Welcome to the Microsoft Security Community!
Protect it all with Microsoft Security Eliminate gaps and get the simplified, comprehensive protection, expertise, and AI-powered solutions you need to innovate and grow in a changing world. The Microsoft Security Community is your gateway to connect, learn, and collaborate with peers, experts, and product teams. Gain access to technical discussions, webinars, and help shape Microsoft’s security products. Get there fast To stay up to date on upcoming opportunities and the latest Microsoft Security Community news, make sure to subscribe to our email list. Find the latest skilling content and on-demand videos – subscribe to the Microsoft Security Community YouTube channel. Catch the latest announcements and connect with us on LinkedIn – Microsoft Security Community and Microsoft Entra Community. Index Community Calls: March 2026 Upcoming Community Calls March 2026 Mar. 4 | 8:00am | Microsoft Security Store | A Day in the Life of an Identity Security Manager Powered by Security Agents In this session, you’ll see how security agents from the Microsoft Security Store help security teams amplify capacity, accelerate detection‑to‑remediation, and strengthen identity security posture. Co‑presented with identity security experts from the Microsoft Most Valuable Professionals (MVPs) community, we’ll walk through a day‑in‑the‑life of an identity protection manager—covering scenarios like password spray attacks, privileged account compromise, and dormant account exploitation. You’ll then see how security agents can take on the heavy lifting, while you remain firmly in control. Mar. 5 | 8:00am | Security Copilot Skilling Series | Conditional Access Optimization Agent: What It Is & Why It Matters Get a clear, practical look at the Conditional Access Optimization Agent—how it automates policy upkeep, simplifies operations, and uses new post‑Ignite updates like Agent Identity and dashboards to deliver smarter, standards‑aligned recommendations. Mar. 11 | 8:00am | Microsoft Security Store | A Day in the Life of an Identity Governance Manager Powered by Security Agents In this session, you’ll see how agents from the Microsoft Security Store help governance teams streamline reviews, reduce standing privilege, and close lifecycle gaps. Co‑presented with identity governance experts from the Microsoft MVP community, we’ll walk through a day‑in‑the‑life of an identity governance manager—covering scenarios like excessive access accumulation, offboarding gaps, and privileged role sprawl. You’ll see how agents can automate governance workflows while keeping you in control. Mar. 11 | 8:00am | Microsoft Entra | QR code authentication: Fast, simple sign‑in designed for Frontline Workers Frontline teams often work on shared mobile devices where typing long usernames and passwords slows everyone down. In this session, we’ll introduce the QR code authentication method in Microsoft Entra ID—a streamlined way for workers to sign in by scanning their unique QR code and entering a PIN on shared iOS/iPadOS or Android devices. No personal phones or complex credentials required. We’ll walk through the end‑to‑end experience, from enabling the method in your tenant and issuing codes to workers (via the Entra admin center or My Staff), to the on‑device sign‑in flow that gets your teams productive quickly. We’ll also cover best‑practice controls—like using Conditional Access and Shared device mode—to help you deploy with confidence. Bring your questions—we’ll host Q&A and collect product feedback to help prioritize upcoming investments. Mar. 11 | 5:00pm | Microsoft Entra | Building MCP on Entra: Design Choices for Enterprise Agents Explore approaches for integrating MCP with Microsoft Entra Agent ID. We’ll outline key considerations for identity, consent, and authorization, discuss patterns for scalable and auditable agent architectures, and share insights on interoperability. Expect practical guidance, common pitfalls, and an open forum for questions and feedback. Mar. 12 | 12:00pm (BRT) | Microsoft Intune | Novidades do Microsoft Intune - Últimos lançamentos Junte-se a nós para explorar as novidades do Microsoft Intune, incluindo os lançamentos mais recentes anunciados no Microsoft Ignite e a integração do Microsoft Security Copilot no Intune. A sessão contará com demonstrações ao vivo e um espaço interativo de perguntas e respostas, onde você poderá tirar suas dúvidas com especialistas. Mar. 18 | 1:00pm (AEDT) | Microsoft Entra | From Lockouts to Logins: Modern Account Recovery and Passkeys Lost phone, no backup? In a passwordless world, users can face total lockouts and risky helpdesk recovery. This session shows how Entra ID Account Recovery uses strong identity verification and passkey profiles to help users safely regain access. Mar. 