In this third blog post we are going to look at the EPM user experience. In the previous post, we configured an elevation settings policy that rejects all elevation requests by default. In addition, we configured an elevation rules policy that allows members of the test group to start Command Prompt (cmd.exe) with elevated rights. Now we are going to see what the experience looks like for an end user on a Windows 10 and on a Windows 11 workstation.
EPM User Experience
As mentioned in the previous blog post, you cannot simply launch applications with “Run as administrator.” Only applications started with “Run with elevated access” are handled by EPM. In terms of user experience, there is not much difference between Windows 10 and Windows 11. The biggest difference is the menu used to launch elevated access. A major drawback at the moment is that you cannot start elevated access directly from the Start menu or the taskbar. There is simply no option to start elevated access there, as you can see below. You always have to select more options (1) to open the file location (2) in an Explorer window. Only from the desktop or from Explorer can you start elevated access.
Once you are in Explorer, there is a difference between Windows 10 and 11. In Windows 10, you right-click “Command Prompt” (1) and launch it with elevated access (2).
In Windows 11, an additional step is added. First you right-click “Command Prompt” (1), then select “Show more options” (2), and then you can start it with elevated access (3).
After starting an application with elevated access, EPM checks in the background whether the user is allowed to do so. If it is allowed, there are two options. If automatic elevation is chosen, the application is started immediately. If user confirmed is selected, a login screen or a business justification screen, as shown below, is displayed:
If a user tries to launch an application for which he or she is not authorized, the message “You can’t run this app as administrator” is displayed, as you can see below:
Reporting
There are currently two EPM reports in Intune that allow you to see the status of elevations.
It is important to note that the data is processed once every 24 hours. Because of this, there is a delay before you see data in the report. In addition, it is important to note that the report is currently (May 26, 2023) still in preview. I’ve noticed that reporting doesn’t always work very well. It also seems to work better with Windows 10 than with Windows 11.
Elevation report
The Elevation report displays a list view with details about all reported elevations. This list includes elevations that are managed by specific rules and elevations that are captured by default elevation setting policies. There are three types of elevations: zero-touch, user-confirmed and unmanaged.
Managed Elevation report
The Managed elevation report displays the same types of detail as the Elevation report, but reports only on the elevations that are managed by a Windows elevation rules policy. This report therefore only displays the zero-touch and user-confirmed elevations.
In this blog post we looked at the user experience of EPM. In the next blog post, we will look at how to troubleshoot EPM. – Troubleshooting EPM (4/4)