After much anticipation, Endpoint Privilege Management has arrived! This post offers my initial impressions of this feature without going too deep. For further details on EPM, refer to the official documentation 'Learn about using Endpoint Privilege Management with Microsoft Intune' on Microsoft Learn.
My curiosity led me to explore how to configure Intune settings and observe its functionality on user devices. But first, what exactly is Endpoint Privilege Management, or EPM?
Granting admin rights poses security risks, yet many organizations still do so due to reasons like developers needing multiple installations or older applications demanding elevated admin rights. It’s a dilemma we often face.
For ages, we’ve yearned for a ‘Just in Time’ method, allowing standard users to execute approved applications with elevated access without providing full admin privileges. Finally, this dream has materialized in Endpoint Privilege Management (EPM)!
In this blog, I tested running powershell.exe as an administrator from a standard user account, which triggered the expected UAC credential prompt. I then ran powershell.exe through EPM's 'Run with elevated access' and it started with elevated privileges. This isn't to advocate for standard users running PowerShell as admin; it is merely a convenient test that shows the functionality.
Microsoft Intune’s Endpoint Privilege Management (EPM) empowers your organization’s users to operate as standard users, sans administrator rights, while fulfilling tasks demanding elevated privileges.
Typical tasks requiring administrative privileges encompass application installations (such as Microsoft 365 Applications), updating device drivers, and executing specific Windows diagnostics.
Endpoint Privilege Management aligns with your Zero Trust strategy by enabling a widespread user base to function with minimal privileges, permitting authorized tasks that contribute to organizational productivity. For deeper insights, refer to Microsoft Intune’s Zero Trust guidelines.
This article’s subsequent sections outline the prerequisites for EPM usage, offer an operational overview of its functionalities, and introduce crucial concepts pivotal to EPM.
Applicable to:
- Windows 10
- Windows 11
Prerequisites
Endpoint Privilege Management requires an additional license beyond the Microsoft Intune Plan 1 license. You can choose between a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite.
- Microsoft Entra joined or Microsoft Entra hybrid joined
- Microsoft Intune Enrollment or Microsoft Configuration Manager co-managed devices (no workload requirements)
- Supported Operating System
- Clear line of sight (without SSL-Inspection) to the required endpoints
Endpoint Privilege Management supports the following operating systems:
- Windows 11, version 22H2 (22621.1344 or later) with KB5022913
- Windows 11, version 21H2 (22000.1761 or later) with KB5023774
- Windows 10, version 22H2 (19045.2788 or later) with KB5023773
- Windows 10, version 21H2 (19044.2788 or later) with KB5023773
- Windows 10, version 20H2 (19042.2788 or later) with KB5023773
Getting Started
Endpoint Privilege Management (EPM) is integrated into Microsoft Intune, streamlining all configurations within the Microsoft Intune Admin Center. Organizations embarking on EPM adoption follow a structured process detailed below:
- License Endpoint Privilege Management: To utilize Endpoint Privilege Management policies, acquiring a license for EPM within your tenant as an Intune add-on is imperative. For licensing details, refer to the ‘Use Intune Suite add-on capabilities’ documentation.
- Deploy an Elevation Settings Policy: Initiating EPM on the client device is facilitated through an elevation settings policy. This policy not only activates EPM but also allows configuration of device-specific settings, unrelated to the elevation of individual applications or tasks.
- Deploy Elevation Rule Policies: Linking applications or tasks to elevation actions is achieved through elevation rule policies. This policy grants the ability to configure the elevation behavior for permitted applications within your organization when they run on the device.
At this moment, there are three tabs in the EPM blade:
- Report – four built-in reports: Elevation report, Managed elevation report, Elevation report by applications and Elevation report by publisher. (Reports update every 24 hours.)
- Policies – two policy types: Elevation settings policy and Elevation rules policy.
- Reusable settings – lets you import an application's signing certificate once and reuse it in elevation rule policies.
The Configuration
Elevation settings policy
I began with the elevation settings policy, which encompasses three key configurations:
- Enable Endpoint Privilege Management: must be set to 'Enable' for EPM to function on the device.
- Default Elevation Response: the response EPM gives when a user right-clicks an EXE that no elevation rule covers and selects 'Run with elevated access'. It offers three options:
– Deny All Requests: automatically denies all requests for elevated access.
– Require User Confirmation: the user must pass one or both validations, 'Business Justification' and/or 'Windows Authentication'.
– 'Business Justification' requires the user to state why they need to run the app elevated; the text ends up in the elevation reports.
– 'Windows Authentication' requires the user to re-authenticate with their Windows credentials (password or Windows Hello for Business) before the elevation proceeds.
- Data Sharing with Microsoft: controls whether the device sends diagnostic data and/or elevation data. Diagnostic data is sent to Microsoft, while elevation data is retained within your Intune tenant and feeds the reports mentioned above.
Once my test devices had applied the Elevation settings policy, I waited approximately half an hour and noticed that the EPM Agent had been installed. Two folders in its installation directory caught my attention:
- The EpmTools folder contains instructions on using PowerShell commands to gather further details about the EPM client on the device (the policies it has received and the attributes it sees for a given file).
- The Logs folder holds a multitude of logs, which are the first place to look when an elevation does not behave as expected. I haven't had the chance to delve into them yet.
Elevation rules policy
You can skip the elevation rule policy if a single default behaviour for every application is enough. Rules become necessary when the Elevation settings policy denies (or requires confirmation for) everything by default, but specific applications must be allowed, automatically or after confirmation, on certain devices.
The Elevation rule policy comprises two critical elements:
- Elevation Conditions: the elevation type that applies when a file matches the rule: automatic (no prompt), or user confirmed with 'Business Justification' and/or 'Windows Authentication'.
- File Information: identifies the EXE the rule applies to, by file hash or by its signing certificate (the certificate can come from Reusable settings). A hash pins one exact build and must be re-captured every time the application updates; a certificate rule keeps matching signed updates from the same publisher.
To get the file hash, use this PowerShell command (SHA256 is the default algorithm):
Get-FileHash "your exe file path here" | Select-Object Hash
To export the EXE's signer certificate as a DER-encoded .cer file, use this command:
Get-AuthenticodeSignature "your exe file path here" | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath "c:\temp\YourExeFileCert.cer"
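As an added example that is not part of the original post, the following PowerShell function collects in one pass everything the File Information section of an elevation rule can take for a given EXE: the SHA256 hash, the file and product details, and the signer certificate, exported as a .cer so it can be uploaded under Reusable settings. It also flags two things worth checking before you pick a rule type: a file that is unsigned or whose signature does not validate can never be matched by a certificate rule, so a hash rule is the only option, and a signer certificate close to its expiry date needs attention because the rule built on it will stop matching once the publisher re-signs with a new certificate. The function name, parameter names and the export folder are my own choices, not anything the EPM agent provides.

```powershell
function Get-EpmRuleInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExportFolder = 'C:\temp\EpmCerts',   # assumed output location for the .cer
        [int]    $ExpiryWarningDays = 90               # assumed threshold for the expiry warning
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Extension -ne '.exe') {
        throw "EPM rules currently target EXE files; '$($file.Name)' is not one."
    }

    # Hash rule input: SHA256 of this exact binary. Any update to the file changes it.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Certificate rule input: the Authenticode signer. Check the status first;
    # 'NotSigned' or 'HashMismatch' means a certificate rule can never match this file.
    $sig         = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $certPath    = $null
    $expiresSoon = $false

    if ($sig.Status -eq 'Valid') {
        $cert = $sig.SignerCertificate
        New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
        $certPath = Join-Path $ExportFolder ($file.BaseName + '.cer')
        # -Type CERT writes a DER-encoded .cer, the format the Reusable settings import takes.
        Export-Certificate -Cert $cert -Type CERT -FilePath $certPath | Out-Null
        $expiresSoon = $cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)
    }

    [pscustomobject]@{
        FileName          = $file.Name
        FilePath          = $file.DirectoryName
        ProductName       = $file.VersionInfo.ProductName
        FileVersion       = $file.VersionInfo.FileVersion
        Sha256            = $hash
        SignatureStatus   = $sig.Status
        Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }  else { $null }
        SignerExpires     = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        SignerExpiresSoon = $expiresSoon
        ExportedCert      = $certPath
        SuggestedRule     = if ($sig.Status -eq 'Valid') {
                                'Certificate (keeps matching signed updates)'
                            } else {
                                'File hash (re-capture after every update)'
                            }
    }
}

# Usage: the binary used for the test in this post.
Get-EpmRuleInfo -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" | Format-List
```

Run it once per application you intend to allow and keep the output with the rule; when a hash rule stops matching after an update, re-running it gives you the new hash, and the SignerExpires value tells you when a certificate-based rule (or a certificate stored under Reusable settings) is due for a refresh.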
Configure reusable settings (preview)
True to its name, this setting is reusable: you import the signing certificate of an EXE file once and it becomes available for selection in any Elevation rule policy. For instance, I exported the certificate of powershell.exe and added it under Reusable settings.
After you upload the certificate you can select it in the File Information section of a rule instead of uploading it again for every policy.
User Experience
As demonstrated in my example, I’ve set up a rule for PowerShell. Below are screenshots illustrating the configuration.
UPDATE
It is now also possible for a user to request elevated access to a file and have an admin approve it (support approval). To configure this, create a new Elevation settings policy like this:
Assign this policy to a user or device group.
User and Admin experience
When a user downloads a file from the internet, let's say the VS Code installer, and wants to install it on their machine, they can now send a request to the admins to approve this file for installation. Let's see how this works.
Right-click the downloaded file and choose Run with elevated access. Fill in the business justification and click Send.
After verifying your identity with either your password or Windows Hello for Business you get the message that your request has been sent.
On the admin side of things you have an extra tab on the Endpoint Privilege Management section: Elevation Requests.
Click on the Elevation Requests tab to see the requests that have been made. The request I have just made is listed as pending.
Click on the file name to view the details of the request and approve or deny accordingly.
In this case we approve the request by clicking Approve and also give a reason. The user then has elevated access to this app for 24 hours.
The user receives a pop-up notification once the request is approved; when a request is denied no pop-up is triggered, and there is no other built-in way to notify the user, which is somewhat frustrating. The approval reaches the device through the regular Intune check-in, like any other Intune policy, so it can take some time. To speed it up, have the user sync the device or reboot it, or simply tell the user the request has been approved so they don't have to wait for the pop-up.
The user can now right-click the downloaded file, choose Run with elevated access and install the application by clicking Continue.
Conclusion
In some of Microsoft's demo videos I saw users sending elevation requests that admins then approve in the Intune portal; at the time of my first test this was expected to debut in the summer, and it has since arrived (see the UPDATE section above). It matters because creating a rule per EXE file is not as convenient for a true "approve only once" just-in-time approach.
Presently, EPM exclusively supports EXE files, with MSI file support planned for the near future, as communicated by the Microsoft Intune team.
The "Run with elevated access" option resides within the classic context menu, so on Windows 11 you first have to click "Show more options", which is a bit inconvenient. Nevertheless, the Microsoft Intune team is actively working to integrate it into the modern context menu.
Overall, the initial test of Endpoint Privilege Management is satisfying and shows promise. I'm genuinely pleased after trying out this feature. Give it a try; I believe you'll find it beneficial.
Need newsletters
What do you mean by need newsletter?
Heyyy Joery, we have been using your fine blog post to integrate EPM in our environment. When creating an Elevation rule policy for, for example, the VS Code software installed on a device, we need to capture the file hash and EXE location (default install location of VS). So far so good. When VS gets an update to a newer version, do we have to change the file hash every time?
Hi Erik, yes you need to change the file hash. Also take a look at the request approval, no need for a file hash there.
nice thank you
But the IT admin must look at the Intune dashboard to see requests.
Is there any way to get those requests by mail?
Unfortunately no, this is the way that Microsoft designed the notifications. I’m also not a fan.
What happens when these certificates in the reusable settings expire? There would be no way to track which ones are due to expire and potentially break multiple rules. Is there a way to query these certs from Intune using Graph API?
Hi, I didn't try this yet, unfortunately, but I assume this will be possible. Sorry that I cannot give you a straightforward answer on this.
Hi, I am having a strange problem with this and even Microsoft couldn't solve it, at least not yet. When I am using this support approval I am getting the following error. When I fill in the reason why I need it and then press Send, this error pops up: "There was an error with sending this request. Try again or contact your support person. Error code: 0x80004005 (-2147467259)". Any ideas what can cause this problem? If I am not using "Require support approval" everything works just fine.
Hi, I need to update the guide because some new stuff came out just today. What I suggest you do for your issue: disable EPM from the Intune policy and remove the EPM or Intune Suite license from the user. Wait some time, let's say about 15 minutes, switch everything back on again, wait again for about 15 minutes, reboot the machine and try again. Let me know please.
Hi, do you know if the problem I found when I tested EPM when it came out is solved?
When you right-click on a shortcut in the Start menu or on the taskbar, "Run with elevated access" was not shown, so you have to find the "Open file location" option and then right-click on the actual file in the Explorer window that appears to kick off the EPM process with the option "Run with elevated access."
This made the solution pretty much useless in my opinion as it is quite difficult to explain to the users and remember for them. Our current EPM solution taps into the “Run as administrator” which is present both in the Start menu/taskbar and on the file directly and therefore much more intuitive.
From my experience it had to do with the Windows version. I had this also in my first tests. It disappeared after I upgraded my Windows version.
Thanks – perhaps it is time to give it another try.
We tested for 2-3 months before we went back to Admin by Request because of that and a couple of other shortcomings that seems to have been solved but I haven’t been able to find any documentation on this problem being solved.
Unfortunately the problem persists after I tested this again using the latest Windows 11.
The shortcuts found on the Desktop have the "Run with elevated access" menu item, but everything in the Start menu or on the Taskbar does not, and you have to right-click on the shortcut and select "Open file location" to be able to right-click and elevate the program.
Only the “Run as administrator” can be found on the shortcuts in the Start Menu and Taskbar.
Hi,
To be honest I didn't have the time yet to play around with the newly released settings. As soon as I have the time I will have a look and let you know.
Hi! Do you know if it's possible to combine Support approval and User approval?
I want the Elevation setting policy rule to be support approval.
Some users require an application to be "run as administrator" (yeah, I know, shitty application); however, we need to solve it without the user being local admin, so for that application I want to create an Elevation rule policy with User approval, so the users that need that one application can start it with elevated access, while all other applications they need are support approval.
I have been testing, but can't get it to work. Is this supported?
To be honest I did not try to combine the two.
Hello,
excellent article, very well explained.
I wanted to ask you if you think it would be possible to write Python code that would allow me to launch an application (in my case powershell.exe) with elevated access, without having to right-click every time.
I have tried, but I can only find the syntax for "Run as administrator" and not "Run with elevated access".