19 | 8:00am | Microsoft Purview | Insider Risk Data Risk Graph We’re excited to share a new capability that brings Microsoft Purview Insider Risk Management (IRM) together with Microsoft Sentinel through the data risk graph (public preview) What it is: The data risk graph gives you an interactive, visual map of user activity, data movement, and risk signals—all in one place. Why it matters: Quickly investigate insider risk alerts with clear context, understand the impact of risky activities on sensitive data, accelerate response with intuitive, graph-based insights Getting started: Requires onboarding to the Sentinel data lake & graph. Needs appropriate admin/security roles and at least one IRM policy configured This session will provide practical guidance on onboarding, setup requirements, and best practices for data risk graph. Mar. 24 | 8:00am | Microsoft Purview | eDiscovery recent updates to the modern UX Join us to learn all about the recent updates to the modern UX, from new features and managing generative AI content. Mar. 24 | 9:00am | Microsoft Intune | Accelerate your Mac Management POC in Intune with Intune my Macs Intune my Macs enables you to stand up a complete Microsoft Intune macOS proof‑of‑concept in minutes. Using a single script, it deploys policies, compliance settings, scripts, PKG apps, and optionally Microsoft Defender for Endpoint (MDE). In this session, you’ll learn how to use the solution and see exactly what it delivers. Mar. 26 | 8:00am | Azure Network Security | What's New in Azure Web Application Firewall Azure Web Application Firewall (WAF) continues to evolve to help you protect your web applications against ever-changing threats. In this session, we’ll explore the latest enhancements across Azure WAF, including improvements in ruleset accuracy, threat detection, and configuration flexibility. Whether you use Application Gateway WAF or Azure Front Door WAF, this session will help you understand what’s new, what’s improved, and how to get the most from your WAF deployments. Mar. 31 | 8:00am | Microsoft Entra | Developer Tools for Agent ID: SDKs, CLIs & Samples Accelerate agent identity projects with Microsoft Entra’s developer toolchain. Explore SDKs, sample repos, and utilities for token acquisition, consent flows, and downstream API calls. Learn techniques for debugging local environments, validating authentication flows, and automating checks in CI/CD pipelines. Share ready-to-run samples, resources, and guidance for filing new tooling requests—helping you build faster and smarter. Looking for more? Join the Security Advisors! As a Security Advisor, you’ll gain early visibility into product roadmaps, participate in focus groups, and access private preview features before public release. You’ll have a direct channel to share feedback with engineering teams, influencing the direction of Microsoft Security products. The program also offers opportunities to collaborate and network with fellow end users and Microsoft product teams. Join the Security Advisors program that best fits your interests: www.aka.ms/joincommunity. Additional resources Microsoft Security Hub on Tech Community Virtual Ninja Training Courses Microsoft Security Documentation Azure Network Security GitHub Microsoft Defender for Cloud GitHub Microsoft Sentinel GitHub Microsoft Defender XDR GitHub Microsoft Defender for Cloud Apps GitHub Microsoft Defender for Identity GitHub Microsoft Purview GitHubAgents in Microsoft Intune | Automate Policy Creation, Troubleshooting & Fix Guidance
Automate device and security policy management by turning written compliance requirements into Intune policies. Use natural language to draft, refine, and deploy configuration profiles, review AI-generated recommendations with confidence scores, and stay in full control before publishing to your environment. Reduce risk and manual effort by automatically evaluating admin change requests and blocking harmful scripts before deployment. Prioritize vulnerabilities from Defender, translate them into actionable Intune remediation steps, and schedule ongoing fixes. Jason Githens, Microsoft Intune Principal GPM, shares how to move from reactive security work to continuous, proactive protection. Note: At the time of publishing this video, the Change Review Agent and Policy Configuration Agent are in public preview and the Vulnerability Remediation Agent is in limited public preview. Use natural language to generate ready-to-review policies. Check out the Policy Configuration Agent in Microsoft Intune. Reduce security risk. Detect destructive or compromised change requests in real time. and get AI-driven approve/reject recommendations. Start using the Change Review Agent in Microsoft Intune. Shift from reactive patching to proactive security. See how to schedule automated