
Microsoft has rolled out the Vulnerability Remediation Agent for Intune to all customers in public preview this month. The agent analyses CVE data from Defender Vulnerability Management, prioritises vulnerabilities per device, and surfaces remediation recommendations directly in the Intune admin centre. How does the new Entra agentic identity work, which licences are required, and what can you configure this week?
IT administrators who manage endpoints via Microsoft Intune know the problem: the list of open CVEs on managed Windows devices never empties. Every Patch Tuesday brings new vulnerabilities and Defender Vulnerability Management flags dozens more each week, but manually triaging which ones matter for your specific fleet takes time most teams simply do not have. Microsoft has now released an agent for exactly this task: the Vulnerability Remediation Agent for Intune. It analyses vulnerability data, prioritises CVEs, and surfaces remediation recommendations directly in the Intune admin centre. The agent entered public preview this month and is rolling out to all customers.
The Vulnerability Remediation Agent is part of a broader shift toward agentic AI in Microsoft's product portfolio. Where Copilot integrations to date have been reactive — you ask a question, the AI answers — an agent is proactive: it continuously assesses data, prioritises independently, and proposes actions without requiring repeated prompting. That represents a fundamental difference in operational value for IT teams managing large device fleets.
The Vulnerability Remediation Agent uses Defender Vulnerability Management as its data source. Defender continuously inventories the software versions running on your Intune-managed Windows devices and maps them against published CVE records and the CISA Known Exploited Vulnerabilities (KEV) catalogue. The agent takes that data and calculates a priority score per CVE from three factors: the CVSS severity of the vulnerability itself, the number of devices in your fleet that are exposed, and the potential impact if exploited. Evidence of active exploitation, such as a KEV listing, pushes a CVE up the ranking.
A CVE that is actively exploited in the wild and affects hundreds of devices in your organisation reaches the top of the list; a CVE with a high CVSS score but only a single affected device moves lower. The result is a prioritised list of recommendations surfaced in the Intune admin centre under the Agents menu. Each recommendation includes the CVE, the number of affected devices, the recommended remediation action (usually a specific Windows update or application update) and an indication of the risk reduction that action delivers. Administrators no longer need to switch between the Defender portal and Intune: the triage view is consolidated in one place.
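As an added illustration of the ranking described above (this is not Microsoft's code; the weighting in priority_score is an assumption chosen to reproduce the ordering the article describes, and the CVE identifiers, device counts and update names are constructed placeholders), the following Python script scores a handful of Defender-style findings, builds the per-CVE recommendation records an administrator would see, and then groups them by update so one deployment is credited with every CVE it closes:

```python
"""Illustrative CVE triage in the spirit of the Vulnerability Remediation Agent.

Added example, not Microsoft's code. The weighting in priority_score() is an
assumption chosen to reproduce the ordering the article describes: an
actively exploited CVE on many devices outranks a higher-CVSS CVE on one
device. The CVE ids, device counts and update names are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

FLEET_SIZE = 1000  # Intune-managed Windows devices in the constructed tenant


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0-10
    exposed_devices: int   # devices on which the vulnerable version is installed
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalogue
    remediation: str       # update that closes the finding


# Constructed stand-in for Defender Vulnerability Management output (placeholder ids).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 7.5, 300, True,  "Windows cumulative update (placeholder)"),
    Finding("CVE-0000-0002", 9.8,   1, False, "Third-party viewer update (placeholder)"),
    Finding("CVE-0000-0003", 8.1, 120, False, "Windows cumulative update (placeholder)"),
    Finding("CVE-0000-0004", 5.3, 600, False, "Browser update (placeholder)"),
]


def priority_score(f: Finding, fleet_size: int) -> float:
    """Severity x exposure share, tripled for active exploitation (assumed weights).

    The 0.2 floor keeps a high-severity CVE on a single device from scoring
    near zero, so it still appears in the list, just lower down.
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS out of range")
    if not 0 <= f.exposed_devices <= fleet_size:
        raise ValueError(f"{f.cve}: exposed devices exceeds fleet size")
    exposure = f.exposed_devices / fleet_size
    exploit_factor = 3.0 if f.in_kev else 1.0
    return round(f.cvss * (0.2 + exposure) * exploit_factor, 3)


def build_recommendations(findings, fleet_size):
    """One record per CVE, highest priority first, with its share of total open risk."""
    scored = [(priority_score(f, fleet_size), f) for f in findings]
    total = sum(s for s, _ in scored) or 1.0
    ranked = sorted(scored, key=lambda sf: sf[0], reverse=True)
    return [
        {
            "cve": f.cve,
            "affected_devices": f.exposed_devices,
            "actively_exploited": f.in_kev,
            "action": f.remediation,
            "score": s,
            "risk_reduction_pct": round(100 * s / total, 1),
        }
        for s, f in ranked
    ]


def actions_by_risk(recommendations):
    """Group recommendations by update so one deployment is credited with every CVE it closes.

    affected_devices per action is a lower bound (the largest single CVE count):
    the sample carries counts, not device ids, so overlaps cannot be resolved.
    """
    grouped = defaultdict(lambda: {"cves": [], "risk_reduction_pct": 0.0, "affected_devices": 0})
    for r in recommendations:
        g = grouped[r["action"]]
        g["cves"].append(r["cve"])
        g["risk_reduction_pct"] = round(g["risk_reduction_pct"] + r["risk_reduction_pct"], 1)
        g["affected_devices"] = max(g["affected_devices"], r["affected_devices"])
    return sorted(
        ({"action": a, **g} for a, g in grouped.items()),
        key=lambda g: g["risk_reduction_pct"],
        reverse=True,
    )


if __name__ == "__main__":
    recs = build_recommendations(SAMPLE_FINDINGS, FLEET_SIZE)
    for r in recs:
        print(f'{r["cve"]:14} score={r["score"]:6.2f} devices={r["affected_devices"]:4} '
              f'kev={r["actively_exploited"]!s:5} -{r["risk_reduction_pct"]}%  {r["action"]}')
    for a in actions_by_risk(recs):
        print(f'{a["action"]:40} closes {a["cves"]} ({a["risk_reduction_pct"]}% of open risk)')
```

With the constructed data the exploited CVE on 300 devices lands first and the CVSS 9.8 CVE on one device last, and the cumulative update is credited with about 69% of the open risk because it closes two of the four CVEs. Swap in your own exported findings and adjust the weights to match what the agent actually shows you; the point is that exposure and exploitation, not raw CVSS, drive the order.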
One of the most significant technical characteristics of the Vulnerability Remediation Agent is its use of an Entra agentic identity. Older Copilot integrations operated under the identity of the signed-in administrator: all actions were performed using the rights and the account of a human user. The Vulnerability Remediation Agent works differently. When you set up the agent, the system automatically creates a standalone identity in your Entra directory — the so-called agentic user.
That agentic user receives only the minimum read permissions it needs in Intune and Defender, and the agent acts under that identity rather than under your administrator account. This gives three governance advantages. First, a clean audit trail: every agent action is attributed to the agentic identity and is fully separated from human administrator actions. Second, a smaller blast radius if the agent behaves unexpectedly: it holds no write permissions unless you explicitly grant them, so an unwanted recommendation cannot turn into an unwanted deployment on its own. Third, straightforward security review: the agentic user is visible as a regular object in Entra ID, its permissions can be audited like those of any other identity, and it can be disabled or deleted the moment you want to stop the agent.
The Vulnerability Remediation Agent has three requirements. First, an active Intune licence for the administrator who sets up and manages the agent. Second, Security Copilot capacity: the agent consumes Security Compute Units (SCUs). Bought as standalone capacity, SCUs cost four dollars per SCU per hour; organisations with Microsoft 365 E5 receive 400 SCUs per month per 1,000 E5 users as part of their bundle, so E5 environments can run the agent at no additional cost within that allocation. Third, a connection to Defender Vulnerability Management through the correct Unified RBAC permission: Security posture / Posture management / Vulnerability management (read).
For the administrator, two Security Copilot roles are relevant. The Copilot owner role grants permission to set up and remove the agent. The Copilot contributor role is sufficient to view the agent's recommendations and approve remediation actions. A sensible division for larger IT teams: the lead administrator holds the owner role, team members receive contributor rights.
Configuration takes a limited number of steps. Open the Intune admin centre and navigate to Agents in the left menu. Select Vulnerability Remediation Agent and open the Overview tab. Click Set up Agent. The system then offers the option Create new identity, which makes Intune provision the agentic user in your Entra tenant automatically. After provisioning, grant that agentic user the required read permissions in the Entra admin centre and the Defender portal. Finally, run the built-in Readiness Check, which verifies that all required permissions are in place. Only once the Readiness Check passes does the agent begin collecting and analysing vulnerability data.
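To make the permission model concrete, here is an added offline check (it is not Microsoft's built-in Readiness Check) that evaluates constructed permission assignments for the agentic user and the operator against the requirements described above: the agentic identity must hold the required reads and, per the least-privilege point, should hold no write permissions unless deliberately granted; the operator needs the Copilot owner role to set up the agent and at least Copilot contributor to approve its recommendations. The Defender permission string is the one named in the article; the Intune-side permission name, the principal names and the markers used to recognise write permissions are assumptions. In a real tenant you would feed it the role assignments exported from Entra, Intune and Defender:

```python
"""Offline pre-flight check for the agentic identity and the operator's roles.

Added example, not Microsoft's Readiness Check. It evaluates constructed
permission assignments; the Intune permission name, principal names and
WRITE_MARKERS are assumptions, the Defender permission string is verbatim
from the article.
"""
import json
from dataclasses import dataclass, field

# Verbatim from the article: Defender Unified RBAC permission the agent needs.
VM_READ = "Security posture / Posture management / Vulnerability management (read)"
# Assumed name for the Intune-side read permission.
INTUNE_READ = "Intune: Managed devices (read)"

REQUIRED_AGENT_PERMISSIONS = {VM_READ, INTUNE_READ}
SETUP_ROLE = "Copilot owner"                         # may set up and remove the agent
APPROVE_ROLES = {"Copilot owner", "Copilot contributor"}  # may view and approve recommendations
# Assumed suffixes that mark a permission as more than read-only.
WRITE_MARKERS = ("(write)", "(manage)", "(all)", "(delete)")


@dataclass
class Principal:
    name: str
    permissions: set = field(default_factory=set)    # Intune / Defender permissions
    copilot_roles: set = field(default_factory=set)  # Security Copilot roles


def readiness_check(agent: Principal, operator: Principal) -> dict:
    """Return what is missing for setup and what exceeds least privilege.

    Missing reads or a non-owner operator block setup. Extra write permissions
    do not block it (the article says you may grant them explicitly) but are
    reported so they are a deliberate choice rather than an accident.
    """
    missing = sorted(REQUIRED_AGENT_PERMISSIONS - agent.permissions)
    excess_writes = sorted(
        p for p in agent.permissions if any(m in p.lower() for m in WRITE_MARKERS)
    )
    can_setup = SETUP_ROLE in operator.copilot_roles
    can_approve = bool(APPROVE_ROLES & operator.copilot_roles)
    return {
        "agent": agent.name,
        "operator": operator.name,
        "ready": not missing and can_setup,
        "missing_agent_reads": missing,
        "least_privilege_violations": excess_writes,
        "operator_can_setup": can_setup,
        "operator_can_approve": can_approve,
    }


# Constructed principals (names are placeholders).
AGENT_OK = Principal("vra-agentic-user", {VM_READ, INTUNE_READ})
AGENT_OVERPRIVILEGED = Principal(
    "vra-agentic-user", {VM_READ, "Intune: Managed devices (write)"}  # write instead of read
)
LEAD_ADMIN = Principal("lead-admin", copilot_roles={"Copilot owner"})
TEAM_ADMIN = Principal("team-admin", copilot_roles={"Copilot contributor"})


if __name__ == "__main__":
    for agent, operator in ((AGENT_OK, LEAD_ADMIN), (AGENT_OVERPRIVILEGED, TEAM_ADMIN)):
        print(json.dumps(readiness_check(agent, operator), indent=2))
```

The first pair passes cleanly. The second reports the missing Intune read, flags the stray write permission as a least-privilege violation, and shows that a contributor can approve recommendations but cannot run setup, which is exactly the split the article proposes for larger teams.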
One note on the current public preview: the agent works exclusively on Intune-managed Windows devices; iOS, Android and macOS devices fall outside its scope for now. The agent's output is also advisory: it does not execute remediation actions without administrator confirmation, so you retain full control over what is actually deployed.
In practice, IT teams performing manual CVE triage encounter three bottlenecks: the volume of data is too large to process weekly, prioritisation is inconsistent across different administrators, and linking Defender signals to Intune deployment actions requires multiple screens and manual steps. The Vulnerability Remediation Agent addresses all three. The agent runs continuously in the background, applies consistent prioritisation criteria, and presents results in the same place where the remediation action is initiated.
That is also why the combination with the Enterprise Application Management auto-updates feature, which reached general availability earlier this year, is compelling. EAM auto-updates keeps applications on their latest release without manual packaging, while the Vulnerability Remediation Agent signals which CVEs deserve the highest priority. Together they shorten the time between a vulnerability being disclosed and the affected devices in your fleet being patched.
Three steps for IT teams that want to activate the agent. First, verify that your environment meets the licence requirements. Do you have Microsoft 365 E5 or a separate Security Copilot capacity allocation? E5 organisations can begin immediately. Second, map your current vulnerability process. How do you triage CVEs today — via manual reports from Defender, weekly exports to spreadsheets, or dependency on external tooling? The Vulnerability Remediation Agent replaces or simplifies that process for the Windows endpoint layer. Third, assign the correct RBAC roles in Intune and the Copilot owner role in Security Copilot to the administrator who will configure the agent, so setup can proceed without permission errors.
Organisations that make the move to AI-driven vulnerability management now are laying a foundation on which future agents — for automated patch approval, application update management, and proactive compliance — can build. Want help setting up the Vulnerability Remediation Agent, assigning the right roles, or assessing your Security Copilot capacity? Contact Zarioh for a no-obligation conversation.