Monday, 6 July 2026

My first look at Intune Agents (part4) - IVRA

This is the fourth is a series of blog posts about Intune Agents. Intune Agents (also known as Security Copilot agents) are AI-powered assistants, available in the Intune Admin Center, that enhance enterprise security. They automate tasks for endpoint protection, identity management, threat intelligence, and device configuration, and they help IT teams quickly address vulnerabilities, policy gaps, and emerging threats.

The first post in the series introduced Security Copilot and SCUs, and then took a closer look at the Change Review Agent. The second post concentrated on the Device Offboarding Agent. The third post looked at the Policy Configuration Agent, which helps IT admins to translate complex requirements and industry standard documents into actionable Intune settings. 

In this post, I'll have a look at the Vulnerability Remediation Agent in Microsoft Intune, also known as IVRA. IVRA uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. It can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.


IVRA recently appeared in my tenant as public preview.

So, how do we get started? There are some prerequisites.


Licensing
  • Intune subscription (check)
  • Microsoft Security Copilot with sufficient SCUs (check)
  • Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone. (mmm, I don't have this in my test tenant. I'll get back to this shortly)

Roles and permissions

To set up and manage the agent, use an account with the following roles:

Intune roles:
  • Read Only Operator or a Custom role with the following permissions:
    • Security Tasks / read
    • Mobile apps / read
    • Device configurations / read
    • Organization / read
Security Copilot roles:
  • Copilot owner
I have all this covered. I'm signed into Intune with an Intune Administrator account which is also a Security Copilot Owner.

To run the agent, the agentic user must be delegated the following permissions. 

Intune roles:
  • Read Only Operator or a Custom role with the following permissions:
    • Mobile apps / read
    • Device configurations / read
Defender roles:

The agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations:
  • Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
I don't really understand what this means at this stage. What is the agentic user? We'll move on and perhaps this will become clear later on.


Defender Vulnerability Management add-on trial

OK, so back to licensing. I don't have Microsoft Defender Vulnerability Management in my tenant so I can sign up for a trial.


This is very straightforward. Navigate to the Microsoft Defender portal (https://security.microsoft.com) and select Trials. I have M365 E5 licensing in my tenant so I can see the Defender Vulnerability Management add-on. Choose Try now


You'll see further information about the 90 day trial. Click Begin Trial.


The trial is being prepared. Click Done


It can take up to 6 hours for everything to be ready.


However the trial is effective immediately. You can end the trial whenever you like.


The Defender Vulnerability Management add-on is now ready to be assigned to your users.


Set up the Vulnerability Remediation Agent

OK, so we can navigate to the Intune Admin Center to get started with the Vulnerability Remediation Agent. 


Click on AgentsVulnerability Remediation Agent/ View details. 


We are invited to Set up agent.


Here we can see the agent requirements. In particular we are told that the agent will create a new Agentic user to run the agent with and this account must be configured with the correct permissions. We mentioned that before. Let's see what that looks like. Click Set up agent.

The agent has been set up but Run is greyed out. We also see a message that the agent can't complete a run until the required permissions are assigned. What do we need to do here? We can select Go to permissions or navigate to Settings > Permissions.


Ok, now I'll Run readiness check to see where I am.

The Readiness check has failed for Defender and Intune. I can see the Intune Vulnerability Remediation (Security Copilot) identity. This is the Agentic users account which we referred to earlier and it needs to be assigned Intune and Defender permissions. Click on Manage agentic user to take you to the account in Entra ID.


This is the Agentic user account.


Permissions for Agentic user account

I created a static Entra group "IVRA Agent".


I added the Agentic user account to the IVRA Agent group.


The Intune Read Only Operator role satisfies the requirement so I created a role assignment and assigned to the IVRA Agent group.

Next we need to work on the Defender XDR permissions.


In the Defender admin center, navigate to System > Permissions. Under Microsoft Defender XDR, click on Roles.


I clicked to Create custom role.


I named the Role and clicked Next.


I kept in simple and chose All read-only permissions. The documentation list the requirement as: "the agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations: Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role", which isn't particularly clear. Click Apply.


I selected each permission group in turn and chose All read-only permissions. Click Next.


Click Create assignment.


I named the assignment and selected the IVRA agent group. I also kept the default setting of selecting all data sources. Click Add.


Now that the role assignment has been done click Next.


Review the configuration and click
Submit.


The role and assignment have been created. Click
Done.


At this point I ran the readiness check again but it still failed for Intune. Intune role assignments can take some time to take effect.


After a few hours I ran the readiness check again and all the connection tests were successful. Run was no longer greyed out.


Using the Vulnerability Remediation Agent

After you set up the agent, you can run vulnerability assessments, review prioritized suggestions, and track your remediation progress over time.


Click Run.


You can see that the agent is running.


After the agent completes a run, the Overview tab updates with the top vulnerabilities that you should review and address. This tab shows only a few suggestions at a time.


You can view the full list on the Suggestions tab. Use either tab to drill down and review or manage recommendations.


Suggestion 1: update Edge Chromium-based to version 149.0.4022.80 with instructions to remediate.


Suggestion 2: update Google Chrome to version 149.0.7827.155 with instructions to remediate.


Suggestion 3: update Windows 11 (OS and built-in applications), with instructions to remediate.

I hope this helps. Until next time.........




No comments:

Post a Comment