
Uplevel security with Endpoint Privilege Management + Windows LAPS

Event Ended
Tuesday, Nov 28, 2023, 07:00 AM PST
Online

Event details

It's simple. Running devices as standard user can help lower your attack surface. Let's talk about the threats we face today, the keys to implementing "just enough" access for your users with Microsoft Intune Endpoint Privilege Management (EPM), and how to better secure local accounts with Windows LAPS.


This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

Char_Cheesman
Updated Dec 27, 2024

41 Comments

  • Thomas Persson
    Copper Contributor
    Does the client computer need to be AAD joined or Hybrid joined or does it also work on AD-joined to support EPM and/or Windows LAPS?
  • FYI, there will be a dedicated Windows LAPS session hosted by Jay Simmons "Windows LAPS: enhancements and roadmap" on Nov. 29 @ 10:30 AM PST. Make sure to check it out to learn more about Windows LAPS. Bookmark the link here: https://aka.ms/TT/WindowsLAPSEnhanced
  • Having EPM use notifications is possibly an issue for us. Many users disable notifications or use focus assist, so they might not see the popup?
    • Matt_Call
      Microsoft
      Thanks for the feedback Paul! Are you saying that you want EPM to break through your notification channel or you want us to use a separate one?
      • Paul_Woodward
        Iron Contributor
        er, yes! Either would do! As an Intune admin we have had to stop using toast notifications as so many people just don't see them.
  • byrnzie
    Copper Contributor
    For the EPM rules, what would be best to simplify the rule, file hash or a CA cert?
    • Matt_Call
      Microsoft
      Hey Byrnzie! File hash is extremely specific. Using our certificate rules, you can easily assert trust for a publisher or signer, and put guardrails in place (like file version, internal name, etc.) to control what from that publisher is allowed to elevate. Just be careful to make sure your rules are not too broad... Let us know if you have any other questions.
  • tmareid
    Copper Contributor
    We are hoping to trial EPM in the new year. Is there a trial checklist or guide available, so that we can make sure to make the most of the trial period, utilising the full feature set?
  • jeddy_
    Iron Contributor
    How can EPM be leveraged to allow certain tasks/settings changes inside of Windows itself that are normally restricted for non-admin users (i.e. allowing certain users to change network/IP address settings, allowing all users to edit the Public Desktop, etc.)?
    • Terry_Rutter
      Copper Contributor
      With Windows 10 there were several "workarounds", but those are not working in Windows 11. For instance, in Win 10 a non-admin could change the IP address of a device by going through Settings but could not change it via Control Panel. Conversely, a non-admin could change their Time Zone through Control Panel but not through Settings or the Task Bar. We're having to use the Network Configuration Operators group for IP address changes, which makes things messy as in many cases the user gets over-provisioned. Matt, add me as a user who needs some of these permissions to allow non-admins to perform some tasks.
    • Matt_Call
      Microsoft
      Hey Jonathan! Our team is currently working on supporting different Windows Settings that are traditionally in the 'application realm'. We're hoping to have something for you all in the near future!
  • UserID144294
    Copper Contributor
    "Is there a specific configuration required for LAPS on Autopilot hybrid domain-joined devices? Although the policy shows as succeeded on the device, it states 'No local administrator passwords found.' It worked for Azure-joined devices but not for those in the hybrid domain-joined setup."
    • LauraArrizza
      Microsoft
      Thanks Glenda for the question! I would suggest confirming that the LAPS policy configurations are set up correctly to match the backup storage location with the type of device you are targeting, i.e. either AAD or AD only. If the storage location is configured correctly, I would confirm that the policy reports back that the device has the settings applied successfully (via the policy report or the device report), or complete a policy sync/refresh the page until it appears. There is also a prerequisite to toggle LAPS "on" in the Entra portal. Hope that helps! Check out the docs for more info: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings

      • UserID144294
        Copper Contributor
        Thanks for the reply. The Backup Directory is set to Azure AD only but I can't read the LAPS info for the device in the case of a hybrid domain joined device. Do I need any different configuration for the hybrid domain joined?
  • Char_Cheesman
    Bronze Contributor
    Welcome to Uplevel security with Endpoint Privilege Management + Windows LAPS and to day 2 of Microsoft Technical Takeoff for Windows + Intune! Have a question? Post here in the Comments so we can help. Let’s make this an active Q&A!
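The following added example is not part of the session or of Microsoft's tooling; it is a PowerShell helper that gathers, for one executable, the attributes Matt_Call's reply mentions for EPM elevation rules (file hash, signing certificate, file version, internal name), so an admin can see how narrow a hash rule is compared with a certificate rule plus guardrails. The function name and the input path are assumptions.

```powershell
# Added example, not Microsoft's or the session's code. Collects the attributes an
# Intune EPM elevation rule can key on, for a single executable, so a hash-based rule
# can be compared with a certificate-based rule constrained by version/name guardrails.
function Get-EpmRuleAttributes {
    [CmdletBinding()]
    param(
        # Path to the executable to inspect (hypothetical input supplied by the admin)
        [Parameter(Mandatory)] [string] $Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $ver  = $file.VersionInfo

    # An unsigned or tampered binary cannot be covered by a certificate rule at all;
    # surface that instead of silently emitting empty publisher fields.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$($file.Name)' is '$($sig.Status)'; only a file-hash rule is possible."
    }

    [pscustomobject]@{
        FileName        = $file.Name
        # File-hash rule: matches exactly this build; any update to the binary breaks it.
        Sha256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # Certificate rule: trust the signer, then narrow with the guardrail fields below.
        SignatureStatus = $sig.Status
        Publisher       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Issuer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { $null }
        CertThumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        # Guardrails named in the reply: keep a publisher rule from covering everything they sign.
        FileVersion     = $ver.FileVersion
        InternalName    = $ver.InternalName
        ProductName     = $ver.ProductName
    }
}

# Example call (path is a placeholder; substitute the binary you intend to allow to elevate)
Get-EpmRuleAttributes -Path 'C:\Program Files\ExampleVendor\ExampleTool.exe' | Format-List
```

A publisher-only rule with empty FileVersion and InternalName guardrails is the "too broad" case the reply warns about; a hash-only rule is the narrow but maintenance-heavy one.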

Date and Time
Nov 28, 2023, 7:00 AM - 7:30 AM PST