Security Copilot Skilling Series
Starting this October, Security Copilot joins forces with your favorite Microsoft Security products in a skilling series miles above the rest. The Security Copilot Skilling Series is your opportunity to strengthen your security posture through threat detection, incident response, and leveraging AI for security automation. These technical skilling sessions are delivered live by experts from our product engineering teams. Come ready to learn, engage with your peers, ask questions, and provide feedback. Upcoming sessions are noted below and will be available on-demand on the Microsoft Security Community YouTube channel. Coming Up October 30 | What's New in Copilot in Microsoft Intune Speaker: Amit Ghodke, Principal PM Architect, CxE CAT MEM Join us to learn about the latest Security Copilot capabilities in Microsoft Intune. We will discuss what's new and how you can supercharge your endpoint management experience with the new AI capabilities in Intune. Register now. November 13 | Microsoft Entra AI: Unlocking Identity Intelligence with Security Copilot Skills and Agents Speakers: Mamta Kumar, Sr. Product Manager; Rahul Prakash, Principal Product Manager, AI Innovations; Chad Hasbrook, Sr. Product Manager, IDNA This session will demonstrate how Security Copilot in Microsoft Entra transforms identity security by introducing intelligent, autonomous capabilities that streamline operations and elevate protection. Customers will discover how to leverage AI-driven tools to optimize conditional access, automate access reviews, and proactively manage identity and application risks - empowering them into a more secure, and efficient digital future. Register now Please stand by for an updated flight list; many more sessions coming soon. Click "follow" in the upper right of this article to be notified of updates. Now On-Demand October 16 | What’s New in Copilot in Microsoft Purview Speaker: Patrick David, Principal Product Manager, CxE CAT Compliance Join us for an insider’s look at the latest innovations in Microsoft Purview —where alert triage agents for DLP and IRM are transforming how we respond to sensitive data risks and improve investigation depth and speed. We’ll also dive into powerful new capabilities in Data Security Posture Management (DSPM) with Security Copilot, designed to supercharge your security insights and automation. Whether you're driving compliance or defending data, this session will give you the edge. October 9 | When to Use Logic Apps vs. Security Copilot Agents Speaker: Shiv Patel, Sr. Product Manager, Security Copilot Explore how to scale automation in security operations by comparing the use cases and capabilities of Logic Apps and Security Copilot Agents. This webinar highlights when to leverage Logic Apps for orchestrated workflows and when Security Copilot Agents offer more adaptive, AI-driven responses to complex security scenarios. All sessions will be published to the Microsoft Security Community YouTube channel - Security Copilot Skilling Series Playlist __________________________________________________________________________________________________________________________________________________________________ Looking for more? Keep up on the latest information on the Security Copilot Blog. Join the Microsoft Security Community mailing list to stay up to date on the latest product news and events. Engage with your peers one of our Microsoft Security discussion spaces.
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?
Introducing Microsoft Security Store
Security is being reengineered for the AI era—moving beyond static, rulebound controls and after-the-fact response toward platform-led, machine-speed defense. We recognize that defending against modern threats requires the full strength of an ecosystem, combining our unique expertise and shared threat intelligence. But with so many options out there, it’s tough for security professionals to cut through the noise, and even tougher to navigate long procurement cycles and stitch together tools and data before seeing meaningful improvements. That’s why we built Microsoft Security Store - a storefront designed for security professionals to discover, buy, and deploy security SaaS solutions and AI agents from our ecosystem partners such as Darktrace, Illumio, and BlueVoyant. Security SaaS solutions and AI agents on Security Store integrate with Microsoft Security products, including Sentinel platform, to enhance end-to-end protection. These integrated solutions and agents collaborate intelligently, sharing insights and leveraging AI to enhance critical security tasks like triage, threat hunting, and access management. In Security Store, you can: Buy with confidence – Explore solutions and agents that are validated to integrate with Microsoft Security products, so you know they’ll work in your environment. Listings are organized to make it easy for security professionals to find what’s relevant to their needs. For example, you can filter solutions based on how they integrate with your existing Microsoft Security products. You can also browse listings based on their NIST Cybersecurity Framework functions, covering everything from network security to compliance automation — helping you quickly identify which solutions strengthen the areas that matter most to your security posture. Simplify purchasing – Buy solutions and agents with your existing Microsoft billing account without any additional payment setup. For Azure benefit-eligible offers, eligible purchases contribute to your cloud consumption commitments. You can also purchase negotiated deals through private offers. Accelerate time to value – Deploy agents and their dependencies in just a few steps and start getting value