Intune Support for Endpoint Privilege Management

Let’s check the details of how Intune Endpoint Privilege Management works on Windows. Endpoint Privilege Management lets you set rules and parameters in Intune that control when a standard user’s permissions are automatically elevated, self-managed, or required to go through an approval step.

Microsoft enables IT admins to securely support their employees in this new hybrid world with reduced support costs. Employees can securely perform tasks such as adding approved apps, printers, or other peripheral devices without contacting the IT helpdesk, which saves time and money.

With Endpoint Privilege Management, you no longer need to make users local admins. Instead, end users keep standard account privileges and are dynamically elevated to admin privilege only for specific, admin-approved tasks, based on company policies. This improves productivity while enhancing security.

In early 2023, organizations with Intune subscriptions will be able to try Endpoint Privilege Management in public preview. It helps you automate and manage when workers are permitted to use admin privilege for specific tasks on both Windows cloud-connected and co-managed endpoints.


This capability allows IT to set policies that dynamically elevate standard users with admin permissions, removing barriers to productivity while reducing the attack surface that permanently privileged users create.

How Intune Endpoint Privilege Management Works – Scenarios

Here you will get to know how you can complete users’ requests without remotely exchanging privileged credentials and without giving broad administrative access to the device.

In the scenario presented by Ramya Chitrakar, Director of Engineering, a user is missing an important application that needs to be installed for customer work. Let’s check the capabilities you can leverage with Endpoint Privilege Management.

Scenario – The local helpdesk team provides a location and instructs the user to copy the files locally and run the installation. When the user attempts to execute the installer, a prompt indicates that the system administrator has blocked the app, because the user does not have administrative privileges on the device.

Intune Support for Endpoint Privilege Management Fig. 1 - Credit Ramya Chitrakar

The user needs to request temporary elevated access for this application so that it can be installed on the device.

The user right-clicks the app and selects Run with elevated access to start the elevation request.

Intune Support for Endpoint Privilege Management Fig. 2 - Credit Ramya Chitrakar

The support-driven elevation experience then lets the user send a request for administrator access to this app.

Here the user provides a business justification and submits the elevation request. An admin reviews the elevation request in the Intune portal.

Intune Support for Endpoint Privilege Management Fig. 3 - Credit Ramya Chitrakar

Once the request is successfully sent, a prompt appears with the message “You’ll have administrator access to this app after your request is approved.”

Intune Support for Endpoint Privilege Management Fig. 4 - Credit Ramya Chitrakar

Access Endpoint Privilege Management from Intune Portal

In the Intune admin center https://endpoint.microsoft.com/, navigate to Endpoint security under Manage and click Privilege management.

Under the New requests tab you can see the file details, publisher, and device name along with the username in the summary. Click the file name to get additional information.

Intune Endpoint Privilege Management will become generally available as part of the suite of advanced endpoint management solutions and be available as an individual add-on to your Intune subscription.

Intune Support for Endpoint Privilege Management Fig. 5 - Credit Ramya Chitrakar

A New elevation request flyout opens with the request summary and detailed file information. Once you have validated the file version and confirmed that the file is properly signed, the request can be approved.

Click Approve on the elevation request. Once approved, the request sends a new rule to the user’s device that allows them to complete the elevation temporarily and get back to being productive.
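The approval step above hinges on the admin actually validating the file before clicking Approve. The following PowerShell function is an added example, not part of the original post or of Intune itself: it shows the checks a reviewer can run against a local copy of the requested binary (signature status, signer subject, SHA-256 hash, and file version). The file path, expected publisher string, and the hash value are assumed inputs; the hash comparison applies only if the request summary you are reviewing gives you a hash to compare against.

```powershell
function Test-ElevationRequestFile {
    [CmdletBinding()]
    param(
        # Local copy of the file named in the elevation request (assumed path).
        [Parameter(Mandatory)] [string] $FilePath,
        # Publisher you expect in the signer's certificate subject, e.g. 'CN=Contoso Ltd' (assumed value).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # SHA-256 shown in the request summary, if available (assumed; skip the check when empty).
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode: the signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', not 'Valid'")
    }

    # 2. Publisher: the signer subject must match the publisher the request claims.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*$ExpectedPublisher*") {
        $findings.Add("Signer subject '$subject' does not contain expected publisher '$ExpectedPublisher'")
    }

    # 3. Hash: the copy you are inspecting must be the same bytes the user tried to run.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $findings.Add("SHA-256 $hash does not match the hash in the request ($ExpectedSha256)")
    }

    # 4. Version info, for the reviewer and for the approval record.
    $versionInfo = (Get-Item -LiteralPath $FilePath).VersionInfo

    [pscustomobject]@{
        File            = $FilePath
        FileVersion     = $versionInfo.FileVersion
        ProductName     = $versionInfo.ProductName
        Signer          = $subject
        SignatureStatus = $sig.Status
        Sha256          = $hash
        SafeToApprove   = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Usage (all values are placeholders): review the output before approving in the portal.
# Test-ElevationRequestFile -FilePath 'C:\Temp\setup.exe' -ExpectedPublisher 'CN=Contoso Ltd' -ExpectedSha256 '<hash-from-request>'
```

The function only reports; it never changes the request. A `SafeToApprove` of `$false` with a populated `Findings` list is the cue to reject or ask the user for a vendor-signed installer rather than approving an unsigned or mismatched binary.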

Intune Support for Endpoint Privilege Management Fig. 6 - Credit Ramya Chitrakar

When the user starts the installation again, they can now launch the installer and complete the elevation. The user completed the elevation for that specific scenario without taking their device to a support professional and without delays.

Result: the helpdesk team is able to complete users’ application installation requests without remotely exchanging privileged credentials and without giving broad administrative access to the device.


6 thoughts on “Intune Support for Endpoint Privilege Management”

  1. Hi Jitesh,

    Is it possible to run a custom PowerShell script if a user opens up Windows PowerShell ISE using this approach, thanks?
  2. Hi Jitesh,
    Do you think it would be possible to set an ‘Allow for all’ rule for application requests? So after it’s allowed for one person, other users are also allowed to install this (version of the) application without requesting approval?
    • Hi Michel, I don’t think a set-for-all will be ideal here. Usually, if the application is already required for everyone, it should be added as part of the exception. We can do it from AppLocker or the policy you are managing!
      Let’s wait, would love to see more once it is in public preview!
  3. Now that this has been made available, I do not see the “New Requests” tab under Endpoint Privileged Management. Has MS removed the request feature?
