Triage vulnerabilities with the Vulnerability Remediation Agent, now in public preview
As automation and AI accelerate the pace of vulnerability discovery, the window between disclosure and exploitation continues to shrink. For IT and security teams, the challenge is no longer just finding vulnerabilities - it's prioritizing the ones that matter and acting on them before they can be exploited. To help organizations close that gap, we're pleased to announce that the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune is now in public preview and rolling out to all customers. Following a successful limited preview, the agent is now broadly available. This release brings agentic vulnerability remediation out of an early-access cohort and into the hands of every eligible organization - an important step in our continued investment in helping admins reduce exposure faster and with greater confidence. View eligibility prerequisites here. How the agent helps you identify and triage vulnerabilities The Vulnerability Remediation Agent uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) across your Intune-managed Windows devices and apps, then prioritizes them for remediation. Rather than leaving admins to sift through lengthy CVE lists with little context, the agent surfaces a prioritized set of recommendations directly in the Intune admin center - accessible from both the Agents and Endpoint security pages. When the agent runs, it evaluates vulnerability data and ranks threats based on factors such as CVSS scores, exposure impact, and affected device count, so the most critical issues rise to the top. Drilling into any suggestion provides: The count of associated CVEs A Copilot-assisted summarized impact analysis Suggested actions and affected systems Exposed devices and potential impact Step-by-step guidance for remediating the threat using Intune After acting on a recommendation, admins can mark it as applied, allowing the agent to retain a record for tracking remediation actions over time. The result is a meaningful reduction in the time it takes to investigate, prioritize, and remediate - strengthening overall security posture. Introducing agentic identity for the Vulnerability Remediation Agent With this release, the agent now operates under Microsoft Entra agentic identity - a meaningful advancement in how autonomous agents are governed and secured. What it is. Agentic identity is a specialized identity in Microsoft Entra ID that allows the agent to operate securely and independently. During setup, the agent provisions a dedicated agentic identity and a corresponding agentic user in your tenant's Microsoft Entra directory. The agent then runs under the permissions delegated to that agentic user rather than under a human user account. Why it matters. Agentic identity decouples the agent from any one person, ensuring its behavior is strictly bound to the permissions and scope you delegate to it. This delivers clearer accountability, a cleaner audit trail, and enterprise-grade governance for autonomous operations. How it helps. Admins remain firmly in control. After setup, delegate the required read permissions to the agentic user in the Microsoft Intune and Microsoft Defender admin centers, then use the built-in Readiness Check to confirm everything is configured correctly before the agent runs. Learn more in Agent identity. Getting started: Connect → Enable → Run → Remediate → Track One of the design goals behind the Vulnerability Remediation Agent is to make agentic security approachable, not complex. Rather than stitching together signals across multiple tools and admin centers, the agent guides admins through a clear, repeatable flow - from connecting your data to tracking measurable improvement over time. Connect — bring Defender and Intune data together. The agent draws on Microsoft Defender Vulnerability Management for CVE intelligence and Microsoft Intune for device and configuration context. With the required Microsoft Defender and Microsoft Intune plugins in place, your vulnerability and management signals work as one. Learn more on what is needed to connect the experience. Enable — turn on the agent. From the Agents node in the Microsoft Intune admin center, set up the agent in a few guided steps. During setup, the agent provisions its Microsoft Entra agentic identity and surfaces the permissions and plugins it needs, so you know exactly what to delegate before the first run. Run — let automated prioritization do the heavy lifting. Once permissions are delegated and the Run Readiness Check passes, you can configure the agent to run on demand or schedule it to run automatically in the background on a cadence you define; scheduling is a unique capability that helps teams stay ahead of emerging risks without requiring constant manual intervention. Each run analyzes your environment and produces a prioritized list of recommendations ranked by CVSS score, exposure impact, and affected device count so the most critical risks rise to the top automatically. Remediate — act with guided, Intune-ready actions. Each recommendation includes a Copilot-assisted impact summary, exposed devices, and step-by-step guidance for remediating the threat using Intune. Admins move directly from insight to action, without leaving the admin center. Track — measure improvement over time. Recommendations can be marked as applied, and the agent retains a record of your remediation actions. The outcome is a streamlined operating model: connect once, enable with confidence, and let the agent drive a continuous cycle of prioritization, remediation, and view progress. For full prerequisites, licensing, plugin, and role requirements, see Vulnerability Remediation Agent overview and set up. The Vulnerability Remediation Agent represents a meaningful step toward a more proactive, AI-assisted security posture, one where admins spend less time sifting through CVE lists and more time acting on what matters most. We invite you to try the public preview today, connect your Defender and Intune data, and experience how agentic remediation can help your team stay ahead of emerging threats. As always, we'd love to hear your feedback as we continue investing in making security in Intune faster, smarter, and more accessible. Share your tips and lessons learned in the comments below or reach out to us on X @IntuneSuppTeam. Join our community! Discuss real-world scenarios, get expert guidance, connect with peers, and influence the future of Microsoft Security products. Learn more at aka.ms/JoinIntuneCommunity.Support tip: Resolve device noncompliance with Mobile Threat Defense partner apps