vulnerability remediation inside Intune. QUICK LINKS: 00:00 — Automate work with Intune Agents 01:08 — Policy Configuration Agent 01:36 — Policy drafts 02:27 — Create a new knowledge source 03:25 — Create a new policy 04:49 — Change Review Agent 06:19 — Vulnerability Remediation Agent 07:46 — Wrap up Link References To get started, go to https://aka.ms/IntuneAgents Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -You can now manage your device and security policies without manual work and automate tasks that previously were not automatable. How? Well, today I’ll demonstrate new agents in Microsoft Intune. As part of Security Copilot, they’re now included and rolling out with Microsoft 365 E5. These are designed to automate the busy work for you while continuously improving the security of your digital estate. This includes the new Policy Configuration Agent, which can reason over your compliance documents, for example, security technical implementation guides, STIGs, and create matching Intune policies automatically. The Change Review Agent, which evaluates admin requests, like scripts, using signals from Microsoft Intune, Entra, and Defender, to recommend change request actions, such as approve or reject, before they’re deployed. -Along with the Vulnerability Remediation Agent that analyzes the signals across Defender and Intune and proactively creates recommendations for medium to high-risk device vulnerabilities so they don’t get missed. They use natural language reasoning to interpret your instructions together with your policy control plane to generate informed and actionable configuration guidance. In fact, let’s take a look at what these agents can do, starting with the Policy Configuration Agent, which converts written requirements into actionable settings. From the Agents page in Intune, you can see all of your available agents. I’ll choose the Policy Configuration Agent, and here you’ll see Agent suggestions and Activity. There are tabs for Knowledge, Suggestions, and Settings. When you use this agent, it will create configuration profiles in Intune that will appear alongside your existing device policies. So these aren’t agent-only policies. -These are policies that you or other admins on your team would have typically set and are based on the instructions you’ve laid out. Let me show you. I’m going to create a new policy. You can create policy drafts by describing the configurations you want in natural language as written instructions and optionally, you can use a knowledge source by uploading a text file, which I’ll demonstrate here. But before I do that, let me show you what I’ll be basing it on. For that I’ll move into a text editor, Notepad in my case. You’ll typically start by having or creating this type of knowledge source. You can see it’s a written text document that gives the agent a natural language description of all the different device configurations that need to be set according to specific internal or regulatory compliance requirements. As you saw, it used descriptive, but not precise, terms to help instruct the agent on the breadth of settings available to them. -Back in Intune in the Knowledge tab, you can see all of our uploaded txt files. I’ll Create New this time a knowledge source. I’ll give it a name, then input a description to explain what it’s for. Below that, I can upload a document, so I’ll navigate to my file to upload, then hit Review to confirm. Depending on your file, this could take a minute or so to process, but in my case, I’m processing around 50 settings that could have taken hours to match manually. You can watch this progress from the Overview tab. Once it’s finished, in this case it actually took around three minutes, it will appear under Agent suggestions on the Overview tab. And if I click into the file I just uploaded, you can see the agent has successfully mapped several different settings from the baseline directly to an enforceable Intune policy. -Additionally, the agent has provided a percentage confidence rating for each setting. These scores help you understand how accurately it was able to translate your regulatory or configuration document into actual Intune policy settings. Now that the knowledge source has been mapped with the settings, we’re ready to build a new policy from it. This time, I’ll Create a New policy draft. I’ll give the policy a name and then I’ll add a short description. Now from the optional Knowledge source dropdown, I’ll select the baseline that we just uploaded and processed. You can also create policy drafts without using a defined knowledge source. I need to instruct it to create a policy, or optionally, I can prompt it to remove or refine a setting described in the file. This makes sense, for example, in cases where we know it’s already part of another