Master Least Privilege Access with Microsoft EPM and Intune
In today’s modern IT environments, implementing the principle of least privilege is essential for security. But how can you quickly gain administrative or elevated privileges on client devices without compromising security?
- Customer Use Case – The Problem
- The Basics
- News from Ignite and more for Microsoft EPM
- Types of Policies
- Types of Elevations
- Creation of Elevation Rules based on Support Approved Request
- Community Solutions to receive Notifications within Teams
- Common Use cases of Microsoft EPM
- Customer Use Case – The Solution
- What's not possible (yet)
- That's it
Customer Use Case – The Problem
The main application of a customer of mine has a very important printing component to print out invoices and more. Sounds simple, doesn’t it? The issue is that this component requires manual updates every week—if that doesn’t happen, there are no printouts, no invoices, and ultimately, no revenue.
To solve this, the customer had to assign a person from the internal IT department to install the new printing component every week. That person had to connect manually to the remote PC and use local admin privileges on the device to install the necessary software. After that the problem was gone – for a week.
There are several major downsides of this process:
- IT staff only needed elevated privileges to install the software, but they had local admin privileges for the whole device
- User couldn’t work during installation of new printing component
So what can be improved in this process, you may ask yourself? I tell you: a lot!
This is where Endpoint Privilege Management solutions come into play. Implementing an EPM tool provides just-in-time admin rights for your users, helpdesk or other departments, on a case-by-case basis. Within the Intune Suite or as a standalone add-on, Microsoft already provides the right tool for it: Microsoft Endpoint Privilege Management (EPM).
The Basics
What is Microsoft EPM?
Endpoint Privilege Management (EPM) is a security solution that allows organizations to grant users temporary, just-in-time administrative access instead of permanently assigning full local admin rights. This not only minimizes security risks but also ensures that users receive only the elevated privileges they need—precisely when they need them. In today’s evolving threat landscape, EPM is a crucial tool for maintaining a secure environment while preserving operational efficiency.
Prerequisites for Microsoft EPM
Licensing
- Intune Plan 1
- Standalone EPM License / Intune Suite License
Requirements
- Microsoft Entra joined or Microsoft Entra hybrid joined device (including ARM)
- Microsoft Intune Enrollment or Microsoft Configuration Manager co-managed devices (no workload requirements)
- Supported Operating System
- Clear line of sight to the required endpoints
- Latest Windows 10/11 Patches
Service Endpoints
- *.dm.microsoft.com (TCP 443 outbound)
- *.events.data.microsoft.com (TCP 443 outbound)
Important
SSL inspection is not supported.
Supported Filetypes
Currently the following filetypes are supported:
- .exe
- .msi
- .ps1
News from Ignite and more for Microsoft EPM
At this year's Ignite, Microsoft announced the support of EPM for ARM devices (Intune Service release 2503) – so all available Windows 11 business / enterprise devices will support Endpoint Privilege Management in the near future. Additionally there will be:
- An improved elevation detection, especially for UAC prompts
- Support for Azure Virtual Desktop (AVD) Single Session desktops
- Support for command line arguments.
Types of Policies
Elevation Settings in Microsoft EPM
With Elevation Settings policies you define the general behaviour of EPM, the general reporting settings, and last but not least you enable EPM. The following settings can be configured:
Enablement
The first setting of this policy just enables Endpoint Privilege Management in general. The deployment of the EPM-Agent will happen automatically in the background.
Additionally, your devices will be joined to the new Intune backend, as Rudy mentioned here:
Default Elevation Response
With this setting it’s possible to define the default behavior of EPM in case there’s no explicit elevation rule. There are the following options:
Important
Choose either Deny all requests or Require support approval.
Require user confirmation would be too insecure as a default: with it, the user could run any application with elevated permissions through EPM simply by providing «user confirmation».
Info
Different types of elevations will be covered in the next chapter.
Reporting and Scope
Last but not least, you can define if elevation data should be sent to Microsoft for reporting.
Additionally, it’s possible to configure the reporting scope.
To understand these options it’s important to know what kind of reports exist.
| Report Name | Description | Key Points | Needed Data |
|---|---|---|---|
| Elevation Report | Displays all reported elevations, including those managed by specific rules and those captured by default elevation settings. | – File name: Name of the file that received an elevation request. – User: User who requested the elevation. – Device: Device where the request was made. – Result: Success or failure of the elevation. – Date and time: When the request was made. | Diagnostic data and all endpoint elevations. |
| Managed Elevation Report | Focuses on elevations managed by a Windows elevation rule policy. | Contains similar details as the Elevation Report but limited to managed elevations. | Diagnostic data and managed endpoint elevations only. |
| Elevation Report by Applications | Aggregates details of all managed and unmanaged elevations by application. | – Internal file name – File version – Publisher – Elevation type – Elevation count | Diagnostic data and all endpoint elevations. |
| Elevation Report by Publisher | Aggregates details of all managed and unmanaged elevations by publisher. | – Publisher – Elevation type – Elevation count | Diagnostic data and all endpoint elevations. |
| Elevation Report by User | Aggregates details of all managed and unmanaged elevations by user. | – Internal file name – File version – Publisher – Elevation type – Elevation count | Diagnostic data and all endpoint elevations. |
Info
To learn more about collected data in general, please have a look at Microsoft’s Data Collection Reference: Review the type of data that Microsoft Intune Endpoint Privilege Management collects | Microsoft Learn
Difference between Diagnostic Data and Usage Data (Microsoft's definitions)
Diagnostic Data
Diagnostic data is event data that Microsoft uses to monitor the health of the client-side components that provide the capability to elevate as a standard user.
Usage Data
Usage data is elevation data that is used by admins to determine what elevations occur in their environment. This data is stored within your Intune infrastructure and is used to populate the elevation reports. When configuring reporting scope, you configure what scope of data is collected and can choose between:
- Diagnostic data and managed elevations only
- Diagnostic data only
- Diagnostic data and all endpoint elevations that take place on a device
Elevation Rules in Microsoft EPM
With elevation rules it’s possible to configure what happens if a user wants to start an app with elevated privileges (EPM). The following options are available:
Elevation Condition
First you have to set a rule name and description (optional). Besides that, there are the following options:
Elevation type
Specifies the method of elevation for the application:
– User Confirmed: Requires user confirmation.
– Automatic: Elevates without user intervention.
– Support Approved: Requires administrative approval.
Validation (User confirmed)
Additional user validation requirements:
– Business Justification: User provides a reason for elevation.
– Windows Authentication: User authenticates with organizational credentials.
Child process behavior
Controls elevation for child processes spawned by the elevated application:
– Require Rule to Elevate: Child processes need their own rules.
– Deny All: Child processes are not elevated.
– Allow All: Inherits the parent’s elevated context.
File Information
The most important part of elevation rules is the file information. Here you define which file you target exactly: if it’s identified by a certificate or file hash, or both of these options, and much more.
| Option | Required | Detail |
|---|---|---|
| Filename | Yes (if file hash is used) | Filename of the executable |
| File Path | No | Path of the executable |
| Signature source | Yes (if certificate is used) | Option to configure if the certificate of the app is uploaded directly or used from reusable settings |
| Certificate Type | Yes (if certificate is used) | Option to configure what kind of certificate got uploaded or chosen |
| File hash | Yes (if file hash is used) | Option to configure a file hash if needed |
| Minimum version | No | Option to configure a minimum file version if needed |
| File description | No | Option to add a file description |
| Product name | No | Option to add a product name |
| Internal name | No | Option to add an internal name |
Reusable Settings
With reusable settings you can upload a single certificate file once and apply it to multiple elevation rules within Microsoft EPM. If you have to update that certificate, you only have to update it in one place.
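To fill in the File Information fields and the certificate for reusable settings from a real binary, here is an added PowerShell script (not from the original post and not Microsoft's code) that collects the file hash, the version-resource fields and the signer certificate of one executable. It assumes that EPM file hash rules use the SHA-256 hash Get-FileHash returns by default and that the certificate upload accepts a DER-encoded .cer file; the path you pass in is up to you.

```powershell
# Added example, not from the original post: gather the values an EPM elevation
# rule asks for (filename, path, SHA-256 hash, version fields, publisher and
# issuer certificate) from a single executable.
# Assumption: EPM file hash rules use SHA-256 (the Get-FileHash default) and the
# rule's certificate upload accepts a DER-encoded .cer file.
param(
    [Parameter(Mandatory)][string]$Path,     # executable to inspect
    [string]$CertOutDir = $PWD                # where the .cer files are written
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# "File hash" option: SHA-256 of the binary
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# Optional fields: version resource of the executable
$vi = $file.VersionInfo

# Authenticode signature; only a valid signature yields a usable publisher cert
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
$leafPath = $null; $issuerPath = $null; $issuerSubject = $null
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    $leaf = $sig.SignerCertificate
    # Publisher certificate (Certificate Type "Publisher") as DER .cer
    $leafPath = Join-Path $CertOutDir ("publisher-{0}.cer" -f $leaf.Thumbprint)
    Export-Certificate -Cert $leaf -FilePath $leafPath -Type CERT | Out-Null

    # Build the chain to also export the issuing CA (Certificate Type "CA")
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    [void]$chain.Build($leaf)
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
        $issuerSubject = $issuer.Subject
        $issuerPath = Join-Path $CertOutDir ("issuer-{0}.cer" -f $issuer.Thumbprint)
        Export-Certificate -Cert $issuer -FilePath $issuerPath -Type CERT | Out-Null
    }
}

# One object with every value needed for the rule; unsigned files report
# SignatureStatus <> Valid, so fall back to the file hash for those.
[pscustomobject]@{
    Filename        = $file.Name
    FilePath        = $file.DirectoryName
    FileHashSHA256  = $hash
    FileVersion     = $vi.FileVersion
    FileDescription = $vi.FileDescription
    ProductName     = $vi.ProductName
    InternalName    = $vi.InternalName
    SignatureStatus = $sig.Status
    Publisher       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
    Issuer          = $issuerSubject
    PublisherCer    = $leafPath
    IssuerCer       = $issuerPath
}
```

Save it as a .ps1 and run it with the path of the update executable; the exported publisher .cer is the file to upload once into reusable settings.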
Types of Elevations
Support Approved
If you set your default response to «Deny all» in the elevation settings policy, a user will receive an error when opening an application for which no rule exists yet. To avoid that, you can configure «support approved». With this as the default response, a user can «request elevated permissions for any application» he or she wants. After the request is submitted, the Microsoft Endpoint Privilege Management agent sends it to the Intune Admin Center.
Now your support department can allow or deny the request.
Information
It’s also possible to add the publisher certificate from the requested application to reusable settings from here. Pretty nice.
Automatic
In some cases it makes sense to configure an automatic elevation. For example, for a repetitive task. These use cases have to be well considered. Once configured for an application, the user can open the app with elevated permissions and won’t get asked for any type of reauthentication.
Example Printing Driver
Require User Confirmation
Elevation type «Require User Confirmation» is very useful in some use cases. Every elevation rule configured with this elevation type can force the user to reauthenticate with Windows Hello for Business and/or to provide a business justification. After doing that, the user is allowed to open the app with elevated privileges.
Creation of Elevation Rules based on Support Approved Request
If you get many support approved requests for an application which doesn't have a rule yet, it could make sense to create one, right? Of course. And Microsoft EPM has you covered: it's possible to create an elevation rule straight out of an elevation request.
Now you just have to choose the matching elevation type and decide on the child process behavior. Optionally, you can require the same path as in the elevation request.
Then you name the policy, and after some magic in the backend you have a finished Microsoft EPM Elevation Rule – with publisher certificate and file hash already uploaded, and ready to be assigned to your users. Lovely, right?
Community Solutions to receive Notifications within Teams
Receiving support approved requests in the Intune Admin Center is very nice, but what if you aren't there all day long? Is there any way to get notified about a new request? Natively, unfortunately, not yet, but the Intune community already has some great solutions for that problem.
Just to mention some of them, please have a look at this perfect example from Jose:
https://intune.tech/2024/08/28/Notifications-for-epm-elevation-requests.html
Or this one from Joost:
Or this example from Peter:
I tested all of them in my lab environment, and they work perfectly. Amazing job guys!
Common Use cases of Microsoft EPM
- Application installations / updates
- Driver installations / updates
- System configurations
- Diagnostic operations
Example Use Case
Some users of your company need to be able to install updates for a certain application. Until now they may have achieved that through the LAPS admin account or similar methods.
Now, you would create an elevation rule for this specific app, and your users would be able to update this app themselves without having local admin permissions for the whole device. Instead, they only have elevated permissions for this specific use case.
Customer Use Case – The Solution
With Microsoft Endpoint Privilege Management in place, we were able to change the process of updating the printing component of my customer's main software completely.
Until now, they had to manually update this component every week, which consumed significant time and resources, as the device user couldn’t perform the update independently.
Now, with Microsoft EPM, there's an Elevation Rule for the update executable which provides the user with just-in-time elevated privileges for just this single .exe file. This way the user can update the component themselves, local IT can focus on managing the IT infrastructure, and their clients stay safe and under their control. A win-win situation.
Example: HP Printing Driver Update
Automatic Elevation Rule based on support approved request for HP printing driver update.
What’s not possible (yet)
- Of course everything I mentioned in the «News» section. (Elevation detection, …)
- Support for more file-types
- Realtime notifications
Additionally, it can be difficult if you have developers who, for example, need their own Visual Studio user context but with elevated privileges. Microsoft EPM elevates an application with a virtual user; because of that, Visual Studio is opened with elevated permissions, but not in the logged-on user's context. For that and many more use cases, there are already community solutions out there to get you covered.
That’s it
Microsoft EPM is an amazing product, integrated perfectly within Microsoft Intune. The add-on makes it possible to give your users elevated privileges, but only for the specific use case and only when they need them. And the best part: you as Intune admin will always be in control.
Now you know everything about Microsoft Endpoint Privilege Management. It's definitely worth testing it out. You're only a few clicks away from getting a trial license for it in the Intune portal. I'm sure Microsoft will develop this product even further and hopefully there will be even more amazing new features in 2025. Let's stay tuned!