Enable Windows standard users with Endpoint Privilege Management in Microsoft Intune
Published Mar 01 2023 08:01 AM

The landscape for cyberattacks has become more complex in recent years. In 2022, Microsoft security researchers tracked a 130% increase over the previous year in organizations that encountered ransomware. According to a Centrify study, historically 74 percent of data breaches originated from the abuse of compromised privileged access credentials.

Today's organizations need a new security model that more effectively protects people, devices, apps, and data wherever they're located. One of the most effective ways to limit the compromise of your endpoints is to run standard users.

Today, we're announcing that Microsoft Intune Endpoint Privilege Management, part of the Microsoft Intune Suite, will be in public preview in the March Intune release and generally available in the April Intune release.

Endpoint Privilege Management (EPM) allows IT and SecOps to run everyone as a standard user while elevating privileges only when needed, as defined by the rules and parameters your organization sets. This supports the enforcement of least privilege access, a core tenet of a Zero Trust security architecture. EPM enables IT teams to manage standard users more efficiently and limit their attack surface by only allowing employees to run as administrators for specific, approved applications.

Understanding the value of EPM

Historically, IT admins have been forced to make a binary choice: run employees as standard users or local admins. If IT admins choose to run all employees as local administrators, the enterprise is left vulnerable to malicious actors. If admins choose a more conservative path and run everyone as a standard user, it comes at a cost, mostly shouldered by users and help desk staff, in the form of expensive support incidents due to restricted access to necessary work.

For organizations running as standard user, elevated admin rights are given for one-off tasks and often never revoked—creating the need for extra auditing and manual work, a hindrance to their security posture. Without admin rights, productivity is impeded as workers are interrupted when trying to complete basic tasks.

The need to balance security and productivity leaves organizations in a difficult situation, trying to handle both effectively. This approach often requires additional business processes and the support of an additional piece of tooling to manage the workload. To minimize the number of tools and processes an organization needs to manage administrator privileges on devices effectively, we're providing capabilities built directly into Microsoft Intune, an industry leading unified endpoint management solution.

Endpoint Privilege Management offers a better, more controlled way to manage standard users. The feature enables admins to set policies that allow standard users to perform tasks usually reserved for an administrator. Elevated privileges are offered for a discrete task, keeping the scope and time to a minimum, per organizational policies. This allows enterprises to stay secure while improving efficiency for IT teams and removing friction to accomplish work and achieve business goals.

By creating these new rules and parameters that streamline privilege elevation built into Intune, we're uniquely positioned to provide a solution that lowers the cost of running standard users while minimizing attack surface. Here's how Endpoint Privilege Management works.

A look into the feature

Endpoint Privilege Management allows IT administrators to create a new policy, setting rules and parameters to configure standard users' privileges.

Megan, an IT administrator, begins by creating a new Endpoint Privilege Management policy.

Endpoint Privilege Management enables user-confirmed elevation, elevating a standard user's privileges for an approved application.

Finance manager Adele is working from home. She's missing a key application she needs to prepare for a customer event. The application isn't widely used in her enterprise, and she realizes it wasn't installed when she received her new machine. Once Megan provides Adele with the Finance app installer file, she installs it. This is user-confirmed elevation: Endpoint Privilege Management enables privilege elevation using policy-based configuration without requiring local administrator account credentials.

Adele selects Run with elevated access to continue.

The new user-confirmed elevation management experience prompts Adele to provide a business justification, which she does. Since an elevation rule policy already exists for this app, Adele can run it and continue her work immediately after entering the business justification.

Reducing work for IT

We're thrilled to offer Endpoint Privilege Management to make your IT teams more efficient while better protecting your digital estate. At launch, we're beginning with automatic and user-confirmed elevations. Automatic elevations link an app to an action, allowing an end user to operate as an administrator for a specific task. The ability to create such a policy cuts down on the time and effort IT needs to spend on privilege management, freeing time for critical work.

User-confirmed elevations require end users to determine when elevation is needed. Employees specify that they want to run an app with elevated privileges. Additional controls can be implemented, such as a justification or multifactor authentication. This provides the security benefit of limited admin privileges, only allowing a constrained set of circumstances to elevate.

Both of these capabilities keep employees productive, removing friction so they can stay in flow and get work done. While we're excited about the value that automatic and user-confirmed elevations can provide, we aren't stopping here. The next capability we're developing is support-approved elevation scenarios.

How to get started

EPM will roll out in preview in the March release of Intune and will be generally available in April. At that time, in the Microsoft Intune admin center, under Intune add-ons, you'll be able to view the licensing options for Endpoint Privilege Management and the other new, advanced endpoint management solutions of the Intune Suite. This centralized experience also gives global and billing administrators direct access to the Microsoft 365 admin center to add the necessary licenses, either for the Intune Suite or for Endpoint Privilege Management as a new standalone add-on. Or you can opt into a trial for up to 250 users for 90 days. Go here for more information about new Microsoft Intune plans.

Whether you are looking to reduce manual IT processes, strengthen your organization's security posture by reducing the risk of unapproved app installation, or improve the end user experience by eliminating the need to create additional support tickets, Endpoint Privilege Management is a solution that can provide a great benefit for your organization and allow you to do more for less.

Learn more about how Endpoint Privilege Management is integral to the new Microsoft Intune Suite!

Read the launch announcement, check out the newest episode of Microsoft Mechanics, and take advantage of two amazing opportunities to explore Intune capabilities and use cases:

  • Microsoft Secure – March 28, 2023 (digital)
    Learn and share comprehensive security strategies to protect more with less.
  • Tech Accelerator: Microsoft Intune Suite – April 11-12, 2023 (digital)
    Get a closer look at the latest features, capabilities, and scenarios with two days of technical deep dives and live Ask Microsoft Anything (AMA) sessions delivered by the engineering teams building the future of Microsoft Intune.

You can also explore our Microsoft Intune Suite technical documentation.

Last update: Mar 02 2023 06:26 AM