JamesMooney
Brass Contributor
Nov 22, 2023

Endpoint Privilege Management Issue

We recently tested EPM via the trial. We created the deny-all elevation settings policy detailed in most of the guides out there to deny all requests, and then created an Elevation rules policy for some apps to test, using the hash to verify. All worked well on the trial, so we purchased the license for a Pilot group to test.

Now it no longer works. The policy is applied to users under the report and all are licensed, but I get the following error on elevation
If I change the deny-all elevation settings policy to user confirmation, the rules work again, but this is not the behavior I experienced on the trial. Are you still required to block all requests as part of the initial setup?

  • Hello JamesMooney

    Welcome to the Microsoft community. My name is Recep, and I'll be happy to help you today.

    • Ensure that the Endpoint Privilege Management licenses are correctly assigned to the users in your Pilot group. Sometimes, licensing issues can cause unexpected behavior.
    • Confirm that the EPM policies are being successfully applied to the devices in your Pilot group. Check the Intune console for any errors related to policy enforcement.
    • Double-check the configuration of your EPM policies. Ensure that the deny all elevation settings policy is configured correctly and is prioritized appropriately in relation to other policies.
    • Verify the configuration of your elevation rules for specific applications. Check the hash values and ensure that they match the applications you are trying to allow.

    If you are still having issues, please follow the link below:

    https://learn.microsoft.com/en-us/mem/intune/protect/epm-policies

    If I have answered your question, please mark your post as Solved

    If you like my response, please give it a Like 🙂

    Appreciate your Kudos! Proud to contribute! 🙂

    • terryhugill
      Brass Contributor
      I appreciate this is old, but how do you prioritise the policies? I have the same issue. It is either all denied, or all allowed regardless of the fact that I have a file policy to allow elevation of PowerShell ISE for testing.
      • terryhugill
        Brass Contributor
        I think I found the answer. The user policies are given higher priority than the device policies so it means that I should apply a deny all scoped to the device(s) and then an allow elevation policy to the users. I am testing it now.
