Monday, 6 July 2026

My first look at Intune Agents (part4) - IVRA

This is the fourth is a series of blog posts about Intune Agents. Intune Agents (also known as Security Copilot agents) are AI-powered assistants, available in the Intune Admin Center, that enhance enterprise security. They automate tasks for endpoint protection, identity management, threat intelligence, and device configuration, and they help IT teams quickly address vulnerabilities, policy gaps, and emerging threats.

The first post in the series introduced Security Copilot and SCUs, and then took a closer look at the Change Review Agent. The second post concentrated on the Device Offboarding Agent. The third post looked at the Policy Configuration Agent, which helps IT admins to translate complex requirements and industry standard documents into actionable Intune settings. 

In this post, I'll have a look at the Vulnerability Remediation Agent in Microsoft Intune, also known as IVRA. IVRA uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. It can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.


IVRA recently appeared in my tenant as public preview.

So, how do we get started? There are some prerequisites.


Licensing
  • Intune subscription (check)
  • Microsoft Security Copilot with sufficient SCUs (check)
  • Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone. (mmm, I don't have this in my test tenant. I'll get back to this shortly)

Roles and permissions

To set up and manage the agent, use an account with the following roles:

Intune roles:
  • Read Only Operator or a Custom role with the following permissions:
    • Security Tasks / read
    • Mobile apps / read
    • Device configurations / read
    • Organization / read
Security Copilot roles:
  • Copilot owner
I have all this covered. I'm signed into Intune with an Intune Administrator account which is also a Security Copilot Owner.

To run the agent, the agentic user must be delegated the following permissions. 

Intune roles:
  • Read Only Operator or a Custom role with the following permissions:
    • Mobile apps / read
    • Device configurations / read
Defender roles:

The agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations:
  • Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
I don't really understand what this means at this stage. What is the agentic user? We'll move on and perhaps this will become clear later on.


Defender Vulnerability Management add-on trial

OK, so back to licensing. I don't have Microsoft Defender Vulnerability Management in my tenant so I can sign up for a trial.


This is very straightforward. Navigate to the Microsoft Defender portal (https://security.microsoft.com) and select Trials. I have M365 E5 licensing in my tenant so I can see the Defender Vulnerability Management add-on. Choose Try now


You'll see further information about the 90 day trial. Click Begin Trial.


The trial is being prepared. Click Done


It can take up to 6 hours for everything to be ready.


However the trial is effective immediately. You can end the trial whenever you like.


The Defender Vulnerability Management add-on is now ready to be assigned to your users.


Set up the Vulnerability Remediation Agent

OK, so we can navigate to the Intune Admin Center to get started with the Vulnerability Remediation Agent. 


Click on AgentsVulnerability Remediation Agent/ View details. 


We are invited to Set up agent.


Here we can see the agent requirements. In particular we are told that the agent will create a new Agentic user to run the agent with and this account must be configured with the correct permissions. We mentioned that before. Let's see what that looks like. Click Set up agent.

The agent has been set up but Run is greyed out. We also see a message that the agent can't complete a run until the required permissions are assigned. What do we need to do here? We can select Go to permissions or navigate to Settings > Permissions.


Ok, now I'll Run readiness check to see where I am.

The Readiness check has failed for Defender and Intune. I can see the Intune Vulnerability Remediation (Security Copilot) identity. This is the Agentic users account which we referred to earlier and it needs to be assigned Intune and Defender permissions. Click on Manage agentic user to take you to the account in Entra ID.


This is the Agentic user account.


Permissions for Agentic user account

I created a static Entra group "IVRA Agent".


I added the Agentic user account to the IVRA Agent group.


The Intune Read Only Operator role satisfies the requirement so I created a role assignment and assigned to the IVRA Agent group.

Next we need to work on the Defender XDR permissions.


In the Defender admin center, navigate to System > Permissions. Under Microsoft Defender XDR, click on Roles.


I clicked to Create custom role.


I named the Role and clicked Next.


I kept in simple and chose All read-only permissions. The documentation list the requirement as: "the agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations: Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role", which isn't particularly clear. Click Apply.


I selected each permission group in turn and chose All read-only permissions. Click Next.


Click Create assignment.


I named the assignment and selected the IVRA agent group. I also kept the default setting of selecting all data sources. Click Add.


Now that the role assignment has been done click Next.


Review the configuration and click
Submit.


