Troubleshoot and refine an EPM deployment


Endpoint Privilege Management policies should be reviewed and adjusted when elevation requests don't behave as expected. Troubleshooting usually starts by confirming that EPM is enabled on the device, that the correct policies are assigned, and that elevation activity is visible in reports. EPM rules only take effect when the device also receives a Windows elevation settings policy that enables Endpoint Privilege Management.

Check policy assignment and device readiness

Start by checking whether the device has received the correct EPM policies. The device needs an elevation settings policy to enable EPM, and an elevation rules policy when specific files should be managed. If the elevation settings policy reports a status of Error or Not applicable for the device, common causes include missing required Windows updates or blocked communication with the Intune endpoints that EPM requires.

Also confirm that the device type is supported. Workplace joined Windows devices don't support Endpoint Privilege Management and don't process EPM elevation settings or elevation rules policies.

Review rule matching problems

If a file doesn't elevate as expected, check whether the file matches the elevation rule. A rule can identify a file by properties such as file name, file path, certificate, hash, version, and other file metadata. Rules can also include file arguments or command-line switches. When arguments are configured, EPM only allows elevation when the elevation request includes one of the defined command lines.

Rule matching problems often occur when:

  • The file path in the rule doesn't match the actual file location.
  • The file was updated and the hash or version no longer matches.
  • The certificate used for validation has changed.
  • Required file arguments are missing from the elevation request.
  • The rule is assigned to the wrong user or device group.
  • The file is launched from a location that EPM doesn't support.

EPM supports elevation for files stored locally on disk. Files run from a network location, such as a network share or mapped drive, aren't supported for EPM elevation.
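The rule-matching checks above can be made mechanical. The following PowerShell is an added example, not code from the original module or from Intune's own EPM tooling: it collects the file properties an elevation rule can match on (name, directory, SHA-256 hash, version metadata, Authenticode signer and chain, and whether the file sits on a network path) and compares them with a description of the rule you configured, reporting each property that fails. The rule hashtable keys, the `Contoso` paths and certificate subject, and the argument list are placeholders of this example; the real Intune rule validates against the uploaded .cer file, so the subject-string comparison here is an approximation.

```powershell
# Added example, not part of the original module or of Intune's EPM tooling.
# Gathers the identifiers an EPM elevation rule can match on and checks them
# against a rule description, so a non-matching rule is explained property by property.

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # FileVersion strings can carry trailing text, e.g. "1.2.3.4 (build)"; keep the numeric prefix.
    if ($Text -and $Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-EpmFileIdentity {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # EPM elevates only files on local disk; UNC paths and mapped drives don't qualify.
    $isUnc    = ([System.Uri]$item.FullName).IsUnc
    $isMapped = $item.PSDrive.DisplayRoot -like '\\*'

    # Hash rules compare the SHA-256 of the file as it is now; any update breaks the match.
    $sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

    # Certificate rules check the Authenticode signer, or an issuing CA in its chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signerSubject = $null
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        $signerSubject = $sig.SignerCertificate.Subject
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($sig.SignerCertificate)
        $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }

    $vi = $item.VersionInfo
    [pscustomobject]@{
        FileName        = $item.Name
        Directory       = $item.DirectoryName
        OnNetworkPath   = [bool]($isUnc -or $isMapped)
        Sha256          = $sha256
        FileVersion     = ConvertTo-VersionOrNull $vi.FileVersion
        ProductName     = $vi.ProductName
        InternalName    = $vi.InternalName
        FileDescription = $vi.FileDescription
        SignatureStatus = $sig.Status.ToString()
        SignerSubject   = $signerSubject
        CertChain       = $chainSubjects
    }
}

function Test-EpmRuleMatch {
    param(
        [Parameter(Mandatory)]$Identity,
        # Rule keys (this example's convention): FileName, Directory, Sha256, MinimumVersion, SignerSubject, Arguments
        [Parameter(Mandatory)][hashtable]$Rule,
        [string]$RequestedArguments = ''
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($Identity.OnNetworkPath) { $problems.Add('File is on a network share or mapped drive; EPM only elevates local files.') }
    if ($Rule.FileName -and $Identity.FileName -ne $Rule.FileName) { $problems.Add("File name '$($Identity.FileName)' differs from rule value '$($Rule.FileName)'.") }
    if ($Rule.Directory -and $Identity.Directory -ne $Rule.Directory) { $problems.Add("Directory '$($Identity.Directory)' differs from rule value '$($Rule.Directory)'.") }
    if ($Rule.Sha256 -and $Identity.Sha256 -ne $Rule.Sha256) { $problems.Add('SHA-256 differs from the rule; the file was probably updated since the rule was created.') }
    if ($Rule.MinimumVersion -and (-not $Identity.FileVersion -or $Identity.FileVersion -lt [version]$Rule.MinimumVersion)) {
        $problems.Add("File version '$($Identity.FileVersion)' is below the rule minimum '$($Rule.MinimumVersion)'.")
    }
    if ($Rule.SignerSubject) {
        if ($Identity.SignatureStatus -ne 'Valid') { $problems.Add("Signature status is '$($Identity.SignatureStatus)', so a certificate rule can't match.") }
        elseif ($Identity.CertChain -notcontains $Rule.SignerSubject) { $problems.Add("Neither the signer nor its chain matches '$($Rule.SignerSubject)'; the certificate may have changed.") }
    }
    # With arguments configured, the elevation request must use one of the listed command lines.
    if ($Rule.Arguments -and $Rule.Arguments -notcontains $RequestedArguments) {
        $problems.Add("Requested arguments '$RequestedArguments' are not one of the rule's command lines.")
    }
    [pscustomobject]@{ Matches = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage with placeholder values (Contoso path, subject and arguments are not real):
$id = Get-EpmFileIdentity -Path 'C:\Program Files\Contoso\tool.exe'
$id | Format-List
$rule = @{
    FileName       = 'tool.exe'
    Directory      = 'C:\Program Files\Contoso'
    MinimumVersion = '2.0'
    SignerSubject  = 'CN=Contoso Software, O=Contoso, C=US'
    Arguments      = @('/quiet', '/repair')
}
Test-EpmRuleMatch -Identity $id -Rule $rule -RequestedArguments '/quiet' | Format-List
```

Run `Get-EpmFileIdentity` on the exact binary the user launches, then fill `$rule` from the values shown in the Intune rule. Every entry in `Problems` corresponds to one of the causes in the list above, which is usually faster than re-reading the rule by eye, and the `OnNetworkPath` check catches the unsupported-location case before any property comparison.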

Adjust the default elevation response

If users can elevate too broadly, or if expected requests are denied, review the Default elevation response in the Windows elevation settings policy. This setting controls what happens when a user requests elevation for a file that doesn't match an elevation rule. Available options include Deny all requests, Require support approval, and Require user confirmation.

Use Deny all requests or Require support approval when the goal is to prevent unmanaged elevation. Use Require user confirmation carefully: it applies to every file that doesn't match a rule, so any user can elevate any unmanaged file after confirming, and only the validation configured for that confirmation (such as a business justification or Windows authentication) stands between the user and the elevation.

Use reports to find policy gaps

EPM reports help identify where policies need adjustment. Reports can show managed and unmanaged elevation activity, depending on the reporting scope configured in the Windows elevation settings policy: with a scope of diagnostic data and managed elevations only, elevations of files that don't match a rule don't appear, so choose the scope that includes all endpoint elevations when you need to see which unmanaged files users are elevating. Report data is available from Endpoint security > Endpoint Privilege Management, using the Overview and Reports tabs.

Check EPM limitations

Some issues are caused by platform or service limitations rather than policy mistakes. For example, applications elevated with EPM run in an isolated security context and can't access resources that require user authentication, such as network shares, OneDrive, SharePoint, or Azure resources. EPM also doesn't support SSL inspection for required EPM traffic, so required Intune endpoints should be exempted from inspection.

These limitations matter during troubleshooting. If an elevated application fails only when accessing a network or cloud resource, the rule may be working correctly while the application behavior is affected by the elevated security context.

For more information, see Known Issues for Endpoint Privilege Management.