from AI in minutes. Partners offer ready-to-use AI agents that can triage alerts at scale, analyze and retrieve investigation insights in real time, and surface posture and detection gaps with actionable recommendations. A rich ecosystem of solutions and AI agents to elevate security posture In Security Store, you’ll find solutions covering every corner of cybersecurity—threat protection, data security and governance, identity and device management, and more. To give you a flavor of what is available, here are some of the exciting solutions on the store: Darktrace’s ActiveAI Security SaaS solution integrates with Microsoft Security to extend self-learning AI across a customer's entire digital estate, helping detect anomalies and stop novel attacks before they spread. The Darktrace Email Analysis Agent helps SOC teams triage and threat hunt suspicious emails by automating detection of risky attachments, links, and user behaviors using Darktrace Self-Learning AI, integrated with Microsoft Defender and Security Copilot. This unified approach highlights anomalous properties and indicators of compromise, enabling proactive threat hunting and faster, more accurate response. Illumio for Microsoft Sentinel combines Illumio Insights with Microsoft Sentinel data lake and Security Copilot to enhance detection and response to cyber threats. It fuses data from Illumio and all the other sources feeding into Sentinel to deliver a unified view of threats across millions of workloads. AI-driven breach containment from Illumio gives SOC analysts, incident responders, and threat hunters unified visibility into lateral traffic threats and attack paths across hybrid and multi-cloud environments, to reduce alert fatigue, prioritize threat investigation, and instantly isolate workloads. Netskope’s Security Service Edge (SSE) platform integrates with Microsoft M365, Defender, Sentinel, Entra and Purview for identity-driven, label-aware protection across cloud, web, and private apps. Netskope's inline controls (SWG, CASB, ZTNA) and advanced DLP, with Entra signals and Conditional Access, provide real-time, context-rich policies based on user, device, and risk. Telemetry and incidents flow into Defender and Sentinel for automated enrichment and response, ensuring unified visibility, faster investigations, and consistent Zero Trust protection for cloud, data, and AI everywhere. PERFORMANTA Email Analysis Agent automates deep investigations into email threats, analyzing metadata (headers, indicators, attachments) against threat intelligence to expose phishing attempts. Complementing this, the IAM Supervisor Agent triages identity risks by scrutinizing user activity for signs of credential theft, privilege misuse, or unusual behavior. These agents deliver unified, evidence-backed reports directly to you, providing instant clarity and slashing incident response time. Tanium Autonomous Endpoint Management (AEM) pairs realtime endpoint visibility with AI-driven automation to keep IT environments healthy and secure at scale. Tanium is integrated with the Microsoft Security suite—including Microsoft Sentinel, Defender for Endpoint, Entra ID, Intune, and Security Copilot. Tanium streams current state telemetry into Microsoft’s security and AI platforms and lets analysts pivot from investigation to remediation without tool switching. Tanium even executes remediation actions from the Sentinel console. The Tanium Security Triage Agent accelerates alert triage, enabling security teams to make swift, informed decisions using Tanium Threat Response alerts and real-time endpoint data. Walkthrough of Microsoft Security Store Now that you’ve seen the types of solutions available in Security Store, let’s walk through how to find the right one for your organization. You can get started by going to the Microsoft Security Store portal. From there, you can search and browse solutions that integrate with Microsoft Security products, including a dedicated section for AI agents—all in one place. If you are using Microsoft Security Copilot, you can also open the store from within Security Copilot to find AI agents - read more here. Solutions are grouped by how they align with industry frameworks like NIST CSF 2.0, making it easier to see which areas of security each one supports. You can also filter by integration type—e.g., Defender, Sentinel, Entra, or Purview—and by compliance certifications to narrow results to what fits your environment. To explore a solution, click into its detail page to view descriptions, screenshots, integration details, and pricing. For AI agents, you’ll also see the tasks they perform, the inputs they require, and the outputs they produce —so you know what to expect before you deploy. Every listing goes through a review process that includes partner verification, security scans on code packages stored in a secure registry to protect against malware, and validation that integrations with Microsoft Security products work as intended. Customers with the right permissions can purchase agents and SaaS solutions directly through Security Store. The process is simple: choose a partner solution or AI agent and complete the purchase in just a few clicks using your existing Microsoft billing account—no new payment setup required. Qualifying SaaS purchases also count toward your Microsoft Azure Consumption Commitment (MACC), helping accelerate budget approvals while adding the security capabilities your organization needs. Security and IT admins can deploy solutions directly from Security Store in just a few steps through a guided experience. The deployment process automatically provisions the resources each solution needs—such as Security Copilot agents and Microsoft Sentinel data lake notebook jobs—so you don’t