Hello everyone, IT specialists! 👋 Today we will explore a very interesting feature of Microsoft Intune: Endpoint Privilege Management (EPM).
Video
You can find the entire video below, or you can continue reading the article.
What is Endpoint Privilege Management?
Endpoint Privilege Management is a feature of the Intune Suite (also sold as a standalone Intune add-on) that lets standard, non-administrative users run specific tasks with elevated privileges, such as launching .exe, .msi, and .ps1 files that an administrator has approved through policy. In other words, users can install and run approved software and scripts without being granted local administrator rights or an administrative password, so day-to-day accounts stay standard users and only the files matched by a rule ever run elevated.
How to: Implementing EPM
Creating Elevation Settings Policies
To enable EPM, you first create an elevation settings policy. This policy turns on the EPM client component on the Windows device and sets the default elevation response, which is what happens when a user requests elevation for a file that no elevation rule matches. In this video, as an example, I created a policy whose default response denies all elevation requests. That is the baseline to start from: nothing elevates unless a rule explicitly allows it.
Let’s see if it really works!
Perfect, it works! Now let’s create the first Elevation Rule.
Creating and Managing Elevation Rules
Elevation rules define the behavior for a specific elevation request, matching the target file by file name, file path, SHA-256 hash, signing certificate (publisher), file version, product name, or internal name. Each rule also sets an elevation type: user confirmed (the user confirms the prompt, optionally with a business justification or Windows authentication), support approved (an administrator must approve the request in the Intune admin center before it runs), or automatic (the file elevates silently with no prompt). A rule that matches on file name alone is weak, because any executable can be renamed to match it; prefer a hash, or a publisher certificate combined with a minimum file version.
Example of an Elevation Rule with Approval
Let’s create an elevation rule with approval.
Okay, now let’s check on the client what happens if we try to install 7-Zip.
See? Approval from a support administrator is required. The pending elevation request appears in the Intune admin center, where an administrator with the right role can approve or deny it.
Let’s go back to our Windows machine to see if the user can now install 7-Zip.
Perfect, everything works! 😊
Example of an Automatic Elevation Rule
Now let’s create an automatic elevation rule, which elevates the file with no approval flow and no user prompt. A typical use case is internally developed company software signed with a certificate you control. Because nothing stands between the user and the elevated process, automatic rules should be scoped as tightly as possible: match on a hash or a publisher certificate with a minimum version rather than a file name, and set the rule’s child process behavior so the elevated process cannot spawn arbitrary elevated children.
Let’s see how to create the rule for this situation.
Rule created! Now let’s see what happens on the Windows client.
See? Everything runs smoothly without any additional messages or interactions.
Strategies for Managing Software Versions
If the version of a software installer changes, a hash-based rule stops matching: you need to recalculate the SHA-256 hash of the new file (or retrieve it from the elevation report in the Intune admin center, which records the hash of every elevation attempt) and then update the rule or create a new one. To avoid doing this for every release, you can match on the publisher’s signing certificate instead: upload the certificate as a reusable settings group and reference it from your rules, optionally together with a minimum file version. Every release signed with that certificate is then covered without creating new rules. The trade-off is that anything signed with that key elevates too, so reserve certificate rules for publishers whose signing practices you trust.
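The following PowerShell script is an added example and is not part of the original post or of Microsoft’s tooling. Run it on the installer you want to allow: it collects the attributes an elevation rule can match on (SHA-256 hash, file version, product name, internal name) and, if the file carries a valid Authenticode signature, exports the leaf signing certificate as a .cer file that you can upload as a reusable settings group. The installer path and the output file name are placeholders you supply; nothing is downloaded.

```powershell
<#
  Added example, not from the original post: gather the matching attributes
  for an EPM elevation rule and export the publisher certificate.
  Assumptions: -Path points at a local .exe or .msi you already have;
  the output .cer path is arbitrary. No Intune API is called.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                                   # e.g. 'C:\Temp\installer.exe' (hypothetical)
    [string]$CertOut = (Join-Path $PWD 'publisher.cer')
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. SHA-256 hash: what a hash-based rule matches. It changes with every build,
#    which is why hash rules need maintenance on each new version.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# 2. PE version metadata: usable for the "minimum version", product name and
#    internal name conditions. Mostly empty for .msi packages, which store
#    this information in the MSI summary stream instead of a PE header.
$vi = $file.VersionInfo

# 3. Authenticode signature: the leaf (signer) certificate is the "publisher"
#    that a certificate-based rule matches. Only trust it when Status is Valid;
#    NotSigned or HashMismatch means the file was never signed or was altered.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

[pscustomobject]@{
    FileName       = $file.Name
    SHA256         = $hash
    FileVersion    = $vi.FileVersion
    ProductName    = $vi.ProductName
    InternalName   = $vi.InternalName
    SignatureState = $sig.Status
    Publisher      = $sig.SignerCertificate.Subject
    CertThumbprint = $sig.SignerCertificate.Thumbprint
    CertNotAfter   = $sig.SignerCertificate.NotAfter
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Do not build a certificate rule from this file; use a hash rule instead."
    return
}

# Export the DER-encoded leaf certificate. Upload this .cer under the Reusable
# settings of Endpoint Privilege Management in the Intune admin center, then
# reference it from a rule with certificate type 'Publisher'.
$der = $sig.SignerCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CertOut, $der)
Write-Host "Publisher certificate exported to $CertOut"
```

Run it as `.\Get-EpmRuleInfo.ps1 -Path 'C:\Temp\installer.exe'` (script name and path are placeholders). Check the certificate’s NotAfter date before relying on it: a rule built on a certificate the vendor is about to rotate will break on the next release just like a hash rule, so pair certificate rules with a minimum file version and revisit them when the publisher changes signing keys.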
Attached Documentation
As always, here is the documentation package for your further study.
📌 Use Endpoint Privilege Management with Microsoft Intune
📌 Guidance for creating elevation rules with Endpoint Privilege Management
📌 Configure policies for Endpoint Privilege Management
📌 Deployment Considerations and frequently asked questions for Endpoint Privilege Management
Conclusion
Microsoft Intune’s Endpoint Privilege Management offers an effective way to manage the privileges of standard users: they remain standard users, and only the specific files your rules approve run elevated, with or without an approval step. If you want to learn more, leave a comment and subscribe to my YouTube channel to not miss the next videos! 📚🔔
Thank you!
Your IT Specialist,
Riccardo