This is the fourth is a series of blog posts about Intune Agents. Intune Agents (also known as Security Copilot agents) are AI-powered assistants, available in the Intune Admin Center, that enhance enterprise security. They automate tasks for endpoint protection, identity management, threat intelligence, and device configuration, and they help IT teams quickly address vulnerabilities, policy gaps, and emerging threats.
The first post in the series introduced Security Copilot and SCUs, and then took a closer look at the Change Review Agent. The second post concentrated on the Device Offboarding Agent. The third post looked at the Policy Configuration Agent, which helps IT admins to translate complex requirements and industry standard documents into actionable Intune settings.
In this post, I'll have a look at the Vulnerability Remediation Agent in Microsoft Intune, also known as IVRA. IVRA uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. It can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.
- Intune subscription (check)
- Microsoft Security Copilot with sufficient SCUs (check)
- Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone. (mmm, I don't have this in my test tenant. I'll get back to this shortly)
- Read Only Operator or a Custom role with the following permissions:
- Security Tasks / read
- Mobile apps / read
- Device configurations / read
- Organization / read
- Copilot owner
- Read Only Operator or a Custom role with the following permissions:
- Mobile apps / read
- Device configurations / read
- Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
Set up the Vulnerability Remediation Agent
OK, so we can navigate to the Intune Admin Center to get started with the Vulnerability Remediation Agent.
Click on Agents > Vulnerability Remediation Agent/ View details.
We are invited to Set up agent.
Here we can see the agent requirements. In particular we are told that the agent will create a new Agentic user to run the agent with and this account must be configured with the correct permissions. We mentioned that before. Let's see what that looks like. Click Set up agent.
The agent has been set up but Run is greyed out. We also see a message that the agent can't complete a run until the required permissions are assigned. What do we need to do here? We can select Go to permissions or navigate to Settings > Permissions.
Ok, now I'll Run readiness check to see where I am.
The Readiness check has failed for Defender and Intune. I can see the Intune Vulnerability Remediation (Security Copilot) identity. This is the Agentic users account which we referred to earlier and it needs to be assigned Intune and Defender permissions. Click on Manage agentic user to take you to the account in Entra ID.
The Intune Read Only Operator role satisfies the requirement so I created a role assignment and assigned to the IVRA Agent group.
In the Defender admin center, navigate to System > Permissions. Under Microsoft Defender XDR, click on Roles.
I kept in simple and chose All read-only permissions. The documentation list the requirement as: "the agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations: Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role", which isn't particularly clear. Click Apply.
After a few hours I ran the readiness check again and all the connection tests were successful. Run was no longer greyed out.
After the agent completes a run, the Overview tab updates with the top vulnerabilities that you should review and address. This tab shows only a few suggestions at a time.



































No comments:
Post a Comment