Mar 14 2024 05:25 AM
Good Morning,
So currently we have everyone set up as Local Admin (I know, bad move), but we have it set up like that just due to all the different apps for different companies that we use.
How can I use Intune or Endpoint Security to allow these apps to update without having the user have Local Admin privileges? Is it even possible? Could I say anything in this folder is allowed to update without asking, or give each exe auto admin, and the only way they can install something new is with our permissions?
What is a good way to handle this?
Thank you
Mar 23 2024 02:57 AM
No, unfortunately this is not possible.
If the app only has permissions in one folder, you could try to give the users rights to the folder, but usually the apps also need access to the registry etc., so unfortunately this isn't a solution.
But there are tools with which you can do this, e.g. in Intune there is the Endpoint Privilege Management. With this it is possible, for example, to allow certain exe files so that a normal user can execute them as admin.
Here is the documentation
https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview
But the whole thing is only available in the Intune Suite license or as a separate add-on license.
The alternative would of course be to put the software cleanly into Intune so that the users get the update via the Company Portal, which is very time-consuming, I know; we have the same problem ourselves.
We have also implemented LAPS and some users, e.g. users from development, can independently read out the LAPS password to install apps as admin.
Mar 23 2024 07:15 AM