Microsoft Intune Blog
Endpoint Privilege Management adds support-approved elevations

mikedano (Microsoft)
Apr 01, 2024

We’re thrilled to announce that Microsoft Intune Endpoint Privilege Management added support-approved elevations in the March release of Microsoft Intune. Since Endpoint Privilege Management was released a year ago, IT pros have used the solution to ensure end users remain productive while maintaining least privilege access. Until now, IT pros have created elevation rules for the most used applications in their environments. However, when end users requested elevated privileges to use applications that had no associated rules, they were automatically denied. This required end users to submit a help desk ticket to proceed. Today, there is a simpler solution with the new capability of support-approved elevations.

Support-approved elevations empower users to request temporary administrative privileges for specific applications or tasks, streamlining their workflow while maintaining a strong security posture. Windows standard users can request approval to elevate an application that has no existing privilege elevation rule associated with it. Support-approved elevations require Intune administrators to review elevation requests on a case-by-case basis. The Intune administrator approves or denies the request, allowing the end user to proceed when deemed appropriate.

In general, Endpoint Privilege Management enables standard users to perform tasks that typically require elevated privileges, such as installing applications or updating device drivers. For IT admins, Endpoint Privilege Management makes it easier to manage standard users while maintaining a Zero Trust framework. The capability also offers reporting, providing visibility into privilege elevation across an organization.

How it works

When a standard user encounters a task that requires elevated privileges, they can now request support approval directly from the application’s context menu. The end user will provide a business justification for the request.

When needed, an end user can right click an application and select “run with elevated access.” They will then be asked to submit a business justification and validate their identity before submitting the request. Here, the end user writes, “I need to debug my app.”

The request is sent to IT administrators, who can approve or deny the elevation based on the provided business justification.

To review and approve or deny a request, an IT admin can find the “Elevation requests” tab in the Endpoint Privilege Management page of the Microsoft Intune console.

The Intune administrator can decide whether to approve or deny the request, providing the user with elevated access to the application for 24 hours.

If approved, the user can proceed with the elevated task for the next 24 hours. Support-approved elevations are managed within the Microsoft Intune admin center, enabling IT pros to manage endpoints and privileges from one console. The elevation request properties provide detailed information, including the application name, user details, and the business justification provided.

IT pros can use Endpoint Privilege Management reporting to identify applications for which they’re receiving a high volume of support-approved elevation requests. If appropriate, they might decide to create an automatic or user-confirmed elevation rule for the application, saving their support teams more time and effort.
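To make the two rules described above concrete (an approval is valid for 24 hours from the decision, and applications that attract many support-approved requests are candidates for a standing rule), here is an added example that is not part of the Microsoft post and is not Intune's own code or API. It models elevation requests in a small dataclass whose field names are an assumption for this example (they are not Intune's report schema), checks whether an approval is still active at a given time, lists what is still pending, and aggregates request counts per application so an admin can spot rule candidates. The sample requests are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The post states that an approved request grants elevated access for 24 hours.
APPROVAL_WINDOW = timedelta(hours=24)


@dataclass
class ElevationRequest:
    """One support-approved elevation request.

    Field names are an assumption for this example; they are not the
    schema of Intune's elevation-request report.
    """
    user: str
    app_path: str
    justification: str
    submitted: datetime
    decision: Optional[str] = None      # "approved", "denied" or None while pending
    decided: Optional[datetime] = None  # when the admin recorded the decision


def elevation_active(req: ElevationRequest, now: datetime) -> bool:
    """True while an approved request still grants elevation (24 h from the decision)."""
    if req.decision != "approved" or req.decided is None:
        return False
    return req.decided <= now < req.decided + APPROVAL_WINDOW


def pending_requests(requests):
    """Requests that an admin still has to approve or deny."""
    return [r for r in requests if r.decision is None]


def apps_needing_rules(requests, threshold: int = 3):
    """Applications with at least `threshold` requests, most requested first.

    These are candidates for a standing automatic or user-confirmed rule,
    which is the triage the post suggests doing from the reporting data.
    Paths are lower-cased so the same binary is counted once regardless of case.
    """
    counts = Counter(r.app_path.lower() for r in requests)
    return [(app, n) for app, n in counts.most_common() if n >= threshold]


def at_hour(hour: int, minute: int = 0) -> datetime:
    # Helper: timestamps on a single constructed day, in UTC.
    return datetime(2024, 4, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample data for the example (not real requests).
SAMPLE_REQUESTS = [
    ElevationRequest("alice", r"C:\Tools\Debugger\debug.exe", "I need to debug my app",
                     at_hour(9), "approved", at_hour(9, 30)),
    ElevationRequest("bob", r"C:\Tools\Debugger\debug.exe", "Debugging build failure",
                     at_hour(10), "approved", at_hour(11)),
    ElevationRequest("carol", r"C:\Tools\Debugger\DEBUG.EXE", "Attach to service",
                     at_hour(12), "denied", at_hour(12, 15)),
    ElevationRequest("dave", r"C:\Vendor\driverinstall.exe", "Printer driver update",
                     at_hour(13), "approved", at_hour(13, 5)),
    ElevationRequest("erin", r"C:\Users\erin\Downloads\setup.exe", "Install tool",
                     at_hour(14)),
]

if __name__ == "__main__":
    now = at_hour(15)
    for r in SAMPLE_REQUESTS:
        state = r.decision or "pending"
        print(f"{r.user:6} {r.app_path:36} {state:8} active={elevation_active(r, now)}")
    print("pending:", [r.user for r in pending_requests(SAMPLE_REQUESTS)])
    print("rule candidates:", apps_needing_rules(SAMPLE_REQUESTS))
```

The window is measured from the admin's decision rather than from submission, because the post says the user "can proceed with the elevated task for the next 24 hours" once approved; the boundary check is half-open, so an approval stops being active exactly 24 hours after the decision. Three requests for the same debugger from different users cross the default threshold, which is the signal the post describes for considering an automatic or user-confirmed rule instead of handling each request by hand.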

Getting started

Microsoft Endpoint Privilege Management is a critical solution of the Microsoft Intune Suite. It’s available as an add-on to any Microsoft 365 plan that includes Intune. To get started with Endpoint Privilege Management and the new support-approved elevation capability, start a trial of Microsoft Intune Suite today. For more information on Microsoft Intune Endpoint Privilege Management, visit our Microsoft Intune technical product documentation as well as the product webpage.


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.

  • wroot (Silver Contributor)

    What happens on the user side? They go to context menu and select to request elevation from IT. And do they sit and wait for approval, do they get a message and then can try to double click the app again, email?

  • JamesMooney (Brass Contributor)

    Tested it this morning, it really needs an end user notification.

    Also, it would be nice to have an option to predefine a few suggestions on "Business Justification" for the user - so it's not just a free text field - where you could write anything 🙂

  • JamesMooney (Brass Contributor)

    mikedano Thanks, I see that now. It's quite slow too. Request submitted at 11.03am and received the end user notification at 13.20. It would be useful to be able to convert the request into a perm rule too.

  • Cheers wroot - I had the exact same question here.

    I would prefer a notification on the device for the user - that would make sense 🙂

  • ShawnM1243 (Copper Contributor)

    Tested this out and have not had good luck with getting it to work with a customer of mine using a trial of EPM. Request comes to EPM console right away. However, getting back to the device seems to take forever sometimes or even require a reboot on multiple machines. The concept is great, just wish it was quicker.

  • Chinedu0907 (Copper Contributor)

    Just like someone has mentioned, notification should be added so admins can get notified when a user is requesting elevation rights. Implementing the ability to approve elevation requests directly from notifications will really enhance the process. Being able to click on a notification and go directly to the portal for approval will no doubt streamline the process and enable admins to manage requests effectively.