In this blog post, I’ll be explaining how to configure an EPM rule that explicitly denies elevation with Microsoft Intune. Microsoft Endpoint Privilege Management (EPM) has introduced a new capability within elevation rules: the Deny file elevation type. This enhancement allows administrators to explicitly block specific files from running with elevated privileges.
By adding Deny rules to your EPM configuration, you gain more control over which applications or scripts can escalate privileges, thus improving the security posture of your organization. While the primary purpose of EPM is to enable standard users to run specific trusted applications with elevated rights, Deny rules serve as an essential safeguard.
They ensure that potentially harmful or unauthorized files, including known malware or unapproved tools, are prevented from executing with elevated permissions, even if users attempt to do so. This feature strengthens your defense against privilege escalation attacks. Microsoft introduced EPM explicitly deny elevation from Service Release 2505 onwards.
Although Deny rules are a powerful addition, it is still recommended to focus primarily on allowing elevation for trusted and approved applications. Using a combination of allow and deny rules enables you to balance security with productivity, giving users the access they need without compromising endpoint integrity.

EPM Rules Explicitly Deny Elevation Pre-requisites
Here is a table outlining the prerequisites for using Endpoint Privilege Management (EPM) rules that specifically deny elevation, utilizing the “Deny” file elevation type.
Prerequisite | Details |
---|---|
Windows Version | Windows 10, version 21H2 (19044.3393 or later) with KB5030211 to Windows 11, version 24H2 |
Microsoft Intune | Microsoft Intune Enrollment or Microsoft Configuration Manager co-managed devices (no workload requirements) |
EPM Licensing | Requires Microsoft Intune Suite license or the EPM add-on license for Microsoft Intune. |
EPM Policy Deployment | EPM policies (including Deny rules) must be deployed via Endpoint Privilege Management settings in Intune. |
File Hash or Path Details | Deny rules must target a file via file hash, certificate, or file path. Accurate values are required for proper enforcement. |
Device Scope | Ensure the target device group is properly assigned to the EPM policy containing Deny rules. |
Policy Configuration | A custom EPM elevation rule must be created with the action set to Deny and proper conditions (file path, hash, etc.) defined. |
Device Type | Microsoft Entra joined or Microsoft Entra hybrid joined |
EPM Agent Status | Devices must have the EPM client component properly installed and running (Service Name: Microsoft EPM Agent Service). This can be monitored in the Intune admin center. |
Create an EPM Deny Elevation Rules Policy in Intune
To create an Endpoint Privilege Management Deny Elevation Rules Policy from scratch, start by signing in to the Microsoft Intune Admin Center with your administrator credentials.
- Navigate to Endpoint Security > Endpoint Privilege Management > Choose Policies
- Click on +Create policy

In the Create a profile window, select Platform as Windows and choose Profile as Elevation rules policy. Another option is the Elevation settings policy, which configures and enables the EPM service. For now, we will focus solely on the Elevation rules policy.

On the Basics page, I will enter our policy name: HTMD – Deny EPM Elevation Rule Policy. If necessary, provide a brief description of the policy and then click Next.

On the Configuration settings page, Elevation Rules define the conditions that allow users to gain just-in-time access to apps and files on their devices. By default, the Elevation type will show as “User Confirmed.” To change the settings, click the +Edit instance under the Configure settings option.

Now, we will configure the Rule properties screen based on the Deny elevation type. Several options are mandatory. Please review the options below and select them accordingly. In this instance, I will be denying the VNC-Viewer application using the Elevation Rules policy.
Important Notes! To obtain the file hash, you must first import the EPM PowerShell module (EpmCmdlets.dll, which is installed with the EPM agent).
Import-Module "C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll"
To retrieve the File Attributes (including the SHA-256 file hash) for the application binary, use the following PowerShell command line:
Get-FileAttributes -FilePath "C:\Users\HTMDTestAccount\Downloads\VNC-Viewer-7.13.1-Windows.exe"
- Rule name: VNC-Viewer Deny Rule
- Elevation type: Deny
- Child process behavior: Deny all
- File name: VNC-Viewer-7.13.1-Windows.exe
- Signature Source: Not configured
- File hash: 7CB888C789083EAC23E16B061CEE49AEA14BBE14E7A784FB0FCA5CE0C23ED429
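The following PowerShell script is an added example and is not part of the original post or of the EPM product. It pulls together the pre-flight checks an administrator would want before saving a hash-based Deny rule: it confirms the EPM agent service is present and running (using the display name given in the prerequisites table), loads the EPM cmdlets from the agent's default install path, displays the attributes returned by Get-FileAttributes, and independently recomputes the SHA-256 hash with the built-in Get-FileHash cmdlet to confirm it matches the value you intend to put in the rule. The $FilePath and $ExpectedHash defaults are the values from this walkthrough; the property names on the Get-FileAttributes output object are not assumed, the object is simply displayed in full.

```powershell
# Added example (not from the original post): pre-flight check for a hash-based EPM Deny rule.
# Assumptions: the EPM agent is installed at the default path shown in the post, and
# $FilePath / $ExpectedHash are the values you plan to enter in the rule (taken from the post).
param(
    [string]$FilePath     = "C:\Users\HTMDTestAccount\Downloads\VNC-Viewer-7.13.1-Windows.exe",
    [string]$ExpectedHash = "7CB888C789083EAC23E16B061CEE49AEA14BBE14E7A784FB0FCA5CE0C23ED429"
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the EPM agent service exists and is running. Without it no EPM rule,
#    Deny or otherwise, is enforced on the device. Display name is from the post.
$svc = Get-Service -DisplayName 'Microsoft EPM Agent Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'EPM agent service not found; Deny rules cannot be enforced on this device.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "EPM agent service is '$($svc.Status)', not Running."
} else {
    Write-Host 'EPM agent service is running.'
}

# 2. Load the EPM cmdlets that ship with the agent and show everything the
#    agent knows about the binary (hash, version and signer details).
Import-Module "C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll"
$attrs = Get-FileAttributes -FilePath $FilePath
$attrs | Format-List *

# 3. Recompute SHA-256 with the built-in cmdlet and compare with the rule value.
#    A hash rule matches exactly one build of the binary: a newer release of the
#    same application produces a different hash and falls outside this Deny rule,
#    so re-run this check whenever the blocked binary is updated.
$actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
if ($actual -eq $ExpectedHash) {
    Write-Host "OK: on-disk hash matches the Deny rule value ($actual)."
} else {
    Write-Warning "MISMATCH: on-disk hash $actual differs from rule hash $ExpectedHash; the rule will not apply to this file."
}
```

Run it in an elevated PowerShell session on a device that already has the EPM agent installed; the -eq comparison is case-insensitive in PowerShell, so the hash can be pasted from the Intune rule in either case.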

On the next page, keep the default scope tags. If you have any other custom scope tags available, you can select one according to your requirements.

Click Next and assign the HTMD – Deny EPM Elevation Rule Policy to either a Device Group or a User Group, as both options are supported. In this example, I will be deploying it to a Device Group called HTMD – Test Computers. To do this, click Add groups under the Included Groups section, and then select the desired device group.

On the Review + create pane, carefully check all the settings defined for the Deny EPM Elevation Rule Policy. Once you have confirmed everything is correct, select Create to implement the changes.

Monitor the EPM Rule Explicitly Deny Elevation Deployment
The newly created EPM rule policy has been deployed to the Microsoft Entra ID group called HTMD – Test Computers. The policy will take effect as soon as the device has been synced. To monitor the status of the policy deployment, please follow the steps below in the Intune Portal.
- Navigate to Endpoint Security > Under Manage > Endpoint Privilege Management > Policies
Search for the HTMD – Deny EPM Elevation Rule Policy. Click on it to view the policy’s Endpoint check-in status. Selecting View report allows you to explore the deployment, Device name, Logged in user, Check-in status, and more.

End User Experience – EPM Rule Explicitly Deny Elevation
We need to verify if the Deny EPM Elevation Rule Policy is functioning properly. To do this, log in to one of the devices that the policy targets. In this example, I downloaded VNC-Viewer-7.13.1-Windows.exe and saved it in my Downloads folder. Next, I attempted to install it as a standard user (without admin rights). Please follow the steps outlined below.
- Right-click on the VNC-Viewer-7.13.1-Windows.exe app binary and choose “Run with elevated access”
You will likely encounter an error message stating, “You can’t run this app as an administrator. Your organization doesn’t allow you to run this app as administrator. Contact your support person for more information. Error code: 0x87E00207 (-2015362553)”.

Author
Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. Writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out my profile on LinkedIn.