Using a Mobile Threat Defense (MTD) solution, such as Microsoft Defender for Endpoint, with Microsoft Intune helps keep your organization’s resources protected and allows you to block devices that aren’t compliant with your organization’s policies. When an MTD detects a threat or determines that a device is noncompliant the device user will see one of two types of messages indicating: Install and activate partner app: The device needs the [MTD app] installed and activated to restore access to work or school resources. This message indicates that Intune hasn't received a signal from the [MTD app] the device, or the connection was lost. Resolve detected threats: The [MTD app] app identified one or more threats on the device. Open the [MTD app] and follow the guidance to resolve the threats before accessing work or school resources. In this blog, we’ll focus on troubleshooting and resolving the first scenario, where users will need to install and activate the MTD app. Note: For help resolving threats detected by the MTD app, open the partner app directly on the device for remediation guidance. Prerequisites Before you begin troubleshooting, confirm that: The user device is enrolled in Intune through the Company Portal app. The user has access to their work or school account credentials. The device has an active internet connection. Restore device compliance Have the user follow these steps to resolve the noncompliance issue and restore access to work or school resources. Step 1: Install and activate the partner app If the [MTD app] isn’t installed on the device: Open the Intune Company Portal app on the device. Go to Devices and select the device. Install the required [MTD app] shown in the noncompliance message. Open the [MTD app] and sign in with your work or school account. Complete any required setup or activation steps in the app. Wait up to 30 minutes for the device compliance status to update. If your device remains noncompliant after 30 minutes, continue to the next step. Step 2: Refresh the connection If the [MTD app] is already installed and the user is signed in, the connection between the app and Intune services may need to be refreshed: Open the [MTD app] on the device. Sign out of the work or school account. Sign back in with the same work or school account. Wait up to 30 minutes for the device compliance status to update. If the device remains noncompliant after 30 minutes, continue to the next step. Step 3: Reinstall the MTD app If refreshing the connection doesn't resolve the issue, reinstalling the app can restore the signal between services: Uninstall the [MTD app] from the device. Restart the device. Open the Company Portal app on the device. Reinstall the [MTD app]. Open the app and sign in with the work or school account. Complete any required setup or activation steps. Wait up to 30 minutes for the device compliance status to update. Check device compliance status Users can verify their device's compliance status at any time: Open the Company Portal app. Go to Devices. Select the device to view its current status. If the device shows as compliant, they can access work or school resources. If it shows as noncompliant and they’ve taken steps to resolve, wait a few more minutes and check again, as compliance status updates can take up to 30 minutes to appear in the Company Portal app. iOS/iPadOS: Enable simplified remediation for users Admins can configure a simplified remediation experience on iOS and iPadOS to help end‑users return to a compliant state more easily. This experience streamlines how users address Mobile Threat Defense (MTD)–related noncompliance and reduces the number of steps required to restore access. To enable this experience: Follow the guidance in Simplifying compliance remediation with Microsoft Intune and Defender on iOS/iPadOS to configure the updated remediation workflow for your organization. Once enabled, end‑users will see clearer guidance within the Microsoft Defender app when their device is marked noncompliant. The Defender app will direct users through the necessary remediation steps automatically - such as re‑authentication, resolving threat signals, or re‑establishing the MTD connection. After the guided process is complete, Defender will send updated device status to Intune so the device can return to a compliant state. This simplified flow reduces support overhead and increases user success resolving MTD‑related compliance issues on iOS/iPadOS. Android: Refresh the MTD connection when sign‑out is blocked If the user is on an Android device, first have them try signing out of the Mobile Threat Defense (MTD) app and signing back in. This often re‑establishes the connection and allows Intune to receive updated device status. If the option to sign out of the MTD app is blocked by IT policy, follow these steps to reset the app’s data instead: Long‑press the Defender app in the work profile. Tap ⓘ App info. Go to Storage & cache → Clear data (do not select Clear cache). Relaunch the Defender app - it will open to the welcome screen. Sign back in with the work or school account. Once signed back in, Defender will update Intune with the latest device data, and the device should return to a compliant state after Intune receives the refreshed signals. Windows: Verify that Microsoft Defender for Endpoint is onboarded For Windows devices, noncompliance with Defender for Endpoint is commonly caused by devices that are no longer properly onboarded or connected to the service. When a device is not onboarded, it