Understand just-in-time elevation in Endpoint Privilege Management

Endpoint Privilege Management (EPM) helps organizations reduce the need for permanent local administrator rights. Instead of making users local admins, EPM lets standard users complete approved tasks that require elevated privileges, such as installing approved applications, updating drivers, or running diagnostic tools. This supports a least-privilege model while still allowing users to stay productive.

Why privilege management matters

Local administrator rights increase risk because users and applications can make system-level changes. If a device is compromised, local admin rights can also make it easier for an attacker to install tools, change security settings, or move further through the environment.

EPM helps reduce this risk by changing the default approach. Users work as standard users, and elevation is allowed only when policy permits it. This aligns with Zero Trust principles because access is limited, intentional, and based on defined conditions.

Benefits of Endpoint Privilege Management:

  • Reducing the number of users with permanent local admin rights.
  • Allowing approved admin tasks without changing the user's account type.
  • Controlling which files, installers, or scripts can run with elevated privileges.
  • Recording elevation activity for review and policy improvement.

Understand just-in-time elevation

Just-in-time elevation means elevated privileges are used only when they are needed for a specific task. The user doesn't become a permanent local administrator. Instead, EPM evaluates the elevation request and allows, denies, or routes the request based on policy.

How EPM supports least privilege

EPM is designed to keep users productive without giving them broad administrative access. For most elevation types, EPM uses a virtual account to run the elevated process. This account is isolated from the signed-in user account, and neither account is added to the local administrators group. This helps limit exposure while still allowing the approved task to run with administrative privileges.

There is also an Elevate as current user elevation type for scenarios where an application must run in the signed-in user's context. This can improve compatibility for some apps, but it has a broader security impact and should be used only when needed.

Licensing and platform requirements

EPM requires a subscription in addition to Microsoft Intune Plan 1 or Plan 2. It supports specific Windows 10 and Windows 11 versions, including supported virtual platforms such as Windows 365 and Azure Virtual Desktop single-session virtual machines. Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined, and they must be Intune-enrolled or co-managed with Microsoft Configuration Manager.

Supported versions include:

  • Windows 11 version 24H2.
  • Windows 11 versions 23H2, 22H2, and 21H2, with required minimum builds and updates.
  • Windows 10 versions 22H2 and 21H2, with required minimum builds and updates.

Elevation settings policies report as Not applicable on devices that don't run a supported operating system version. For current build requirements, see Endpoint Privilege Management prerequisites.

For licensing options, see Microsoft Intune plans and pricing and Microsoft 365 Security Enterprise Plans.

EPM also requires network access to the required Intune endpoints. SSL inspection isn't supported for EPM traffic, so exclude those endpoints from SSL inspection. Workplace joined devices aren't supported and don't process EPM elevation settings or elevation rules policies.
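As an added example (not Microsoft's code and not part of this module), the following read-only PowerShell preflight checks the platform prerequisites listed above on a Windows device: OS release, Microsoft Entra join state (via dsregcmd /status), and MDM enrollment. It assumes the enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments, and it does not check the exact minimum build numbers, which are published in the EPM prerequisites article.

```powershell
# Added example, not Microsoft's code: read-only preflight for the EPM platform
# prerequisites listed in this unit. Assumes it runs on the Windows device itself.
# Exact minimum build numbers are not checked; see the EPM prerequisites article.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd /status prints "Name : VALUE" lines; return the first matching value
    $pattern = '^\s*{0}\s*:\s*(\S+)' -f [regex]::Escape($Name)
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Test-EpmPrerequisites {
    $r = [ordered]@{}

    # OS release: the unit lists Windows 10 21H2/22H2 and Windows 11 21H2/22H2/23H2/24H2
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $release = $cv.DisplayVersion
    $isWin11 = $build -ge 22000                         # Windows 11 begins at build 22000
    $listed = if ($isWin11) { '21H2','22H2','23H2','24H2' } else { '21H2','22H2' }
    $r.OS = "Windows $(if ($isWin11) { 11 } else { 10 }) $release (build $build)"
    $r.OSReleaseListed = $release -in $listed

    # Join state: Entra joined or Entra hybrid joined is required; workplace joined is not supported
    $status = dsregcmd /status
    $entra  = (Get-DsregValue $status 'AzureAdJoined')   -eq 'YES'
    $domain = (Get-DsregValue $status 'DomainJoined')    -eq 'YES'
    $wpj    = (Get-DsregValue $status 'WorkplaceJoined') -eq 'YES'
    $r.JoinState = if ($entra -and $domain) { 'Microsoft Entra hybrid joined' }
                   elseif ($entra)          { 'Microsoft Entra joined' }
                   elseif ($wpj)            { 'Workplace joined (not supported by EPM)' }
                   else                     { 'Not joined' }
    $r.JoinStateOk = $entra

    # MDM enrollment: Intune (including co-management) records an enrollment with a ProviderID;
    # assumption: the key below is the standard MDM enrollment location on the device
    $enroll = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID }
    $r.MdmEnrolled = [bool]$enroll
    $r.EnrollmentProvider = ($enroll | Select-Object -First 1).ProviderID

    $r.Ready = $r.OSReleaseListed -and $r.JoinStateOk -and $r.MdmEnrolled
    [pscustomobject]$r
}

Test-EpmPrerequisites | Format-List
```

A device that reports Ready as False will show elevation settings policies as Not applicable or will not process EPM policy at all, so this is a quick first check before investigating policy assignment.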