Security Copilot in Intune reached general availability in July 2025, and since then it’s been one of those features that generates a lot of buzz and not always a lot of clarity about what it actually does in practice. This post is an attempt to cut through that — to explain the three distinct capability layers involved, where each one is genuinely useful, where it isn’t, and what you need in place before any of it lights up in your tenant.

The short version: Explorer is a well-executed query tool that most Intune admins will find immediately useful. The embedded contextual Copilot is more situationally valuable. The agents are the most ambitious piece and the one still maturing. All three are worth understanding separately.

Three distinct capability layers

Microsoft has shipped Security Copilot in Intune as three overlapping but distinct experiences. Understanding which layer you’re in at any given moment matters for both your expectations and your SCU budget.

  • Explorer. Where it lives: Intune admin center > Explorer (left nav). What it does: natural language queries against Intune data; guided query selection; action from results.
  • Embedded contextual Copilot. Where it lives: within device, policy, app, and EPM pages in the admin center. What it does: context-aware summaries, setting explanations, KQL generation, EPM elevation risk assessment.
  • Agents. Where it lives: standalone Security Copilot portal, plus embedded in workflows. What it does: autonomous or semi-autonomous task execution (Vulnerability Remediation Agent, Conditional Access Optimization Agent, others).

Layer 1: Explorer

Explorer is the most immediately accessible piece and the one most Intune admins will find practical on day one. It’s a dedicated page in the Intune admin center — you’ll find it in the left navigation — where you type questions in natural language and get query results back, with a Copilot-generated summary of what was found and suggested next actions.

The experience is backed by pre-built query views that Microsoft has built and tested against the Intune data platform. When you type a question, Explorer matches it to the closest available query view and runs it. This is a deliberate design choice — it’s not free-form prompting against an LLM that might hallucinate a nonsensical query. You’re guided toward queries that are known to work, which keeps results reliable and — importantly — Explorer appears not to consume SCUs in the same way that free-form prompts do.

What you can ask

The query coverage spans the main Intune data domains: devices, users, apps, compliance, security policies, and update status. Some representative examples:

  • Show me devices that are not on the latest version of Windows
  • Which devices are non-compliant and past the grace period?
  • List devices where a specific user is signed in
  • Show me all versions of 7-Zip discovered across my Windows devices
  • Which Endpoint Privilege Management rules are in conflict?
  • Find devices that haven’t been patched in the last 30 days

Queries that return a list of devices or users have an additional capability: you can add the results directly to an Entra group, then target apps or policies to that group — all from within Explorer without leaving the admin center. This closes a loop that previously required exporting data, pivoting to a different tool, and running a separate group update.
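For comparison, here is the loop Explorer closes, done the old way. This is an added example, not code from the original post or from Microsoft: it pulls managed devices from Microsoft Graph, keeps the ones that are non-compliant and past their grace period, and adds them to an Entra group that a policy can then target. It assumes the Microsoft.Graph PowerShell SDK is installed; the group object id is a placeholder and the sample devices are constructed so the filter can be exercised offline.

```powershell
# Added example, not code from the original post or from Microsoft. Reproduces by hand
# the loop Explorer closes: find non-compliant devices past grace, then add them to an
# Entra group that apps or policies can target.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the group object id and the
# sample devices below are constructed placeholders, not real tenant data.

function Select-DevicesPastGrace {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # Intune reports 'noncompliant' once grace has expired; a device still in
    # 'inGracePeriod' counts only if its expiry timestamp is already behind us.
    $Devices | Where-Object {
        $_.complianceState -eq 'noncompliant' -or (
            $_.complianceState -eq 'inGracePeriod' -and
            $_.complianceGracePeriodExpirationDateTime -and
            ([datetime]$_.complianceGracePeriodExpirationDateTime).ToUniversalTime() -lt $Now
        )
    }
}

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are not truncated at one page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    $items
}

function Add-DevicesToEntraGroup {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][object[]]$Devices
    )
    foreach ($d in $Devices) {
        # managedDevice.azureADDeviceId is the Entra device's deviceId, not its object id,
        # and group membership needs the object id, so resolve it first.
        $lookup = "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$($d.azureADDeviceId)'"
        $entra  = Get-GraphCollection -Uri $lookup | Select-Object -First 1
        if (-not $entra) { Write-Warning "No Entra device object for $($d.deviceName)"; continue }
        $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($entra.id)" }
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId/members/`$ref" -Body $body
    }
}

# Constructed sample (not real tenant data) so the filter can be checked offline.
$sample = @(
    [pscustomobject]@{ deviceName='PC-001'; complianceState='compliant';     azureADDeviceId='00000000-0000-0000-0000-000000000001'; complianceGracePeriodExpirationDateTime=$null }
    [pscustomobject]@{ deviceName='PC-002'; complianceState='noncompliant';  azureADDeviceId='00000000-0000-0000-0000-000000000002'; complianceGracePeriodExpirationDateTime='2025-01-01T00:00:00Z' }
    [pscustomobject]@{ deviceName='PC-003'; complianceState='inGracePeriod'; azureADDeviceId='00000000-0000-0000-0000-000000000003'; complianceGracePeriodExpirationDateTime='2099-01-01T00:00:00Z' }
    [pscustomobject]@{ deviceName='PC-004'; complianceState='inGracePeriod'; azureADDeviceId='00000000-0000-0000-0000-000000000004'; complianceGracePeriodExpirationDateTime='2025-01-01T00:00:00Z' }
)
Select-DevicesPastGrace -Devices $sample | Format-Table deviceName, complianceState

# Live path, opt-in via an environment variable so the script is safe to run as-is.
if ($env:INTUNE_LIVE -eq '1') {
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All','GroupMember.ReadWrite.All'
    $live = Get-GraphCollection -Uri ('https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
        "?`$select=deviceName,complianceState,complianceGracePeriodExpirationDateTime,azureADDeviceId")
    Add-DevicesToEntraGroup -GroupId '<remediation-group-object-id>' -Devices (Select-DevicesPastGrace -Devices $live)
}
```

Offline, the sample yields PC-002 (already noncompliant) and PC-004 (in grace, but the expiry has passed); PC-003 is still inside its grace window and is left alone. The three functions are the three manual steps the post describes (export, pivot to Entra, update the group), which is exactly the context switch Explorer removes. Note the scopes: adding members needs GroupMember.ReadWrite.All, so whoever runs this holds more standing privilege than an Explorer user who only acts from query results.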

What Explorer is not

It’s worth being clear about the scope. Explorer is not a conversational AI that reasons freely about your environment. The intelligent search matches your input to available query templates. If you ask something Explorer doesn’t have a query for, it tells you — or it suggests using the embedded Copilot experience instead. This is appropriate behaviour, not a limitation to complain about: it means the results you do get are reliable.

Windows 365 Cloud PC data is also available in Explorer, giving you a single query surface across both physical and cloud endpoints.

Layer 2: Embedded contextual Copilot

Beyond Explorer, Security Copilot is embedded directly within the Intune admin center’s existing pages — device detail views, policy pages, app configuration, and Endpoint Privilege Management. This is a different mode: it’s context-aware assistance that draws on whatever object you’re currently looking at and applies Copilot reasoning to it.

This layer does consume SCUs in proportion to the prompts you run, so it’s worth being intentional. The embedded experiences that deliver the most signal relative to their cost:

EPM elevation risk assessment

This is the most practically valuable embedded Copilot feature for environments running Endpoint Privilege Management. When a user submits an elevation request for an application or installer that your help desk doesn’t recognise, Copilot can pull in data from Microsoft Defender Threat Intelligence, combine it with the device’s risk score and the user’s risk context, and surface a consolidated risk assessment — app reputation, indicators of compromise, whether similar files have been flagged in other tenants — directly in the EPM approval workflow.

Without this, the approver has to context-switch: look up the executable hash in Defender or VirusTotal, check the file’s publisher, assess the user’s history, and make a judgment call. Copilot consolidates that research into the approval page. The approver still makes the decision — Security Copilot does not act autonomously on elevation requests — but they make it with more signal and less friction.

Practical note: the Copilot risk assessment requires Endpoint Privilege Management, which is licensed through the Intune Suite or as a standalone Intune add-on; it is not included in Microsoft 365 E5, which only brings Intune Plan 1. The EPM Copilot integration is what makes the ‘support approved’ workflow workable at scale; without it, manual review of unknown executables is the bottleneck that pushes admins toward over-approving.

KQL assistance for Advanced Analytics

If you’re using Intune Advanced Analytics and device query, Copilot can generate KQL queries from natural language descriptions. You describe what you want to find — “show me Windows 11 devices with TPM 2.0 that haven’t synced in 14 days” — and Copilot writes the KQL, shows you the generated query, and explains how it constructed it. You can run the suggested query as-is or modify it before executing.

This is genuinely useful for Intune admins who are comfortable with what device query can do but are not fluent KQL writers. It’s also useful for building a library of queries: generate them via Copilot, validate the results, then save them for future use without the AI overhead.

Policy and setting summaries

On configuration profile and settings catalog pages, Copilot can summarise what a policy does, explain what a specific setting controls and what its implications are, and check whether a setting is already configured in other profiles targeting the same devices. That last capability — conflict detection across profiles — is the one that saves real time. Tracking down which of your 40 configuration profiles is responsible for a specific setting conflict has historically meant manual cross-referencing. Copilot surfaces this in context.
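The cross-referencing the paragraph describes can also be scripted, which is useful as a tenant-wide sweep rather than a per-profile check. The following is an added example, not code from the original post or from Microsoft: it reads settings catalog profiles, their group assignments and their settings from the Graph beta configurationPolicies endpoints, then lists every setting definition that is configured in more than one profile assigned to the same group. It assumes the Microsoft.Graph PowerShell SDK (including the beta DeviceManagement module); the sample profiles, group names and setting ids are constructed so the overlap logic can run offline.

```powershell
# Added example, not code from the original post or from Microsoft. Does the manual
# cross-reference the embedded Copilot performs in context: list settings catalog
# definitions that appear in more than one profile assigned to the same Entra group.
# Assumptions: Microsoft.Graph PowerShell SDK with the beta DeviceManagement module;
# the sample profiles below are constructed, not real tenant data.

function Find-SettingOverlaps {
    # $Profiles: objects with Name, AssignedGroups (string[]) and SettingIds (string[]).
    param([Parameter(Mandatory)][object[]]$Profiles)
    $index = @{}   # "<groupId>|<settingDefinitionId>" -> names of profiles that set it
    foreach ($p in $Profiles) {
        foreach ($g in $p.AssignedGroups) {
            foreach ($s in $p.SettingIds) {
                $key = "$g|$s"
                if (-not $index.ContainsKey($key)) {
                    $index[$key] = [System.Collections.Generic.List[string]]::new()
                }
                $index[$key].Add($p.Name)
            }
        }
    }
    foreach ($key in $index.Keys) {
        if ($index[$key].Count -gt 1) {
            $group, $setting = $key -split '\|', 2
            [pscustomobject]@{
                GroupId             = $group
                SettingDefinitionId = $setting
                Profiles            = ($index[$key] -join ', ')
            }
        }
    }
}

function Get-SettingsCatalogProfiles {
    # Builds the same shape as the sample below from live Graph data.
    $base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
    foreach ($p in (Get-MgBetaDeviceManagementConfigurationPolicy -All -Property id,name)) {
        $assign = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.Id)/assignments").value
        # Keep include targets only: exclusion targets and all-devices/all-users targets
        # either carry no groupId or mean the opposite of "assigned to this group".
        $groups = $assign |
            Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } |
            ForEach-Object { $_.target.groupId }
        # Settings are read as a single page; add a nextLink loop for very large profiles.
        $settings = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.Id)/settings").value
        [pscustomobject]@{
            Name           = $p.Name
            AssignedGroups = @($groups)
            SettingIds     = @($settings | ForEach-Object { $_.settingInstance.settingDefinitionId })
        }
    }
}

# Constructed sample: two profiles set the same Defender PUA setting for the same group,
# a third sets it for an unrelated group and must not be reported.
$sample = @(
    [pscustomobject]@{ Name='Baseline - Defender';  AssignedGroups=@('grp-all-workstations');
        SettingIds=@('device_vendor_msft_policy_config_defender_allowrealtimemonitoring',
                     'device_vendor_msft_policy_config_defender_puaprotection') }
    [pscustomobject]@{ Name='Dev team exceptions';  AssignedGroups=@('grp-all-workstations','grp-developers');
        SettingIds=@('device_vendor_msft_policy_config_defender_puaprotection') }
    [pscustomobject]@{ Name='Kiosk lockdown';       AssignedGroups=@('grp-kiosks');
        SettingIds=@('device_vendor_msft_policy_config_defender_puaprotection') }
)
Find-SettingOverlaps -Profiles $sample | Format-Table -AutoSize

if ($env:INTUNE_LIVE -eq '1') {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
    Find-SettingOverlaps -Profiles (Get-SettingsCatalogProfiles) | Format-Table -AutoSize
}
```

Offline, the sample produces a single row: grp-all-workstations, the PUA protection setting, set by both ‘Baseline - Defender’ and ‘Dev team exceptions’. Two caveats a practitioner would want. First, this matches on settingDefinitionId only; two profiles that set the same value are duplication, and only differing values are a real conflict, so extend it by also comparing the value under settingInstance if you want that distinction. Second, it only catches overlaps through the same group; two profiles targeting different groups that contain the same devices also conflict, and resolving that requires expanding membership, which is the part Copilot does for you when it checks “other profiles targeting the same devices”.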

Layer 3: Agents

At Ignite 2025 Microsoft announced a new wave of Security Copilot agents, including several relevant to Intune and endpoint management. Agents are different in character from the Explorer and embedded experiences — they are designed to operate autonomously on specific, defined tasks, rather than responding to ad-hoc prompts. All actions still require admin approval; agents do not make changes unilaterally.

The agents most relevant to Intune administrators:

  • Vulnerability Remediation Agent: identifies breach or disruption risks from vulnerability data, prioritises which patches to address first, and surfaces recommended Intune configurations to remediate exposed settings. Works alongside EPM and Defender data.
  • Conditional Access Optimization Agent: scans your Entra CA policies for gaps, overlaps, and outdated assignments. Generates one-click remediation recommendations with plain-language explanations. Supports custom business rules via natural language. Lives in Entra but is directly relevant to Intune compliance policy integration.
  • Phishing Triage Agent: automates triage of reported phishing emails. Less directly Intune-specific, but relevant for E5 environments where Intune device compliance feeds into Conditional Access and email security policy.

The Vulnerability Remediation Agent is the most directly Intune-relevant. It bridges the gap between knowing a CVE exists and knowing what Intune configuration changes would reduce exposure — a gap that currently requires someone to translate CVSS scores and exploit details into actionable policy changes. The agent does that translation and presents it as a set of recommended Intune configurations ready for review and approval.

Agents are still maturing: Microsoft has been deliberate about framing most Intune-specific Copilot capabilities as ‘assistants’ rather than fully autonomous agents, because few admins are comfortable with AI making unrestricted configuration changes at scale. All agent-suggested actions require explicit admin approval before execution. Treat agents as high-quality research and recommendation tooling, not automation that runs unattended.

What you need before any of this works

There are several layers of prerequisites, and missing any one of them blocks the corresponding capability.

Licensing

Security Copilot is a separate service from Intune itself, and its availability in your tenant depends on how you’re licensed:

  • Microsoft 365 E5 (from November 2025 rollout): Security Copilot is included at no additional cost. You receive 400 SCUs per month for every 1,000 E5 user licenses, up to 10,000 SCUs/month. Rollout is phased with 30-day advance notice to your tenant.
  • Standalone SCU purchase: If you’re not on E5, you can purchase Security Compute Units directly via the Azure portal. Provisioned SCUs cost $4/hour (billed monthly); overage SCUs cost $6/hour. Minimum is 1 provisioned SCU.
  • E3 customers: Security Copilot is not included in Microsoft 365 E3. Standalone SCU purchase is the path.

SCU consumption note: Explorer queries appear not to consume SCUs in meaningful amounts based on community testing — they are matched to pre-built views rather than running free-form prompts. Embedded Copilot experiences (EPM risk assessment, KQL generation, policy summaries) do consume SCUs proportional to the prompts involved. Agents consume SCUs for each task they execute. Monitor your SCU consumption in the Security Copilot admin portal, especially while you’re evaluating.

Roles and permissions

Intune-specific roles do not grant Copilot access automatically. The following assignments are required:

  • Security Copilot access: The account must have the Copilot Owner or Copilot Contributor role in Security Copilot.
  • Intune Administrator (Entra ID role): This role gets Copilot access in Intune by default once Security Copilot is configured.
  • First-run setup: Security Copilot must be configured and the first-run tour completed in the Microsoft Security Copilot portal before the embedded experiences appear in Intune. You can check the status at Tenant administration > Copilot in the Intune admin center.

Feature-specific prerequisites

  • Explorer: Security Copilot enabled in the tenant; Copilot Owner or Contributor role.
  • EPM elevation risk assessment: Endpoint Privilege Management enabled (Intune Suite or the standalone EPM add-on; not included in Microsoft 365 E5).
  • KQL assistance for device query: Intune Advanced Analytics (Intune Suite or the standalone Advanced Analytics add-on).
  • Multi-device query with KQL: Intune Advanced Analytics.
  • Vulnerability Remediation Agent: Security Copilot provisioned; relevant Defender for Endpoint data in the tenant.
  • Surface Management Portal Copilot: Surface devices enrolled in Intune; Surface Management Portal enabled.

An honest assessment

Security Copilot in Intune is further along than most “AI in the admin center” features that have shipped over the last two years. Explorer in particular is a clean implementation that solves a real problem — surfacing Intune data without requiring KQL fluency or custom Power BI reports — and does it in a way that’s reliable rather than impressive-looking-but-unreliable.

The embedded contextual experiences are more variable. The EPM risk assessment integration is excellent and directly addresses the “unknown executable” problem that every EPM deployment hits. The KQL generation is genuinely useful for admins who know what they want but don’t write KQL regularly. The policy and setting explanations are helpful but not transformative — you can get the same information from the docs, it’s just slower.

The agents are the most ambitious piece and still the most nascent. The Vulnerability Remediation Agent’s ability to translate CVE data into recommended Intune configurations is the kind of workflow acceleration that could meaningfully change how security teams interact with endpoint management. But the agent ecosystem is still growing, the boundaries of what agents will and won’t do autonomously are still being defined, and the SCU cost of running agents at scale in large environments needs careful monitoring.

The practical advice: if you’re on E5 and Security Copilot activates in your tenant, start with Explorer. It costs almost nothing in SCU terms and has an immediate payoff. Then evaluate the embedded EPM integration if you’re running EPM — that’s where you’ll see the clearest return. Agents are worth understanding and piloting, but treat them as an evolving capability rather than production tooling you can set and forget.

Quick-start checklist

  1. Confirm licensing: M365 E5 (wait for the activation notice) or provision standalone SCUs in the Azure portal.
  2. Complete Security Copilot first-run setup at securitycopilot.microsoft.com.
  3. Assign Copilot Owner or Contributor roles to your admin accounts.
  4. Verify Copilot status in Intune: Tenant administration > Copilot.
  5. Open Explorer and run a pilot query; start with a compliance or patch status question.
  6. If running EPM: open a pending elevation request and review the Copilot risk assessment panel.
  7. If using Advanced Analytics: try generating a KQL query via Copilot on the device query page.
  8. Set an SCU consumption alert in the Security Copilot admin portal to avoid billing surprises.


Hope this helps!
