Endpoints such as laptops, desktops, and mobile devices are a common entry point for attackers, and a compromised endpoint can expose sensitive data and cause serious damage to the organization. Giving users local administrator rights so they can install software makes this worse. To address this, Microsoft has developed Intune Endpoint Privilege Management, a solution that lets standard users run specific, approved applications with elevated rights without being members of the local Administrators group. This blog post walks you through setting up Endpoint Privilege Management (EPM) in your organization so that your users stay productive while security is not compromised.
By Mohammed Kaif Joey

Remember, Endpoint Privilege Management is in Public Preview at the time of writing and is expected to be released in April 2023. I am curious to test this out, and I believe you are too.

What is Endpoint Privilege Management?

Intune Endpoint Privilege Management is a cloud-based solution that allows IT admins to define policies that let non-admin users install and run defined applications with elevated access. The user remains a standard user; only the process that matches a rule runs elevated. Intune Endpoint Privilege Management offers the following capabilities:

  1. Elevation rules: Allow IT administrators to control which files standard users may run with elevated rights, identified by file attributes such as the signing certificate. Anything that does not match a rule falls back to the default elevation response, which helps prevent users from elevating arbitrary or malicious software.
  2. Default elevation response: Defines what happens when a user requests elevation for a file that no rule covers, for example deny the request outright or require user confirmation.
  3. User confirmation with business justification: When a rule (or the default response) requires confirmation, the user is prompted to enter a business justification before the file is elevated, so every elevation is deliberate and recorded.
  4. Least privilege with reporting: Users keep standard-user accounts and only the approved processes run elevated, and the Elevation and Managed Elevation reports let you see which files were elevated, by whom, and on which devices.

Prerequisites for Endpoint Privilege Management

Before setting up EPM, ensure that you meet the following requirements:

  • Licensing: During Public Preview, EPM doesn't require a license. After Public Preview, your tenant must be licensed for EPM, either as part of the Intune Suite or as a standalone license.
  • Windows client requirements: EPM has specific operating system requirements. Windows 11 version 22H2 needs KB5022913 or later and Windows 11 version 21H2 needs KB5023774 or later. Windows 10 versions 22H2, 21H2, and 20H2 need KB5023773 or later.
  • Supported trust types: Only devices with a hybrid Azure Active Directory join or an Azure Active Directory join are supported. Workplace join (Azure AD registered) is not supported.

Important!

The Elevation Settings policy will be shown as Not applicable if a device is not at the minimum OS version and update level specified above.

How to enable Endpoint Privilege Management

  1. Open the Intune Console.
  2. Navigate to Endpoint Security > Endpoint Privilege Management.
  3. Click Activate.
Activating Endpoint Privilege Management

Options available in Endpoint Privilege Management

Reports: Here, you can find the Elevation and Managed Elevation reports. It can take up to 24 hours until you see data here, because the report data is processed once a day.

Policies: The section where you can create the Elevation Rules Policy and Elevation settings. More info about this is provided below.

Reusable settings (preview): In this section, you can import signing certificates once and reuse them in the different Elevation Rules policies that identify files by their certificate.

Endpoint Privilege Management policies

There are two types of policies that can be configured by the IT Admins:

  • Elevation Settings
  • Elevation Rules

The Elevation Settings policy aims to set up the behavior of file elevations when standard users request administrative privileges. This includes enabling Endpoint Privilege Management and configuring data sharing with Microsoft.

On the other hand, the Elevation Rules policy is designed to manage the identification of individual files and the handling of elevation requests for those files. It involves creating elevation rules that specify which files are being managed and the criteria for elevating them.

Note: You don't have to use the Elevation Rules policy if you don't need different rules for individual applications. But if, for example, you set the default elevation response in the Elevation Settings policy to deny all requests and want to allow just a few applications on some devices, you will need to create an Elevation Rules policy for those files.

In this post, we will focus on creating an Elevation Settings policy.

Creating the Elevation Settings policy

From the Endpoint Privilege Management blade, open the Policies tab and click Create Policy, as shown, to create a policy for your environment.

  1. Select Windows 10 and later for the Platform (only option currently available).
  2. Select Elevation Settings policy for the Profile.
  3. Select Create to continue.
Creating an Elevation Settings profile

  4. Provide a suitable name for the new policy and select Next to continue.
  5. Ensure that the option Endpoint Privilege Management is set to Enabled, as shown below.
Elevation Policy settings

In this case, the Default elevation response is set to Require user confirmation, so any file that is not covered by an elevation rule can still be elevated after the user confirms the request.

  6. Select Next to continue.
  7. Assign the policy to an appropriate group containing devices.
  8. Then, select the new policy to view it, and select View report to see how the policy has been applied in your environment.
Viewing EPM reports

When the policy has been applied successfully to the device, you will find that a new directory called C:\Program Files\Microsoft EPM Agent has been created, as shown below.

EPM parent folder

If you look inside that directory, you will see the structure below.

EPM folder structure on the client machine

Testing Endpoint Privilege Management

Now, it's time to test this solution. Let's try to install Teams (or any other executable) as a standard user. When you right-click the file, you should now see the option Run with elevated access, as shown below.

Installing Teams with elevated access

Note: The "Run with elevated access" option is located in the classic context menu, which on Windows 11 requires clicking "Show more options" first. This is inconvenient, but the Microsoft Intune team is planning to make the option available in the modern context menu.

Select Run with elevated access, and enter the business justification when the prompt below appears.

User prompted for business justification

That's it. The user is now able to install the application, which usually requires admin rights, without ever being made a local administrator.

Troubleshooting: Elevation Policy is Not Applicable

When you apply the Elevation Settings policy to a device that does not have the required cumulative update installed (KB5023774 for the Windows 11 21H2 device in this example), you will receive this status:

Not applicable for the client devices and does not apply.

Incompatible device showing as Not Applicable

The reason is that the device does not meet the prerequisites for EPM. The policy will not apply if your device is not at the required OS version and update level, as listed in the Prerequisites section above.

To solve this issue, ensure that KB5023774 (or the update corresponding to your OS version) is installed on the client device.

Downloading the update from MS Update Catalog

Device installed with the right update KB5023774 as required
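The Prerequisites section and this troubleshooting section both come down to the same three checks: OS version and cumulative update, Azure AD join type, and (after assignment) whether the EPM agent folder has appeared. The following PowerShell script is an added example of my own for running those checks on a client before you spend time on the Not applicable status; it is not part of the original post and not a Microsoft tool. It assumes the KB-to-version mapping listed in the Prerequisites section above, the agent folder name shown in the screenshot above, and that dsregcmd /status prints the usual AzureAdJoined and DomainJoined lines.

```powershell
# Get-EpmReadiness.ps1 -- added example, not from the original post or from Microsoft.
# Checks the EPM prerequisites from the Prerequisites section on the local device and
# whether the EPM agent folder exists after the Elevation Settings policy has applied.
# Run it in an elevated PowerShell session on the client.

# Required cumulative updates per OS version, taken from the Prerequisites section.
# Keyed by OS family and then by the DisplayVersion value in the registry (e.g. "22H2").
$script:RequiredKb = @{
    'Windows 11' = @{ '22H2' = 'KB5022913'; '21H2' = 'KB5023774' }
    'Windows 10' = @{ '22H2' = 'KB5023773'; '21H2' = 'KB5023773'; '20H2' = 'KB5023773' }
}

function Get-EpmReadiness {
    # OS build and feature update name. Windows 11 starts at build 22000.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build          = [int]$cv.CurrentBuild
    $ubr            = [int]$cv.UBR                    # revision of the installed cumulative update
    $displayVersion = [string]$cv.DisplayVersion      # "22H2", "21H2", "20H2" (absent before 20H2)
    $family         = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

    # Required KB for this version; $null means the version is not in the supported list.
    $kb = $script:RequiredKb[$family][$displayVersion]

    # Get-HotFix lists installed updates by KB ID. A newer cumulative update supersedes
    # the required one and may not show the old ID, so "not found" is a warning, not proof
    # that the device is below the minimum level; compare the build revision ($ubr) manually
    # in that case.
    $kbInstalled = $null
    if ($kb) {
        $kbInstalled = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    # Join type. Azure AD joined and hybrid Azure AD joined are supported by EPM;
    # Azure AD registered (workplace join) and domain-only are not.
    $dsreg        = dsregcmd /status
    $aadJoined    = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES')
    $joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($aadJoined)                { 'Azure AD joined' }
                else                               { 'Not supported (domain-only or workplace joined)' }

    # Agent folder that appears once the Elevation Settings policy has applied.
    # Folder name assumed from the screenshot in this post.
    $agentPath      = Join-Path $env:ProgramFiles 'Microsoft EPM Agent'
    $agentInstalled = Test-Path -Path $agentPath

    [pscustomobject]@{
        OSFamily        = $family
        DisplayVersion  = $displayVersion
        Build           = "$build.$ubr"
        RequiredUpdate  = $kb
        UpdateInstalled = $kbInstalled
        JoinType        = $joinType
        JoinSupported   = $aadJoined
        AgentFolder     = $agentPath
        AgentInstalled  = $agentInstalled
        # Overall verdict: supported version, required update found, supported join type.
        MeetsPrereqs    = [bool]($kb -and $kbInstalled -and $aadJoined)
    }
}

Get-EpmReadiness | Format-List
```

If MeetsPrereqs is False because of UpdateInstalled while the device clearly has a newer cumulative update, check the Build revision against the KB article for your version rather than trusting Get-HotFix, since superseded updates drop out of its list. AgentInstalled only becomes True after the Elevation Settings policy has been assigned and the device has synced, so a False there on a fresh device is expected.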

Conclusion

My initial trial of Endpoint Privilege Management is both satisfactory and encouraging, and I am delighted with the results. I recommend giving this feature a try, as I am confident that you will also find it useful. Additionally, I am excited to explore the reporting features further. As per Microsoft, report data is processed every 24 hours, so there may be a delay before elevation usage shows up in the reports.

Comments

  1. Robert Price 7 months ago

    Does it only work on Microsoft products, what about 3rd party software?

© 4sysops 2006 - 2023