What is Intune Endpoint Privilege Management?

Removing admin rights from end users just got easier for Microsoft Intune customers.

Published: Dec 06, 2024

When we consider Microsoft Intune Endpoint Privilege Management as a solution, we have a very real problem that’s being solved. Admin rights.

Technical solutions are there to solve a problem, right? Without a problem, a solution is just a gimmick – a token – a gesture, at best. As Bill Gates is said to have remarked: “The computer was born to solve problems that did not exist before.”

The solution to giving ‘regular users’ admin rights (elevated privileges) has always been pretty simple – don’t. This, however, often prompts an immediate – and valid – question: what do we do for those who genuinely need elevated privileges, but are otherwise ‘regular users’? Until now, the Microsoft answer to this has been… unremarkable.

It’s generally agreed that simply adding the user to the local Administrators group is not acceptable. As a close second on the list of things we probably shouldn’t do, we can provide them with a second (privileged) account that allows them to elevate when required.

Microsoft first released the Local Administrator Password Solution back in 2015, but even this wasn’t designed to solve the exact problem we face. In fact, this solution – now reinvigorated for the cloud – is designed to help avoid actual IT administrators having to use an identical username and password for the ‘Local Admin’ account across every endpoint, typically required for the worst recovery scenarios.

The solution to endpoint privilege management

And so, Endpoint Privilege Management (EPM) was born. EPM serves to allow ‘regular users’ to elevate their privileges to administrator level when required. This can be done ‘on-demand’ through a context-menu action, or automatically based on the application being launched. This has a number of benefits, for example:

  1. Reduces the attack surface
    By limiting users to the minimum privileges needed to perform their roles, EPM ensures that unnecessary admin access is removed, ultimately preventing malicious actors and malware from exploiting elevated privileges on devices to gain persistence or to move laterally.
  2. Protects against insider threats
    That said, not all security threats originate externally; insider threats, whether intentional or accidental, pose significant risks. EPM restricts users from accessing sensitive systems or data they don’t need, reducing the risk of data breaches or system compromise due to human error or malicious intent.
  3. Enhances compliance and governance
    Many regulations (e.g., GDPR, HIPAA, and PCI DSS) require organizations to implement the principle of least privilege as part of their security practices. EPM helps organizations demonstrate compliance by providing audit trails and ensuring users have access only to what is necessary for their roles.
  4. Supports zero trust principles
    EPM aligns with the Zero Trust security model by enforcing strict access controls and verifying users’ actions based on predefined policies. It ensures that trust is never implicit, even for internal users or endpoints.

How does Intune Endpoint Privilege Management work?

So, as we’re agreed that Endpoint Privilege Management solves a real technology problem for Intune administrators, let’s look at it in a little more detail.

EPM is a feature in Intune designed to manage user privileges on Windows devices without granting full admin rights. It’s used to allow standard users to perform specific admin tasks securely and enforce least privilege policies across endpoints.

Intune EPM requirements

This wouldn’t be an article covering a Microsoft topic if there wasn’t a section on licensing – so here it is.

Intune EPM licensing

EPM is not included in Windows Enterprise E3 or E5, nor is it included in Microsoft 365 E3 or E5, or Intune Plan 1 or Plan 2. In fact, Endpoint Privilege Management is one of the many advanced Intune features that are available as part of the Microsoft Intune Suite add-on.

Full guidance on the requirements and step by step implementation instructions are available on Microsoft Learn.

On the technical side, EPM requires:

  • Microsoft Entra ID joined or Microsoft Entra ID hybrid joined devices
  • Microsoft Intune Enrollment or Microsoft Configuration Manager co-managed devices
  • Supported operating system (Windows 11 21H2 and later, with required KB level)
  • Clear line of sight (without SSL-Inspection) to the required endpoints

Getting started with Intune EPM

With the technical and non-technical prerequisites out of the way, there are two core steps to enabling Endpoint Privilege Management in your environment.

Step 1. Deploy an elevation settings policy – This policy activates the EPM agent on the client device, and allows the configuration of general elevation related settings.

  • From Intune Admin Center, browse to Endpoint Security > Endpoint Privilege Management > Create Policy > Elevation Settings policy
Create an Elevation Settings profile (Image Credit: Dean Ellerby/Petri.com)

Step 2. Deploy one or more elevation rule policies – An elevation rule policy specifies the application, task or executable that will be elevated by EPM. This policy allows you to configure which applications are eligible for auto-elevation, user-requested elevation, or even admin-approved elevation.

  • From Intune Admin Center, browse to Endpoint Security > Endpoint Privilege Management > Create Policy > Elevation Rules policy
Create an Elevation Rules profile (Image Credit: Dean Ellerby/Petri.com)

After deciding whether the elevation will be Automatic (the process elevates silently, without the user being notified) or User Confirmed (the user has to right-click and choose Elevate to initiate the process), you need to specify both the File name and the File hash for the file that is to be elevated.

The File name should not pose a challenge – this is the full executable name, including the extension (vscode.exe for example).

Specify the File Hash (Image Credit: Dean Ellerby/Petri.com)

On the other hand, File hashes are not so easy to come by. You can determine the file hash for the executable by running the PowerShell command Get-FileHash, or by running the Elevation by Application report built into Endpoint Privilege Management.

The Elevation by Application report shows all managed and unmanaged application elevations on EPM-managed endpoints, so if a user has elevated this application in the past (perhaps by virtue of one of those less than ideal methods), it will appear here.
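As an added example (not code from the article or from Microsoft), a small PowerShell function that gathers the File name and SHA-256 File hash for one or more executables in the form the elevation rule expects, and records the file version and signer alongside, since a hash rule only matches that exact build and needs revisiting when the application updates. The function name Get-EpmRuleInput and the sample paths are assumptions.

```powershell
# Added example, not from the article: collect the inputs an Intune EPM
# elevation rule asks for (File name and File hash) for one or more executables.
# Get-FileHash defaults to SHA256. Function name and sample paths are assumed.
function Get-EpmRuleInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found: $p"
                continue
            }
            $item = Get-Item -LiteralPath $p
            $hash = Get-FileHash -LiteralPath $p -Algorithm SHA256
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            [pscustomobject]@{
                # The rule wants the bare file name with extension, not the full path
                FileName    = $item.Name
                # Get-FileHash returns the digest as upper-case hex
                FileHash    = $hash.Hash
                # Recorded so the rule can be reviewed when this build is replaced;
                # a new version produces a different hash and the rule stops matching
                FileVersion = $item.VersionInfo.FileVersion
                # Signer subject if the Authenticode signature is valid, else the status
                Signer      = if ($sig.Status -eq 'Valid') {
                                  $sig.SignerCertificate.Subject
                              } else { $sig.Status }
            }
        }
    }
}

# Constructed sample paths; replace with the executables you intend to elevate
'C:\Program Files\Contoso\ContosoTool.exe', 'C:\Tools\Helper.exe' |
    Get-EpmRuleInput | Format-List
```

Run it on a reference machine that has the exact build users will launch; a hash taken from a different version of the same application will not match.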

‘Support approved’ elevation method

One additional elevation method available is ‘Support Approved’. With this method, users are asked to provide a justification and upon hitting send, their request is delivered to the Intune Admin Center, where an IT administrator can review and process their request.

When a user runs an app that is specified in a support-approved elevation rule using the right-click option Run with elevated access, Intune prompts for a justification.

  • The prompt lets the user enter a business reason for the elevation. This reason becomes part of the elevation request, which also contains the user’s name, device, and file name.
Intune EPM – request elevation (Image Credit: Microsoft)

Alternatives to Intune Endpoint Privilege Management

There are, of course, alternatives to Endpoint Privilege Management, which aim to achieve a similar result. Solutions such as AdminByRequest and AutoElevate are examples that can provide a holistic Privileged Access Management platform, incorporating features that manage desktop elevation.

Will Microsoft extend support to macOS?

In summary, I believe it is vital that Microsoft have an offering like Endpoint Privilege Management for Windows, and hope that this will continue to be developed to support other platforms such as macOS in the future.

For now, you can access a trial of Intune Suite to try it out.