Agents in Microsoft Intune | Automate Policy Creation, Troubleshooting & Fix Guidance
Automate device and security policy management by turning written compliance requirements into Intune policies. Use natural language to draft, refine, and deploy configuration profiles, review AI-generated recommendations with confidence scores, and stay in full control before publishing to your environment. Reduce risk and manual effort by automatically evaluating admin change requests and blocking harmful scripts before deployment. Prioritize vulnerabilities from Defender, translate them into actionable Intune remediation steps, and schedule ongoing fixes. Jason Githens, Microsoft Intune Principal GPM, shares how to move from reactive security work to continuous, proactive protection. Note: At the time of publishing this video, the Change Review Agent and Policy Configuration Agent are in public preview and the Vulnerability Remediation Agent is in limited public preview. Use natural language to generate ready-to-review policies. Check out the Policy Configuration Agent in Microsoft Intune. Reduce security risk. Detect destructive or compromised change requests in real time. and get AI-driven approve/reject recommendations. Start using the Change Review Agent in Microsoft Intune. Shift from reactive patching to proactive security. See how to schedule automated vulnerability remediation inside Intune. QUICK LINKS: 00:00 — Automate work with Intune Agents 01:08 — Policy Configuration Agent 01:36 — Policy drafts 02:27 — Create a new knowledge source 03:25 — Create a new policy 04:49 — Change Review Agent 06:19 — Vulnerability Remediation Agent 07:46 — Wrap up Link References To get started, go to https://aka.ms/IntuneAgents Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -You can now manage your device and security policies without manual work and automate tasks that previously were not automatable. How? Well, today I’ll demonstrate new agents in Microsoft Intune. As part of Security Copilot, they’re now included and rolling out with Microsoft 365 E5. These are designed to automate the busy work for you while continuously improving the security of your digital estate. This includes the new Policy Configuration Agent, which can reason over your compliance documents, for example, security technical implementation guides, STIGs, and create matching Intune policies automatically. The Change Review Agent, which evaluates admin requests, like scripts, using signals from Microsoft Intune, Entra, and Defender, to recommend change request actions, such as approve or reject, before they’re deployed. -Along with the Vulnerability Remediation Agent that analyzes the signals across Defender and Intune and proactively creates recommendations for medium to high-risk device vulnerabilities so they don’t get missed. They use natural language reasoning to interpret your instructions together with your policy control plane to generate informed and actionable configuration guidance. In fact, let’s take a look at what these agents can do, starting with the Policy Configuration Agent, which converts written requirements into actionable settings. From the Agents page in Intune, you can see all of your available agents. I’ll choose the Policy Configuration Agent, and here you’ll see Agent suggestions and Activity. There are tabs for Knowledge, Suggestions, and Settings. When you use this agent, it will create configuration profiles in Intune that will appear alongside your existing device policies. So these aren’t agent-only policies. -These are policies that you or other admins on your team would have typically set and are based on the instructions you’ve laid out. Let me show you. I’m going to create a new policy. You can create policy drafts by describing the configurations you want in natural language as written instructions and optionally, you can use a knowledge source by uploading a text file, which I’ll demonstrate here. But before I do that, let me show you what I’ll be basing it on. For that I’ll move into a text editor, Notepad in my case. You’ll typically start by having or creating this type of knowledge source. You can see it’s a written text document that gives the agent a natural language description of all the different device configurations that need to be set according to specific internal or regulatory compliance requirements. As you saw, it used descriptive, but not precise, terms to help instruct the agent on the breadth of settings available to them. -Back in Intune in the Knowledge tab, you can see all of our uploaded txt files. I’ll Create New this time a knowledge source. I’ll give it a name, then input a description to explain what it’s for. Below that, I can upload a document, so I’ll navigate to my file to upload, then hit Review to confirm. Depending on your file, this could take a minute or so to process, but in my case, I’m processing around 50 settings that could have taken hours to match manually. You can watch this progress from the Overview tab. Once it’s finished, in this case it actually took around three minutes, it will appear under Agent suggestions on the Overview tab. And if I click into the file I just uploaded, you can see the agent has successfully mapped several different settings from the baseline directly to an enforceable Intune policy. -Additionally, the agent has provided a percentage confidence rating for each setting. These scores help you understand how accurately it