have to do so manually. Agents are deployed into Security Copilot, which is built with security in mind, providing controls like granular agent permissions and audit trails, giving admins visibility and governance. Once deployment is complete, your agent is ready to configure and use so you can start applying AI to expand detection coverage, respond faster, and improve operational efficiency. Security and IT admins can view and manage all purchased solutions from the “My Solutions” page and easily navigate to Microsoft Cost Management tools to track spending and manage subscriptions. Partners: grow your business with Microsoft For security partners, Security Store opens a powerful new channel to reach customers, monetize differentiated solutions, and grow with Microsoft. We will showcase select solutions across relevant Microsoft Security experiences, starting with Security Copilot, so your offerings appear in the right context for the right audience. You can monetize both SaaS solutions and AI agents through built-in commerce capabilities, while tapping into Microsoft’s go-to-market incentives. For agent builders, it’s even simpler—we handle the entire commerce lifecycle, including billing and entitlement, so you don’t have to build any infrastructure. You focus on embedding your security expertise into the agent, and we take care of the rest to deliver a seamless purchase experience for customers. Security Store is built on top of Microsoft Marketplace, which means partners publish their solution or agent through the Microsoft Partner Center - the central hub for managing all marketplace offers. From there, create or update your offer with details about how your solution integrates with Microsoft Security so customers can easily discover it in Security Store. Next, upload your deployable package to the Security Store registry, which is encrypted for protection. Then define your license model, terms, and pricing so customers know exactly what to expect. Before your offer goes live, it goes through certification checks that include malware and virus scans, schema validation, and solution validation. These steps help give customers confidence that your solutions meet Microsoft’s integration standards. Get started today By creating a storefront optimized for security professionals, we are making it simple to find, buy, and deploy solutions and AI agents that work together. Microsoft Security Store helps you put the right AI‑powered tools in place so your team can focus on what matters most—defending against attackers with speed and confidence. Get started today by visiting Microsoft Security Store. If you’re a partner looking to grow your business with Microsoft, start by visiting Microsoft Security Store - Partner with Microsoft to become a partner. Partners can list their solution or agent if their solution has a qualifying integration with Microsoft Security products, such as a Sentinel connector or Security Copilot agent, or another qualifying MISA solution integration. You can learn more about qualifying integrations and the listing process in our documentation here.Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community HubIntune AI Agent: Instant Threat Defense, Invisible Protection
From Microsoft Learn - Vulnerability Remediation Agent In today’s threat landscape, security teams require more than traditional tools—they need automation that can adapt in real time. Microsoft Intune’s integration with Security Copilot agents addresses this need. This blog introduces the Vulnerability Remediation Agent, an AI-based solution for managing endpoint security. By leveraging Microsoft’s threat intelligence alongside large language models (LLMs), these agents provide insights, automate policy enforcement, and simplify remediation workflows. Whether responding to compromised devices, updating compliance policies, or applying Zero Trust principles, Intune’s Security Copilot agents offer a centralized approach to endpoint protection. This article outlines the functionality of these agents, their features, and implementation strategies, enabling organizations to address threats and enhance their overall security posture. Why Intune Needs AI Agents Vulnerability Remediation Agent in Microsoft Intune are AI-driven tools developed to support security teams in endpoint management and protection. These agents utilize large language models (LLMs) and Microsoft's threat intelligence to deliver insights, automate tasks, and assist with decision-making. With factors such as hybrid work, Bring Your Own Device (BYOD), and changing threat vectors, managing endpoint security has become more complex. Security Copilot agents in Intune address these challenges by: Automating threat detection and response Offering contextual device risk insights Recommending and applying policy modifications Reducing remediation time for compromised devices These agents function within the Security Copilot framework, using Microsoft’s threat intelligence and AI models to provide real-time guidance. From Microsoft Learn - Vulnerability Remediation Agent Key Capabilities of Vulnerability Remediation Agent in Microsoft Intune Microsoft Intune’s Vulnerability Remediation Agent uses AI to scan devices for vulnerabilities, assess their risk, and provide clear remediation steps. It automates or recommends policy changes to guide IT teams from detection through resolution, focusing on the most critical issues. The Compromise Recovery Agent automatically identifies compromised devices using Defender and other signals, then runs recovery actions like isolation, password resets, and policy enforcement to streamline response. Device Compliance Optimization Agent reviews compliance policies and telemetry, highlights gaps, and