In this post I will show you how to use the Endpoint Privilege Management feature in Intune. This feature, which is part of the Intune Suite, allows standard users to run specific applications with elevated privileges. Some applications, or specific tasks within an application, require elevated rights. Until now the only way to cover those scenarios was to give the standard user local administrative rights, and a standing admin account is far more privilege than is needed just to run one application, and can be quite destructive in the wrong hands. Endpoint Privilege Management (EPM) closes that gap.
Endpoint Privilege Management sits under Endpoint security in the Intune admin center and is part of the move towards zero trust. With a zero trust strategy, organizations focus on principles such as least privilege access (for example, just-in-time access), verify explicitly (always authenticate and authorize), and assume breach (minimize the blast radius and segment access).
Endpoint Privilege Management (EPM) Prerequisites
- License requirement: You need an additional license on top of Microsoft Intune Plan 1. There are two ways to get it:
- EPM standalone license: provides the EPM capability only.
- Microsoft Intune Suite: EPM is included in the Microsoft Intune Suite, which also contains other capabilities such as Advanced endpoint analytics, Firmware-over-the-air update, Microsoft Tunnel for Mobile Application Management, Remote Help and Specialized devices management.
- Operating system support: Windows 10 and Windows 11 are supported, but the device must be at a minimum patch level. For reference:
- Windows 11, version 22H2 (22621.1344 or later) with KB5022913, released Feb 28, 2023
- Windows 11, version 21H2 (22000.1761 or later) with KB5023774, released March 28, 2023
- Windows 10, version 22H2 (19045.2788 or later) with KB5023773, released March 21, 2023
- Windows 10, version 21H2 (19044.2788 or later) with KB5023773, released March 21, 2023
- Windows 10, version 20H2 (19042.2788 or later) with KB5023773, released March 21, 2023
Endpoint Privilege Management components involved
There are two components involved in Endpoint Privilege Management (EPM):
- Elevation settings policy: This component enables the EPM service on the client. The policy installs the EPM agent under C:\Program Files\Microsoft EPM Agent. Installing the agent adds a right-click context menu entry named Run with elevated access, which I will show through screenshots in the upcoming section. This policy also sets the device's default response to an elevation request that no rule covers: deny it, or allow it after user confirmation.
- Elevation rules policy: This policy grants elevation for specific files or applications. Any file that has no matching rule falls back to the default response from the settings policy.
Enable Endpoint Privilege Management
Create Elevation settings policy
Log in to the Intune admin center, navigate to Endpoint security > Endpoint Privilege Management > Policies and click Create Policy.
Select Elevation settings policy and click Create.
On the Basics page, specify the name Settings Policy – Deny and click Next.
On the Configuration settings page, specify:
- Endpoint Privilege Management: Enabled
- Send elevation data for reporting: Yes
- Reporting scope: Select Diagnostic data and all endpoint elevations. The other options are Diagnostic data and managed elevations only and Diagnostic data only. The broadest scope is the one you want during rollout, because it also reports elevations that did not go through an EPM rule, which is exactly the data you need to decide which rules to create.
- Default elevation response: Select Deny all requests. The other option is Require user confirmation, which grants the elevation after the user acknowledges a prompt. Deny is the right default: anything not covered by an explicit rule is refused.
Complete the rest of the wizard by assigning the policy to a group.
Once the policy arrives on the device, the EPM agent is installed. Right-click any application and the Run with elevated access option appears in the context menu.
Clicking Run with elevated access at this point produces the error You can’t run this app as administrator in the Endpoint Privilege Management window. This is the settings policy we just created doing its job: the default response is Deny all requests and no rule exists yet.
Let’s say we want to allow the Notepad++ installer to run with elevated access. That requires a second policy.
Create Elevation rules policy
Go back to the Endpoint Privilege Management page, create a new policy, select Elevation rules policy from the profile options and click Next.
On the Basics page, specify the name Allow Notepad++ and click Next.
On the Configuration settings page, click Edit instance to open the Rule properties blade.
Now we create the rule. A rule can identify the file either by signing certificate or by file hash. A certificate-based rule is the stronger attribute: it keeps matching when the publisher ships a new signed version, whereas a hash rule pins exactly one build and has to be updated for every new version. For demonstration purposes we use the file hash. Get the hash of the file by running the following command on a system that has the Notepad++ installer:
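As an added example (not the post's own command), here is the PowerShell a practitioner would run on a machine that has the installer. It captures the SHA-256 file hash that an EPM file-hash rule expects and, at the same time, the Authenticode signer, so you can decide on the spot whether a certificate rule is possible instead. The path C:\temp\npp.8.6.Installer.x64.exe follows the one used later in the post; the function name and the exported .cer path are assumptions.

```powershell
# Added example: collect the inputs needed for an EPM elevation rule.
# The installer path follows the post; the function name and the .cer
# output path are assumptions.
function Get-EpmRuleInputs {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $CertOutPath = (Join-Path $env:TEMP 'signer.cer')
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # EPM file-hash rules use SHA-256. Get-FileHash defaults to SHA256 already,
    # but state it explicitly so the output cannot silently change.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    # Authenticode signature. Status 'Valid' means the file is intact and the
    # signer chains to a root trusted on this machine; 'NotSigned' means a
    # hash rule is the only option.
    $sig    = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signer = $null
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $signer = $sig.SignerCertificate
        # Export the leaf (signer) certificate as DER so it can be uploaded as
        # the Signature source of a certificate-based rule.
        $der = $signer.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($CertOutPath, $der)
    }

    [pscustomobject]@{
        FileName         = Split-Path -Leaf $FilePath
        Sha256           = $hash
        SignatureStatus  = $sig.Status
        Signer           = if ($signer) { $signer.Subject }    else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        ExportedCert     = if ($signer) { $CertOutPath }       else { $null }
    }
}

Get-EpmRuleInputs -FilePath 'C:\temp\npp.8.6.Installer.x64.exe' | Format-List
```

Sha256 is the value to paste into the File hash field of the rule. If SignatureStatus comes back Valid, the exported .cer is what you would upload as the Signature source instead, and the rule then survives the next Notepad++ release; with a hash rule you will be back in the admin center after every update.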
Make a note of the hash value and go back to Rule properties in the Intune admin center. Specify the following:
- Rule name: Allow Notepad++
- Elevation type: Select User confirmed, which asks the user to acknowledge the elevation. If we select Automatic, the file is elevated silently without any prompt.
- Validation: We can select one or both of Business justification and Windows authentication. The former asks the user to type a justification, the latter asks the user to authenticate.
- Child process behavior: Select Require rule to elevate. The other options are Allow all child processes to run elevated and Deny all. Require rule to elevate is the safe choice: an installer that spawns cmd.exe or PowerShell would otherwise inherit the elevated token, turning a rule for one installer into a general-purpose admin prompt.
- File name: Specify the file name as npp.8.6.Installer.x64.exe.
- Signature source: Select Not configured, because we are using the file hash.
- File hash: Provide the value captured with the Get-FileHash PowerShell command.
That information is sufficient to create the rule; click Save.
The rule is created. A single rules policy can hold multiple rules.
Complete the rest of the wizard by assigning the policy to a group.
Go back to the device where we previously deployed the settings policy. Once the rules policy has applied, launch the Notepad++ installer with Run with elevated access. This time the business justification window appears; enter a justification and the installer starts elevated.
If you get the error Something went wrong, Unable to elevate this app because it came from the Internet or another computer, open the properties of the file and click Unblock under Security. This removes the Mark of the Web that Windows attaches to downloaded files; EPM refuses to elevate a file that still carries it.
The EPM agent is installed under C:\Program Files\Microsoft EPM Agent and includes a few interesting folders, among them EpmTools and Logs.
EpmTools is a PowerShell module with a set of cmdlets for reading the EPM policies, elevation rules, client settings, file attributes and so on. Run the following command to import it:
Import-Module 'C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll'
Two further commands show the rules and the settings that have been applied to the device:
Get-Policies -PolicyType ElevationRules
Get-Policies -PolicyType ClientSettings
Another useful cmdlet is Get-FileAttributes:
Get-FileAttributes -FilePath C:\temp\npp.8.6.Installer.x64.exe
The cmdlet returns the properties of the file, including FileHash, product name, version and so on. Because these are the attributes the agent itself evaluates, it is the quickest way to confirm that the hash you put in the rule is the hash the agent computes for the file on disk.
Opening EPM.log under C:\Program Files\Microsoft EPM Agent\Logs shows the request information the agent captures, which is helpful for understanding what is happening behind the scenes and for troubleshooting.
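As an added example (not from the post or from Microsoft), the following PowerShell ties the EpmTools cmdlets and the log together into one on-device check: it confirms the agent is present, imports the module, hashes the file you are about to elevate with Get-FileAttributes, checks whether that hash appears in the elevation rules the device has actually received, and pulls the most recent EPM.log lines that mention the file. The agent, module and log paths are the ones named in the post; the function name and the number of log lines are assumptions, and the rule check is a text match because the exact property names of the Get-Policies output are not documented here.

```powershell
# Added example: verify on the client that an EPM rule for a given file has
# arrived, then pull the related log lines. Paths are the ones the post names;
# the function name and the line count are assumptions.
function Test-EpmRuleForFile {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [int] $LogLines = 20
    )

    $agentRoot = 'C:\Program Files\Microsoft EPM Agent'
    $module    = Join-Path $agentRoot 'EpmTools\EpmCmdlets.dll'
    $log       = Join-Path $agentRoot 'Logs\EPM.log'

    if (-not (Test-Path -LiteralPath $module)) {
        throw "EPM agent not found under $agentRoot; has the elevation settings policy applied yet?"
    }
    Import-Module -Name $module -ErrorAction Stop

    # Client settings: shows whether the default response is Deny or
    # Require user confirmation, i.e. what happens when no rule matches.
    $settingsText = Get-Policies -PolicyType ClientSettings | Out-String

    # Hash the file the way the agent sees it.
    $attrs = Get-FileAttributes -FilePath $FilePath
    $hash  = $attrs.FileHash

    # Rules as received from Intune, rendered to text and searched for the
    # hash. Assumption: the rendered rule output includes the hash value, so
    # the check does not depend on the rule objects' property names.
    $rulesText = Get-Policies -PolicyType ElevationRules | Out-String
    $ruleFound = $rulesText -match [regex]::Escape($hash)

    # Most recent log lines that mention this file, for "why was I denied?"
    # questions.
    $name   = Split-Path -Leaf $FilePath
    $recent = @()
    if (Test-Path -LiteralPath $log) {
        $recent = Select-String -LiteralPath $log -Pattern ([regex]::Escape($name)) |
                  Select-Object -Last $LogLines |
                  ForEach-Object { $_.Line }
    }

    [pscustomobject]@{
        File           = $name
        FileHash       = $hash
        RuleReceived   = $ruleFound
        ClientSettings = $settingsText.Trim()
        RecentLog      = $recent
    }
}

Test-EpmRuleForFile -FilePath 'C:\temp\npp.8.6.Installer.x64.exe' | Format-List
```

RuleReceived being False while the rule shows as assigned in the admin center usually means the rules policy has not synced to the device yet, or the hash in the rule was taken from a different build of the installer than the one on disk; FileHash next to the rule text makes that mismatch obvious. The RecentLog lines then tell you what the agent decided for the last attempts and why.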