Let’s discuss the Intune EPM support approve scenario in this post. Microsoft has shared detailed information about how a support person approves an elevation request in Intune EPM and what the end user sees. The details are from the latest Technical Takeoff session by Matt Call, Eric Schreiber, and Laura Arrizza.
In Intune Endpoint Privilege Management (EPM), standard users can request and receive temporary permission to perform specific tasks that require higher privileges, such as installing apps or updating drivers. It is built into Microsoft Intune.
EPM helps IT admins who otherwise have to choose between standard users and local admins. It is a better solution that makes security and productivity work together. It is part of the Intune Suite and is also available with standard licensing. It lets organizations keep the standard-user boundary.
Endpoint Privilege Management is a solution that controls who can act with elevated privileges on endpoints such as laptops, desktops, or virtual machines. This improves both security and productivity by reducing the chance of malware or unwanted changes.
- Intune Feature Support Approved Elevation for EPM Endpoint Privilege Management
- Intune Support for Endpoint Privilege Management
- Intune Role-based Access Controls for Endpoint Privilege Management
Intune EPM Support Approve Scenario Explained
When a user requests elevation, EPM either matches a specific support-approved rule or applies the default behaviour the admin configured for support-approved requests. The EPM client sends the request to Intune, where the admin can approve it.
A temporary rule is then created and sent to the client. This rule is scoped in four ways: to the device, the user, a time window, and the binary. The user gets a notification and can elevate and use the app.
- User requests elevation
- Support-approved rule match
- No rule match – default behavior is support approved
- Request submitted
- Request approved
- Short-lived rule created
- Rule delivered to the client
- User completes elevation
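The four-way scoping of the short-lived rule, as an added example that is not Intune's own code: a small Python model written for this post, using a constructed device ID, user, installer bytes and an assumed 24-hour rule lifetime (the session does not state the real duration), to show why a different device, user, binary or an expired window is denied.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TemporaryRule:
    """Short-lived rule Intune sends to the client after support approves.
    It is bound to exactly four things: device, user, time window and binary."""
    device_id: str
    user: str
    file_hash: str          # hash of the approved binary, not just its name
    expires_at: datetime

def file_hash(file_bytes: bytes) -> str:
    """Identify the binary by content; a renamed or patched file gets a new hash."""
    return hashlib.sha256(file_bytes).hexdigest()

def approve_request(device_id: str, user: str, file_bytes: bytes,
                    approved_at: datetime,
                    lifetime: timedelta = timedelta(hours=24)) -> TemporaryRule:
    """Build the temporary rule for one approved request.
    The 24-hour lifetime is an assumption; the page does not state the duration."""
    return TemporaryRule(device_id, user, file_hash(file_bytes), approved_at + lifetime)

def elevation_allowed(rule: TemporaryRule, device_id: str, user: str,
                      file_bytes: bytes, now: datetime) -> tuple[bool, str]:
    """Apply all four scope checks; any single mismatch denies the elevation."""
    if device_id != rule.device_id:
        return False, "denied: different device"
    if user != rule.user:
        return False, "denied: different user"
    if file_hash(file_bytes) != rule.file_hash:
        return False, "denied: binary differs from the approved file"
    if now >= rule.expires_at:
        return False, "denied: temporary rule has expired"
    return True, "allowed: matches the approved device, user, binary and window"

# Constructed sample data standing in for a real device, user and installer.
INSTALLER = b"constructed Finance.exe installer bytes v1"
APPROVED_AT = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
RULE = approve_request("DEVICE-001", "alice@example.com", INSTALLER, APPROVED_AT)

if __name__ == "__main__":
    print(elevation_allowed(RULE, "DEVICE-001", "alice@example.com", INSTALLER,
                            APPROVED_AT + timedelta(hours=1)))
```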
End User Experience Part 1 – EPM Support Approve Scenario
This step starts on the user’s desktop. The user has downloaded a finance application that was not assigned to them through Intune but wants to install it; the file shown is the installer for that application. The first steps are:
- Right-click on the Finance app installer
- Select Run with elevated access
When you choose Run with elevated access, the usual EPM process starts. If the admin has not defined a rule for the application, EPM falls back to the default behaviour.
This means the user has to request the support team’s approval through this dialog box. After clicking Send, the request is sent to Intune.
- Click Send to submit the request
Intune Admin Experience Part 1 – EPM Support Approve Scenario
In the Microsoft Endpoint Manager admin center, the Intune administrator goes to the EPM UX and then to Elevation requests. Here you can see finance.exe, the request that was just submitted.
Here is another example of an application that was submitted with additional metadata. The admin sees this one and clicks finance.exe in the list.
When the administrator clicks Finance.exe, the admin sees more details about the application: the device, the user, the file path, and other information they can use to decide whether to approve it.
- The admin reviews all the data; if the information looks good, the admin clicks the Approve button.
Elevation Request Properties shown to the admin:
- File name, Publisher, User, Device, Intune compliant
- Status, Last Modified, User’s Justification
- File path, Certificate payload, Hash value, File version, File description, Product name
End User Experience Part 2 – EPM Support Approve Scenario
When the admin approves the request, the user’s device shows a pop-up window informing the user that their request has been approved. This happens through the regular device check-in process and requires no extra work, just like any other Intune policy.
- The user launches the .exe file
- Another window asks whether they want to open this app as an administrator.
- Click Continue
Note: The purpose of this pop-up window is to notify the user that their request now matches the new policy.
After clicking Continue, the .exe file runs and installs the finance application. The support approve scenario lets you use EPM for just-enough access: you can create rules that allow elevation with support approval for the specific cases the admin wants to control.
Note: This feature is in private preview and will be available in 2024.
Krishna R is a computer enthusiast. She loves writing about Windows 11 and related technologies, and she likes to share her knowledge, quick tips, and tricks for Windows 11 and Windows 10 with the community.