
Endpoint Privilege Management (EPM) is one of the most anticipated features of the Microsoft Intune premium add-on suite and was already announced at Microsoft Ignite 2022. With EPM, Microsoft has finally developed a solution for assigning temporary administrator rights. Users no longer need to be made local administrators. Instead, your users can be given standard account permissions and be designated administrators for specific tasks. Microsoft has now released a first public preview. This blog article covers first test impressions about the new Microsoft Intune Endpoint Privilege Management feature.
- Licensing
- Windows Client requirements
- What files can be elevated
- Documentation
- Activate Endpoint Privilege Management (EPM)
- First test run – First impressions
- Troubleshooting and further testing
- Conclusion
Licensing
During the public preview, EPM does not require a license to be purchased or deployed. Once the product becomes generally available, your tenant must be licensed for Endpoint Privilege Management. This license is available as a part of the Intune Suite or standalone license.
Windows Client requirements
Endpoint Privilege Management (EPM) is available for Windows 10 and 11. Only devices with a Hybrid Azure Active Directory join or Azure Active Directory join are supported.
Depending on the OS version, a specific cumulative update (KB) must be installed before the client can receive EPM.
What files can be elevated
Endpoint Privilege Management (EPM) currently supports only executable files in this public preview. Microsoft is currently working on extending support for other file types (MSI, etc.) and providing a simple method to elevate privileges for common operating system tasks.
Documentation
Fortunately, the feature has already been well documented by Microsoft: https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview
Activate Endpoint Privilege Management (EPM)
The feature can be easily activated via the Microsoft Intune admin center:
Microsoft Intune admin center (https://intune.microsoft.com) – Endpoint security – Endpoint Privilege Management – Activate

First test run – First impressions
In the first test attempt we will now activate EPM for a Windows 11 22H2 test client and approve the software VLC for a test user, so that standard users can install it without admin rights.
My Windows 11 22H2 test client already has the March 2023 CU installed (KB5023706, OS Build 22621.1413). Because cumulative updates include their predecessors, the February update KB5022913 referenced in the Windows client requirements is already covered and does not need to be installed separately.
Admin Configuration – Elevation settings policy
First we create the Elevation settings policy to enable the feature on the test client and define settings regarding elevation response/reporting.
Microsoft Intune admin center (https://intune.microsoft.com) – Endpoint security – Endpoint Privilege Management – Create Policy
Platform: Windows 10 and later
Profile: Elevation settings policy
Configuration settings:
Endpoint Privilege Management: Enabled
Send data to Microsoft: If you want to use the EPM Reporting Features, you have to select Yes.
Reporting scope: As we want to test all reporting features – Diagnostic data and all endpoint elevations.
Default elevation response: Since we do not want to allow all application requests by default, we select: Deny all requests.

User Experience with Elevation settings policy in place
Once our elevation settings policy has arrived on the client, we should now already have a new option (Run with elevated access) when we right-click on a file – Show More options.
It is interesting that the option “Run with elevated access” can only be found in the classic context menu. In already published Microsoft demos and also in many screenshots, the option could be seen directly in the Windows 11 context menu. According to Microsoft this will be fixed in a future version.

We can also detect that the EPM Agent (C:\Program Files\Microsoft EPM Agent) has been installed:

If we now try to start the VLC installation setup with “elevated access”, this attempt will fail because we have not yet created an approval policy for VLC.

Admin Configuration – Elevation rules policy
So now let’s create an elevation rules policy for VLC.
Microsoft Intune admin center (https://intune.microsoft.com) – Endpoint security – Endpoint Privilege Management – Create Policy
Platform: Windows 10 and later
Profile: Elevation rules policy
Configuration settings:
Click on “Edit instance” and configure your rule.
Choose a descriptive Rule name and description.
Elevation type: We want the user to provide a business justification for the application and that the user must authenticate for installation. So we choose: User confirmed and select Business justification and Windows authentication.
Signature source: For our first test run we choose: Not configured
When no certificate is used, you must provide a file name and file hash.
File name: Specify the file name and its extension. In our test run this is: vlc-3.0.18-win64.exe
File hash: We can easily read the file hash using the PowerShell cmdlet Get-FileHash. SHA256 is the cmdlet's default algorithm and the hash type the rule expects; the Hash property of the result is the value to paste into the rule:
# Replace the path with the installer you want to approve
Get-FileHash -LiteralPath "C:\path\to\your.exe" -Algorithm SHA256 | Select-Object -ExpandProperty Hash

This results in the following configuration:

If you want to use a “Signature source”, the signer certificate of the file can be exported as a DER-encoded .cer file with the PowerShell cmdlet Get-AuthenticodeSignature (only useful if the signature status is Valid; an unsigned installer must use a file-hash rule):
# Replace both paths; Export-Certificate -Type CERT writes the DER format the rule upload accepts
Get-AuthenticodeSignature -LiteralPath "C:\path\to\your.exe" | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath "C:\Exportpath\Name.cer"
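The two commands above are what you need for a single rule; the following function is an added example (not from the original article or from Microsoft) that combines them so you get all rule inputs for one installer in one call: the exact file name, the SHA256 hash, the Authenticode signature status, and, only when the signature is valid, an exported .cer file for a “Signature source” rule. The file path and the export directory are placeholders you need to adjust.

```powershell
# Added example (not from the original article): collect the inputs an EPM
# elevation rule needs for one installer. Paths are placeholders.
function Get-EpmRuleInputs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,           # installer, e.g. vlc-3.0.18-win64.exe
        [string] $CertExportDir = "$env:TEMP\epm-certs"  # assumed location for exported .cer files
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The rule's "File hash" field expects the SHA-256 of exactly the binary the user will run.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Tells us whether a "Signature source" rule is even possible for this file.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    $result = [ordered]@{
        FileName        = $file.Name          # goes into "File name" (with extension)
        Sha256          = $hash               # goes into "File hash"
        SignatureStatus = $sig.Status         # Valid, NotSigned, HashMismatch, ...
        Signer          = $null
        ExportedCert    = $null
    }

    if ($sig.Status -eq 'Valid') {
        $result.Signer = $sig.SignerCertificate.Subject
        New-Item -ItemType Directory -Path $CertExportDir -Force | Out-Null
        $cerPath = Join-Path $CertExportDir ($file.BaseName + '.cer')
        # DER-encoded .cer, the same format the article exports with -Type CERT
        Export-Certificate -Cert $sig.SignerCertificate -Type CERT -FilePath $cerPath | Out-Null
        $result.ExportedCert = $cerPath
    }
    else {
        # Unsigned or tampered file: only a hash rule is possible, and it must be
        # re-created whenever the installer version (and therefore the hash) changes.
        Write-Warning "$($file.Name): signature status is '$($sig.Status)'. Use a file-hash rule (Signature source: Not configured)."
    }

    [pscustomobject]$result
}

# Usage (placeholder path):
Get-EpmRuleInputs -Path 'C:\Downloads\vlc-3.0.18-win64.exe' | Format-List
```

The signature check matters for the choice between the two rule types: a hash rule only approves this one build of the installer, whereas a certificate rule survives version updates of the software, so it is worth knowing up front whether the file is validly signed.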

User Experience with elevation rules policy in place
Alrighty Then… Once our elevation rules policy has arrived on the client, the user experience should look better and the test user should be able to install VLC without admin rights.
So we start the VLC installation setup again with “elevated access”. This time we are asked for a business justification as defined in our policy.

Then the credentials are requested, also as defined in our policy:

After the credentials have been entered… Ok, this “Something went wrong” error message comes unexpectedly:

But the VLC setup nevertheless starts with admin rights and installs successfully.


Troubleshooting and further testing
Further application tests with 7-Zip and cmd.exe were successful without the “Something went wrong” message.
Upon further testing, I noticed something else:
Windows marks files downloaded directly from the Internet (the “Mark of the Web”) and blocks their execution until the block is removed. If a downloaded installer still carries this mark, the installation with EPM will fail.

If this is the case, just set it to “unblock” in the General Properties:
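Ticking “Unblock” in the file properties removes the Mark of the Web for good, so it is worth confirming first that the file you are unblocking is really the one approved in the elevation rule. The function below is an added example (not from the original article or from Microsoft): it reads the Zone.Identifier alternate data stream that holds the mark, compares the installer's SHA256 hash with the hash you entered in the rule, and only then calls Unblock-File, which is the scripted equivalent of the “Unblock” checkbox. The path and the expected hash are placeholders.

```powershell
# Added example (not from the original article): inspect the Mark of the Web on a
# downloaded installer and remove it only if the file still matches the SHA-256
# hash entered in the EPM elevation rule. Path and hash are placeholders.
function Unblock-EpmInstaller {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash from the elevation rule
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The download marker is stored in the Zone.Identifier alternate data stream.
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Host "$($file.Name): no Zone.Identifier stream, nothing to unblock."
        return $true
    }

    # ZoneId=3 is the Internet zone; that is what shows the block in General properties.
    $zoneText = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
    Write-Host "Zone.Identifier contents:`n$zoneText"

    # Refuse to unblock anything that is not the exact binary approved by the rule.
    # PowerShell's -ne compares strings case-insensitively, so hash casing does not matter.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "$($file.Name): hash $actual does not match the rule's hash; leaving the block in place."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove Mark of the Web')) {
        Unblock-File -LiteralPath $file.FullName   # same effect as ticking "Unblock" in General properties
    }
    return $true
}

# Usage (placeholders; -WhatIf shows what would happen without changing the file):
Unblock-EpmInstaller -Path 'C:\Downloads\vlc-3.0.18-win64.exe' -ExpectedSha256 '<hash from the EPM rule>' -WhatIf
```

If you distribute installers to users, removing the mark on the approved file as part of the deployment saves the support call, while the hash check keeps a user from unblocking a different download under the same name.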

Conclusion
Except for the first test with VLC, all other EPM installation tests ran without errors (no “Something went wrong” message).
The EPM reports currently provide “no data”, although the reporting is actually completely activated in the configuration. According to documentation, this can take up to 24 hours. So a little patience is still needed here.
Data is processed once every 24 hours. There may be a delay before seeing data in the elevation usage reports.
https://learn.microsoft.com/en-us/mem/intune/protect/epm-reports
Now I would be interested in your experience with Endpoint Privilege Management (EPM). Did the first tests work properly for you? Feel free to ask me questions or share your personal experiences in the comments.