Intune Endpoint Privilege Management configuration

PT Maliborski 286 Reputation points
2024-11-27T12:18:23.9133333+00:00

Hi All,

I went through the Microsoft docs about Endpoint Privilege Management (EPM) and many different videos and didn't find anything regarding EPM policies vs licenses.

I activated EPM trial in my tenant and first message I got on the screen was "Assign licences to users via Users in Admin Portal".

This is clear for me - license needs to be assigned to a user.

Now, I created an "Elevation settings policy" and assigned it to a group of targeted devices - from all I found, I should only target specific devices with that policy, as Intune will configure the EPM feature on these devices. In that case, why the hell is there an option to assign that policy to All Users?

The Microsoft docs say:

"Rules deployed to a device are applied to every user that uses that device. Rules that are deployed to a user apply only to that user on each device that they utilize."

Ok, rules are like a 2nd step in the config, but optional. And this part I understand.

Rules are actually not related to my case as these only narrow down EPM usage.

So if I assign "Elevation settings policy" to a group of devices to activate EPM feature, then assign EPM license to my account, will I be able to use EPM on any of these devices? OR will I have to configure a group of users in EPM with my account in it, with assigned EPM license to my account and assigned to the same "Elevation settings policy" to be able to "Run with elevated access" on these devices?

All this comes from my business case:

I have 5 users in production that want to be able to manage their devices.

Should I configure 5 separate sets of "Elevation settings policy", with 5 separate user groups (for each user) and 5 separate devices groups (for each of the user's computers) and add these in pairs to each policy?

Can someone please clarify that for me?


Accepted answer
Crystal-MSFT 50,591 Reputation points Microsoft Vendor
2024-11-28T06:10:12.0633333+00:00

    @PT Maliborski, Thanks for posting in Q&A. In fact, when you assign an "Elevation settings policy" to a group of devices, it activates the EPM feature on those devices. However, for users to utilize EPM, they must also have an EPM license assigned to them.

    For your scenario, you can follow the steps below:

    1. Create a Device Group: Group the devices that these users will manage.
    2. Create an Elevation Settings Policy: Assign this policy to the device group.
    3. Assign EPM Licenses: Assign EPM licenses to the 5 users.
    4. (Optional) Create Elevation Rules: If needed, create specific rules and assign them to either the users or the devices.

    This setup ensures that the EPM feature is active on the devices and that the licensed users can utilize EPM functionalities on any of these devices.

    Hope the above information can help.


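The accepted answer's steps, as an added verification script that is not part of the original question or answer. It uses the Microsoft Graph PowerShell SDK to confirm what the answer relies on: that the device group exists and which users are actually registered on its devices (so the five licensed users really do sign in to devices the policy covers), that an EPM elevation settings policy is assigned to that group, and that each user holds the EPM licence, assigning it when missing. The group name, policy name, user UPNs and the SKU match pattern are placeholders; the EPM SKU part number must be confirmed with Get-MgSubscribedSku, and the assumption that EPM policies appear on the beta configurationPolicies endpoint with templateFamily 'endpointSecurityEndpointPrivilegeManagement' should be checked against your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
<#
  Added example, not from the original post. Checks the accepted answer's non-optional steps:
    1. the device group exists; list the users registered on its devices
    2. an EPM elevation settings policy is assigned to that group
    3. each target user holds the EPM licence (assigned here if missing)
  Assumed/hypothetical values: $DeviceGroupName, $PolicyName, $Users, $EpmSkuPattern and the
  templateFamily string below. Verify the real SKU part number with Get-MgSubscribedSku.
#>
param(
    [string]   $DeviceGroupName = 'EPM-Managed-Devices',               # assumed
    [string]   $PolicyName      = 'EPM - Elevation settings',          # assumed
    [string[]] $Users           = @('alice@contoso.com', 'bob@contoso.com'),  # assumed
    [string]   $EpmSkuPattern   = '*EPM*'                              # assumed; check your tenant
)

Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All', 'User.ReadWrite.All',
                        'Organization.Read.All', 'DeviceManagementConfiguration.Read.All' | Out-Null

# --- Step 1: device group and the users registered on its devices ----------------------
$group = Get-MgGroup -Filter "displayName eq '$DeviceGroupName'"
if (-not $group) { throw "Device group '$DeviceGroupName' not found." }

$registered = @{}   # UPN (lower-case) -> device display name
foreach ($m in (Get-MgGroupMember -GroupId $group.Id -All)) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') {
        Write-Warning "Member $($m.Id) is not a device; a device-targeted policy ignores it."
        continue
    }
    foreach ($u in (Get-MgDeviceRegisteredUser -DeviceId $m.Id -All)) {
        $upn = $u.AdditionalProperties['userPrincipalName']
        if ($upn) { $registered[$upn.ToLower()] = $m.AdditionalProperties['displayName'] }
    }
}

# --- Step 2: is the EPM elevation settings policy assigned to that group? -------------
$policies = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies').value
$epm = $policies | Where-Object {
    $_.name -eq $PolicyName -and
    $_.templateReference.templateFamily -eq 'endpointSecurityEndpointPrivilegeManagement'  # assumed
}
if (-not $epm) { throw "No EPM policy named '$PolicyName' found." }

$targets = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($epm.id)/assignments").value |
    ForEach-Object { $_.target.groupId }
if ($targets -notcontains $group.Id) {
    Write-Warning "'$PolicyName' is not assigned to '$DeviceGroupName'; EPM will not be enabled on its devices."
}

# --- Step 3: EPM licence on each user -------------------------------------------------
$sku = @(Get-MgSubscribedSku | Where-Object SkuPartNumber -like $EpmSkuPattern)
if ($sku.Count -ne 1) {
    throw "Expected one SKU matching '$EpmSkuPattern', got: $($sku.SkuPartNumber -join ', '). Adjust -EpmSkuPattern."
}
$sku = $sku[0]

foreach ($upn in $Users) {
    if (-not $registered.ContainsKey($upn.ToLower())) {
        Write-Warning "$upn is not registered on any device in '$DeviceGroupName'."
    }
    $licensed = Get-MgUserLicenseDetail -UserId $upn | Where-Object SkuId -eq $sku.SkuId
    if ($licensed) { Write-Host "$upn already has $($sku.SkuPartNumber)"; continue }

    # Licence assignment fails unless the user has a usage location set.
    $loc = (Get-MgUser -UserId $upn -Property UsageLocation).UsageLocation
    if (-not $loc) { Write-Warning "$upn has no UsageLocation; set it before assigning a licence."; continue }

    Set-MgUserLicense -UserId $upn -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    Write-Host "Assigned $($sku.SkuPartNumber) to $upn"
}
```

Run it once after creating the group and policy in the Intune admin center; the warnings are the practical checks behind the question: a user who is licensed but never signs in to a device in the group gains nothing, and a device-targeted policy that is not actually assigned to the group enables EPM nowhere. The registered-user lookup only reflects Entra device registration, so a shared machine may list several UPNs.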
