Note
This capability is available as an Intune add-on. For more information, see Use Intune Suite add-on capabilities.
With Microsoft Intune Endpoint Privilege Management (EPM) your organization's users can run as a standard user (without administrator rights) and complete tasks that require elevated privileges. For more information, see EPM Overview.
Applies to:
- Windows
To deploy Endpoint Privilege Management (EPM), start by enabling reporting, then use the reports to create elevation rules. This article describes some common deployment scenarios and outlines the recommended deployment phases for your organization. The EPM policy types referred to throughout are:
- Windows elevation settings policy.
- Windows elevation rules policy.
- Reusable settings groups, which are optional configurations for your elevation rules.
Deployment overview
EPM can help control the elevation of applications in Intune. Separately, the Local Users and Groups policy can be used to control membership of the local Administrators group and to transition users from administrators to standard users.
The common deployment phases are:
- Phase 1: Auditing - Enable EPM client and enable reporting collection using an elevation settings policy.
- Phase 2: Persona identification - Identify groups of users with common requirements.
- Phase 3: Build rules - Use EPM reports to create elevation rules for different personas.
- Phase 4: Monitoring - Iterate and refine rules, identify new scenarios.
- Phase 5: Review user privileges - Identify and optionally move users from administrator to standard user using Local Users and Groups. Consider enabling support-approved elevation so that users can request elevation for apps that aren't covered by rules.
Repeat phases 2 to 5 continuously to ensure your users have least privilege in line with Zero Trust principles.
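Phase 5 starts with knowing who currently holds local administrator rights on a device. The following PowerShell is an added example, not part of this article or of Intune itself; it inventories the local Administrators group and flags every member other than the built-in Administrator account (RID 500) as a candidate for transition to standard user. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module and that it is run with local administrator rights.

```powershell
# Added example: inventory local Administrators group membership for Phase 5
# (review user privileges). Not code from the original article or from Intune.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # ObjectClass is 'User' or 'Group'. PrincipalSource tells you whether the
    # member is a local account, an Active Directory principal, an Entra ID
    # (AzureAD) principal, or a Microsoft account.
    # The built-in Administrator account has the well-known RID 500 and is
    # normally left in place (for example for LAPS); every other member is a
    # candidate to move to standard user with a Local Users and Groups policy.
    $isBuiltInAdmin = $m.SID.Value -like 'S-1-5-21-*-500'

    [pscustomobject]@{
        Name                = $m.Name
        ObjectClass         = $m.ObjectClass
        PrincipalSource     = $m.PrincipalSource
        SID                 = $m.SID.Value
        TransitionCandidate = -not $isBuiltInAdmin
    }
}

# Summary: which principals should be reviewed before you apply Phase 5 changes.
$report | Sort-Object TransitionCandidate -Descending | Format-Table -AutoSize

# Export for comparison across devices, for example to collect from a pilot group.
$report | Export-Csv -Path "$env:COMPUTERNAME-local-admins.csv" -NoTypeInformation
```

Group members (ObjectClass 'Group') show up as a single row; expand them in the directory to find the individual users they grant admin rights to before deciding which persona each belongs to.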
The common deployment scenarios for EPM are:
| Scenario | Local User (Before) | Local User (After) | Example Role | Use Case |
|---|---|---|---|---|
| 1 | Admin | Admin | IT Support Technicians | A certain subset of users requires ongoing local admin rights, but you want to gain security improvements by using EPM. |
| 2 | Admin | Standard User | Information Workers | You want to move users with local admin rights to standard users, with minimal disruption. You want to allow them to request an app to run as admin on occasion. For step-by-step instructions on how to achieve this scenario with EPM, see Using EPM to transition users from administrator to standard users. |
| 3 | Standard User | Standard User | Developers | You want to allow specific users to 'elevate up' without granting local admin rights or using LAPS. |