Intune Endpoint Privilege Management (EPM) - App Elevation creates a virtual domain/profile

Mike 45 Reputation points
2024-11-08T13:17:30.3466667+00:00

Hello Community,

Recently, we implemented EPM as a replacement for PolicyPak. Unfortunately, EPM is not working as we expected. It seems that a virtual domain and profile are created. When launching applications, (sometimes) this virtual profile will be used which causes extensions/plugins not to work or not to be recognized (for example, Unity, Visual Studio Code (system installed), Command Prompt, etc.), since they no longer operate within the user’s own profile. Unfortunately, Microsoft didn’t include this information in the documentation, so we discovered it too late and are now facing issues within our organization, where applications no longer function as users were accustomed to.

When I review the EPM logging, I notice that not all applications/executables run under the virtual account. In fact, sometimes there are multiple processes with the same name (e.g., airtame.exe) but with different parameters. One process starts under the user’s profile, while the others start under a virtual profile.

Question 1: Is there any way to resolve this differently?

Question 2: Could someone explain how this works? Why does one application/process start under the virtual profile while another does not?

Here’s a useful and important link for anyone considering migrating to EPM: https://call4cloud.nl/virtual-account-epm-elevation/

Thanks in advance.

Kind regards,

Mike

  1. Crystal-MSFT 50,496 Reputation points Microsoft Vendor
    2024-11-11T02:51:12.7+00:00

    @Mike, Thanks for posting in Q&A. From your description, it seems some processes run under the standard user but others run under the virtual account.

    I wonder if it relates to the setting "Child process behavior" under the elevation rule we set. Did we set it to "Require rule to elevate"?

    https://learn.microsoft.com/en-us/mem/intune/protect/epm-policies#manually-configure-elevation-rules-for-windows-elevation-rules-policy

    For the applications that do not run under the virtual account, could you let us know if there is any error in the EPM log when we elevate the application? Meanwhile, please confirm that the application is supported. Currently, EPM supports executable files, including those with the .msi extension, and .ps1 PowerShell scripts.

    https://learn.microsoft.com/en-us/mem/intune/protect/epm-deployment-considerations-ki#what-files-can-be-elevated-to-administrator

    If there's any update, feel free to let us know.

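A small diagnostic to go with the two points raised above (same-named processes landing under different accounts, and the parent/child relationship that the "Child process behavior" setting governs). This is an added example, not code from the thread, Microsoft or call4cloud: it lists every instance of the given executables with its owner, its parent process and parent owner, and flags instances whose owner is not the signed-in user. The process name airtame.exe is taken from the question; everything else is an assumption.

```powershell
# Added diagnostic (not from the thread): for each named executable, show every
# running instance with owner, command line and parent, and flag the instances
# whose owner differs from the interactive user (e.g. an EPM virtual account).
param(
    [string[]]$ProcessName = @('airtame.exe')   # airtame.exe comes from the question
)

# The account this script runs as; used as the "expected" owner.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Resolve a process owner as DOMAIN\User via the Win32_Process GetOwner method.
function Get-ProcOwner([ciminstance]$Process) {
    if ($null -eq $Process) { return '<none>' }
    $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { return "$($o.Domain)\$($o.User)" }
    return '<unknown>'
}

# Build a WQL filter such as: Name = 'airtame.exe' OR Name = 'code.exe'
$filter = ($ProcessName | ForEach-Object { "Name = '$_'" }) -join ' OR '

# Index all processes by PID once, so parents can be looked up cheaply.
$all = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

$rows = foreach ($p in ($all.Values | Where-Object { $ProcessName -contains $_.Name })) {
    $parent = $all[[int]$p.ParentProcessId]
    $owner  = Get-ProcOwner $p
    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        Owner       = $owner
        # False for instances running under an account other than the signed-in user
        SameAsUser  = ($owner -eq $me)
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        ParentOwner = Get-ProcOwner $parent
        CommandLine = $p.CommandLine
    }
}

# Instances under a foreign account are listed first so they stand out.
$rows | Sort-Object SameAsUser, Name, PID | Format-Table -AutoSize -Wrap
```

Run it in the user's session while the affected application is open; an instance whose Parent is an elevated/EPM-launched process and whose Owner differs from the user is the one that picked up the virtual profile, so the rule that elevated the parent is the one to review.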