can’t report risk signals, which may result in the device being marked as noncompliant in Intune. Recommended action: If you identify Windows devices showing as noncompliant due to missing or stale Defender for Endpoint signals: Verify that the device is onboarded to Microsoft Defender for Endpoint Review your existing onboarding policies in Intune Onboard affected devices using Intune if needed Once properly onboarded, the device can participate in compliance evaluation. If devices continue to appear noncompliant after verifying onboarding and policy assignment, we recommend opening a support case for further investigation. To learn more about onboarding devices refer to the documentation: Onboarding using Microsoft Intune Onboard Windows devices to Defender for Endpoint using Intune Configure Microsoft Defender for Endpoint with Intune and onboard devices Related articles Mobile Threat Defense integration with Intune Using the Intune Company Portal website If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam! Post updates: 02/05/26: Added two new sections covering simplified user remediation on iOS/iPadOS and refreshing the MTD connection on Android when sign-out is blocked. 05/06/26: Added a new section covering Windows devices that may be noncompliant due to not being properly onboarded to Microsoft Defender for Endpoint.Simplifying compliance remediation with Microsoft Intune and Defender on iOS/iPadOS
By: Harish S | Sr. Product Manager - Microsoft Defender & Rishita Sarin | Product Manager 2 - Microsoft Intune One tap to compliance: Introducing the Resolve workflow for Compliance Remediation in Microsoft Intune and Microsoft Defender on iOS. We’re thrilled to announce a major step forward in simplifying the compliance remediation experience for users and IT admins alike. As part of a collaboration between Microsoft Intune and Microsoft Defender, we’re introducing a new compliance remediation workflow, which uses a Resolve button to make it easier than ever for users to bring their mobile device back into compliance. Why this matters Traditionally, when a user’s device was marked noncompliant due to missing security apps like Microsoft Defender, they had to navigate through multiple apps, follow multi-step instructions, and often re-authenticate – often to resolve a single issue. This created friction, confusion, and delays in regaining access to corporate resources. With the new end-to-end remediation workflow triggered by the Resolve button, we’re eliminating those extra steps. What’s news Starting with the latest releases in Intune and Defender, users on iOS and iPadOS will have a Resolve button directly within Microsoft 365 productivity apps (such as Microsoft Outlook or Teams) when their device is non-compliant due to Defender-related requirements. This button: Detects the non-compliance reason. Launches or installs Microsoft Defender if it’s missing. Automatically re-evaluates compliance requirements once Defender is running. Returns the user to their app – no switching, no guesswork. This is powered by just-in-time (JIT) registration and compliance remediation which embeds the compliance flow directly into the app experience. Microsoft Defender experience: Guided, automated, and frictionless return to compliance The Resolve button is more than just a shortcut, it’s the entry point to a guided remediation workflow powered by Defender. Once launched: Defender auto-triggers a guided workflow that remediates issues with minimal or no user interaction. A checklist guides the user through necessary steps to return to compliance, ensuring clarity and confidence on common scenarios such as authentication issues, missing permissions, device registration issues, remediate active threats, and more. Upon completion, Defender updates the compliance state of the device. The user is automatically redirected back to the productivity app they started from with no manual navigation required. This seamless handoff between Intune and Defender ensures that users stay focused on their work, not on troubleshooting. Conclusion Effortless for users, efficient for admins. If you already use JIT registration and compliance remediation in Intune for enrolled iOS devices, the Resolve button is automatically enabled for supported scenarios. If not, consider setting up JIT now to experience the new compliance remediation experience, it’s simple to configure and significantly improves user experience and support efficiency. Refer to the following documentation for more information: Set up just-in-time registration Use JIT registration and JIT compliance remediation for all your iOS/iPadOS enrollments If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam.Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant and associated website as an example, but you can use the provided guidance for other apps and websites as well. The information provided in this guidance is supplemental to previously provided guidance which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. iOS/iPadOS devices For ease of reference, the below information is required to block the DeepSeek – AI Assistant app: App name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Link to Apple app store page: DeepSeek – AI Assistant Publisher: 杭州深度求索人工智能基础技术研究有限公司 Corporate devices (Supervised) Hide and prevent the launch of the DeepSeek – AI Assistant app The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or being launchable. Create a new device configuration profile and select Settings Catalog for the profile type. (Devices > iOS/iPadOS > Configuration profiles). On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs. Select the Restrictionscategory and then select the checkbox next to the Blocked App Bundle IDs setting. > Devices > Configuration profile settings picker = 'Blocked App Bundle IDs' Enter the Bundle ID: com.deepseek.chat Assign the policy to either a device or user group. Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option. Uninstall the DeepSeek – AI Assistant app If a user has already installed the app via the Apple App Store, even though they will be unable to launch it when the previously described policy is configured, it’ll persist on the device. