In this third blog post we are going to look at the EPM User Experience. In the previous section, we configured an elevation settings policy that rejects all elevation requests by default. In addition, we configured an elevation rules policy that allows members of the test group to start Command Prompt (cmd.exe) with elevated rights. Now we are going to see what the experience is like for an end user on a Windows 10 and a Windows 11 workstation.
EPM User Experience
Once you are in Explorer, there is a difference between Windows 10 and 11. In Windows 10, you right-click “Command Prompt” (1) and launch it with elevated access (2).
In Windows 11, an additional step is added. First you right-click “Command Prompt” (1), then select “Show more options” (2), and then you can start it with elevated access (3).
After an application is started with elevated access, EPM checks in the background whether the user is allowed to do so. If it is allowed, there are two options. If automatic elevation is chosen, the application is started immediately. If User confirmed is selected, a login screen or a Business Justification screen as shown below is displayed:
If a user tries to launch an application for which he or she is not authorized, the message “You can’t run this app as administrator” is displayed, as you can see below:
There are currently two EPM reports in Intune that allow you to see the status of elevations.
It is important to note that the data is processed once every 24 hours. Because of this, there is a delay before you see data in the report. In addition, it is important to note that the report is currently (May 26, 2023) still in preview. I’ve noticed that reporting doesn’t always work very well. It also seems to work better with Windows 10 than with Windows 11.
The Elevation report displays a list view with details about all reported elevations. This list includes elevations that are managed by specific rules and elevations that are captured by default elevation setting policies. There are three types of elevations: zero-touch, user-confirmed and unmanaged.
Managed Elevation report
The Managed elevation report displays the same types of detail as the Elevation report, but reports on only the elevations that are managed by a Windows elevation rule policy. This report displays only the zero-touch and user-confirmed elevations.
In this blog post we looked at the user experience of EPM. In the next blog post, we will look at how to troubleshoot EPM. – Troubleshooting EPM (4/4)