all devices policy. -Here, you can also add a document that will be appended as text to your instructions. From there, I just need to hit Create. That process will take a few minutes to run, so we’ll skip ahead in time to show the results. In Agent suggestions, I can see my policy draft on top. When I click in, I can see all of the policy details and settings. Everything looks good to me. In my case, it was able to match all the settings. So I’ll create the configuration policy from this draft using the standard policy deployment flow. Importantly, you can review all its configurations and make changes here if you want, just like you normally would before enabling it. Add scope tags and you can assign it to groups or devices. I’ll assign devices later. Then I can review and deploy it using the normal process. Once it’s published, if I move over to my configuration policies, I can see the new one right here with the rest of our policies. -Next, let’s move on to the Change Review Agent. Think of this like an expert script author and troubleshooter to help you evaluate admin change requests. I’m in the Change Review Agent, and to show you what’s behind this, I’ll move right into the Settings tab, and the first thing you might notice is that the agent is operating with a lot of rich information as context from Intune, Entra, Defender, including Threat Intelligence. It pulls signals from all of these sources to fully understand the impact of any proposed change. Moving back to the Overview tab, you can see that the agent has reviewed multiple admin approval requests with a recommendation to approve or reject appended as a prefix to each script name. -Let’s look at this script submission as an example. As soon as the script is loaded, the agent analyzes it, providing deeper context and a summary of what the script does. It has identified that this is a highly destructive script designed to wipe managed devices using Graph API calls. The change requester had no previous risk identified, and the business justification was determined to be vague, so it’s likely this person’s account was compromised. You can view the request to look at what the script is doing exactly, and there’s our device wipe. All of these signals are processed in real time to help determine whether the change should be approved or rejected. In this case, the agent concludes that the script is clearly harmful if executed with its current all managed devices scope, so it recommends rejecting the request. The agent is able to rapidly decipher between legitimate and adversarial intent or policy conflicts from change requests that would introduce risk into your environment. -Finally, the Vulnerability Remediation Agent assesses critical vulnerabilities from Microsoft Defender. It does this in a prioritized manner and maps them to at-risk devices managed in Intune to help you automate fixes. I’ll start in the Microsoft Defender portal under vulnerability management to first set some context. -Here, you’ll see a clear view of the top risk in your environment, including impact scores, exposed devices, severity, owners, and the associated CVEs. Here’s an example where the dashboard flags an application vulnerability that requires updating Relecloud Sync app. You can drill into the details, understand the exposure, and prioritize remediation, but typically this is where the workflow stops. Defender identifies the issue, and remediation has to be coordinated manually. -That’s where the Vulnerability Remediation Agent comes in. It takes prioritized vulnerability data from Defender and brings it into Intune. The result is that you can automate remediation in place from where you manage your device endpoints without switching context or accessing Defender. In our example, Defender indicates Relecloud needs to be updated to version 14.0.7. The agent translates that guidance into actionable steps. On the other hand, if I open the suggestion to update Microsoft Windows 11, OS and built-in applications, you’ll see that not only is the update recommended, but also, best-practice security configuration changes are all listed right here. -And if I move into the agent settings, you’ll see that this agent also lets you automate runs based on a schedule. So that’s how Intune agents help you move from manual effort to intelligent automated guidance while keeping you in control of implementing agent recommendations. And in the future, we’ll start to integrate AI actions into common Intune workflows that you perform every day. -To get started, log into Intune and try out the new agent capabilities. In fact, if you’re already logged in, just go to aka.ms/IntuneAgents and keep watching Microsoft Mechanics for the latest updates. Thanks for watching.
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?
