Intune Suite Part 2: Easy start with Endpoint Privilege Management

In my second part of the Intune suite series I want to talk about Endpoint Privilege Management. This feature is brand new and was released yesterday. Endpoint Privilege Management (EPM) is a powerful feature in Microsoft Intune that allows you to enable users to run as standard users, without administrative rights, while still being able to complete tasks that require elevated privileges. This blog post will guide you through setting up Endpoint Privilege Management in your organization, ensuring users can remain productive without compromising on security.

Source: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/enable-windows-standard-users-with-endpoint-privilege-management/ba-p/3755710

What is Endpoint Privilege Management?

EPM is a new feature to drive your organization’s zero-trust journey. This feature helps you to achieve a broad user base running with least privilege. Tasks that commonly require administrative privileges, such as installing applications (e.g., Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics, can be completed by users without compromising security.

What are the prerequisites?

Before setting up EPM, ensure that you fulfill the following requirements:

  • Licensing: During public preview, EPM doesn’t require a license. After public preview, your tenant must be licensed for EPM, either as part of the Intune Suite or as a standalone license.
  • Windows Client requirements: EPM has specific operating system requirements, including Windows 11 (versions 22H2 and 22H1 with the appropriate KB updates) and Windows 10 (versions 22H2 or later, 21H2 or later, and 20H2 or later with KB5023773).
  • Supported trust types: Only devices with a Hybrid Azure Active Directory join or Azure Active Directory join are supported. Workplace join is not supported.

How to enable Endpoint Privilege Management

  • Open the Intune Console
  • Navigate to Endpoint Security -> Endpoint Privilege Management
  • Click Activate

What are the different Menu options?

  • Report: Here you can find the Elevation report and the Managed elevation report. It can take up to 24h until you see data in these reports.
  • Policies: The section where you create Elevation Rules Policies and Elevation Settings Policies. More info about this below.
  • Reusable settings (preview): In this section you can import certificates and reuse them in the different Elevation Rules Policies.

What is the difference between Elevation Rules Policy and Elevation Settings Policy?

Purpose:

  • Elevation Settings Policy: This policy focuses on configuring the overall behavior of file elevations when standard users request to run with administrative privileges. It enables EPM and configures the data sharing with Microsoft.
  • Elevation Rules Policy: This policy is specifically used to manage the identification of individual files and how elevation requests for those files are handled. It consists of elevation rules that define the files being managed and the requirements for them to be elevated.

Configuration:

  • Elevation Settings Policy: It covers various settings, such as enabling EPM, defining default responses, setting validation options and controlling data sharing with Microsoft.
  • Elevation Rules Policy: It comprises elevation rules that identify files, set optional conditions, support certificate validation, and configure file evaluation types (e.g., user-confirmed or automatic elevation).

Focus:

  • Elevation Settings Policy: The focus is on the overall behavior of file elevations and the default response when a file is not managed by an elevation rule policy.
  • Elevation Rules Policy: The focus is on managing specific files and defining their elevation requirements individually.

In conclusion, the Windows Elevation Settings Policy deals with the general configuration and behavior of file elevations, while the Windows Elevation Rules Policy manages specific files and their elevation requirements. Both are necessary to configure EPM.

How to create an EPM Elevation settings policy?

Windows elevation settings policy is essential for deploying Endpoint Privilege Management (EPM) to users or devices, as it enables EPM on a device, sets default rules for elevation requests for unmanaged files, and configures the information EPM reports back to Intune. Follow these steps to create a Windows elevation settings policy:

  • Click + Create Policy
  • Select Windows 10 and later as Platform
  • Select Elevation settings policy as Profile
  • Click Create
  • Enter a Name and click Next

On the Configuration settings page, configure the following options:

  • Endpoint Privilege Management: Set to Enabled (default). When Enabled, a device uses Endpoint Privilege Management. When set to Disabled, the device doesn’t use EPM and will disable EPM if previously enabled. After seven days, the device will deprovision the components for EPM.
  • Default elevation response: Configure how the device manages elevation requests for files that aren’t directly managed by a rule. Options include:
    • Not Configured (functions the same as Deny all requests)
    • Deny all requests
    • Require user confirmation
  • Send data to Microsoft: Set to Yes (default) or No. If set to Yes, you can configure a Reporting scope.
  • Reporting scope: Choose the type of information the device reports to Intune. Options include:
    • Diagnostic data and all endpoint elevations (Default)
    • Diagnostic data and managed elevations only
    • Diagnostic data only
  • Click Next -> Next
  • Create an assignment and click Next -> Review + create.

It is recommended to first assign the policy to a small group to evaluate the setting. Devices must have this policy enabled before they can process an elevation rules policy or manage elevation requests.

After some minutes you should find the following folder on your file system: C:\Program Files\Microsoft EPM Agent

How to create a Windows Elevation Rules Policy?

A Windows elevation rules policy can be deployed to users or devices to manage elevation requests for specific files through Endpoint Privilege Management (EPM).

  • Click + Create Policy
  • Select Windows 10 and later as Platform
  • Select Elevation settings policy as Profile
  • Click Create
  • Enter a Name and click Next

In the Configuration settings page, add a rule for each file managed by this policy. Configure the first blank rule, and click Add to include more rules if needed.

To configure a rule:

  1. Click Edit instance to open its Rule properties page.
  2. Enter a descriptive Rule name and an optional Description.
  3. Set the Elevation type (User confirmed or Automatic).
  4. Specify the File information (file name, file path, signature source, file hash, minimum version, file description, product name, and internal name).

User Confirmed: When a file with this elevation type is executed, the user receives a prompt to confirm their intent to run the file with elevated privileges. Additional validation prompts can be added, such as requiring a business justification or Windows authentication. This option is recommended for most files, as it ensures user awareness and provides an additional layer of security.
Automatic: With this elevation type, the file in question is automatically run with elevated permissions, without any user interaction or prompting. This option should be used with caution and reserved for trusted files only, as poorly defined rules with automatic elevation can potentially allow unauthorized applications to run with elevated privileges.

  • Get the certificate from the application
  • Another way to get the certificate is via the following PowerShell command:
    Get-AuthenticodeSignature pathToFile | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath outputPath
  • Select the certificate and select the Certificate type
  • Add the file hash in the File Hash field (you can get the file hash with the following command: Get-FileHash pathToFile)
  • Click Save
  • Click Next -> Next
  • Create an assignment and click Review + create
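As an added example (not from the post or from Microsoft), the following PowerShell function gathers in one step everything the File information section of a rule asks for: file name, path, SHA256 hash, a clean minimum version, description, product and internal name, and exports the signer certificate for import under Reusable settings. It refuses files whose Authenticode signature is not valid, so a tampered or unsigned binary cannot accidentally end up behind an Automatic rule. The paths in the usage line are assumptions.

```powershell
# Added example, not from the post. Collects the File information values for an
# Elevation Rule and exports the signer certificate. Paths are assumptions.
function Get-EpmRuleFileInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $CertOutputPath
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Only build a rule from a file whose signature chains to a trusted root on this machine;
    # an unsigned or tampered binary must not end up behind an Automatic rule.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$($file.Name)' is '$($sig.Status)', expected 'Valid'."
    }

    # DER-encoded leaf (publisher) certificate, ready to import under Reusable settings.
    $null = Export-Certificate -Cert $sig.SignerCertificate -FilePath $CertOutputPath -Type CERT -Force

    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $vi   = $file.VersionInfo
    # Build "major.minor.build.private" from the numeric parts; the FileVersion string
    # sometimes carries extra text that the Minimum version field will not accept.
    $minVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    [pscustomobject]@{
        FileName         = $file.Name
        FilePath         = $file.DirectoryName
        FileHashSHA256   = $hash.Hash
        MinimumVersion   = $minVersion
        FileDescription  = $vi.FileDescription
        ProductName      = $vi.ProductName
        InternalName     = $vi.InternalName
        SignerSubject    = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
        SignerNotAfter   = $sig.SignerCertificate.NotAfter
        CertificateFile  = $CertOutputPath
    }
}

# Usage (assumed paths): print every value to copy into the rule.
Get-EpmRuleFileInfo -Path 'C:\Tools\setup.exe' -CertOutputPath 'C:\Temp\setup-publisher.cer' | Format-List
```

SignerNotAfter is worth keeping an eye on: a rule that validates on the certificate stops matching once the publisher re-signs the binary with a renewed certificate.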

What is the user experience for EPM?

  • Right-click the app, select Show more options, and select Run with elevated access (in later versions this entry will appear directly in the first context menu).

  • Enter a business justification and click Continue; the app will start with elevated rights.

Reports for Endpoint Privilege Management

Note that data processing occurs every 24 hours, so there may be a delay in viewing elevation usage reports.

Two types of reports are available:

  • Elevation Report: This report lists details about all reported elevations, including managed elevations and those captured by default elevation setting policies. Information columns include file name, user, device, result, and date and time. By selecting an entry, users can view further details about the elevation request and the associated file.
  • Managed Elevation Report: This report provides similar details as the Elevation Report but focuses only on elevations managed by a Windows elevation rule policy.

Using Graph to get Reports

Here is the Graph endpoint to access the reports. You can use it, for example, to create alerts.

https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations?top=20

In my case it is currently empty because it can take up to 24h until the records are listed.
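As an added example (not from the post), this PowerShell script pages through the endpoint above and summarises the unmanaged elevations of the last 24 hours by file hash, which is the raw material both for a new Elevation Rule and for a simple alert. It assumes the Microsoft.Graph.Authentication module, a caller granted DeviceManagementConfiguration.Read.All, and that the beta schema uses the property names elevationType, fileName, hash, upn and eventDateTime, with unmanagedElevation as the value for elevations no rule covered.

```powershell
# Added example, not from the post. Assumptions: Microsoft.Graph.Authentication module,
# DeviceManagementConfiguration.Read.All permission, and the beta property names below.
function Get-EpmElevation {
    [CmdletBinding()]
    param()
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations?$top=100'
    $records = @()
    # Follow @odata.nextLink so that every page of records is returned, not only the first.
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $records += $page.value
        $uri = $page.'@odata.nextLink'
    }
    $records
}

function Get-EpmUnmanagedSummary {
    [CmdletBinding()]
    param(
        [object[]] $Elevations = @(),   # empty while the 24h processing delay has not passed
        [int] $SinceHours = 24,
        [int] $AlertThreshold = 5
    )
    $cutoff = [datetimeoffset]::UtcNow.AddHours(-$SinceHours)
    $recent = $Elevations | Where-Object { [datetimeoffset]$_.eventDateTime -ge $cutoff }

    # Unmanaged elevations are files no rule covers: candidates for a new rule and,
    # when the same hash shows up for many users, the thing to alert on.
    $recent |
        Where-Object { $_.elevationType -eq 'unmanagedElevation' } |
        Group-Object hash |
        ForEach-Object {
            [pscustomobject]@{
                FileName = $_.Group[0].fileName
                Hash     = $_.Name
                Count    = $_.Count
                Users    = @($_.Group.upn | Sort-Object -Unique) -join ', '
                Alert    = ($_.Count -ge $AlertThreshold)
            }
        } | Sort-Object Count -Descending
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
$summary = Get-EpmUnmanagedSummary -Elevations (Get-EpmElevation) -SinceHours 24
$summary | Format-Table
if ($summary | Where-Object Alert) {
    Write-Warning 'Unmanaged elevation threshold exceeded; review the Elevation report.'
}
```

The post uses ?top=20 on the endpoint; $top is the OData form of the same parameter, which is why the URI above is single-quoted so PowerShell does not expand it as a variable.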

More sources

10 thoughts on “Intune Suite Part 2: Easy start with Endpoint Privilege Management”

  1. Will EPM only apply to licensed users? Example, if a policy is applied to all devices, but a user on the device is not licensed, will the policy not apply to unlicensed users?