Endpoint Privilege Management - "Run with elevated access" only required once?

Question

Hi,&nbsp;I am just evaluating EPM and I just wanted to clarify the functionality.&nbsp; I've deployed my settings policy and created a rule to allow a specific app to run with evaluated privileges.&nbsp; The policy was deployed successfully to the PC.&nbsp; When I clicked on the test application (that requires elevated privilege permission) I got the UAC prompt, which is what I was expecting.&nbsp; Next I right click the app and this time select "Run with elevated access".&nbsp; For info the policy sets the application evaluation type to "Automatic" so the app loads with out the user having to enter a justification. I then close the app and this time just double click it to open it and it opens no UAC prompt or with the need to me to click "Run with elevated access" .&nbsp; I can see with Procmon that the application is running under the EPM account so I believe it is working OK.&nbsp;My question is once a application has been run once with the "Run with elevated access" command is it then approved to run all the time with out the need to select the "Run with elevated access" command?&nbsp; It not a massive issue as the app is authorised but it would be good to understand if this behaviour is correct.&nbsp;Thanks

rudy_ooms_mvp · Answer

Mmm... i just added the app with the same values as you did in epm and I can launch it without getting an additional uac prompt. Did you perhaps configured any additional uac settings? that could interfere with the consentpromptbehavior settings in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

jeroenburgerhout · Answer

👀. Rudy_Ooms_MVP

rudy_ooms_mvp · Answer

It depends on how you configured the rule... did you configured the rule on automatic of user confirmed?
If you configure the rule to be automatic... its automatic 🙂 .. so not right click and clicking run elevated

https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview#important-concepts-for-endpoint-privilege-management

rob-ctl · Answer

Hi Rudy_Ooms_MVPThanks for the response, yes the policy is set to automatic but the question I was trying to ask, apologies if I wasn't clear, is why on first clicking of a approved privileged app it would cause the UAC prompt to appear and require the user to use the "Run with elevated access" command then after that the user can just double click the app and it will load i.e. not having to go through the "Run with elevated access" process. I am trying to document the process for users so I am just trying to understand if this behaviour is by design.

rudy_ooms_mvp · Answer

Which app did you configured for epm elevation?  As doing this for powershell doesn't give you the  uac prompt. I assume that app needs to perform some other tasks first to be able to be launched automatically.  If you have the name of the app or could share some more info, i could try to see whats happening and give you the reason why that uac is shown

Forum Discussion

Endpoint Privilege Management - "Run with elevated access" only required once?

7 Replies

Resources