was able to translate your regulatory or configuration document into actual Intune policy settings. Now that the knowledge source has been mapped with the settings, we’re ready to build a new policy from it. This time, I’ll Create a New policy draft. I’ll give the policy a name and then I’ll add a short description. Now from the optional Knowledge source dropdown, I’ll select the baseline that we just uploaded and processed. You can also create policy drafts without using a defined knowledge source. I need to instruct it to create a policy, or optionally, I can prompt it to remove or refine a setting described in the file. This makes sense, for example, in cases where we know it’s already part of another all devices policy. -Here, you can also add a document that will be appended as text to your instructions. From there, I just need to hit Create. That process will take a few minutes to run, so we’ll skip ahead in time to show the results. In Agent suggestions, I can see my policy draft on top. When I click in, I can see all of the policy details and settings. Everything looks good to me. In my case, it was able to match all the settings. So I’ll create the configuration policy from this draft using the standard policy deployment flow. Importantly, you can review all its configurations and make changes here if you want, just like you normally would before enabling it. Add scope tags and you can assign it to groups or devices. I’ll assign devices later. Then I can review and deploy it using the normal process. Once it’s published, if I move over to my configuration policies, I can see the new one right here with the rest of our policies. -Next, let’s move on to the Change Review Agent. Think of this like an expert script author and troubleshooter to help you evaluate admin change requests. I’m in the Change Review Agent, and to show you what’s behind this, I’ll move right into the Settings tab, and the first thing you might notice is that the agent is operating with a lot of rich information as context from Intune, Entra, Defender, including Threat Intelligence. It pulls signals from all of these sources to fully understand the impact of any proposed change. Moving back to the Overview tab, you can see that the agent has reviewed multiple admin approval requests with a recommendation to approve or reject appended as a prefix to each script name. -Let’s look at this script submission as an example. As soon as the script is loaded, the agent analyzes it, providing deeper context and a summary of what the script does. It has identified that this is a highly destructive script designed to wipe managed devices using Graph API calls. The change requester had no previous risk identified, and the business justification was determined to be vague, so it’s likely this person’s account was compromised. You can view the request to look at what the script is doing exactly, and there’s our device wipe. All of these signals are processed in real time to help determine whether the change should be approved or rejected. In this case, the agent concludes that the script is clearly harmful if executed with its current all managed devices scope, so it recommends rejecting the request. The agent is able to rapidly decipher between legitimate and adversarial intent or policy conflicts from change requests that would introduce risk into your environment. -Finally, the Vulnerability Remediation Agent assesses critical vulnerabilities from Microsoft Defender. It does this in a prioritized manner and maps them to at-risk devices managed in Intune to help you automate fixes. I’ll start in the Microsoft Defender portal under vulnerability management to first set some context. -Here, you’ll see a clear view of the top risk in your environment, including impact scores, exposed devices, severity, owners, and the associated CVEs. Here’s an example where the dashboard flags an application vulnerability that requires updating Relecloud Sync app. You can drill into the details, understand the exposure, and prioritize remediation, but typically this is where the workflow stops. Defender identifies the issue, and remediation has to be coordinated manually. -That’s where the Vulnerability Remediation Agent comes in. It takes prioritized vulnerability data from Defender and brings it into Intune. The result is that you can automate remediation in place from where you manage your device endpoints without switching context or accessing Defender. In our example, Defender indicates Relecloud needs to be updated to version 14.0.7. The agent translates that guidance into actionable steps. On the other hand, if I open the suggestion to update Microsoft Windows 11, OS and built-in applications, you’ll see that not only is the update recommended, but also, best-practice security configuration changes are all listed right here. -And if I move into the agent settings, you’ll see that this agent also lets you automate runs based on a schedule. So that’s how Intune agents help you move from manual effort to intelligent automated guidance while keeping you in control of implementing agent recommendations. And in the future, we’ll start to integrate AI actions into common Intune workflows that you perform every day. -To get started, log into Intune and try out the new agent capabilities. In fact, if you’re already logged in, just go to aka.ms/IntuneAgents and keep watching Microsoft Mechanics for the latest updates. Thanks for watching.
