Deployment considerations and frequently asked questions for Endpoint Privilege Management

Note

This capability is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.

With Microsoft Intune Endpoint Privilege Management (EPM) your organization’s users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.

Endpoint Privilege Management supports your zero-trust journey by helping your organization achieve a broad user base running with least privilege, while allowing users to still run tasks allowed by your organization to remain productive.

The following sections of this article discuss deployment considerations and frequently asked questions for EPM.

Applies to:

  • Windows 10
  • Windows 11

Deployment considerations for Endpoint Privilege Management

Windows 10 devices might not immediately receive confirmation of support approvals

A few scenarios prevent Windows 10 devices from automatically receiving the notification that a new approval is ready for the device when you use support-approved elevations. We are working with the owning team to resolve this as quickly as possible.

Organizations using Application Control for Business might experience issues running Endpoint Privilege Management

Application Control for Business policies that don't account for the EPM client components can prevent those components from functioning. To use EPM together with Application Control for Business, ensure that your Application Control policy includes rules that allow the EPM components to run.

Organizations restricting users who can log on interactively might see issues with Endpoint Privilege Management

Endpoint Privilege Management uses an isolated account to facilitate elevations. This account requires the ability to create an interactive logon session. Organizations that restrict which users can create interactive sessions need to adjust those restrictions for EPM to function properly.

Authoring rules that use the file name as the sole attribute for identification

File name is an attribute that can be used to detect an application that needs to be elevated. However, the file name isn't protected by the file's signature.

File names are trivially changed. A file signed by a certificate that you trust could be renamed so that it matches the rule and is subsequently elevated, which might not be your intended behavior.

Important

Always ensure that rules that include a file name also include other attributes that provide a strong assertion of the file's identity. Attributes like the file hash, or properties that are covered by the file's signature, are good indicators that the file being elevated is the one you intend.
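The following PowerShell function is an added example, not code from the Intune documentation or the EPM product. It gathers the signature-protected attributes of a binary (SHA-256 hash, signer certificate, and the version resource fields) so that an elevation rule can be anchored to them rather than to the file name alone, and optionally exports the signer certificate for a publisher-based rule. The file path, the export path and the function name are assumptions; how these values map onto rule fields in the Intune admin center is left to the reader.

```powershell
# Added example (not from the Intune documentation): collect the strong identity
# attributes of a binary so an elevation rule need not rely on the file name alone.
# Assumes the file is Authenticode-signed; paths below are placeholders.
function Get-ElevationRuleAttributes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional: where to write the signer certificate (DER .cer) for a publisher rule
        [string]$ExportCertificateTo
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    if ($sig.Status -ne 'Valid') {
        # Without a valid signature there is no publisher attribute to anchor the rule to;
        # a rule keyed on the name alone would elevate anything carrying that name.
        Write-Warning "Signature status for '$($file.Name)' is '$($sig.Status)': do not build a rule on file name alone."
    }

    # The hash identifies exactly this build; the version resource fields are
    # covered by the signature, unlike the on-disk file name.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $vi   = $file.VersionInfo

    if ($ExportCertificateTo -and $sig.SignerCertificate) {
        $der = $sig.SignerCertificate.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($ExportCertificateTo, $der)
    }

    [pscustomobject]@{
        FileName         = $file.Name
        Sha256           = $hash
        SignatureStatus  = [string]$sig.Status
        Signer           = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
        Issuer           = $sig.SignerCertificate.Issuer
        ProductName      = $vi.ProductName
        InternalName     = $vi.InternalName
        FileDescription  = $vi.FileDescription
        FileVersion      = $vi.FileVersion
    }
}

# Usage (placeholder paths):
# Get-ElevationRuleAttributes -Path 'C:\Tools\example.exe' -ExportCertificateTo 'C:\Temp\signer.cer'
```

Run it against each binary before authoring a rule and compare the `Signer` and `Issuer` fields with what you expect; if `SignatureStatus` is anything other than `Valid`, the hash is the only strong attribute available.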

Elevation settings policies might show conflict if changed in quick succession

Endpoint Privilege Management reports the status of each setting applied through the Elevation Settings profile. If settings in this profile (for instance, Default elevation behavior) are changed multiple times in quick succession, the device might report a conflict or fall back to the default behavior of denying the elevation. This is a transient state that resolves without further action (in less than 60 minutes). This issue will be fixed in a future release.

Blocked files downloaded from the internet fail to elevate

Windows sets an attribute on files that are downloaded directly from the internet, preventing them from executing until they're validated. Windows can validate the reputation of files downloaded from the internet, and when a file's reputation isn't validated, it might fail to elevate.

To correct this behavior, unblock the file from the file's Properties pane. Unblock a file only when you trust it.
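As an added example (not part of the Intune documentation), the following PowerShell function shows the check a practitioner would want before unblocking: it reads the `Zone.Identifier` alternate data stream that Windows attaches to downloaded files, and removes it only when the file's Authenticode signature is valid and the signer's thumbprint is one you have already decided to trust. The function name and the `-TrustedThumbprint` values are assumptions; the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not from the Intune documentation): unblock a downloaded file only
# when its signature is valid and comes from a signer you already trust.
# -TrustedThumbprint holds placeholder values; supply your own publisher thumbprints.
function Unblock-DownloadedFileIfTrusted {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TrustedThumbprint
    )

    # The download marker lives in an alternate data stream named Zone.Identifier.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Unblocked = $false; Reason = 'NotBlocked' }
    }

    # ZoneId=3 is the Internet zone, ZoneId=4 is Restricted sites.
    $zoneId = $null
    foreach ($line in $zone) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $thumb   = $sig.SignerCertificate.Thumbprint
    $trusted = ($sig.Status -eq 'Valid') -and ($thumb -in $TrustedThumbprint)

    if (-not $trusted) {
        # Leave the marker in place: the file is either unsigned, tampered with, or
        # signed by someone outside the allow-list.
        return [pscustomobject]@{
            Path = $Path; ZoneId = $zoneId; Unblocked = $false
            Reason = "SignatureStatus=$($sig.Status); Signer=$thumb"
        }
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier stream')) {
        Unblock-File -LiteralPath $Path
    }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Unblocked = $true; Reason = 'TrustedSigner' }
}

# Usage (thumbprint is a placeholder):
# Unblock-DownloadedFileIfTrusted -Path 'C:\Users\Public\Downloads\tool.exe' `
#     -TrustedThumbprint 'PLACEHOLDER_PUBLISHER_THUMBPRINT' -WhatIf
```

Because the function supports `-WhatIf`, you can see which files would be unblocked before changing anything; the returned `Reason` field records why a file was left blocked.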

Windows devices that are "workplace joined" fail to enable Endpoint Privilege Management

Devices that are workplace joined are not supported by Endpoint Privilege Management. These devices will not show success or process EPM policies (elevation settings or elevation rules) when deployed to the device.

Rules for a network file might fail to elevate

Endpoint Privilege Management supports executing files that are locally stored on disk. Executing files from a network location, such as a network share or mapped drive, is not supported.

Endpoint Privilege Management doesn't receive policy when I use SSL inspection on my network infrastructure

Endpoint Privilege Management doesn't support SSL inspection, also known as 'break and inspect'. To use Endpoint Privilege Management, ensure that the URLs listed in the Intune Endpoints for Endpoint Privilege Management are exempt from inspection.
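The PowerShell function below is an added example (not from the Intune documentation) for verifying whether an exemption is actually in effect from a managed device. It opens a TLS connection to a host, records the certificate the client is presented with, builds the chain as this machine sees it, and flags the host as inspected when the issuer or root matches your own inspection CA. The host name in the usage line is a placeholder for one of the URLs in the Intune endpoints list, and `-InternalCaPattern` is an assumed regular expression matching your proxy's CA name.

```powershell
# Added example (not from the Intune documentation): report which CA issued the
# certificate a client actually sees for an endpoint. If the issuer is your
# inspection proxy's CA rather than the public CA, the endpoint is being intercepted.
# Host name and CA pattern in the usage line are placeholders.
function Test-TlsInspection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Regex matching the subject of your own inspection CA, e.g. 'Contoso Inspection CA'
        [Parameter(Mandatory)][string]$InternalCaPattern
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate here: the goal is to observe what is presented,
        # not to establish a trusted session.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }

    # Build the chain with the local trust stores so the root reflects what this
    # device would trust; revocation is skipped because only identity matters here.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $inspected = ($leaf.Issuer -match $InternalCaPattern) -or ($root.Subject -match $InternalCaPattern)

    [pscustomobject]@{
        HostName  = $HostName
        Subject   = $leaf.Subject
        Issuer    = $leaf.Issuer
        Root      = $root.Subject
        Inspected = $inspected
    }
}

# Usage (host name is a placeholder for an entry from the Intune endpoints list):
# Test-TlsInspection -HostName 'intune-endpoint.example' -InternalCaPattern 'Contoso Inspection CA'
```

Run it from a device that sits behind the proxy; an `Inspected` value of `True` for any EPM endpoint means the exemption isn't taking effect for that host.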

Frequently asked questions

Why is my virtual device not onboarding to Endpoint Privilege Management?

Currently, Endpoint Privilege Management isn't supported with Azure Virtual Desktop. This issue will be fixed in a future release.

Support for Windows 365 (Cloud PCs) was added in September 2023.

Why is my elevation settings policy showing error/not applicable?

The elevation settings policy controls the enablement of EPM and the configuration of the client-side components. When this policy is in error or shows not applicable, the device had an issue enabling EPM. The two most common reasons are missing required Windows updates and failure to communicate with the required Intune Endpoints for Endpoint Privilege Management.

What happens when someone with administrative privileges uses a device that is enabled for EPM?

Endpoint Privilege Management doesn't manage elevation requests from users who have administrative permissions on a device. An administrator might launch a file that has an elevation rule (specifically an automatic elevation rule) defined on the device. The application launches as it normally does for the administrator, and EPM generates an event for an unmanaged elevation.

What files can be elevated to administrator?

Endpoint Privilege Management supports executable files. Microsoft is currently working on extending support for other file types (MSI, etc.) and providing an easy method to elevate common operating system tasks.

Why doesn't "Run with elevated access" show on start menu items?

Certain items that reside in the start menu or taskbar have a curated right-click menu, and the EPM right-click context menu can't be added to those menus. We plan to fix this issue in a future release.

Can I launch multiple files as elevated with the "Run with elevated access" right-click context menu?

Only one file can be elevated at a time. To launch multiple files elevated, right-click each file individually and select Run with elevated access.

Next steps