Today I want to show you how to set up Copilot in Intune. Since Copilot for Intune is based on Microsoft Security Copilot, we technically will need to set up Security Copilot, even if we are not using it for that.
Prerequisites
To get started with Copilot, you need access to at least one Azure subscription to deploy your SCUs, and you need at least one role assigned to you that allows you to access Security Copilot (e.g. Security Admin).
Security compute units
To get started with Security Copilot, we need to deploy at least one SCU as the backend for Copilot. Microsoft recommends at least 3 SCUs to get started in a productive environment. However, if you just want to see it for yourself, you can start with fewer and even deploy them for only an hour or two to save costs if needed (e.g. in your lab environment). See the official docs for how you will get charged for your SCUs: https://learn.microsoft.com/copilot/security/get-started-security-copilot?WT.mc_id=MVP_317638#security-compute-units
Security Copilot
To deploy the SCUs, I recommend starting from the Security Copilot web page, https://securitycopilot.microsoft.com/, as it will directly prompt you to deploy the capacity needed:

Select where and how many SCU(s) should be deployed:

It will then automatically deploy everything needed:

You can see in the backend, the SCU got deployed to our subscription:

Next, since I’m located in Europe, it will show me a message to confirm that my data will be stored in Europe:

Next, we can choose how and if we want to improve Copilot:

After a disclaimer on what Copilot does and does not…:

We can choose whether we want to integrate it with Purview, which I don’t need for Intune, so I left it unchecked:

Next, we can configure who should get access to Copilot in your organization. I will go with the recommended security roles, which include the Intune Admin role, but you can choose whatever fits best in your role concept:

And we are finally ready:

Security Copilot is now ready:

Intune
If everything worked so far, we should now see that Copilot is also available in Intune:

So, what can we do with it now? Well, a lot of cool things…
Device Overview
On the device overview page, three new buttons will appear that let us ask Copilot for more information about the device in question:

Here we can select from a few predefined prompts what we want to know about this device:

If I select “summarize”, I will get a nice overview of the device properties:


It will also allow me to ask more questions about this device by using the Prompt guide:

Device Configuration
When we are in the process of creating a device configuration profile, we can ask Copilot to explain a setting from within the page:

For the “Use Security Key for Signin” setting, for example, it will show me what it would do and where it is applicable:

And again, using the Prompt guide, we can ask further questions about this policy setting:

Speaking of policies, we can also ask Copilot to summarize a whole policy:


(Multi) Device query
Until now, all these functionalities were based on predefined prompts. However, where I found Copilot the most helpful is in device queries.
If you saw my last blog post about the new multi device query, you saw that you need to write KQL queries to get information about your devices. I know learning a new language can be hard, but not to worry, Copilot is here to help:

Here we again have a few predefined prompts available, but we are also able to write our own prompts and ask whatever we want:

It will suggest a query and let me either copy the query to the editor, where I can modify it if needed, or directly run the query in question:

Regardless of which way we go, we will see the query in the editor and the expected result:

This will not only work for multi device query, but also for the “normal” per-device query:

Security Copilot Portal
As you saw, Copilot in Intune already allows for some really cool things. However, if you feel limited by the predefined prompts in the device or policy sections, nothing prevents you from directly asking Copilot from the securitycopilot.microsoft.com page:


From this portal, you can also see your last sessions:

And what results you got:

In the owner settings, you can see and modify your settings, such as how many SCUs you have:

And you can even monitor the usage of your SCUs, allowing you to resize accordingly:

Or if you just wanted to evaluate it in your test environment, you can also deprovision the SCUs from here:


After that, we can see our resource group is empty again:

And the next time we go to securitycopilot.microsoft.com, we will get asked to provision an SCU again:

This way we can limit costs for small test environments like my test lab by only paying for the few hours in a month where I want to evaluate something.
Conclusion
For me, Copilot in Intune is a really helpful addition, as it allows people who are not that familiar with Intune, like your 1st-level support, to get the most information out of the system without having to learn how to write KQL queries just to get a list of running processes on a device.