What is Endpoint Privilege Management?
Endpoint Privilege Management is a feature of the new Microsoft Intune Suite product. Endpoint Privilege Management allows an organization’s users to run as a standard user (without administrator rights) and still complete tasks that require elevated privileges, i.e. tasks that commonly require administrative rights.
This feature is designed to help organizations reduce the number of users with administrative rights, which can help reduce the risk of security breaches and other issues. By allowing users to complete tasks that require elevated privileges without giving them full administrative rights, endpoint privilege management can help organizations maintain a more secure and stable environment.
Endpoint Privilege Management provides the following benefits:
- Least privilege access: Endpoint Privilege Management allows users to perform tasks that require elevated privileges without granting them full administrative rights.
- Reduced risk: By reducing the number of users with administrative rights, endpoint privilege management can help reduce the risk of security breaches and other issues.
- Improved compliance: Endpoint privilege management can help organizations meet compliance requirements by providing granular control over user access.
- Increased productivity: By allowing users to complete tasks that require elevated privileges without requiring IT intervention, endpoint privilege management can help increase productivity and reduce IT workload.
How does Endpoint Privilege Management work?
EPM works by implementing policies and rules that define who can do what at which endpoint. For example, an EPM policy can restrict the use of administrative privileges, block unauthorized applications, or limit access to certain network resources. EPM also provides visibility and auditing capabilities that allow administrators to track and review the activities of users and applications on their endpoints.
License requirements:
- Microsoft Intune Endpoint Privilege Management, Standalone License
- Microsoft Intune Plan 1
- Microsoft Intune Plan 2
- Microsoft Intune Suite
Windows client requirements
Endpoint Privilege Management has the following operating system requirements:
- Windows 11, version 22H2 (22621.1344 or later), with KB5022913
- Windows 11, version 21H2 (22000.1761 or later), with KB5023774
- Windows 10, version 22H2 (19045.2788 or later) with KB5023773
- Windows 10, version 21H2 (19044.2788 or later) with KB5023773
- Windows 10, version 20H2 (19042.2788 or later) with KB5023773
Disclaimer: be careful, I lost a lot of time when I was testing this feature just because I did not check my Windows version 🙂
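An added check (not from the original post) that compares the local Windows build and update revision (UBR) against the minimum builds listed above, so the version problem mentioned in the disclaimer is caught before any policy troubleshooting starts. Registry values and the build table are the only inputs; the KB numbers are taken from the list above.

```powershell
# Added example: verify this device meets the EPM minimum OS build before testing.
# Minimum build.revision per Windows build number, as listed in the post.
$minBuilds = @{
    22621 = 1344   # Windows 11 22H2, KB5022913
    22000 = 1761   # Windows 11 21H2, KB5023774
    19045 = 2788   # Windows 10 22H2, KB5023773
    19044 = 2788   # Windows 10 21H2, KB5023773
    19042 = 2788   # Windows 10 20H2, KB5023773
}

# CurrentBuildNumber and UBR together give the full build (e.g. 22621.1344).
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$display = $cv.DisplayVersion   # e.g. 22H2; present on 20H2 and later

if (-not $minBuilds.ContainsKey($build)) {
    Write-Warning "Build $build.$ubr ($display) is not in the EPM supported list."
    return $false
}

if ($ubr -lt $minBuilds[$build]) {
    Write-Warning ("Build {0}.{1} is below the minimum {0}.{2}; install the listed cumulative update first." `
        -f $build, $ubr, $minBuilds[$build])
    return $false
}

Write-Host "Build $build.$ubr ($display) meets the EPM minimum."
return $true
```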
How to Implement?
Create elevation settings policy
Choose and create an elevation settings policy.
The elevation settings policy defines the default settings for devices. It is applied to every elevation request that is not specifically covered by an Elevation Rules policy.
For example, if the organization’s settings policy denies all requests for elevation, but an elevation rule allows elevation for a specific application, that application will be elevated, bypassing the default defined in the elevation settings policy.
Enable Endpoint Privilege Management.
Define the default elevation response. There are three options:
- Deny all requests.
- Require user confirmation.
- Not configured (requests will be denied).
Define assignments and click “Create.”
Create an Elevation Rules policy.
Choose and create an elevation rules policy.
The Elevation Rules Policy defines elevation settings for specific applications. All applications defined in that policy override the default policy, which is defined in the Elevation Settings policy.
Click “Edit instance.”
Upload the certificate from the application. In this example, we will upload a certificate file from the Notepad++ application.
Navigate to the application, right-click, and choose properties.
Click on “digital signatures” and “details.”
View certificate.
Click copy to file.
Optional step – Get the file hash of the application. This step is not required, but it’s recommended.
Get-FileHash "C:\Program Files\Notepad++\notepad++.exe"

Algorithm Hash Path
--------- ---- ----
SHA256 A559EC6A8B7951551B1E10943326A9A7C585181ACF91CF4EF267B2BDE9B8173C C:\Program Files\Notepad++\no...
Navigate back to Endpoint Privilege Management. Choose the elevation type and validation.
These are the same settings that were defined in the Elevation Settings policy, but for Notepad++ they will be overridden.
Upload a certificate and paste the file hash.
Click Next, define assignments, and create a policy.
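The manual certificate export and hash steps above, collected in one added script (not from the original post): it validates the Authenticode signature, exports the signer certificate as a DER .cer file (the same result as the “Copy to File” wizard) and computes the SHA256 hash, so both inputs for the Elevation Rules policy come from the same binary. The executable path is the Notepad++ path used in the post; the output directory is an assumption.

```powershell
# Added example: gather the signer certificate (.cer) and SHA256 hash that an
# Elevation Rules policy asks for, from one signed executable.
param(
    [string]$ExePath = "C:\Program Files\Notepad++\notepad++.exe",
    [string]$OutDir  = "$env:USERPROFILE\Desktop\EPM"   # assumed output folder
)

if (-not (Test-Path -LiteralPath $ExePath)) { throw "File not found: $ExePath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Check the Authenticode signature. A rule built on an invalid or missing
#    signature either elevates nothing or elevates the wrong binary.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; EPM certificate rules need a valid signature."
}

# 2. Export the signer (leaf) certificate in DER format, which is what the
#    "Copy to File" wizard produces and what the rule upload expects.
$cerPath = Join-Path $OutDir ((Split-Path $ExePath -Leaf) + ".cer")
Export-Certificate -Cert $sig.SignerCertificate -FilePath $cerPath -Type CERT | Out-Null

# 3. Compute the SHA256 hash for the optional file hash field of the rule.
$hash = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash

# Summary the admin can paste into the rule; NotAfter shows when the rule will
# stop matching because the signing certificate expires.
[pscustomobject]@{
    File        = $ExePath
    Subject     = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    NotAfter    = $sig.SignerCertificate.NotAfter
    SHA256      = $hash
    Certificate = $cerPath
}
```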
Showcase
Notepad++: Run with elevated access.
We can run Notepad++ in elevated mode because the elevation rules for Notepad++ override the default elevation settings policy.
CMD: Run with elevated access.
We cannot run CMD in elevated mode because there is no specific rule for it, so the default elevation settings policy applies (we defined the default settings policy to deny all elevation attempts).
See ya in the next blog posts 🙂