suggests improvements. It enables gradual policy rollout via report-only mode for safer deployments. Security Posture Insights present dashboards with device risks, policy effectiveness, and remediation history, helping security teams prioritize responses. Security Copilot agents integrate into the Intune admin center, letting administrators use natural language queries to receive recommendations and make changes directly in one platform. Copilot-Driven Recommendations deliver bespoke guidance for strengthening endpoint security, complete with projected impact analyses prior to execution. Collectively, these agents offer several core capabilities: Real-time threat detection and response Automated policy recommendations Endpoint configuration optimization Integration with Microsoft Defender and other security solutions Context-aware insights informed by organizational data Step-by-step vulnerability remediation guidance leveraging Intune’s native tools From Microsoft Learn - Agent suggestions How It Works Vulnerability Remediation Agent in Microsoft Intune operates through an ongoing improvement process: Scan & Evaluate: Review device telemetry and policy coverage. Recommend: Suggest policy adjustments or remediation actions. Remediate: Implement fixes in report-only mode or enforce immediately. Observe & Iterate: Track outcomes and adjust policies accordingly. Utilizing AI Agent in endpoint management allows security teams to: Shorten response time to threats Enhance policy compliance Reduce manual configuration errors Increase visibility into endpoint status and security Learn More Microsoft Vulnerability Remediation Agent in Microsoft Intune From Microsoft Learn - Vulnerability Remediation Agent Setup Use Cases Rapid Response to Compromised Devices: Endpoints identified as infected are automatically isolated and remediated. Policy Optimization: Overlapping compliance policies are consolidated to minimize complexity. Zero Trust Enforcement: Only devices that meet compliance and security standards are permitted access to corporate resources. Operational Efficiency: Manual troubleshooting is reduced, and visibility into operations is improved. Requirements This list outlines the requirements, licensing conditions, user roles, permissions, and a comparison of advantages and disadvantages for deploying Vulnerability Remediation Agent in Microsoft Intune. Licensing: Microsoft Intune and Microsoft Security Copilot Secure Compute Units (SCU) may apply). Roles: Intune Admin, Security Admin, or Global Admin. Permissions: Role-based access controls ensure secure execution. Pros and Cons Pros Cons Notes Automated threat detection and remediation Requires SCUs and proper licensing Plan SCU usage Simplifies compliance policy management Limited customization of agent suggestions Use report-only mode for testing Improves visibility into device risk Initial setup may require training Leverage dashboards and logs Supports Zero Trust principles Preview features may evolve Monitor Microsoft Learn for updates Getting Started with Intune’s AI-Powered Security Agents Step 1: Access the Intune Admin Center Go to the https://intune.microsoft.com. Navigate to Endpoint Security > Security Copilot Agents. Step 2: Enable the Vulnerability Remediation Agent Locate the Vulnerability Remediation Agent tile on the home page. Click Start Agent to begin setup. Follow the guided steps to configure scanning, policy recommendations, and remediation workflows. Step 3: Review Licensing and Permissions Ensure your organization has the required Microsoft Intune licensing and Security Copilot Secure Compute Units (SCUs). Assign appropriate role-based access controls (e.g., Intune Admin, Security Admin, Global Admin) to manage agent capabilities securely. Step 4: Configure Agent Settings Define scanning intervals and telemetry sources. Enable report-only mode for safe testing of policy changes before enforcement. Set up dashboards and logs to monitor agent activity and remediation outcomes. Step 5: Integrate with Microsoft Defender Link Intune with Microsoft Defender for Endpoint to enhance threat detection and response. Use Defender signals to support Compromise Recovery Agent actions like isolation and password resets. Step 6: Use Natural Language Queries In the Intune Admin Center, use Security Copilot to ask questions like: o “Which devices are at risk?” o “What policy changes are recommended?” o “Show remediation history for compromised endpoints.” Step 7: Monitor and Optimize Track device compliance and risk posture using Security Posture Insights. Use the Device Compliance Optimization Agent to identify gaps and suggest improvements. Adjust policies based on observed outcomes and agent recommendations. About the Author Hi! Jacques “Jack” here, Lead Technical Trainer. I help learners and customers adopt Microsoft Intune, Defender, and Security Copilot. This blog post reflects the practical guidance I share in workshops to accelerate secure endpoint management. From my perspective as a trainer, what truly sets Intune apart is how seamlessly it leverages AI-driven agents to automate responses, detect advanced threats, and provide actionable insights in real time. This empowers organizations to proactively defend their environments, reduce manual workloads, and build a culture of security resilience through intelligent automation. With these capabilities, Intune and Security Copilot together not only elevate protection but also simplify the learning curve for IT professionals managing complex digital landscapes. #MicrosoftLearn #SkilledByMTTMicrosoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available hereLearn more about Microsoft Security Communities.
In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.
