The Vulnerability Remediation Agent uses AI-powered analysis to identify and prioritize vulnerabilities across your managed devices, providing step-by-step remediation guidance through the Intune admin center.
After you set up the agent, you can run vulnerability assessments, review prioritized suggestions, and track your remediation progress over time.
Tip
The Vulnerability Remediation Agent is accessible in the Intune admin center from both the Agents and Endpoint security nodes. Each path provides access to the same agent. In this documentation, references to its location use the Agents node.
This article shows you how to use the Vulnerability Remediation Agent, including:
- Running vulnerability assessments
- Reviewing and managing suggestions
- Understanding remediation guidance
- Tracking applied remediations
To learn about the agent and how to set it up, see Vulnerability Remediation Agent in Microsoft Intune.
Prerequisites
Before you start, review the requirements in the Vulnerability Remediation Agent article.
Explore the Vulnerability Remediation Agent
After configuration, manage the agent from the Vulnerability Remediation Agent pane.
In the Microsoft Intune admin center, select Agents > Vulnerability Remediation Agent (preview). Select the following tabs to learn more:
- Overview - View the agent's current status, the top prioritized vulnerabilities that the agent has identified, and records of recent agent activity.
- Suggestions - View the full list of vulnerabilities that the agent has identified.
- Settings - View the agent's configuration details.
The Overview tab includes:
- Agent status - Tiles that introduce the agent and show whether it's available and its current run status.
- Agent suggestions - A short list of the top vulnerabilities that should be addressed.
- Activity - Tracks the current and past run activity of the agent. While the agent is actively running, the Status column displays Run in progress. The Status column displays Complete for past agent runs.
After the agent completes a run, the Overview tab updates with the top vulnerabilities that should be reviewed and addressed. This tab shows only a few suggestions at a time; the full list is available on the Suggestions tab. Use either tab to drill down and review or manage recommendations.
Run the Vulnerability Remediation Agent
Run the agent to evaluate new data from Defender and refresh Agent suggestions for discovered vulnerabilities. The agent runs until evaluation completes; you can't stop or pause it.
The agent uses the identity and permissions of the assigned Intune admin account. Its operations are limited to the permissions of that account. If the agent doesn't run for 90 consecutive days, its authentication expires and subsequent runs fail until the identity is renewed.
The agent doesn't support scheduled runs and must be started manually each time you want to update its results.
To manually run the Vulnerability Remediation Agent:
In the Microsoft Intune admin center, go to Agents > Vulnerability Remediation Agent (preview).
On the Overview tab, select Start agent. This option isn't available until after the agent is set up and completes its first run.
Manage agent suggestions
Use the Vulnerability Remediation Agent node to review and manage the vulnerability suggestions in the Intune admin center. Agent suggestions are a prioritized list of the top vulnerabilities identified based on data from Microsoft Defender Vulnerability Management.
You can select Agent suggestions from both the Overview and Suggestions tabs.
Understanding agent suggestions
Agent suggestions display the following information:
Suggested next steps: Each suggested next step is a link that opens a Suggested action pane with detailed remediation guidance.
Impact: The potential impact based on the exposure score as identified by Microsoft Defender Vulnerability Management.
Exposed devices: The count of affected devices. CVE counts shown by the agent are only for devices with Windows client operating system editions and don't include server editions.
Status: By default, a reported vulnerability has its status set to Not applied. You can mark suggestions as applied after implementing remediation.
Last applied: The date and time when you marked the remediation guidance as applied.
Working with suggested actions
When you select a suggested next step, the Suggested action pane provides detailed information including:
- Details about the associated vulnerabilities (for Intune managed devices)
- Suggested actions to take to remediate the threat
- A Configurations section with available settings from the Intune settings catalog
- An option to mark the remediation as Applied
Remediation guidance categories
Remediation guidance falls into the following categories:
Apps: To remediate app vulnerabilities, the agent might recommend:
- Deployment of an updated app version
- Deployment of an Intune profile to manage app behavior and reduce security risks
Operating system: To remediate operating system (OS) vulnerabilities, like those for Windows, common recommendations include:
- Deployment of a quality update policy
- Expedited deployment of quality updates using Windows update rings
When a recommendation involves a Windows update, the agent guidance includes details about using update rings to help manage a controlled rollout of the update.
Important
Some suggested Windows update recommendations begin with Expedite. The agent uses this format when the CVE's Common Vulnerability Scoring System (CVSS) score reaches a risk value of 9.0 or greater. For this level of risk, the agent recommends expediting these updates to your devices immediately. The guidance includes how to use Expedited installation of quality updates to more rapidly deploy the recommended update.
Configuration recommendations
Note
There is an active but temporary issue affecting the Vulnerability Remediation agent. Until it’s resolved, the agent is unable to provide recommended Configurations for settings to use for this threat. The agent still identifies threats, explains their background, and offers step-by-step actions.
Configuration recommendations will resume automatically once the issue is resolved.
In the Configurations section, the agent provides details for creating a device configuration policy using available settings from the settings catalog. This guidance helps you reduce your attack surface against vulnerabilities and includes:
- A list of relevant settings you can configure through an Intune settings catalog policy
- The recommended configuration for each setting
- A citation icon next to each setting that, when selected, displays that setting's description and might include links to the underlying Configuration Service Provider (CSP) documentation
If there are no recommended device configuration settings to deploy, the Configurations section indicates that no recommended settings catalog policy configurations are available.
Track applied remediations
After you review agent suggestions and apply recommended remediations, you can self-attest to applying those remediations by selecting Mark as applied. This action:
- Confirms that the remediation steps are complete
- Doesn't trigger any device changes by the agent
- Adds a timestamp called Last marked as applied to track when the remediation was implemented
With subsequent runs of the agent, suggestions might be updated. If a previous suggestion was marked as applied, you can self-attest to applying the more recent suggestions by selecting Mark update as applied. This updates the Last marked as applied timestamp to the current time.
While optional, marking a suggested action as applied helps track when suggested remediations were implemented. Recommendations marked as applied persist in the agent suggestions list, serving as a baseline for future runs and allowing you to compare new results and changes for the same vulnerability over time.
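The two behaviors described above (the Expedite label for CVSS 9.0 or greater, and the applied baseline that persists across runs so counts for the same vulnerability can be compared) can be modeled in a few lines. The following Python is an added illustration, not code from Intune, Defender, or this article; the suggestion records, the CVE placeholders, and the ordering by CVSS and exposed-device count are constructed assumptions (the agent's real ranking comes from the Defender Vulnerability Management exposure score).

```python
"""Constructed model of the agent's suggestion list (added example, not Intune code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The article states that update guidance begins with "Expedite" when the
# CVE's CVSS score reaches 9.0 or greater.
CVSS_EXPEDITE_THRESHOLD = 9.0


@dataclass
class Suggestion:
    cve: str                          # placeholder id, e.g. "CVE-0000-0001"
    cvss: float
    exposed_devices: int
    status: str = "Not applied"       # default status before self-attestation
    last_applied: Optional[datetime] = None
    previous_exposed: Optional[int] = None  # count from the prior run, if any
    last_run: int = 0                 # agent run in which this record last appeared


def update_guidance(cvss: float) -> str:
    """Return the kind of Windows update recommendation the article describes."""
    if cvss >= CVSS_EXPEDITE_THRESHOLD:
        return "Expedite: expedited installation of the quality update"
    return "Deploy: quality update policy rolled out with update rings"


class SuggestionTracker:
    """Keeps suggestions across runs; applied ones remain as a baseline."""

    def __init__(self) -> None:
        self.suggestions: dict[str, Suggestion] = {}

    def ingest_run(self, run_number: int, records: list) -> None:
        """records: list of (cve, cvss, exposed_devices) tuples from one run."""
        for cve, cvss, exposed in records:
            existing = self.suggestions.get(cve)
            if existing is None:
                self.suggestions[cve] = Suggestion(cve, cvss, exposed, last_run=run_number)
                continue
            # Refresh the data but keep status and timestamp (the baseline).
            existing.previous_exposed = existing.exposed_devices
            existing.cvss = cvss
            existing.exposed_devices = exposed
            existing.last_run = run_number

    def mark_applied(self, cve: str, when: datetime) -> Suggestion:
        """Self-attest that remediation is done; no device change happens here."""
        s = self.suggestions[cve]
        s.status = "Applied"
        s.last_applied = when
        return s

    def exposure_delta(self, cve: str) -> Optional[int]:
        """Change in exposed devices since the previous run (None if first seen)."""
        s = self.suggestions[cve]
        if s.previous_exposed is None:
            return None
        return s.exposed_devices - s.previous_exposed

    def prioritized(self) -> list:
        # Assumed ordering for the illustration: highest CVSS first, then most exposed.
        return sorted(self.suggestions.values(),
                      key=lambda s: (-s.cvss, -s.exposed_devices))


if __name__ == "__main__":
    tracker = SuggestionTracker()
    # Constructed sample data for two runs of the agent.
    tracker.ingest_run(1, [("CVE-0000-0001", 9.8, 120), ("CVE-0000-0002", 7.5, 40)])
    tracker.mark_applied("CVE-0000-0001", datetime.now(timezone.utc))
    tracker.ingest_run(2, [("CVE-0000-0001", 9.8, 15), ("CVE-0000-0002", 7.5, 40)])
    for s in tracker.prioritized():
        print(s.cve, update_guidance(s.cvss), s.status, tracker.exposure_delta(s.cve))
```

Running the block shows the applied suggestion surviving the second run with its timestamp intact and an exposure delta of -105, which is the comparison the article says the baseline enables.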
View agent activity
The Activity section tracks the current and past run activity of the agent:
- When the agent is actively running, the Status column displays Run in progress
- The Status column displays Complete for past agent runs
This section provides visibility into:
- When the agent last ran
- How long each run took to complete
- Success or failure status of each run
Agent logs
All agent management actions (create, delete, run) and any permission failures are available in Security Copilot logs. Logging of discovered vulnerabilities, or of when remediations were applied, isn't available. Instead, use the options to mark remediated vulnerabilities as Applied.
Common errors
While the agent run might fail due to insufficient SCUs, there are other possible errors that can occur. This section lists some common error messages you might encounter while using the agent, along with explanations and suggested actions.
The agent doesn't provide accurate suggestions
In this case, the agent may not have enough data to generate accurate suggestions, or its settings might not fully align with your organization's environment.
To help improve future suggestions, use the like/dislike buttons available on each suggestion to share your feedback.
You don't have access to this agent - Licenses
Details: You don't have the licenses needed to access this agent.
Check the licensing and plugins requirements for this agent, and make sure the necessary licenses and configurations are assigned in your tenant.
You don't have access to this agent - Workspace
Details: You aren't part of the workspace needed to access this agent.
This message indicates that your account doesn't have permission to view or use the Security Copilot workspace, which is configured at the time Security Copilot is added to your tenant. Contact the administrator who installed or manages your Security Copilot subscription for assistance in gaining access, and see Understand authentication in Microsoft Security Copilot.
You don't have access to this agent - Permissions
Details: You don't have the permissions needed to access this agent.
Review the roles requirements to use the agent. Work with an Intune Administrator to assign your account the required permissions.
The agent encountered an error and didn't finish the run. Try running the agent again.
Details: The agent instance failed to start or successfully complete its run. Details of the failure can't be identified. Despite failing to run or complete, admins can continue to view and manage the agent suggestions from past runs.
If the agent continues to fail, it's possible that it has lost authorization for its identity account and can't run until it's reauthorized. Possible reasons for a loss of authorization include, but aren't limited to:
- The agent's authorization period of 90 days was reached.
- The user account that the agent was installed with is subject to a policy that requires periodic reauthentication.
- An access token has been revoked.
Agent reauthorization requires that the agent is removed and then set up again.
Warning
When an agent is removed, all existing agent suggestions are deleted. This includes details about suggestions that were marked as Applied.