In this blog series, I’m going to look at Intune Endpoint Privilege Management (EPM). EPM lets you give users administrative rights only for the specific applications that need them. Some applications, for example, require local admin rights to be configured. By elevating users only for those applications, fewer accounts need standing local admin rights, which reduces the attack surface of the computers.
Pic1: Endpoint Privilege Management – Elevated Access windows
Endpoint Privilege Management (EPM) was presented at Ignite 2022 as part of the Microsoft Intune Suite and became available in preview in late March. Although EPM is now generally available, not all of the components presented at Ignite are available yet. For example, it is currently not possible to grant admin rights on user request (the user asking for approval), which is important to know before you plan a rollout. In addition, I have noticed that EPM reports are not always working properly and are still in preview. It is also not yet possible to let child processes inherit administrator rights; this is expected to follow later this year. For more things to consider, see the Microsoft documentation page.
Prerequisites
Intune Add-Ons
Endpoint Privilege Management has a number of additional prerequisites. First, on top of an Intune Plan 1 license, you need an add-on license. You can currently choose between two Intune add-on options:
- Microsoft Intune Suite Add-on
- Standalone Endpoint Privilege Management Add-on
Windows Client Requirements
The client must also meet some system requirements. If a device does not meet the minimum build, the EPM policy in Intune reports “Not applicable” for it. The following clients are currently supported:
- Windows 11, version 22H2 (22621.1344 or later) with KB5022913
- Windows 11, version 21H2 (22000.1761 or later) with KB5023774
- Windows 10, version 22H2 (19045.2788 or later) with KB5023773
- Windows 10, version 21H2 (19044.2788 or later) with KB5023773
- Windows 10, version 20H2 (19042.2788 or later) with KB5023773
At this time, Windows 11 on ARM is not yet supported; support is expected to be added around fall 2023. When an EPM policy is applied to a Windows 11 ARM device, the policy currently reports “Error”.
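Before assigning an EPM policy, it is worth checking whether a device actually meets the build requirements above, so that a “Not applicable” or “Error” status does not surprise you. The following PowerShell is an added example and not code from the original post: it reads the OS build and update build revision (UBR) from the registry and compares them against the list above. The minimum builds and KB numbers are taken from that list; the function name, the output fields and the ARM64 check are my own assumptions about how you would want the result reported.

```powershell
# Added example (not from the original post): report whether this Windows client
# meets the EPM minimum build listed in the prerequisites above.
function Test-EpmClientPrerequisites {
    [CmdletBinding()]
    param()

    # Minimum build / UBR and the KB that shipped it, copied from the list above.
    $minimums = @(
        @{ Name = 'Windows 11 22H2'; Build = 22621; Ubr = 1344; Kb = 'KB5022913' },
        @{ Name = 'Windows 11 21H2'; Build = 22000; Ubr = 1761; Kb = 'KB5023774' },
        @{ Name = 'Windows 10 22H2'; Build = 19045; Ubr = 2788; Kb = 'KB5023773' },
        @{ Name = 'Windows 10 21H2'; Build = 19044; Ubr = 2788; Kb = 'KB5023773' },
        @{ Name = 'Windows 10 20H2'; Build = 19042; Ubr = 2788; Kb = 'KB5023773' }
    )

    # CurrentBuild is the major build (e.g. 22621), UBR the revision after the dot (e.g. 1344).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # PROCESSOR_ARCHITEW6432 is only set when a 32-bit process runs on a 64-bit OS,
    # so prefer it to avoid misreading the host architecture from 32-bit PowerShell.
    $arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }

    $result = [ordered]@{
        OsBuild      = "$build.$ubr"
        Architecture = $arch
        Supported    = $false
        Reason       = ''
    }

    # Windows on ARM is not supported yet; the policy shows "Error" on such devices.
    if ($arch -eq 'ARM64') {
        $result.Reason = 'Windows on ARM is not supported by EPM yet; the policy will report Error.'
        return [pscustomobject]$result
    }

    $match = $minimums | Where-Object { $_.Build -eq $build }
    if (-not $match) {
        $result.Reason = "Build $build is not in the supported list; the policy will report Not applicable."
        return [pscustomobject]$result
    }

    if ($ubr -lt $match.Ubr) {
        $result.Reason = "$($match.Name) needs $($match.Build).$($match.Ubr) or later ($($match.Kb)); install the update."
        return [pscustomobject]$result
    }

    # Cross-check: the KB that introduced the minimum UBR is visible to Get-HotFix
    # unless a later cumulative update has superseded it.
    $kbInstalled = [bool](Get-HotFix -Id $match.Kb -ErrorAction SilentlyContinue)

    $result.Supported = $true
    $result.Reason    = "$($match.Name) at $build.$ubr meets the minimum" +
        $(if ($kbInstalled) { " ($($match.Kb) is installed)." } else { " (a later cumulative update supersedes $($match.Kb))." })
    [pscustomobject]$result
}

Test-EpmClientPrerequisites | Format-List
```

Run it in an elevated or normal PowerShell session on the device; it only reads the registry and the installed-update list. The UBR comparison is the authoritative check, since the KB listed for each release is simply the update that raised the revision to that minimum; the `Get-HotFix` lookup is there to explain the result when a newer cumulative update has replaced that KB.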
EPM Policy types
Endpoint Privilege Management uses two policy types: the Elevation settings policy and the Elevation rules policy. Together they determine what happens when a user tries to launch an application with elevated access. The Elevation settings policy enables EPM on the device and configures the default elevation response; the Elevation rules policy then grants elevated access for specific files.
Pic2: Endpoint Privilege Management – Elevation rules and Elevation settings policy
To give an example: in the Elevation settings policy you set the default response to “Run with elevated access” to “Deny”. You then create an Elevation rules policy that allows one particular .exe file to run with elevated access. Any file without a matching rule falls through to the default response and is denied, so only the files you have explicitly listed can be run with elevated access.
Now that you know what you can use EPM for, let’s see how to configure it in the next post – Configure Endpoint Privilege Management (2/4)