Device Migration from On-prem AD to Azure AD
Hello All, We want to migrate our On-Prem AD devices to Azure AD and enroll into intune. We have Azure AD sync and all but needs to convert machine to Azure AD join only not Hybrid AD. So we would like to create new user profile on machine. We have used two methods so far. 1) Reset the machine and use join to Azure AD from OOBE. ( Issue - This will make user a Administrator for that machine and we dont want that ) 2) Unbind from on-prem AD, join to Azure AD manually but the same issue like number 1. 3) Using Hardware Hash, register devices to Autopilot and then reset all the machines. ( Issue - This will take too long to migrate 250 machines and helping remote workers are quite difficult ) Has anyone tried any different method or is there any expert suggestion ? Thanks!Accelerate Your Security Copilot Readiness with Our Global Technical Workshop Series
The Security Copilot team is delivering virtual hands-on technical workshops designed for technical practitioners who want to deepen their AI for Security expertise with Microsoft Entra, Intune, Microsoft Purview, and Microsoft Threat Protection. These workshops will help you onboard and configure Security Copilot and deepen your knowledge on agents. These free workshops are delivered year-round and available in multiple time zones. What You’ll Learn Our workshop series combines scenario-based instruction, live demos, hands-on exercises, and expert Q&A to help you operationalize Security Copilot across your security stack. These sessions are all moderated by experts from Microsoft’s engineering teams and are aligned with the latest Security Copilot capabilities. Every session delivers 100% technical content, designed to accelerate real-world Security Copilot adoption. Who Should Attend These workshops are ideal for: Security Architects & Engineers SOC Analysts Identity & Access Management Engineers Endpoint & Device Admins Compliance & Risk Practitioners Partner Technical Consultants Customer technical teams adopting AI powered defense Register now for these upcoming Security Copilot Virtual Workshops Start building Security Copilot skills—choose the product area and time zone that works best for you. Please take note of pre-requisites for each workshop in the registration page Security Copilot Virtual Workshop: Copilot in Defender March 4, 2026 at 8:00-9:00 AM (PST) - register here Asia Pacific optimized delivery schedules Time conversion: 4:00-5:30 PM NZDT; 11:00-12:30 AM GMT +8; 8:30-10:00 AM IST; 7:00-8:30 PM PST March 5, 2026 at 2:00-3:30 PM (AEDT) - register here Security Copilot Virtual Workshop: Copilot in Entra February 25, 2026 at 8:00 - 9:30 AM (PST) - register here Asia Pacific optimized delivery schedules Time conversion: 4:00-5:30 PM NZDT; 11:00-12:30 AM GMT +8; 8:30-10:00 AM IST; 7:00-8:30 PM PST February 26, 2026 at 2:00-3:30 PM (AEDT) - register here March 26, 2026 at 2:00-3:30 PM (AEDT) - register here Security Copilot Virtual Workshop: Copilot in Intune March 11, 2026 at 8:00-9:30 AM (PST) - register here Asia Pacific optimized delivery schedules Time conversion: 4:00-5:30 PM NZDT; 11:00-12:30 AM GMT +8; 8:30-10:00 AM IST; 7:00-8:30 PM PST March 12, 2026 at 2:00-3:30 PM (AEDT) - register here April 9, 2026 at 2:00 - 3:30 PM AEDT Security Copilot Virtual Workshop: Copilot in Purview March 18, 2026 8:00 - 9:30 AM (PST) - register here Asia Pacific optimized delivery schedules Time conversion: 4:00-5:30 PM NZDT; 11:00-12:30 AM GMT +8; 8:30-10:00 AM IST; 7:00-8:30 PM PST March 19, 2026 2:00-3:30 PM (AEDT)- register here Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Security Community Blog and post/ interact in the Microsoft Security Community discussion spaces. Follow = Click the heart in the upper right when you're logged in 🤍 Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Security Advisors.. Learn about the Microsoft MVP Program. Join the Microsoft Security Community LinkedIn and the Microsoft Entra Community LinkedInMonitor logical disk space through Intune
Hi All, We have a requirement to monitor low disk space, particularly on devices with less than 1GB of available space. We were considering creating a custom compliance policy, but this would lead to blocking access to company resources as soon as the device becomes non-compliant. Therefore, we were wondering if there are any other automated methods we could use to monitor the logical disk space (primarily the C drive) using Intune or Microsoft Graph. Thanks in advance, Dilan
