In this blog post, I’m going to show you how to configure Endpoint Privilege Management. In the previous part, I told you that you configure EPM through elevation rules and settings policies. Let’s start with the elevation settings policy. Before proceeding, check that you meet all the requirements and have the necessary licenses. If the latter is not the case you will see the notification (1) below and you will not be able to create a policy (2).
Elevation settings policy
As mentioned in the previous post, the Elevation settings policy enables EPM and configures the default elevation response. Default responses are only processed for requests coming through the Run with elevated access right-click menu. If you start an application with “Run as administrator” you still get the User Account Control (UAC) screen to log in with an admin account.
1. To create a new elevation settings policy select in the Intune admin center: Endpoint security -> Endpoint Privilege Management -> “Create Policy” (1). Select the platform “Windows 10 and later” and Profile “Elevation settings policy” (2). Press “Create” (3) to continue.
2. Enter a recognizable name for your new “Elevation settings policy” and press “Next” to continue.
3. The first setting to configure is whether you want to enable EPM (1). The next setting is whether you want to forward elevation logging to Microsoft (2). (If you do not enable this setting, you will not see any reporting in Intune). Next, you specify the extent to which you want to forward the logging to Microsoft (3). You have 3 options:
Option | What is sent to Microsoft
Diagnostic data and managed elevations only | Diagnostic data about the health of the client components AND data about elevations facilitated by Endpoint Privilege Management.
Diagnostic data and all endpoint elevations | Diagnostic data about the health of the client components AND data about all elevations happening on the endpoint.
Diagnostic data only | Only diagnostic data about the health of the client components.
4. The last option is very important to understand well. At the “Default elevation response” you specify what happens by default when someone starts a file with elevated access for which no elevation rule policy is configured. If you specify “require user confirmation” here, then all applications can be started with “elevated access.” If you select not configured or deny all requests, then only applications with an elevation rule policy can be started with “elevated access”. Think carefully about this before configuring.
5. If you nevertheless choose “require user confirmation,” you will be given the option to configure the Validation type. You have two options: Business justification and Windows Authentication. The first option requires the user to specify why elevated access is being used, and Windows Authentication requires the user to authenticate again with a password or Windows Hello for Business. You can select one, both or no Validation here. If no option is selected, the user is only required to click continue to complete the elevation.
6. I choose the configuration below and follow the instructions to assign the policy to “all devices.” Note: it is currently not possible to apply a filter to an EPM policy.
Elevation rules policy
Next, you use the Elevation rules policy to configure elevated access for specific files. With the elevation settings policy, we have configured that the default response to an elevated access request is to deny it. In this example, we are going to allow users in a test group to execute “Command prompt” (cmd.exe) with elevated access. For this, an elevation rules policy must be created. An elevation rules policy is a container for multiple rules that you can apply to a group.
7. To create a new elevation rules policy select in the Intune admin center: Endpoint security -> Endpoint Privilege Management -> “Create Policy” (1). Select the platform “Windows 10 and later” and Profile “Elevation rules policy” (2). Press “Create” (3) to continue.
8. Name the elevation rules policy. In this case, I’ll call it “Testgroup Elevation Rules.” In this policy, I add all elevation rules for the “Testgroup” group. Press “Next” to continue.
9. By default, an empty rule is added to each elevation rules policy. Select “+Edit instance” to configure this empty rule.
10. Enter a name and description for the rule (1). Next, select what happens when a user wants to start the application with elevated access. There are two options: Automatic and User confirmed (2). When you select automatic, the application is started without notification. If you select User confirmed, the user will get a notification. As with the settings policy, you can choose from two options: Business justification and Windows Authentication.
11. The next step is to add information about the file which can be started with elevated access. As stated under file information, it is important to add as many file attributes as possible to avoid unintended elevations. Add the file name and path. Next, select the signature source. This can be the certificate or the hash of the file.
12. To find out the signature source, run one of the commands below. In this example, I am using the File Hash.
File Hash:
Get-FileHash "<Enter Exe file>" | Select-Object Hash

Certificate:
Get-AuthenticodeSignature "<Enter Exe file>" | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath "<path to Certificate\certificatename>.cer"
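To collect every attribute the rule asks for in one go, here is an added PowerShell script (my own example, not from the original post or from Microsoft). It takes an executable path (assumed default: cmd.exe, the file elevated in this example), returns the file name, path, version and product name for the rule's file information together with the SHA-256 hash for a File Hash rule, and exports the signer certificate to an assumed output folder for a Certificate rule.

```powershell
# Added example (not from the original post): gather the attributes an EPM
# elevation rule needs for one executable so they can be pasted into the
# rule in the Intune admin center. Both parameters are assumed defaults.
param(
    [string]$ExePath    = "$env:SystemRoot\System32\cmd.exe",
    [string]$CertOutDir = "$env:TEMP\epm-certs"
)

$file = Get-Item -LiteralPath $ExePath -ErrorAction Stop

# Signature source "File Hash": SHA-256 of the exact binary on disk.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# Signature source "Certificate": export the Authenticode signer certificate,
# but only when the signature actually validates on this machine.
$sig      = Get-AuthenticodeSignature -FilePath $file.FullName
$certPath = $null
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    New-Item -ItemType Directory -Path $CertOutDir -Force | Out-Null
    $certPath = Join-Path $CertOutDir ("{0}.cer" -f $file.BaseName)
    $sig.SignerCertificate |
        Export-Certificate -Type CERT -FilePath $certPath -Force | Out-Null
}

# Everything the rule's file information section can take, in one object.
[pscustomobject]@{
    FileName        = $file.Name                      # "File name"
    FilePath        = $file.DirectoryName             # "File path"
    FileVersion     = $file.VersionInfo.FileVersion   # "Minimum version"
    ProductName     = $file.VersionInfo.ProductName   # "Product name"
    SHA256          = $hash                           # File Hash source
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    ExportedCert    = $certPath                       # Certificate source
}
```

A hash rule matches only this exact build of the file, so when Windows Update replaces cmd.exe the rule silently stops matching and the hash must be regenerated; a certificate rule survives such updates because the signer stays the same.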
13. Copy and paste the file hash. Then press “Save” to save the rule.
14. The rule is now ready for use. Follow the wizard to assign the policy.
15. In this example, I assign the policy to a test group containing the test user Cynthia Carey.
Now that we have the Elevation settings and rules policies configured and assigned, we are going to look at how EPM works in the next post. – EPM User Experience (3/4)