
Changing the identity doesn't affect the agent's run history, which remains available.
The agent's behavior is limited to the permissions of the user identity that it runs under.
The agent persistently runs with the identity and permissions of the Intune admin account that is assigned as the agent's identity.
The agent identity refreshes with each agent run and expires if the agent doesn't run for 90 consecutive days. When the expiration date nears, each Copilot owner and Copilot contributor receives a warning banner about renewal of the agent identity when they view the agent overview page. If the agent authentication expires, subsequent agent runs fail until authentication is renewed. For more information about renewing authentication, see Renew the agent.
Important
When the agent authentication is renewed, the agent begins using the credentials of the individual who selects the Renew authentication button.
Operational considerations
Before running the Vulnerability Remediation Agent, keep these points in mind:
- An admin must manually start the agent. Once the agent starts, there are no options to stop or pause it.
- Only start the agent from within the Microsoft Intune admin center.
- The Associated CVEs value is the count of CVEs on devices running Windows client operating system editions; devices running Windows Server editions are excluded. CVEs are classified as Low, Medium, High, or Critical according to the CVSS (Common Vulnerability Scoring System) scale.
- The exposed device list includes only devices that are found in Microsoft Entra and that aren't running Windows Server editions.
- The agent doesn't support scope tags in the public preview.
- Only the user who sets up the agent can view session details in the Microsoft Security Copilot portal.
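The prioritization steps in How the agent works and the counting rules in the operational considerations above can be modelled in a few lines. The following is an added example, not Microsoft's agent code: it applies the CVSS v3.x qualitative severity bands, excludes Windows Server editions from the associated-CVE count, and limits the exposed-device list to devices found in Microsoft Entra. The ranking order (severity band, then exposed-device count, then raw CVSS score) and the decision to drop CVEs that have no exposed devices are assumptions for illustration; the page doesn't document the agent's actual weighting. The device inventory and the `CVE-0000-*` identifiers are constructed placeholders.

```python
"""Illustrative CVE prioritizer: an added example, not Microsoft's agent code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    os_edition: str   # e.g. "Windows 11 Enterprise" or "Windows Server 2022 Datacenter"
    in_entra: bool    # whether a matching device object exists in Microsoft Entra


@dataclass
class Cve:
    cve_id: str
    cvss: float                                          # CVSS base score, 0.0 to 10.0
    devices: list[Device] = field(default_factory=list)  # devices the CVE affects


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (CVSS v3.x bands)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def is_windows_client(device: Device) -> bool:
    """Windows client editions count; Windows Server editions are excluded."""
    return device.os_edition.startswith("Windows") and "Server" not in device.os_edition


def exposed_devices(cve: Cve) -> list[Device]:
    """Devices that belong in the exposed-device list for this CVE:
    found in Microsoft Entra and not running a Windows Server edition."""
    return [d for d in cve.devices if d.in_entra and is_windows_client(d)]


def prioritize(cves: list[Cve]) -> list[dict]:
    """Rank CVEs for remediation.

    Ranking heuristic (an assumption for illustration, not the agent's documented
    weighting): severity band first, then exposed-device count, then raw CVSS
    score, all descending. A CVE with no exposed devices after the exclusions is
    dropped because it would add nothing to the associated-CVE count.
    """
    rows = []
    for cve in cves:
        exposed = exposed_devices(cve)
        if not exposed:
            continue
        rows.append({
            "cve_id": cve.cve_id,
            "cvss": cve.cvss,
            "severity": cvss_severity(cve.cvss),
            "exposed_device_count": len(exposed),
            "exposed_devices": sorted(d.name for d in exposed),
        })
    rows.sort(
        key=lambda r: (SEVERITY_RANK[r["severity"]], r["exposed_device_count"], r["cvss"]),
        reverse=True,
    )
    return rows


def severity_counts(rows: list[dict]) -> dict[str, int]:
    """Count ranked CVEs per severity band, the way a suggestion summarises them."""
    counts = {"Low": 0, "Medium": 0, "High": 0, "Critical": 0}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


# Constructed sample inventory; the CVE-0000-* identifiers are placeholders, not real CVEs.
_D = {
    "ws-01": Device("ws-01", "Windows 11 Enterprise", in_entra=True),
    "ws-02": Device("ws-02", "Windows 10 Pro", in_entra=True),
    "ws-03": Device("ws-03", "Windows 11 Pro", in_entra=False),          # not found in Entra
    "srv-01": Device("srv-01", "Windows Server 2022 Datacenter", in_entra=True),
}
SAMPLE_CVES = [
    Cve("CVE-0000-1111", 9.8, [_D["ws-01"], _D["srv-01"]]),
    Cve("CVE-0000-2222", 7.5, [_D["ws-01"], _D["ws-02"], _D["ws-03"]]),
    Cve("CVE-0000-3333", 8.1, [_D["ws-02"]]),
    Cve("CVE-0000-4444", 5.3, [_D["srv-01"]]),                           # server-only: excluded
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_CVES)
    for row in ranked:
        print(f"{row['cve_id']}  {row['severity']:<8} cvss={row['cvss']}  "
              f"exposed={row['exposed_device_count']} {row['exposed_devices']}")
    print(severity_counts(ranked))
```

Running the sample shows why the exclusions matter when you read an agent suggestion: the server-only CVE disappears entirely, the device that isn't in Entra doesn't count toward exposure, and a High CVE with two exposed devices ranks above a High CVE with a higher base score but only one exposed device.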
Important
Data that the agent reports is made visible through agent suggestions. This data might be visible to admins with access to view the agent within the Intune admin center, even when that data is outside the admin's assigned Intune roles or scope.
Set up the agent
The agent runs under the identity and permissions of the account used during setup. Its actions are limited to the permissions of that account, and the identity refreshes with each run.
To set up the Agent:
1. In the Microsoft Intune admin center, go to Agents > Vulnerability Remediation Agent.
2. In Overview, select Set up Agent. This pane displays details about the agent but doesn't require any configuration.
3. Review the details to ensure requirements are in place, and then select Start agent to close the setup pane and start the first run of the agent.
When setup is complete, the agent is ready to use. To learn more about using the agent, see Use the Vulnerability Remediation Agent.
Renew the agent
If you don't use an agent for 90 days, the agent authorization expires and agent runs fail until reauthentication. You can renew the agent authentication anytime.
As the expiration gets closer, Intune shows a warning on the agent overview page that each Copilot owner and Copilot contributor can see. The warning prompts you to renew the agent identity.
To reauthorize the agent identity, select Renew authentication. When you renew the agent authentication, the agent automatically uses the signed-in credentials. If you don't want to use the signed-in credentials, then select the agent > Settings tab > Choose another identity.
After renewal, the warning banner disappears, and a toast notification validates that the renewal is successful.
Change the agent identity
By default, the agent runs under the identity of the administrative user who set up the agent in the tenant. After setup, the agent identity changes when a different user renews the agent, or when you edit the agent settings to explicitly assign a new agent identity.
A change of the agent identity doesn't affect the agent's run history.
To assign a new identity, in the Intune admin center, go to Agents > Vulnerability Remediation Agent (preview) and select the Settings tab. Under Identity, you can see the current user account that the agent runs under. Select Choose another identity to open an account sign-in prompt. Select and then authenticate a new account to use as the agent's identity.
Important
Agent behavior is limited to the level of permissions that are assigned to the identity of the user the agent runs under. When the user whose identity the agent runs under has insufficient permissions, the agent fails to run.
Remove the agent
When you remove an agent, all associated generated data, including suggestions and activities, is deleted. Previously applied suggestions remain unchanged.
Steps to remove an agent instance:
- In the Microsoft Intune admin center, select Agents.
- Select the agent instance you want to remove.
- Select Remove agent and confirm the removal.
After removal:
- The agent pane returns to its original state.
- An admin can reinstall the agent later by repeating the setup process.
Note
To remove the agent instance, your account must be a Security Copilot Owner.
Help shape the future of Intune agents
Join our Intune Agents Feedback Forum to share insights and influence upcoming capabilities in Microsoft Intune.
Sign up and learn more: https://aka.ms/IntuneAgentsForum