Microsoft previews Intune vulnerability remediation agent for Security Copilot
#Vulnerabilities

Cloud Reporter

Microsoft ties Defender CVE data to Intune remediation through Security Copilot, giving endpoint teams a faster path from exposure ranking to action.

Microsoft opened public preview for the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune on June 16, 2026, giving endpoint administrators a guided path from CVE triage to Intune remediation.

Microsoft expanded the agent beyond a limited test group and put Microsoft Entra agentic identity at the center of governance. Admins can use it in the Intune admin center to rank exposure, review Copilot-assisted impact text and move into remediation work without leaving the endpoint management console.

Microsoft change

Microsoft built the agent around Microsoft Defender Vulnerability Management data and Microsoft Intune device context. The agent identifies Common Vulnerabilities and Exposures across Intune-managed Windows devices and apps, then presents recommendations in the Agents node and Endpoint security pages.

Admins see the CVE count and affected systems. They get exposed-device detail and Intune remediation steps, with Microsoft Security Copilot impact text beside each recommendation.

Microsoft ranks issues by Common Vulnerability Scoring System scores and exposure impact. Device count helps admins judge blast radius. After admins act, they can mark a recommendation as applied, and Intune keeps a record for later review.

Microsoft added Entra agentic identity to govern the agent. During setup, Intune provisions a dedicated agentic identity and agentic user in the tenant. Admins delegate read permissions to that agentic user in Intune and Defender, then run the Readiness Check before the agent runs.

Security leaders get a cleaner audit trail because the agent does not borrow a human admin account. They can review which identity ran the workflow, which permissions supported it and which admin marked the work as applied.

Provider comparison

Microsoft's advantage is endpoint management depth. If your team manages Windows endpoints through Intune, Microsoft can connect vulnerability intelligence from Defender to app and device management in the same admin surface. Security Copilot adds impact summaries and step guidance, but admins still approve the work and verify change windows.

AWS gives cloud teams Amazon Inspector for vulnerability findings across supported workloads and AWS Systems Manager Patch Manager for patch operations. You can build a strong remediation loop through AWS services and automation documents. Governance choices sit with your platform team.

AWS suits teams that patch Amazon EC2 fleets, container images and cloud workloads through infrastructure pipelines. Microsoft suits teams that treat the Windows endpoint as the main exposure surface and want remediation guidance inside endpoint management.

Google Cloud customers can combine Security Command Center with VM Manager OS patch management. Google gives Google Compute Engine teams a path for posture findings and VM patch operations. Microsoft reaches deeper into Windows endpoint administration through Intune.

You should start provider selection with your system of record. If Intune owns endpoint configuration, the Microsoft agent can reduce handoffs. If AWS Systems Manager owns EC2 patching, Inspector plus Patch Manager may fit your operating model. If Security Command Center drives cloud risk governance, Google can keep VM patching inside a cloud posture program.

Pricing and migration

You need a pricing workstream before pilots. Microsoft customers must account for Intune and Defender Vulnerability Management eligibility. Security Copilot capacity and plugin access can change pilot economics.

AWS buyers should model Inspector assessment charges and Systems Manager usage. Google buyers should model Security Command Center tiering and Compute Engine operational costs. Compare the hours your team saves and the days your team removes from remediation before you rank license cost.

You should pilot the Microsoft agent against one endpoint ring. Start with a Windows device group that has known software exposure and a clear maintenance window. Require the agent to produce recommendations, then have admins apply one Intune action during that window.

Track false positives and high-exposure devices the agent misses. Measure the gap between recommendation creation and admin action. Your security team should compare that cycle time with its current CVE queue process.

Security leaders should define who can delegate agent permissions, who can schedule runs and who can mark recommendations as applied. An agentic identity improves audit quality when your team treats it as a service principal with a named owner. Your IAM owner should review permissions on a schedule and remove access that the agent no longer needs.
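One way to run the scheduled permission review this paragraph recommends, as an added example that is not Microsoft's or the page's own code: it assumes the agentic identity is visible as an Entra service principal, uses the Microsoft Graph PowerShell SDK, and leaves the identity's display name and the expected read-only permission list as placeholders for the IAM owner to fill in.

```powershell
# Added example (not Microsoft's or the page's code): a scheduled review of the
# agentic identity's granted permissions and ownership. Assumes the identity is
# an Entra service principal and the Microsoft Graph PowerShell SDK is installed.
# <AGENT-SP-DISPLAY-NAME> and the allow-list are placeholders the IAM owner fills in.
param(
    [string]$AgentDisplayName = '<AGENT-SP-DISPLAY-NAME>',
    # Placeholder allow-list: the read-only application permissions the agent was delegated.
    [string[]]$ExpectedPermissions = @('<EXPECTED-READ-PERMISSION-1>', '<EXPECTED-READ-PERMISSION-2>')
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AgentDisplayName'"
if (-not $sp) { throw "No service principal named '$AgentDisplayName' found." }

# A governed agent needs a named owner; flag the identity if nobody owns it.
$owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id
if (-not $owners) { Write-Warning "Agent identity '$AgentDisplayName' has no owner assigned." }

# Resolve each granted app role to its permission name by looking it up on the
# resource API's own service principal (AppRoleId alone is just a GUID).
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$granted = foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        Expected   = ($role.Value -in $ExpectedPermissions)
        # Write-capable grants are the first thing to question for a read-only agent.
        IsWrite    = ($role.Value -match 'ReadWrite|Write')
    }
}

$granted | Sort-Object Expected, Resource | Format-Table -AutoSize

# Anything outside the allow-list, or any write permission, goes to the owner for removal.
$unexpected = $granted | Where-Object { -not $_.Expected -or $_.IsWrite }
if ($unexpected) {
    Write-Warning 'Review these grants and remove any the agent no longer needs:'
    $unexpected | ForEach-Object { "  $($_.Resource): $($_.Permission)" }
}
```

Run it from a scheduled task under a reviewer account that holds only `Application.Read.All`; the script reads grants and never changes them, so removals stay a deliberate admin action.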

Business impact

Security teams can move vulnerability management from scanner queues to governed action loops. For years, teams accepted CVE volume as a sorting problem. Microsoft wants admins to work from a recommended action instead of a CVE record.

Executives can measure a clearer operating metric: time from exposure discovery to approved remediation. Administrators get a task they can complete in Intune. Auditors get a record that links the recommendation, the identity and the applied action.

Leaders should manage trust with care. AI summaries can help triage, but admins need source CVE links and device scope. Change owners need rollback plans. Microsoft’s Readiness Check and applied-state tracking help, but buyers should ask how exported evidence will satisfy auditors and incident reviewers.

Vulnerability remediation crosses ownership lines. Your endpoint team may own Intune, while your security operations center owns Defender. Your platform group may own patch rings. You should name the owner for recommendation review, define the approval path and set a service-level target for critical exposure.

For Microsoft-centric enterprises, the public preview deserves a controlled pilot. Teams with mixed clouds should compare the Microsoft agent against AWS and Google workflows by measuring two outcomes: how fast admins can choose the right fix and how clean the audit record looks after they apply it.