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned. Navigate to Apps > iOS/iPadOS apps. Select + Add and choose iOS store app from the list. Search for DeepSeek – AI Assistant and Select. > Apps > iOS/iPadOS > Add App searching for 'DeepSeek - AI Assistant' app Accept the default settings, then Next. Modify the Scope tags as required. On the Assignments tab, under the Uninstall section, select + Add group or select + Add all users or + Add all devices, depending on your organization’s needs. Click the Create button on the Review + create tab to complete the setup. Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed. Personal Devices – Bring your own device (BYOD) Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options: Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement). Use a report to identify personal devices with specific apps installed. Takeover the app with the user’s consent. Uninstall the app. This guide will focus on option 1. For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can now prevent the user from accessing protected company resources when using a non-compliant device. Create an iOS/iPadOS compliance policy, by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next. Name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next. Assign any Scope tags as required and select Next. Assign the policy to a user or device group and select Next. Review the policy and select Create. Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status, under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed. Android devices Android Enterprise corporate owned, fully managed devices Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy. If this setting has been configured as Block or Not configured (the default), no additional configuration is required as users are only able to install apps allowed by the administrator. Uninstall DeepSeek To uninstall the app, and prevent it from being installed via the Google Play Store perform the following steps: Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu. r DeepSeek – AI Assistant in the Search bar, select the app in the results and click Select and then Sync. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments. Under the Uninstall section, add a user or device group and select Review + save and then Save. After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”: The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device: Android Enterprise personally owned devices with work profile For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile. Note: Apps installed outside of the work profile can’t be managed by design. Windows devices You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint. Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge First, Custom Network Indicators needs to be enabled. Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device. Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button. Select Save preferences. Next, create a Custom Network Indicator. Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item. Enter the following, and then click Next: URL/Domain: https://deepseek.com Title: DeepSeek Description: Block network access to DeepSeek Expires on (UTC): Never You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next: Generate alert: Ticked Severity: Informational Category: Unwanted software Note: Change the above settings according to your organization’s requirements. Select Block execution as the Action and click Next, review the Organizational scope and click Next. Review the summary and click Submit. Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge: Using Defender for Endpoint to block websites in other browsers After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy and selecting the following then click Create: Platform: Windows 10 and later Profile type: Settings Catalog Enter a name and description and click Next. Click + Add settings and in the search field, type Network Protection and click Search. Select the Defender category and select the checkbox next to Enable Network Protection. Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next. Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create. When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin. macOS macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance. Enable Network Protection Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center: Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create. Enter an appropriate name and description and select Next. Click + Add settings and in the search bar, enter Network Protection and select Search. Select the Microsoft Defender Network protection category and select the checkbox next to Enforcement Level and close the Settings Picker window. In the dropdown menu next to Enforcement Level, select Block and select Next. Add Scope Tags as required and select Next. Assign the policy to a user or devices group and select Next. Review the policy and select Create. The user when attempting to access the website will experience the following: http://www.deepseek.com showing error: This site can't be reached Conclusion This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations. Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Additional resources For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.[On demand] Unified security: Intune + Microsoft Defender for Endpoint
Comprehensive protection, real-time threat intelligence, and streamlined management across devices? Explore the seamless integration of Microsoft Intune with Microsoft Defender for Endpoint. Watch Unified security: Intune + Microsoft Defender for Endpoint – now on demand – and join the conversation at https://aka.ms/IntunePlusMDE. To help you learn more, here are the links referenced in the session: Defender for Endpoint can be configured to yield to Configuration manager For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.
