Removing admin rights from end users just got easier for Microsoft Intune customers.
Published: Dec 06, 2024
When we consider Microsoft Intune Endpoint Privilege Management as a solution, we have a very real problem that’s being solved. Admin rights.
Technical solutions are there to solve a problem, right? Without a problem, a solution is just a gimmick – a token – a gesture, at best. As Bill Gates is said to have remarked: “The computer was born to solve problems that did not exist before.”
The solution to giving ‘regular users’ ‘admin rights’, aka elevated privileges, has always been pretty simple – don’t. This, however, often prompts an immediate – and valid – question. What do we do for those who genuinely need elevated privileges, but are otherwise ‘regular users’? Until now, the Microsoft answer to this has been… unremarkable.
It’s generally agreed that simply adding the user to the Local Administrators group is not acceptable. As a close second on the list of things we probably shouldn’t do, we can provide them with a second (privileged) account that allows them to elevate when required.
Microsoft first released the Local Administrator Password Solution back in 2015, but even this wasn’t designed to solve the exact problem we face. In fact, this solution – now reinvigorated for the cloud – is designed to help avoid actual IT administrators having to use an identical username and password for the ‘Local Admin’ account across every endpoint, typically required for the worst recovery scenarios.
And so, Endpoint Privilege Management (EPM) was born. EPM serves to allow ‘regular users’ to elevate their privileges to administrator level when required. This can be done ‘on-demand’ through a context-menu action, or automatically based on the application being launched. This has a number of benefits, for example:
So, as we’re agreed that Endpoint Privilege Management solves a real technology problem for Intune administrators, let’s look at it in a little more detail.
EPM is a feature in Intune designed to manage user privileges on Windows devices without granting full admin rights. It’s used to allow standard users to perform specific admin tasks securely and enforce least privilege policies across endpoints.
This wouldn’t be an article covering a Microsoft topic if there wasn’t a section on licensing – so here it is.
EPM is not included in Windows Enterprise E3 or E5, nor is it included in Microsoft 365 E3 or E5, or Intune Plan 1 or Plan 2. In fact, Endpoint Privilege Management is one of the many advanced Intune features that are available as part of the Microsoft Intune Suite add-on.
Full guidance on the requirements and step-by-step implementation instructions are available on Microsoft Learn.
On the technical side, EPM requires:
With the technical and non-technical prerequisites out of the way, there are two core steps to enabling Endpoint Privilege Management in your environment.
Step 1. Deploy an elevation settings policy – This policy activates the EPM agent on the client device, and allows the configuration of general elevation related settings.
Step 2. Deploy one or more elevation rule policies – An elevation rule policy specifies the application, task or executable that will be elevated by EPM. This policy allows you to configure which applications are eligible for auto-elevation, user-requested elevation, or even admin-approved elevation.
After deciding whether the elevation will be Automatic (the process elevates silently, without the user being notified) or User Confirmed (the user has to right-click and choose Elevate to initiate the process), you need to specify both the File name, and the File hash for the file that is to be elevated.
The File name should not pose a challenge – this is the full executable name, including the extension (vscode.exe for example).
On the other hand, file hashes are not so easy to come by. You can determine the file hash for the executable by running the PowerShell cmdlet Get-FileHash, or by viewing the Elevation by Application report built into Endpoint Privilege Management.
The Elevation by Application report shows all managed and unmanaged application elevations on EPM-managed endpoints, so if a user has elevated this application in the past (perhaps by virtue of one of those less than ideal methods), it will appear here.
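The following PowerShell script is an added example, not code from the article or from Microsoft. It shows the Get-FileHash approach in practice: for each executable it produces the File name and SHA-256 File hash pair an elevation rule needs, and it compares the hash against the value a rule was built with, so that an application update (which changes the hash and silently stops the rule matching) is caught. The executable paths and the baseline hashes are assumptions constructed for illustration.

```powershell
# Added example (not from the article): derive the File name / File hash pair for an EPM
# elevation rule and detect when an installed binary no longer matches the rule's hash.
# Paths below are assumed for illustration; replace them with the applications you elevate.
$Executables = @(
    'C:\Program Files\Notepad++\notepad++.exe',   # assumed path
    'C:\Program Files\7-Zip\7zFM.exe'             # assumed path
)

# Hashes the current elevation rules were created with (constructed placeholder values).
$RuleBaseline = @{
    'notepad++.exe' = '0000000000000000000000000000000000000000000000000000000000000000'
    '7zFM.exe'      = 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
}

function Get-EpmRuleIdentity {
    # Returns the two values an elevation rule requires for a given executable.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ FileName = (Split-Path -Leaf $Path); FileHash = $null; Status = 'Missing' }
    }

    # EPM rules use the SHA-256 hash, which is also Get-FileHash's default algorithm.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        FileName = (Split-Path -Leaf $Path)   # maps to the rule's File name field
        FileHash = $hash                      # maps to the rule's File hash field
        Status   = 'Present'
    }
}

foreach ($exe in $Executables) {
    $id = Get-EpmRuleIdentity -Path $exe
    if ($id.Status -eq 'Missing') {
        Write-Warning "$($id.FileName): not installed on this device"
        continue
    }

    $expected = $RuleBaseline[$id.FileName]
    if ($null -eq $expected) {
        '{0}: no rule baseline recorded; create a rule with hash {1}' -f $id.FileName, $id.FileHash
    } elseif ($expected -ieq $id.FileHash) {
        '{0}: matches the elevation rule hash' -f $id.FileName
    } else {
        # Typical after an application update: the rule must be updated with the new hash.
        '{0}: HASH DRIFT - rule has {1}, file is {2}; update the elevation rule' -f $id.FileName, $expected, $id.FileHash
    }
}
```

Run this on a reference device after each application update to get the new hash before users start reporting that their elevation rule no longer applies; the baseline hashtable can be replaced with the hashes exported from your existing rules.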
One additional elevation method available is ‘Support Approved’. With this method, users are asked to provide a justification and upon hitting send, their request is delivered to the Intune Admin Center, where an IT administrator can review and process their request.
When a user runs an app that is specified in a support-approved elevation rule using the right-click option Run with elevated access, Intune prompts for the justification.
There are, of course, alternatives to Endpoint Privilege Management, which aim to achieve a similar result. Solutions such as AdminByRequest and AutoElevate are examples that can provide a holistic Privileged Access Management platform, incorporating features that manage desktop elevation.
In summary, I believe it is vital that Microsoft have an offering like Endpoint Privilege Management for Windows, and hope that this will continue to be developed to support other platforms such as macOS in the future.
For now, you can access a trial of Intune Suite to try it out.