Control Admin Rights with EPM
Endpoint Privilege Management lets standard users run specific apps with elevated permissions β without giving them permanent local admin rights. Zero Trust for the desktop.
What is Endpoint Privilege Management?
Think of EPM like a bouncer who checks your ID before letting you into the VIP section.
Normally, standard users canβt install software or change system settings β they donβt have the βVIP passβ (local admin rights). But sometimes they genuinely need to run a specific app that requires admin permissions β like a printer driver or a development tool.
EPM lets them request temporary elevation for that specific app. Depending on your policy, it either auto-approves (the bouncer recognises them), asks for a business justification (the bouncer checks the list), or requires a managerβs approval (the bouncer calls upstairs). Once done, theyβre back to standard user β no permanent admin rights.
The three elevation types
| Feature | Automatic | User-Confirmed | Support-Approved |
|---|---|---|---|
| How it works | App elevates silently β no user interaction | User provides a business justification before elevation | User requests elevation, IT admin approves or denies |
| User experience | Seamless β like having admin rights for that app | Prompt appears asking why they need it | Request submitted β wait for approval β then run |
| IT involvement | None (policy-driven) | None (justification logged but not reviewed) | Yes β admin reviews and approves each request |
| Best for | Known-safe apps that always need elevation | Apps that sometimes need elevation β audit trail needed | Sensitive apps where IT must explicitly approve each use |
| Example | Printer driver installer | Developer tool that occasionally needs admin | Software that modifies system settings |
| Security level | Lowest (most permissive) | Medium | Highest (most restrictive) |
How EPM works
Step 1: Remove local admin rights
Use Intuneβs Account Protection policy (from Module 7) to remove users from the local Administrators group. Now theyβre standard users.
Step 2: Create elevation rules
In Intune admin center β Endpoint security β Endpoint Privilege Management:
| Rule Setting | What It Controls |
|---|---|
| File name | Which executable can be elevated (e.g., setup.exe) |
| File path | Where the file lives (e.g., C:\Tools\) |
| File hash | SHA-256 hash of the specific file version |
| Certificate | Publisher certificate that signed the file |
| Elevation type | Automatic, user-confirmed, or support-approved |
| Child process behaviour | Whether child processes also run elevated |
Step 3: Assign to groups
Target the elevation policy to device or user groups β just like any other Intune policy.
Real-world example: Chen Wei at Meridian Bank
| App | Elevation Type | Why |
|---|---|---|
| Approved printer drivers | Automatic | IT has verified these drivers β safe to auto-elevate |
| Visual Studio (developer team) | User-confirmed | Developers need it daily, but log the justification for audit |
| Legacy banking app installer | Support-approved | Only IT should approve installs of this sensitive financial software |
| Unknown/unsigned executables | Blocked (default behaviour) | Standard users canβt elevate anything not in the EPM policy |
Exam tip: EPM requires Intune Suite
EPM is part of the Microsoft Intune Suite β itβs an add-on licence, not included in standard Intune. The exam may test this:
- Intune Plan 1 (included in M365 E3/E5) β standard Intune features
- Intune Suite (add-on) β EPM, Remote Help, Advanced Analytics, Tunnel for MAM, Cloud PKI, Enterprise App Catalog
If a question asks βwhat licence is needed for EPM?β β the answer is Intune Suite (or Intune Plan 2, which includes the Suite).
Deep dive: EPM reporting and audit
Every elevation event is logged and reportable:
- Who elevated (user account)
- What was elevated (file name, hash, path)
- When the elevation occurred
- Why (business justification for user-confirmed elevations)
- Approval details (for support-approved elevations)
Chen Wei uses these reports for compliance audits β the banking regulator wants evidence that admin rights are controlled and justified. EPMβs built-in reporting provides this without additional tools.
π¬ Video walkthrough
Flashcards
Knowledge Check
Chen Wei removed all users from the local Administrators group at Meridian Bank. Now a developer can't install Visual Studio updates β they require admin rights. The developer needs this daily. What's the best EPM approach?
A user at Meridian Bank tries to run an unsigned executable they downloaded from the internet. EPM is configured but there's no rule for this file. What happens?
Next up: Intune Suite: Apps, Analytics & Remote Help β the Enterprise App Catalog, Advanced Analytics, and Remote Help capabilities.