The role and assignment have been created. Click
Done.


At this point I ran the readiness check again but it still failed for Intune. Intune role assignments can take some time to take effect.


After a few hours I ran the readiness check again and all the connection tests were successful. Run was no longer greyed out.


Using the Vulnerability Remediation Agent

After you set up the agent, you can run vulnerability assessments, review prioritized suggestions, and track your remediation progress over time.


Click Run.


You can see that the agent is running.


After the agent completes a run, the Overview tab updates with the top vulnerabilities that you should review and address. This tab shows only a few suggestions at a time.


You can view the full list on the Suggestions tab. Use either tab to drill down and review or manage recommendations.


Suggestion 1: update Edge Chromium-based to version 149.0.4022.80 with instructions to remediate.


Suggestion 2: update Google Chrome to version 149.0.7827.155 with instructions to remediate.


Suggestion 3: update Windows 11 (OS and built-in applications), with instructions to remediate.

I hope this helps. Until next time.........




Monday, 8 June 2026

You have Intune Remote Help already, you might as well use it

You may remember the surprise announcement late last year when Microsoft announced that they would unify the key capabilities of endpoint management by adding the components of the Intune Suite to Microsoft 365 E3 and Microsoft 365 E5 SKUs. These advanced Intune capabilities include Remote Help, which will be included in Microsoft Enterprise Mobility and Security E3 (EMS E3) and therefore Microsoft 365 E3. We believe that this change will be rolled out starting in July 2026.

I have already implemented Remote Help for a number of enterprise and SMB customers and I’m confident that this licensing change will prompt many other customers to move from third party solutions with a view to reducing costs.

What does Remote Help give to your organization?

  • Deliver simple, cloud-connected, and secure assistance to workers anywhere, anytime. 
  • Secure screen sharing and full control of Windows, macOS and Android (Zebra and Samsung) so that helpers (administrators) can support sharers (end users).
  • Role Based Access Control (RBAC); helpers do not need to have excessive permissions on Intune or the devices.
  • Ability to monitor Remote Help sessions; every session is logged with details like helper name, sharer name, device name and length of session.
  • Allows helpers to enter UAC credentials when prompted on the sharer's device for elevated permissions.
  • Enhanced chat in multiple languages.

What are the advantages of Remote Help over other third-party tools?

  • Remote sessions can be launched natively from the Intune admin center by selecting a device.
  • Intune can be integrated with ServiceNow to show a real time list of ServiceNow incidents for a user from the Troubleshooting pane. Remote sessions can be launched from there. 
  • Zero Trust enforcement; uses Microsoft Entra authentication and can be protected with Conditional access. For example, you can require multifactor authentication (MFA) for helpers or restrict access to specific locations or compliant devices.
  • Compliance checks and warnings; helpers can see a noncompliance warning before connecting to a non-compliant device.
  • You can choose to limit remote sessions to Intune enrolled devices only (although you can allow unenrolled devices also).
  • Remote sessions are restricted to your tenant only. This is useful for privacy reasons, especially in Europe, where there are GDPR restrictions. 
  • The data from Remote Help sessions can be combined with Endpoint Analytics to identify common issues.

It won’t hurt to try it out in advance of the licensing changes.

From the Microsoft Intune admin center, navigate to Tenant administration > Intune add-ons. Click View details for Remote Help and this will connect you to the Microsoft 365 admin center where you can request a trial.

Click Start free trial for 250 Remote Help licenses to be added to your tenant for 90 days. You can then assign the licenses to users. Remember that both the helper and sharer need a Remote Help license.


Enable Remote Help

This operation is carried out at the tenant level. In the Microsoft Intune admin center, navigate to Tenant administration > Remote Help. On the Settings tab, click Configure.

  • Set Enable Remote Help to Enabled to allow the use of Remote Help. By default, this setting is disabled.
  • Set Allow Remote Help to unenrolled devices to Enabled if you want to allow this option. By default, this setting is disabled.
  • Set Disable chat to Yes to remove the chat functionality in the Remote Help app. By default, chat is enabled and this setting is set to No.


RBAC and permissions

It is recommended to enforce least privilege and grant the minimum Remote Help permissions for each support role. The Help Desk Operator role already contains the necessary permissions to use Remote Help. However, consider using a custom role to be more granular with the permissions. In the Microsoft Intune admin center, navigate to Tenant administration > Roles. Click Create and choose Intune role.

