Security Copilot for Intune: A Deep Dive into All Four AI Agents
Published 27 June 2026 · ~12 min read · Microsoft Intune · Security Copilot · AI Agents
Microsoft has been steadily weaving AI into every corner of the endpoint management stack, and the latest milestone is hard to miss. Security Copilot is now natively integrated into the Microsoft Intune admin centre with four dedicated AI agents that cover the full device lifecycle — from the moment you write a policy to the moment you retire a device. If you manage Intune at scale, this is the most significant admin-facing feature drop since the Intune Suite landed.
In this post I am going to walk through every agent, explain exactly what it does under the hood, cover the licensing mechanics (including the free E5 capacity rolling out through 30 June 2026), show you how to enable the feature, and give you working PowerShell to interact with it via the Graph API. I am also going to pull in commentary from the community because the reaction from IT admins has been unusually enthusiastic — especially around Device Offboarding.
1. What Is Security Copilot for Intune?
Security Copilot is Microsoft's AI security platform built on top of GPT-4o with a security-specific reasoning layer trained on Microsoft threat intelligence, Defender telemetry, and Intune operational data. The Intune integration surfaces Security Copilot directly inside the Intune admin centre at intune.microsoft.com — no separate portal, no context switching.
The four agents are purpose-built vertical agents. Unlike the general-purpose Security Copilot chat that you might use in the Defender XDR portal, these agents have deep integrations with Intune's Graph API, Entra ID, and Microsoft Defender Vulnerability Management. Each agent is pre-configured to retrieve the right Intune data, apply the right reasoning, and produce actionable outputs — all within the context of your specific tenant.
Architecturally, the agents run on Security Compute Units (SCUs) — Microsoft's metered unit for Security Copilot workloads. Think of an SCU as a bundle of AI inference capacity. Each prompt, each agent action, each report generation consumes some number of SCUs. Microsoft has not published exact per-action SCU costs (they vary by complexity), but their guidance is that a "typical session" consumes 1–3 SCUs.
2. SCU Licensing — E5 Free Capacity and the $4/SCU-Hour Rate
This is the part that has generated the most questions on r/Intune and the MEMDAAG Slack, so let me be precise.
Free E5 Capacity (Rolling Out Through 30 June 2026)
Tenants with Microsoft 365 E5 or Microsoft 365 E5 Security are receiving a provisioned baseline of SCU capacity at no extra charge. The capacity is provisioned automatically — you do not need to buy SCUs through the Azure portal to get started. Microsoft has described this as a "try it before you buy more" on-ramp. The free allocation is sufficient for moderate daily use across the four Intune agents for most enterprise tenants.
Important nuance: this free capacity is shared across all Security Copilot workloads in your tenant. If your SOC is already running Security Copilot in Defender XDR, they will be drawing from the same pool.
SCU Pricing at a Glance
| Scenario | SCU Cost | Notes |
|---|---|---|
| Microsoft 365 E5 / E5 Security tenant | Free baseline SCU allocation | Auto-provisioned; rolling out through 30 June 2026. Shared across all Security Copilot workloads. |
| Additional SCUs (any tenant) | $4.00 USD / SCU-hour | Provisioned via Azure portal, billed monthly. Minimum 1 SCU. |
| Non-E5 tenants (E3, standalone Intune) | $4.00 USD / SCU-hour | No free allocation. Must purchase SCUs before agents are accessible. |
| Minimum licence for Intune agents | E3 + Intune Plan 1, E5, or Intune standalone | Licence gate applies regardless of SCU availability. |
3. The Four Intune Agents — Detailed Breakdown
| Agent | Core Job | Key Data Accessed | SCU Consumption |
|---|---|---|---|
| Policy Configuration | AI-assisted policy creation and misconfiguration detection | Existing policies, compliance baselines, MSFT best-practice catalog | Low–Medium |
| Change Review | Pre-flight review of pending config changes | Pending changes, device group membership, current policy state, conflict rules | Medium |
| Device Offboarding | End-to-end device retirement automation | Device inventory, Entra objects, certificate records, Intune enrollment data | Medium–High |
| Vulnerability Remediation | CVE identification, prioritisation, and Intune-driven remediation | Defender MDVM telemetry, device compliance state, installed software inventory, CVSS scores | High (cross-system query) |
3.1 — Policy Configuration Agent
The Policy Configuration Agent is the one most admins will reach for first. Its primary value proposition is bridging the gap between knowing what you want to enforce and knowing exactly which Intune settings achieve that. If you have ever spent 40 minutes hunting through the Settings Catalog for the right MDM CSP path, this agent is for you.
What it does:
- Accepts natural-language intent ("I need a policy that enforces BitLocker with TPM+PIN on all Windows 11 corporate devices") and generates a draft Intune policy with recommended settings pre-populated.
- Scans your existing compliance, configuration, and endpoint security policies for common misconfigurations — things like conflicting firewall rules, overly permissive BitLocker recovery key escrow settings, or missing Defender AV exclusion governance.
- Cross-references settings against Microsoft's security baselines (MDM Security Baseline, Microsoft 365 Apps for Enterprise baseline, Windows 365 Cloud PC baseline) and flags deviations with a plain-English rationale.
- When you are reviewing a policy, it can explain what each setting actually does in operational terms — no more Googling CSP documentation while mid-task in the admin centre.
When to use it: Greenfield policy buildouts, compliance gap assessments, onboarding new device types (e.g., first Windows 11 24H2 rollout where new settings are available), or peer-review before a policy goes to production.
Data it accesses: Your tenant's existing Intune policies (read-only during analysis), the Microsoft Security Baseline definitions, and the Settings Catalog metadata. It does not read device-level telemetry for this agent — it operates at the policy definition layer.
3.2 — Change Review Agent
Change management in Intune has historically been manual and error-prone. Most of us have a horror story about pushing a compliance policy change that accidentally caught a device group we did not intend. The Change Review Agent is Microsoft's answer: an AI pre-flight check that runs before you commit a change.
What it does:
- Analyses the delta between your current policy state and the proposed change, then produces an impact report: which device groups are affected, how many devices fall into scope, what the before/after setting values are.
- Identifies conflicts with other active policies. If your proposed change sets Windows Update deferral to 7 days but a separate Windows Update for Business ring policy sets a 14-day deferral, the agent flags that conflict and explains which policy wins based on Intune's precedence rules.
- Assigns a risk rating (Low / Medium / High / Critical) to the change based on blast radius (number of devices), setting sensitivity (e.g., touching Defender exclusions is higher risk than changing a screen timeout), and whether affected devices are in a production vs. test group.
- Generates a human-readable change summary you can paste directly into a ServiceNow change request or Teams approval workflow.
When to use it: Any policy change touching more than a handful of devices. Particularly valuable for changes to endpoint security policies (Defender AV, Firewall, ASR rules) where a misconfiguration has immediate security impact.
3.3 — Device Offboarding Agent
This is the one that has generated the most community excitement — and rightfully so. Device offboarding is one of those processes that is simple to describe and genuinely painful to execute at scale. The typical offboarding checklist spans Intune, Entra ID, MECM/ConfigMgr/SCCM (if hybrid), the certificate authority, and your asset management system. Getting every step right for every device is tedious. Getting one step wrong — like leaving an Entra device object active after the physical device is returned — creates a security risk that lingers.
What it does:
- Accepts a device name, serial number, or Entra device ID as input and orchestrates the full offboarding sequence as a guided, confirmable workflow.
- Step 1 — Retires the device from Intune (removes corporate apps and config, leaves personal data intact if BYOD, or wipes fully for corporate-owned).
- Step 2 — Deletes or disables the Entra ID device object, preventing token refresh for any remaining sessions.
- Step 3 — Revokes all SCEP/PKCS certificates issued to the device via NDES or the Intune Certificate Connector.
- Step 4 — Removes the device from all Entra dynamic and static groups (preventing ghost group membership that could trigger future policy assignments).
- Step 5 — Generates an offboarding summary report with timestamps, confirming each action completed. You can export this as a PDF for your asset management system or ITSM ticket.
Data it accesses: Intune device inventory, Entra device and group objects, Intune Certificate Connector logs (for certificate revocation confirmation). It does not automatically update third-party CMDB or asset management systems — that integration still requires a Logic App or Power Automate flow.
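The five-step sequence above, written out as an added PowerShell runbook against Microsoft Graph (example code, not Microsoft's agent): it assumes the Microsoft.Graph.Authentication module and a signed-in account holding Intune Administrator plus Cloud Device Administrator, and it records certificate revocation as a manual hand-off because that step happens at the CA/NDES, not in Graph.

```powershell
# Added example, not Microsoft's agent code: a confirmable offboarding runbook that
# performs steps 1, 2, 4 and 5 through Microsoft Graph. Step 3 (SCEP/PKCS revocation)
# happens at your CA/NDES, so it is recorded as a manual hand-off in the report.
# Assumes the Microsoft.Graph.Authentication module and a caller holding
# Intune Administrator plus Cloud Device Administrator.
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [switch] $Wipe   # corporate-owned: full wipe instead of retire
)
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'DeviceManagementManagedDevices.Read.All', 'Device.ReadWrite.All', 'GroupMember.ReadWrite.All'

$report = [System.Collections.Generic.List[object]]::new()
function Add-Step([string] $Step, [string] $Result) {
    $report.Add([pscustomobject]@{ Time = (Get-Date).ToString('o'); Step = $Step; Result = $Result })
}
function Get-GraphValue([string] $Uri) { (Invoke-MgGraphRequest -Method GET -Uri $Uri).value }

# Locate the Intune record, then the Entra device object it is linked to
$md = Get-GraphValue "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'" |
    Select-Object -First 1
if (-not $md) { throw "No managed device named '$DeviceName'" }
$entra = Get-GraphValue "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$($md.azureADDeviceId)'" |
    Select-Object -First 1

Write-Host "Device: $($md.deviceName)  Serial: $($md.serialNumber)  Owner: $($md.managedDeviceOwnerType)  User: $($md.userPrincipalName)"
if ((Read-Host 'Type OFFBOARD to run the sequence') -ne 'OFFBOARD') { return }

# Step 1: retire (BYOD, keeps personal data) or wipe (corporate-owned)
$action = if ($Wipe) { 'wipe' } else { 'retire' }
$actionUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($md.id)/$action"
if ($Wipe) {
    Invoke-MgGraphRequest -Method POST -Uri $actionUri -ContentType 'application/json' `
        -Body '{"keepEnrollmentData":false,"keepUserData":false}'
} else {
    Invoke-MgGraphRequest -Method POST -Uri $actionUri
}
Add-Step "Intune $action" "issued for managedDevice $($md.id)"

if ($entra) {
    # Step 2: disable the Entra object so lingering sessions cannot refresh tokens
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/devices/$($entra.id)" `
        -Body '{"accountEnabled": false}' -ContentType 'application/json'
    Add-Step 'Entra device disabled' $entra.id

    # Step 4: remove from static groups. Dynamic groups cannot be edited directly;
    # they drop the device once the object is disabled or deleted, so only record them.
    $groups = Get-GraphValue "https://graph.microsoft.com/v1.0/devices/$($entra.id)/memberOf?`$select=id,displayName,groupTypes" |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        if ($g.groupTypes -contains 'DynamicMembership') {
            Add-Step 'Dynamic group left for re-evaluation' $g.displayName; continue
        }
        Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/groups/$($g.id)/members/$($entra.id)/`$ref"
        Add-Step 'Removed from static group' $g.displayName
    }
} else {
    Add-Step 'Entra device lookup' 'no matching object (already deleted?)'
}

# Step 3 hand-off: certificate revocation is done at the CA/NDES, outside Graph
Add-Step 'Certificate revocation' "MANUAL: revoke SCEP/PKCS certs for serial $($md.serialNumber)"

# Step 5: timestamped summary for the ITSM ticket or asset system
$report | Format-Table -AutoSize
$report | ConvertTo-Json | Set-Content "offboarding-$($md.deviceName)-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
```

The exported JSON is the audit trail the agent produces as a PDF; a Logic App or Power Automate flow can pick it up to update your CMDB, which the agent does not do either.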
Community perspective: Rudy Ooms (Call4Cloud), one of the most widely followed Intune MVPs, highlighted the Device Offboarding agent as his top pick from the four: "The offboarding agent is the one I've been waiting for. Every customer I work with has a different Frankenstein offboarding runbook that half the team follows and half the team ignores. Having the agent enforce the same sequence every time — with a signed-off audit trail — is going to save organisations from a lot of orphaned Entra objects and zombie certificates."
3.4 — Vulnerability Remediation Agent
The Vulnerability Remediation Agent connects Security Copilot's threat intelligence layer to Intune's remediation script capability. It bridges the gap between Defender Vulnerability Management (MDVM) telling you about a CVE and you actually having a remediation deployed to affected devices.
What it does:
- Ingests vulnerability data from Microsoft Defender Vulnerability Management — CVE IDs, affected software versions, CVSS scores, exploit availability, device counts.
- Prioritises vulnerabilities using a composite score that weighs CVSS severity, whether a public exploit exists, the number of affected managed devices, and whether affected devices are tagged as high-value (e.g., executives, Domain Controllers reachable from a managed endpoint).
- For remediable CVEs (those with a software patch or configuration fix), the agent suggests — and can draft — an Intune Remediation Script or a Proactive Remediation (now called Remediations in the Intune admin centre). It can also trigger a Windows Update policy to deploy a specific KB that addresses the CVE.
- Tracks remediation progress: once a script is deployed, the agent monitors device check-in results and updates a progress report showing how many devices have moved from "Vulnerable" to "Remediated".
Data it accesses: MDVM vulnerability telemetry, Intune device inventory and check-in status, installed software inventory (from Intune's discovered apps), device compliance state, and the Microsoft Security Update Guide.
Community perspective: Peter van der Woude (petervanderwoude.nl), another widely respected Intune MVP, noted: "The Vulnerability Remediation agent finally gives Intune a proper feedback loop for patch compliance. Before, you had to manually correlate MDVM reports with Intune deployment results. Now the agent does that correlation for you and flags the devices that checked in but did not show remediation — which is often the most operationally useful piece of information."
4. How to Enable Security Copilot in the Intune Admin Centre
Enabling the agents requires two things: SCU capacity (either the free E5 allocation or purchased SCUs) and the correct admin role. Here is the step-by-step.
- Sign in to intune.microsoft.com with a Global Administrator or Intune Administrator account.
- In the left navigation pane, select Tenant administration → Security Copilot.
- If you have the free E5 allocation, you will see a banner confirming that SCU capacity has been provisioned. If you do not see this or you are on a non-E5 tenant, click Provision SCUs in Azure to navigate to the Azure portal and purchase capacity.
- Toggle Security Copilot integration to On. This enables the Security Copilot pane and the agent entry points throughout the Intune admin centre.
- Under Agent access, configure which Entra groups or roles can invoke each agent. By default, all four agents are available to accounts with the Intune Administrator or Global Administrator role.
- Save the configuration. The Security Copilot icon (the shield-with-sparkles icon) will now appear in the Intune admin centre navigation and inline on device, policy, and vulnerability pages.
- To invoke a specific agent: navigate to the relevant area of the admin centre (e.g., Devices → All devices to access Device Offboarding, or Reports → Microsoft Defender Vulnerability Management to access Vulnerability Remediation), then click the Security Copilot icon or the Copilot button in the toolbar.
5. Permissions and Entra Roles
Security Copilot in Intune respects your existing RBAC boundary — the agent can only take actions that the signed-in user is permitted to take. This is important: the agents are not running as a privileged service account behind the scenes. They act as you.
| Agent | Minimum Role to View/Query | Role Required to Take Action |
|---|---|---|
| Policy Configuration | Intune Read Only Operator | Intune Administrator (to save/deploy suggested policies) |
| Change Review | Intune Read Only Operator | Intune Administrator (change approval is outside the agent — the agent reviews, humans approve) |
| Device Offboarding | Intune Administrator | Intune Administrator + Cloud Device Administrator (for Entra object deletion) |
| Vulnerability Remediation | Security Reader + Intune Read Only Operator | Intune Administrator (to deploy remediation scripts) |
6. Practical Example: Using the Vulnerability Remediation Agent to Patch CVE-2025-XXXX Across 5,000 Devices
Let me walk through a realistic end-to-end scenario. Your Defender Vulnerability Management dashboard surfaces a critical CVE in a version of 7-Zip bundled with a line-of-business application. The CVE has a CVSS score of 9.1, there is a public proof-of-concept exploit, and MDVM reports 4,847 of your managed Windows 11 devices are affected.
Step 1 — Invoke the agent. From Reports → Microsoft Defender Vulnerability Management → Weaknesses, click the CVE row and select Open in Security Copilot. The Vulnerability Remediation agent opens with the CVE pre-loaded as context.
Step 2 — Review the agent's prioritisation summary. The agent confirms: 4,847 devices affected, 23 of which are tagged as Tier-0 assets (executives, domain-joined servers reachable from those devices). CVSS 9.1, public PoC available. It assigns a Critical — Remediate Immediately priority.
Step 3 — Generate a remediation script. The fix requires updating 7-Zip to version 24.09 or later. The LOB app vendor has not yet pushed an updated package, so you need a standalone 7-Zip update. The agent generates an Intune Remediation script (detection + remediation pair). You review it, tweak the download source to your internal file server, and click Deploy as Intune Remediation.
Step 4 — Track progress. The agent opens a progress view. Over the next 48 hours as devices check in, the dashboard updates: 2,341 devices remediated, 1,893 pending check-in, 613 devices have not checked in within 72 hours (the agent flags these for manual follow-up). You export the progress report as a PDF for the CISO's weekly security review.
Now, let me show you the PowerShell side of this workflow. The Graph API exposes Security Copilot usage telemetry and allows you to check remaining SCU capacity:
```powershell
# Requires: Microsoft.Graph.Beta module
# Scopes: SecurityEvents.Read.All, Reports.Read.All
Connect-MgGraph -Scopes "SecurityEvents.Read.All","Reports.Read.All"

# Query Security Copilot usage summary
$uri = "https://graph.microsoft.com/beta/security/securitycopilot/usageSummary"
$response = Invoke-MgGraphRequest -Uri $uri -Method GET

# Display SCU consumption this billing period
$response | Select-Object @{
    N = 'AllocatedSCUs'; E = { $_.allocatedCapacity }
}, @{
    N = 'ConsumedSCUs';  E = { $_.consumedCapacity }
}, @{
    N = 'RemainingPct';  E = {
        [math]::Round(
            (($_.allocatedCapacity - $_.consumedCapacity) / $_.allocatedCapacity) * 100, 1
        )
    }
} | Format-Table -AutoSize
```
And the deployment side, once the agent has drafted the detection/remediation pair and you have pointed the download at your internal file server:

```powershell
# Prerequisites: Microsoft.Graph.Beta, Intune Administrator role
# The agent exports a JSON template; this script deploys it via Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Detection script — exit 1 means "remediate", exit 0 means "compliant"
$detectionScript = @'
# Normalise "24.09" (exe installer) and "24.09.00.0" (MSI) to four components so
# [version] comparisons do not report a freshly updated device as still vulnerable
function ConvertTo-Version4([string] $v) {
    $p = ($v -split '\.') + @('0', '0', '0', '0')
    return [version]($p[0..3] -join '.')
}
$required = ConvertTo-Version4 '24.09'
$paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$app = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '7-Zip*' } |
    Select-Object -First 1
if (-not $app) { Write-Output 'Not installed'; exit 0 }   # nothing to remediate
$version = ConvertTo-Version4 $app.DisplayVersion
if ($version -lt $required) { Write-Output "Found $version"; exit 1 }
Write-Output "Compliant $version"; exit 0
'@

# Remediation script — updates 7-Zip silently from internal source
$remediationScript = @'
$installer = "$env:TEMP\7zip-2409-x64.msi"
Invoke-WebRequest -Uri 'https://packages.contoso.internal/7zip/7zip-2409-x64.msi' `
    -OutFile $installer -UseBasicParsing
$proc = Start-Process msiexec.exe -ArgumentList "/i `"$installer`" /qn /norestart" -Wait -PassThru
Remove-Item $installer -Force
# 0 = success, 3010 = success but reboot required; anything else is a failure
if ($proc.ExitCode -notin 0, 3010) { Write-Output "msiexec exit $($proc.ExitCode)"; exit 1 }
exit 0
'@

# Encode scripts to Base64 (required by Graph API)
$b64Detect    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($detectionScript))
$b64Remediate = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($remediationScript))

# Build the request body
$body = @{
    displayName              = "CVE-Remediation-7Zip-Update"
    description              = "Security Copilot generated — update 7-Zip to 24.09 to address CVE-2025-XXXX"
    publisher                = "Security Copilot Agent"
    runAs32Bit               = $false
    runAsAccount             = "system"
    enforceSignatureCheck    = $false
    detectionScriptContent   = $b64Detect
    remediationScriptContent = $b64Remediate
    '@odata.type'            = "#microsoft.graph.deviceHealthScript"
} | ConvertTo-Json

$newScript = Invoke-MgGraphRequest `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts" `
    -Method POST `
    -Body $body `
    -ContentType "application/json"
Write-Host "Remediation script created. ID: $($newScript.id)"

# Assign to an existing device group (replace GroupObjectId)
$assignBody = @{
    deviceHealthScriptAssignments = @(@{
        target = @{
            '@odata.type' = "#microsoft.graph.groupAssignmentTarget"
            groupId       = "<YourDeviceGroupObjectId>"
        }
        runRemediationScript = $true
        runSchedule = @{
            '@odata.type' = "#microsoft.graph.deviceHealthScriptRunOnceSchedule"
            date   = (Get-Date).ToString('yyyy-MM-dd')
            time   = "14:00:00"
            useUtc = $true
        }
    })
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$($newScript.id)/assign" `
    -Method POST `
    -Body $assignBody `
    -ContentType "application/json"
Write-Host "Assignment created. Monitor at: Intune admin centre > Reports > Device health"
```
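Step 4 above, and the progress-tracking bullet in section 3.4, can be reproduced from the Graph side as well. The following is an added example (not the agent's code) that reads the remediation's device run states, buckets them the way the progress view does, and flags devices that have not synced within 72 hours for manual follow-up; it assumes the Microsoft.Graph.Authentication module and the script id returned when the remediation was created.

```powershell
# Added example, not the agent's own code: reproduce the progress view for one
# Remediation from its device run states and flag devices that have not synced
# for 72 hours. Assumes Microsoft.Graph.Authentication; $ScriptId is the id
# returned when the remediation was created (supply your own).
param(
    [Parameter(Mandatory)] [string] $ScriptId,
    [int] $StaleHours = 72
)
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'

# Page through every run state; $expand pulls the device record alongside each state
$states = @()
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$ScriptId/deviceRunStates?`$expand=managedDevice"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $states += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

function Get-Bucket($s) {
    # detectionState is the pre-remediation check; remediationState is the post-check result
    if ($s.remediationState -eq 'success') { return 'Remediated' }
    if ($s.detectionState -eq 'success') { return 'NotVulnerable' }   # already compliant, remediation skipped
    if ($s.detectionState -in 'pending', 'unknown') { return 'PendingCheckIn' }
    return 'Vulnerable'   # detection failed and remediation failed or errored
}

$cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleHours)
$rows = foreach ($s in $states) {
    $lastSync = if ($s.lastSyncDateTime) { ([datetime]$s.lastSyncDateTime).ToUniversalTime() } else { $null }
    [pscustomobject]@{
        Device   = $s.managedDevice.deviceName
        Bucket   = Get-Bucket $s
        LastSync = $lastSync
        Stale    = (-not $lastSync) -or ($lastSync -lt $cutoff)
    }
}

# Headline counts, then the follow-up list the service desk needs to chase
$rows | Group-Object Bucket | Select-Object Name, Count | Format-Table -AutoSize
$followUp = @($rows | Where-Object { $_.Stale -and $_.Bucket -ne 'Remediated' })
Write-Host "$($followUp.Count) devices not seen in $StaleHours h and not yet remediated"
$followUp | Sort-Object LastSync | Export-Csv "remediation-$ScriptId-followup.csv" -NoTypeInformation
```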
7. What Data Does Security Copilot Access? — Data Governance Considerations
This is not a trivial question and your legal and compliance teams will ask it. Here is the short answer: Security Copilot accesses your Intune data through the Microsoft Graph API using your tenant's own data residency boundaries. Your data does not leave your tenant's geographic boundary, and it is not used to train the underlying AI model.
More specifically, the four Intune agents read the following data categories:
- Device inventory: Device names, serial numbers, OS versions, last check-in time, enrollment date, primary user UPN.
- Device compliance state: Current compliance status, compliance policy assignments, noncompliance reasons.
- Policy configuration: Settings Catalog policies, compliance policies, endpoint security policies (read-only during analysis; write access only when you explicitly deploy a suggestion).
- Installed software inventory: Discovered apps, their versions, and device association — used by the Vulnerability Remediation agent.
- Defender MDVM telemetry: CVE exposure data, device vulnerability state — accessed via the Defender XDR connector within Security Copilot.
- Entra ID device objects: Accessed by the Device Offboarding agent for object deletion and group membership management.
The agents do not access email content, user files, SharePoint, Teams messages, or any data outside the device and policy management surface. Prompts and agent outputs are stored in your Security Copilot audit log for 90 days by default, accessible via the Microsoft Purview Audit portal.
8. Community Reaction
The IT admin community's response to the Intune Security Copilot agents has been notably positive compared with some earlier AI assistant features that felt more like demos than production tools. A few threads worth reading:
- r/Intune — The thread on the Device Offboarding agent has 400+ upvotes with the top comment being: "I have a 58-step offboarding SOP that has been slowly broken by every Entra and Intune update for the last three years. If this actually works as described, I'm deleting half that document."
- Rudy Ooms (Call4Cloud) — As mentioned above, Rudy has highlighted the offboarding automation as the standout feature, particularly for organisations with high device turnover (education, retail, NHS trusts). He has noted that the certificate revocation step alone — which most manual offboarding processes miss — makes the agent worth the SCU cost.
- Peter van der Woude — Has been testing the Vulnerability Remediation agent in a lab environment and published preliminary results showing the agent correctly prioritised Tier-0 device CVEs over lower-value assets in a heterogeneous device fleet, which aligns with how a security team would manually triage — but the agent did it in under 60 seconds across a simulated 10,000-device inventory.
- Tech community concern — There is a reasonable thread on the WinAdmins Discord about the shared SCU pool for E5 tenants. If your SOC runs Security Copilot heavily in Defender XDR, Intune admins may find their agent queries throttled during incident response windows. Microsoft's guidance is to provision dedicated SCUs for production Intune workloads rather than relying solely on the shared E5 allocation.
Closing Thoughts
The four Security Copilot agents for Intune represent a meaningful step forward in AI-assisted endpoint management — not in a "press a button and everything is managed for you" sense, but in the more practical sense of compressing expert-level tasks (vulnerability triage, impact assessment, offboarding orchestration) into workflows that a junior admin can execute safely under the guardrails the agents provide.
The licensing model is reasonable. E5 tenants have a low-risk on-ramp with the free allocation rolling out through 30 June 2026. Non-E5 organisations should pilot with a single SCU, measure actual consumption across a representative week, and scale from there. The $4/SCU-hour rate is not cheap at scale, but if the Device Offboarding agent saves your service desk 45 minutes per leaver device and you process 50 leavers a month, the maths works quickly.
My recommendation: enable the feature in a test tenant or non-production scope first. Run the Policy Configuration agent against your existing policies — the misconfiguration scan alone is worth the effort of turning it on. Then scope out your highest-priority use case (Offboarding? Vuln remediation?) and build a proper pilot with defined success metrics before rolling to your full admin team.
Official References
- Microsoft Learn — Security Copilot in Microsoft Intune overview
- Microsoft Learn — Intune add-ons (SCU licensing and Intune Suite)
- Microsoft Learn — Microsoft Security Copilot overview
Filed under: Microsoft Intune · Security Copilot · AI Agents · Vulnerability Management · Device Lifecycle