- What is Endpoint Privilege Management?
- Prerequisites for Endpoint Privilege Management
- Options available in Endpoint Privilege Management
- Endpoint Privilege Management policies
- Creating the Elevation Settings policy
- Testing Endpoint Privilege Management
- Troubleshooting: Elevation Policy is Not Applicable
- Security with Intune: Endpoint Privilege Management - Fri, Apr 28 2023
Remember, Endpoint Privilege Management is in Public Preview at the time of writing and is expected to be rolled out anytime in April 2023. I am curious to test this out, and I believe you are too.
What is Endpoint Privilege Management?
Intune Endpoint Privilege Management is a cloud-based solution that lets IT admins define policies allowing non-admin users to install and run specified applications with elevated access. Intune Endpoint Privilege Management offers a range of security features, including:
- Application control: Allows IT administrators to control which applications users can install and run on their devices. This helps prevent the installation of malicious software that can compromise endpoint security.
- Conditional access: Enables organizations to restrict access to sensitive data based on specific conditions, such as device compliance, user location, and network location. This helps prevent unauthorized access to sensitive data.
- Just-In-Time (JIT) Access: Allows users to request temporary access to specific resources that they need to complete their tasks. IT administrators can approve or deny these requests based on the policies defined by the organization.
- Least Privilege: Enables organizations to restrict user access to the minimum set of permissions required to perform their tasks. This helps prevent users from accidentally or intentionally accessing sensitive data.
Prerequisites for Endpoint Privilege Management
Before setting up EPM, ensure that you meet the following requirements:
- Licensing: During Public Preview, EPM doesn't require a license. After Public Preview, your tenant must be licensed for EPM, either as part of the Intune Suite or as a standalone license.
- Windows client requirements: EPM has specific operating system requirements, including Windows 11 (versions 22H2 with KB5022913 and 22H1 with KB5023774) and Windows 10 (versions 22H2 or later, 21H2 or later, and 20H2 or later with KB5023773).
- Supported trust types: Only devices with a hybrid Azure Active Directory join or Azure Active Directory join are supported. Workplace join is not supported.
The elevation settings policy will be shown as not applicable if a device is not at the minimum version specified above.
How to enable Endpoint Privilege Management
- Open the Intune Console.
- Navigate to Endpoint Security > Endpoint Privilege Management.
- Click Activate.
Options available in Endpoint Privilege Management
Reports: Here, you can find the Elevation and Managed Elevation reports. It can take up to 24 hours until you see data here.
Policies: The section where you can create the Elevation Rules Policy and Elevation settings. More info about this is provided below.
Reusable settings (preview): In this section, you can import certificates and reuse them in the different Elevation settings.
Endpoint Privilege Management policies
There are two types of policies that can be configured by the IT Admins:
- Elevation Settings
- Elevation Rules
The Elevation Settings policy aims to set up the behavior of file elevations when standard users request administrative privileges. This includes enabling Endpoint Privilege Management and configuring data sharing with Microsoft.
On the other hand, the Elevation Rules policy is designed to manage the identification of individual files and the handling of elevation requests for those files. It involves creating elevation rules that specify which files are being managed and the criteria for elevating them.
Note: You don't have to use the elevation rule policy if you don't need to specify different rules for individual applications. But if, for example, you use the Elevation Settings policy to deny all elevation responses, and want to allow just some applications to run on some devices, you will need to create an Elevation Rules policy.
In this post, we will focus on creating an Elevation Settings policy.
Creating the Elevation Settings policy
From the Endpoint Privilege Management blade, click the Create Policy menu option, as shown, to create a policy for your environment.
- Select Windows 10 and later for the Platform (only option currently available).
- Select Elevation Settings policy for the Profile.
- Select Create to continue.
- Provide a suitable name for the new policy and select Next to continue.
- Ensure that the option Endpoint Privilege Management is set to Enabled, as shown below.
In this case, the Default elevation response is set to Require user confirmation.
- Select Next to continue.
- Assign the policy to an appropriate group with devices.
- Then, select the new policy to view it, and then select View report to see the results of how the policy has been applied in your environment.
When the policy is applied successfully to the device, you will find that a new directory called C:\Program Files\Microsoft EPM agent has been created, as shown below.
If you look inside that directory, you will see the structure below.
Testing Endpoint Privilege Management
Now, it's time to test this solution. Let's try to install Teams (or any other executable) as a normal user. When you right-click the file, you should now see the option Run with elevated access, as shown below.
Note: The "Run with elevated access" option is located under the "classic menu," which requires clicking "Show more options." This can be inconvenient, but the Microsoft Intune team is planning to make the option available in the modern context menu.
Select Run with elevated access, and enter the business justification when the prompt below appears.
That's it. The user is now able to install the application, which usually requires admin rights.
Troubleshooting: Elevation Policy is Not Applicable
When you apply the Elevation Settings policy to a device that does not have the KB5023774 patch installed, you will receive this error message:
Not applicable for the client devices and does not apply.
The reason is that the device does not meet the prerequisites for EPM. The policy will not work if your device is not at the recommended level, as mentioned in the Prerequisites section above.
To solve this issue, ensure that KB5023774 is installed on the client device.
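The following PowerShell script is an added example (not from the original post) that checks a client against the prerequisites from the Prerequisites section and the troubleshooting note above: OS version and build, the KB updates named in the post, the device join type, and whether the EPM agent directory exists. The KB ids are the ones the post lists; the agent directory path is assumed from the earlier section, and the reading of dsregcmd output is an assumption about its text format.

```powershell
# Added example: client-side check of the EPM prerequisites described in the post.
# KB ids are taken from the post; the agent path is assumed, not documented here.
$RequiredKbs = @('KB5022913', 'KB5023774', 'KB5023773')   # one applies, depending on the OS version
$AgentPath   = 'C:\Program Files\Microsoft EPM Agent'       # assumed install location

# OS caption, feature release (e.g. 22H2) and full build number
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host ("OS: {0} {1} build {2}.{3}" -f $os.Caption, $cv.DisplayVersion, $os.BuildNumber, $cv.UBR)

# Cumulative update check. Get-HotFix reads Win32_QuickFixEngineering; a later LCU can
# supersede the listed KB, so treat a "missing" result as a prompt to compare the build
# against the prerequisites rather than as proof the device is unpatched.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$kbHit = $RequiredKbs | Where-Object { $installed -contains $_ }
if ($kbHit) {
    Write-Host "Required KB present: $($kbHit -join ', ')"
} else {
    Write-Warning "None of $($RequiredKbs -join ', ') found; verify the build meets the prerequisite"
}

# Join type. EPM supports Azure AD joined and hybrid Azure AD joined devices only;
# workplace join is not supported, which also makes the policy show as not applicable.
$dsreg        = dsregcmd /status
$aadJoined    = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES')
$wpJoined     = [bool]($dsreg | Select-String -Pattern 'WorkplaceJoined\s*:\s*YES')
if ($aadJoined -and $domainJoined) {
    Write-Host 'Join type: hybrid Azure AD joined (supported)'
} elseif ($aadJoined) {
    Write-Host 'Join type: Azure AD joined (supported)'
} elseif ($wpJoined) {
    Write-Warning 'Join type: workplace joined (not supported by EPM)'
} else {
    Write-Warning 'Join type: not Azure AD joined'
}

# Agent presence: the post notes this directory appears once the policy has applied.
if (Test-Path -Path $AgentPath) {
    Write-Host "EPM agent directory found: $AgentPath"
} else {
    Write-Warning "EPM agent directory not found; the policy may not have applied yet"
}
```

Run it in a user session on the affected client; no elevation is needed for any of the checks.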
My initial trial of Endpoint Privilege Management is both satisfactory and encouraging, and I am delighted with the results. I recommend giving this feature a try, as I am confident that you will also find it useful. Additionally, I am excited to see the reporting features that have yet to be explored. As per Microsoft, data processing occurs every 24 hours, so there may be a delay in viewing elevation usage reports.