Select the permissions for the Remote Help app only.

  • View screen allows the helper to view the sharer’s device when Remote Help is enabled.
  • For Android devices, Unattended control will start Remote Help as soon as the helper selects a new session, without a sharer having to grant access. At the time of writing, Unattended control is not yet supported for Windows, this would be useful for managing kiosks. 
  • Take full control allows the helper to control the sharer’s device when Remote Help is enabled.
  • Elevation allows the helper to enter UAC credentials when prompted on the sharer’s Windows device.

The custom role can be assigned to Admin Groups (Entra groups containing the helpers) and targeted at Scope Groups (Entra groups containing the sharers; this can also be All Users or All devices).


Remote Help app

Windows

Download the Remote Help app for Windows. At under 8MB, it’s very lightweight. It must be installed on the helpers device and any device where support is to be offered. There are a few ways to deploy this app.

  • Install manually; requires local administrator permissions and is not sustainable.
  • Add Remote Help to Intune as an Enterprise App Catalog app and assign to your users or devices. There is a cost associated with this method.
  • Deploy Remote Help as a Win32 app. The following parameters can be used.
    • Install command line, specify remotehelpinstaller.exe /quiet acceptTerms=1
    • Uninstall command line, specify remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
    • Detection Path, specify C:\Program Files\Remote Help
    • Detection File or folder, specify RemoteHelp.exe

macOS

Download the Remote Help app for macOS. It can be automatically deployed to your estate of Intune enrolled macOS device. 

Web App

In situations where the sharer needs assistance but is unable to install the full client application for Windows or macOS, the sharer can use the Web App to share their screen to a helper. This web app provides view only capabilities to the helper.

Android

Remote Help app for Android is available on the Google Play store for installation on Zebra and Samsung devices.


The Remote Help experience on Windows

I have two users in my lab. Fred is the helper and Joe is the sharer. Both have Windows 11 devices with the Remote Help app installed.


Fred’s device is on the left in the screenshot. He navigates to Joe’s device in the Intune admin center and chooses New remote assistance session.

The New remote assistance session blade opens, and Fred selects Remote Help > Continue.

Joe receives a Remote Help notification that Fred is available to help him. He is invited to Open Remote Help

Fred is also invited to Open Remote Help.

The Remote Help app launches on Fred’s device, and he can see that Joe is ready for support. Fred can choose to Take full control or View screen. For now, he chooses View Screen.

Joe gets a notification to Allow the remote help session.

The remote help session is established and Fred can see Joe’s screen.


 
Fred and Joe can chat during the session.

Fred can Request control. Joe gets a notification to Allow.

Now Fred can control Joe’s device. Joe can Cancel control at any time.

Fred can elevate his permissions on Joe’s device by entering administrator credentials at the UAC prompt.

Note that I had to create and deploy an Intune configuration policy so that Fred could see the UAC prompt on Joe’s device.

Settings catalog > Local Policies Security Options > User Account Control Allow UI Access Applications To Prompt For Elevation > enabled (allow UIAccess applications to prompt for elevation without using the secure desktop).


The Remote Help experience on macOS

Fred is still the helper and Joe is the sharer. Fred is using his Windows 11 device and Joe wants to share his MacBook with Fred for assistance, although the MacBook is not enrolled in Intune. This time we will use the web app, which supports screen sharing but not full control. If full control is needed, then you have to use the full macOS client application.


 
Fred browses to https://aka.ms/rhh and signs in. Note that rhh = Remote Help helper. 

The long format is https://remotehelp.microsoft.com/helper

A Security code is generated which Fred shares with Joe. 

On the MacBook, Joe browses to https://aka.ms/rh and signs in. Note that this time rh = Remote Help

The long format is https://remotehelp.microsoft.com/sharer

Joe must accept the privacy terms by clicking OK.

Joe enters the security code and selects Share screen.


 
Fred is notified that Joe is ready and clicks Screen sharing to start the session.

Joe sees Fred’s session request and clicks Allow to continue.

Fred gets a compliance warning to say that the MacBook is not enrolled in Intune. He can Leave or choose to continue by clicking OK.


Finally, Joe can choose which screen to share. He clicks Share screen.


Joe has shared his MacBook screen with Fred for assistance. 

I hope that this blog post has been useful to explore the functionality and configuration of Intune Remote Help.

Until next time……