Enable Windows standard users with Endpoint Privilege Management in Microsoft Intune
Published Mar 01 2023 08:01 AM 81.2K Views
Microsoft

The landscape for cyberattacks has become more complex in recent years. In 2022, Microsoft security researchers tracked a 130% year-over-year increase in organizations that encountered ransomware. According to a Centrify study, 74 percent of data breaches have historically originated from the abuse of compromised privileged access credentials.

Today's organizations need a new security model that more effectively protects people, devices, apps, and data wherever they're located. One of the most effective ways to limit the compromise of your endpoints is to run users as standard (non-administrator) users.

Today, we're announcing that Microsoft Intune Endpoint Privilege Management, part of the Microsoft Intune Suite, will be in public preview in the March Intune release and generally available in the April Intune release.

Endpoint Privilege Management (EPM) allows IT and SecOps to run everyone as a standard user while elevating privileges only when needed, according to rules and parameters set by your organization. This supports the enforcement of least privilege access, a core tenet of a Zero Trust security architecture. EPM enables IT teams to manage standard users more efficiently and limit their attack surface by only allowing employees to run as administrators for specific, approved applications.

Understanding the value of EPM

Historically, IT admins have been forced to make a binary choice: run employees as standard users or local admins. If IT admins choose to run all employees as local administrators, the enterprise is left vulnerable to malicious actors. If admins choose a more conservative path and run everyone as a standard user, it comes at a cost, mostly shouldered by users and help desk staff, in the form of expensive support incidents due to restricted access to necessary work.

For organizations that run users as standard users, elevated admin rights are granted for one-off tasks and often never revoked—creating the need for extra auditing and manual work, a hindrance to their security posture. Without admin rights, productivity is impeded as workers are interrupted when trying to complete basic tasks.

The need to balance security and productivity leaves organizations in a difficult situation, trying to handle both effectively. This approach often requires business processes and the support of an additional piece of tooling to manage the workload effectively. To minimize the number of tools and processes an organization needs to manage administrator privileges on devices effectively, we're providing capabilities built directly into Microsoft Intune, an industry-leading unified endpoint management solution.

Endpoint Privilege Management offers a better, more controlled way to manage standard users. The feature enables admins to set policies that allow standard users to perform tasks usually reserved for an administrator. Elevated privileges are offered for a discrete task, keeping the scope and time to a minimum, per organizational policies. This allows enterprises to stay secure while improving efficiency for IT teams and removing friction to accomplish work and achieve business goals.

By building these new rules and parameters that streamline privilege elevation directly into Intune, we're uniquely positioned to provide a solution that lowers the cost of running standard users while minimizing attack surface. Here's how Endpoint Privilege Management works.

A look into the feature

Endpoint Privilege Management allows IT administrators to create a new policy, setting rules and parameters to configure standard users' privileges.

[Screenshot: EPM 3]

Megan, an IT administrator, begins by creating a new Endpoint Privilege Management policy.

Endpoint Privilege Management enables user-confirmed elevation, elevating a standard user's privileges for an approved application.

[Screenshot: EPM 4]

Finance manager Adele is working from home. She's missing a key application she needs to prepare for a customer event. The application isn't widely used in her enterprise, and she realizes it wasn't installed when she received her new machine. Once Megan provides Adele with the Finance app installer file, she installs it. This is user-confirmed elevation: Endpoint Privilege Management enables privilege elevation using policy-based configuration without requiring local administrator account credentials.

[Screenshot: EPM 2]

Adele selects Run with elevated access to continue.

[Screenshot: EPM 1]

The new user-confirmed elevation management experience prompts Adele to provide a business justification, which she does. Because an elevation rule policy already exists for this app, Adele can run it and continue her work immediately after entering the business justification.

Reducing work for IT

We're thrilled to offer Endpoint Privilege Management to make your IT teams more efficient while better protecting your digital estate. At launch, we're beginning with automatic and user-confirmed elevations. Automatic elevations link an app to an action, allowing an end user to operate as an administrator for a specific task. The ability to create such a policy cuts down on the time and effort IT needs to spend on privilege management, freeing time for critical work.

User-confirmed elevations require end users to determine when elevation is needed. Employees specify that they want to run an app with elevated privileges. Additional controls can be implemented, such as a justification or multifactor authentication. This provides the security benefit of limited admin privileges, only allowing a constrained set of circumstances to elevate.

Both of these capabilities keep employees productive, removing friction so they can stay in flow and get work done. While we're excited about the value that automatic and user-confirmed elevations can provide, we aren't stopping here. The next capability we're developing is support-approved elevation scenarios.

How to get started

EPM will roll out in preview in the March release of Intune and will be generally available in April. At that time, in the Microsoft Intune admin center, under Intune add-ons, you'll be able to view the licensing options for Endpoint Privilege Management and the other new, advanced endpoint management solutions of the Intune Suite. This centralized experience also provides global and billing administrators direct access to the Microsoft 365 admin center to add the necessary licenses for the Intune Suite, a new standalone add-on for Endpoint Privilege Management. Or you can opt into a trial for up to 250 users for 90 days. Go here for more information about new Microsoft Intune plans.

Whether you are looking to reduce manual IT processes, strengthen your organization's security posture by reducing the risk of unapproved app installation, or improve the end user experience by eliminating the need to create additional support tickets, Endpoint Privilege Management is a solution that can provide a great benefit for your organization and allow you to do more for less.

Learn more about how Endpoint Privilege Management is integral to the new Microsoft Intune Suite!

Read the launch announcement, check out the newest episode of Microsoft Mechanics, and take advantage of two amazing opportunities to explore Intune capabilities and use cases:

  • Microsoft Secure – March 28, 2023 (digital)
    Learn and share comprehensive security strategies to protect more with less.
  • Tech Accelerator: Microsoft Intune Suite – April 11-12, 2023 (digital)
    Get a closer look at the latest features, capabilities, and scenarios with two days of technical deep dives and live Ask Microsoft Anything (AMA) sessions delivered by the engineering teams building the future of Microsoft Intune.

You can also explore our Microsoft Intune Suite technical documentation.

44 Comments
Brass Contributor

Great news guys, I can't wait to trial it. Now please release LAPS for AAD ;)

Copper Contributor

This is really cool but we also need a cloud user interface for Application Control. Any plans for this?

Copper Contributor

This is really cool - can't wait to get hands on. I can see the new Intune suite available under add-ons in the console but not the standalone option for Endpoint Privilege Management. Is that being released separately? (Service release 2302)

 
Brass Contributor

While the feature to limit the elevation to specific actions and/or applications is a great direction for this solution, it does seem to me that this may introduce additional roadblocks to effectively deploying it (e.g. being a mature Intune org with well defined app policies). It would be easier to use the traditional time-linked elevation for say 1 hour but to have Intune's assistance in automating that process to reduce the risk of forgetting to remove it. Is that kind of feature an alternative option in the initial release or is it on the road map? Excited to learn of this feature for sure! Also, will it support Windows 10 or is it only Windows 11?

Copper Contributor

Great feature, however will this be included with E5 licenses? If not, I feel this is a kick in the teeth if we have to pay for another service...

Brass Contributor

This is a needed feature that Jamf has had for a while now.  I'm curious to see how this will get priced.  Reading the https://www.microsoft.com/en-us/security/business/Microsoft-Intune?rtc=1#plansandpricing sheet it looks like it's an add-on to E5.  

Brass Contributor

It looks like pricing for this is now available in the Marketplace.

 

[Screenshot: Marketplace pricing]

 

Silver Contributor

This is a great feature, but sometimes there is a need for an automatic approval policy, so that if certain conditions are fulfilled, the approval is granted automatically without administrator action.

Copper Contributor

I am unable to find the option under Endpoint security > Manage.

I enabled the trial license for 250 users for 90 days today.

Is there anything else I have to do?

Copper Contributor

Any plans for EPM support to other OS besides Windows?

Copper Contributor

@ajnas - this feature is not yet released.

Microsoft

Hi @Mario Inglitsch, LAPS for AAD is coming soon.

Microsoft

Hi @ConorMartin it will preview with our March release (service release 2303), generally available with April's release (service release 2304).

Brass Contributor

Forgive me if I've missed this bit of detail, but the screenshots and article don't seem to mention these details:

 

1. The screenshots showing Windows 11 "default" menu (which btw, is awful)... I assume this option appears on the "classic" menu option as well?

 

2. Is this compatible with Windows 10 as well, or will this be a Windows 11 only feature?

Brass Contributor

@Mario Inglitsch Good to see them confirm it's "coming soon" (whatever that means... their definition rarely matches mine, lol), but in the meantime, you might want to search for LeanLAPS. It's an excellent open-sourced PowerShell solution that leverages Proactive Remediation scripting.

Brass Contributor

Hi there, I was looking forward to trialing the Privileged Access Management feature in the new Intune Suite, but it was unclear to me that this feature will not be released to all tenants in March for preview... now the trial is already activated and wasting my time, since I am not able to trial the feature. Is this only enabled in specific tenants open for preview in March, and does the public only get it when it is GA in April? Or how does this work?

A few answers:

 

It will support latest Windows 10 versions plus Windows 11. 

There will be an automatic 'zero touch' elevation type which can allow elevation based on admin defined criteria.

The "Run with elevated access" context menu item will be visible in the 'classic' menu.

Copper Contributor

Will EPM allow blocking apps on the endpoint from being installed/run as well?

Copper Contributor

@Matt_Call @Alemeshet_Alemu @FishingNotPhishing

 

Is there any documentation on setting up Endpoint Privilege Management or troubleshooting it?

 

I've set up both an Elevation settings policy and an Elevation rules policy in the Microsoft Intune admin center.

 

The settings policy has been successfully deployed to my group of test devices. 

The report for the rules policy (assigned to the same group of devices) has a zero for all the statuses.

 

I would have expected that the total number of devices in the rules policy report would be the same as the number of devices for the settings policy report, not zero....

Brass Contributor

We have enabled the trial and assigned licenses to some users, but EPM does not show up in the Endpoint Security Blade. Anyone else having this issue?

Brass Contributor

@mark-derouen EPM isn't active yet - it should be available either this week or next week though, as it's supposed to release in Preview with the March Service Release, and then GA with the April Service Release. Those Service Releases are typically in the last week of the month. 

 

We're patiently waiting too, as we really need this feature. 

Copper Contributor

@Mark_Derouen 
EPM is expected to be released Public Preview for tenants with the 2303 version. If you have 2302, it's not going to show in the Endpoint Security blade.

It's worth mentioning that you don't need the trial to try out EPM, as it's in Preview. 

Copper Contributor

.

Copper Contributor

My tenant has been updated to the 2303 release but I'm still not seeing the EPM feature. Any ideas where exactly it should be available in the console or has it been omitted from the 2303 release?

Copper Contributor

This is an awesome tool, can't wait for its release. For budget planning purposes, can it be assumed all future feature upgrades for Intune (such as LAPS for AAD) will fall under the "add-on" category?

Copper Contributor

Does anyone know where the Business justification go after the user fills it out?  Also I noticed there is no Elevation Access for Uninstalling an application, shouldn't there be one as well?

Business justification is sent up to Intune for reporting to Intune admins, assuming the admin has configured the client settings for EPM to send this data to Microsoft.  This can be used for auditing by the company.  

 

In order to use elevation through EPM for uninstall, a rule would need to be created for the .exe which uninstalls the application.  We do not yet support MSI.

Copper Contributor

We would like to know if there are any plans to allow users to set policies per user per machine. Specifically, we are interested in setting the default elevation response to "Require user confirmation" for a specific user on a specific device.

 

For instance, on DeviceA, we would like UserA to be able to elevate any application after providing a business justification. However, if UserB logs into DeviceA, the request should be denied.

 

If this feature is not currently available, we would appreciate any information on whether it might be developed in the future. Thank you for your attention to this matter, and we look forward to your response.

Copper Contributor

Loved the new EPM... Question: are there plans so that if a user attempts to install/uninstall an application that doesn't have a rule assigned for the action, it could show up on a dashboard in Intune, so an administrator could approve/deny said action and then notify the user that it's either under review or approved and to try again? As we are already collecting that information?

Microsoft

@mgbnet here is documentation you asked for Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn.

 

@tkirwan AAD LAPS is going to be offered as part of your existing subscription. Add on is not required.

 

@DonovanSobrero that is in the roadmap. We had a demo of it at MS Secure earlier this week. Have a look at Cyber-Safety and IT efficiency fueled by Microsoft Intune Suite

 

@chrisnelmes you could consider a model where default elevation policy is set to deny. Target that to the device. Then have an elevation rule policy which grants elevation for desired user group(s). More information here: Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn

Brass Contributor

Cool feature, I have been waiting for this.

 

However, I have the following questions:

- Can we allow temporary elevation not just on files but also specific configuration settings, e.g. so users can edit their network configuration, firewall rules, etc.? Maybe we can add a rule for the corresponding control panel applet to start elevated?

- Can we allow for temporary elevation of an entire installation source directory, for instances where the installation source consists of multiple files and subdirectories?

- Can we allow for temporary elevation of subprocesses that are started by the main process when we run the executable? E.g. if a .exe installer unpacks a .msi file, will that .msi file be elevated as well?

- Can we allow for temporary elevation of not only .exe installer files but also other filetype extensions, e.g. .MSI, .ZIP, etc.?

- Allow temporary elevation to other secure directories like e.g. C:\Users, C:\Windows or C:\Program Files (for manual placement of config or license files).

Copper Contributor

@Alemeshet_Alemu What kind of timeframe on the roadmap is the ability for the User to request the elevation and admins to approve/deny?  

Copper Contributor

Will EPM only apply to licensed users? Example, if a policy is applied to all devices, but a user on the device is not licensed, will the policy not apply to unlicensed users?

Copper Contributor

Will EPM work on both Hybrid Azure AD joined computers and on Azure AD joined? @Alemeshet_Alemu 

Steel Contributor

I would like to see the "need" for local administrator access eliminated. I have never needed root access to my phone.

 

Through simplifying our configurations and attempting to manage everything through Intune (and the Company Portal), we have come close. Reaching the limits of this policy, we would like to give a group of people local administrator rights to a group of "less managed" devices. Can EPM be used in this way?

 

At the moment, it looks like we may have to assign traditional local administrator rights through an Account Protection policy to the group of PCs for our group of admins. Then, if we want EPM's reporting, and don't mind the price, we can assign a "deny all" Elevation Policy.

Brass Contributor

@Nathan Hartley 

"I have never needed root access on my phone."

This is because smartphones are very much locked down into walled gardens with their respective app stores gatekeeping any and all app installations.  To achieve this with Windows you need to look into S-Mode.
https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9...

 

This may or may not be the future of the Windows OS but I can see lots of reasons why it may be impossible in the real world.  People and businesses would be giving up tremendous amounts of freedom to install and run apps from anywhere with a tradeoff of much tighter security.

 

Brass Contributor

Feedback from some of our test users:

 

1) It's not running in the user's own context, so they have to reconfigure a lot of stuff for some applications.

2) They don't have access to the files they need because the files are on a network location.

3) They can no longer right-click files and select Edit with Notepad++. They have to open Notepad++ and from there open the file. (Workaround is to not have a specific configuration for Notepad++ in EPM and then re-register the notepad++ extension dll). 

4) It's great that "Program A" is set to always start elevated as this should be standard, but occasionally they actually need to run it as their own user. If it's set to automatically start elevated, there should be a way to force it not to start elevated.

 

Feedback from me as an admin: Why is it such a mess to get log files from the elevations, and why is filtering those logs so limited? We had 20 people enabled, and for the first week we got like 10 log items from a single device on day 2 and then nothing for like a week, and now we're getting logs from like 4 people and their devices. Everything is enabled, nothing is blocked by the firewall, and EPM says everything is successfully configured, and we're enabled in settings to send all logs.

Copper Contributor

Great solution! Anyway, some feedback from our testing:

1) If you create policies for cmd or powershell (I know, it's not intended to do so), these command lines cannot be invoked from the Windows Terminal app anymore, even when the Terminal app is started unelevated.

2) If you create policies for mmc, the computer management links won't work anymore (empty mmc dashboard), even if started unelevated.

3) With a policy for tools like Notepad++, calling these tools via file context menu is no longer possible (see comments above).

4) Windows Hello just seems to be implemented inconsistently. Some of our users can only authenticate with a password, others via PIN, others via biometrics. No system is recognizable to us ...

5) With an elevated app it's not possible to access network shares (elevation starts in a separate local user context).

6) It would be great if you could start Windows internal system functions like network adapter configuration via EPM (see comments above). The elevation of third-party tools like "simple ip config" is not really feasible for us. We also don't want our users to have such permissions permanently, e.g. via membership in the local Network Configuration Operators group.

7) It would be great if EPM could allow users to install any apps, esp. Microsoft Store apps, with elevated permissions without the need to manage these apps in a software deployment solution.

8) We would also appreciate an approval workflow for elevations like the one implemented in the access packages workflows.

We are looking forward to see new EPM features in the near future!

Copper Contributor

When are Microsoft going to secure this properly?

We have implemented an Endpoint Privilege Management policy in Intune which allows users to run EXE files with elevated access if they submit their password.
We have found that if a user WITHOUT local administrator rights navigates to windows\system32 folder and right clicks on CMD.EXE, then selects "Run with elevated access" they can then run a "net localgroup" command and add themselves as local administrator on their device. 

They can do likewise with MMC.EXE (and add the computer mgmt snap in which will run with elevated access) or with CompMgmtLauncher.exe which does the same thing.
Any user without local administrator rights can bypass the restriction put in place by the EPM settings policy, unless you're running with "Deny All" policy and a white list of applications which have to be added individually. (I don't know how many man hours that would require and how much outage it would cause as new apps come on stream, it doesn't bear thinking about). 

@MelmixDK @Oskaloq @TM-GTN thank you for your feedback.  We appreciate you taking the time to share it with us.

 

Allowing users to run cmd.exe as elevated is not something we would typically recommend anyone do.  As you noted, once you have cmd.exe running with administrator level permissions, the user can use it to launch any other process.  All child processes inherit the permissions of the parent process, which means everything launched from the cmd.exe window will be elevated as well.

 

We are working on adding the ability to control what happens with any child processes, giving the administrator the ability to specify if those child processes will be allowed to run elevated.  This will be coming in a future release.

 

We will also have other fixes and improvements coming in each monthly service release, which will take care of many of the issues you have noted above. We're excited to continue to add value for you each month.
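The cmd.exe scenario discussed above illustrates why the membership of the local Administrators group is worth watching independently of EPM's own reporting, so that any elevation path that ends in a permanent local admin is at least visible quickly. The following PowerShell detection script is an added example, not code from the blog post or from Microsoft; it is written in the shape of an Intune Proactive Remediation detection script (exit 0 = compliant, exit 1 = non-compliant, output shown in the report), and the approved-member list in it is a placeholder you would replace with your own baseline.

```powershell
# Added example (not from the blog post or from Microsoft): detect drift of the
# local Administrators group away from an approved baseline.
# Shape of an Intune Proactive Remediation detection script:
#   exit 0 = compliant, exit 1 = non-compliant (the output is shown in the report).

# Assumption for this example: replace with the accounts and SIDs your
# organisation really approves. Entries may be account names or SID strings.
$ApprovedMembers = @(
    "$env:COMPUTERNAME\Administrator",         # built-in account, assumed disabled or LAPS-managed
    'AzureAD\helpdesk.admin@contoso.example',  # placeholder, not a real account
    'S-1-12-1-0-0-0-0'                         # placeholder for a tenant role SID (e.g. the AAD device-administrator role)
)

function Get-LocalAdminMember {
    # Returns one object per member with Name and Sid.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value } }
    }
    catch {
        # Get-LocalGroupMember can throw when the group holds SIDs it cannot
        # resolve (deleted or cloud-only principals); fall back to the WinNT
        # ADSI provider, which still lists every member by its ADsPath.
        $group = [ADSI]'WinNT://./Administrators,group'
        foreach ($m in @($group.Invoke('Members'))) {
            $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $name = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
            [pscustomobject]@{ Name = $name; Sid = $null }
        }
    }
}

function Test-LocalAdminBaseline {
    # Returns the members that are neither approved by name nor by SID.
    param([string[]]$Approved)
    return @(Get-LocalAdminMember | Where-Object {
        ($Approved -notcontains $_.Name) -and
        ((-not $_.Sid) -or ($Approved -notcontains $_.Sid))
    })
}

$drift = Test-LocalAdminBaseline -Approved $ApprovedMembers
if ($drift.Count -gt 0) {
    Write-Output ('Unexpected local Administrators members: ' +
        (($drift | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}
Write-Output 'Local Administrators group matches the approved baseline'
exit 0
```

Run it as the detection half of a Proactive Remediation (or on any schedule you already have); the remediation half, or a person, decides what to do with the flagged members. Name matching is case-insensitive, so the baseline can be written in either case. This complements EPM's elevation reporting rather than replacing it: the EPM report tells you which rule was used, this script tells you whether the end state of the device still matches what you intended.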

Copper Contributor

@FishingNotPhishing, thank you very much for your response. Of course you are absolutely right with your comments about cmd.exe. The possibility to specify the handling of child processes sounds exciting anyway. I am looking forward to further improvements of the already great solution.

Copper Contributor

Question -

 

1. If we use a Deny All Policy then create rules to allow specific apps. - If the app is updated by the publisher, does that mean to install the new updated app, we need to create new rule each time there is a change to allow the new app to install and then another new rule to allow them to run the new app if it requires elevated permissions?

 

2. How do we know if to run an app once it is installed, elevated permissions are required (in order to create a rule for that app)?

@GeorgeF- 

1) This depends on how the allow rule is configured. If it uses the certificate that signed the app and doesn't specify a version, then for a new version of the same app (presuming it is signed by the same certificate) a new rule would not be required.

 

2) The only way I know would be testing. If you allow an installer to elevate because the installer requires elevation to install, the actual app executable can be a different file. If they are signed by the same signing cert, you can create a certificate-based rule that allows anything signed by that certificate. But you should be careful with this, as it can allow anything signed by the cert to elevate, and you may not know what other applications are signed by the same cert, and they may be dangerous to allow to elevate.
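The warning in the reply above, that a certificate-based rule covers everything signed with that certificate, can be checked before the rule is created rather than discovered afterwards. The PowerShell script below is an added example, not code from the blog post or from Microsoft: it takes one reference file, reads its Authenticode signer, and lists every other .exe and .msi under a set of search roots that carries the same signer thumbprint. The reference path and the search roots are assumptions for the example; the comparison is on the leaf certificate thumbprint and says nothing about how EPM itself matches certificates.

```powershell
# Added example (not from the blog post or from Microsoft): before creating an
# EPM elevation rule keyed on a signing certificate, enumerate what else on the
# device is signed with that same certificate so the real scope of the rule is
# known. The reference file and search roots below are assumptions.

param(
    [string]$ReferenceFile = 'C:\Installers\VendorSetup.exe',   # placeholder path
    [string[]]$SearchRoots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        "$env:SystemRoot\System32"   # included deliberately: surfaces shells, MMC and script hosts
    )
)

function Get-SignerThumbprint {
    # Returns the leaf signer thumbprint of a validly signed file, else $null.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $null }
    return $sig.SignerCertificate.Thumbprint
}

function Find-SameSignerFile {
    # Lists every .exe/.msi under $Roots whose signer thumbprint equals that of $Reference.
    param([string]$Reference, [string[]]$Roots)
    $refThumb = Get-SignerThumbprint -Path $Reference
    if (-not $refThumb) {
        throw "Reference file '$Reference' is not validly signed; a certificate rule cannot be based on it."
    }
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
            Where-Object { (Get-SignerThumbprint -Path $_.FullName) -eq $refThumb } |
            ForEach-Object { $_.FullName }
    }
}

$others = @(Find-SameSignerFile -Reference $ReferenceFile -Roots $SearchRoots |
    Where-Object { $_ -ne $ReferenceFile })

$refSig = Get-AuthenticodeSignature -FilePath $ReferenceFile
Write-Output "Reference signer : $($refSig.SignerCertificate.Subject)"
Write-Output "Thumbprint       : $($refSig.SignerCertificate.Thumbprint)"
Write-Output ''
Write-Output 'Other files on this device signed with the same certificate:'
$others | ForEach-Object { Write-Output "  $_" }
Write-Output ("{0} additional file(s) would fall under a rule scoped to this certificate." -f $others.Count)
```

Signature checks over large directory trees are slow, so run this on a representative test device rather than fleet-wide. If the list comes back with command shells, script hosts or management consoles (the cmd.exe and mmc.exe cases discussed earlier in this thread), the rule is far too broad and a file-hash or path-plus-version rule is the safer choice; if it comes back with only the vendor's own binaries, the certificate rule is doing what the reply above describes.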

Copper Contributor

@Matt_Call This isn't currently supported in Azure Virtual Desktop. When will AVD be supported?

Version history
Last update:
‎Mar 02 2023 06:26 AM
Updated by: