Intune EPM Support Approve Scenario Explained

Let’s discuss the Intune EPM Support Approve Scenario in this post. Microsoft has shared detailed information about the Intune EPM support-person approval scenario from the end-user side. The details are given in the latest Technical Takeoff session by Matt Call, Eric Schreiber, and Laura Arrizza.

In Intune Endpoint Privilege Management (EPM), standard users can ask for and get temporary permission to do certain tasks that require higher privileges, such as installing apps or updating drivers. It is built into Microsoft Intune.

EPM helps IT admins who otherwise have to choose between making people standard users or local admins. EPM is a better solution that makes security and productivity work together. It is part of the Intune Suite, or available with standard licensing. It allows keeping that standard-user boundary.

Endpoint Privilege Management is a solution that manages who can access endpoints, like laptops, desktops, or virtual machines, with more privileges. This improves both security and productivity by reducing the chance of malware or unwanted changes.


Intune EPM Support Approve Scenario Explained

The user requests elevation for an EPM rule, and the admin either has a specific rule set to support approved or a default behaviour of support approved. The EPM client sends the request to Intune, where the admin can approve it.

A temporary rule is created and sent to the client. This rule is scoped by four constraints: device, user, time, and binary. The user gets a notification and can elevate and use the app.

  1. User requests elevation
    • Support approved rule match
    • No rule match – default behaviour is support approved
  2. Request submitted
  3. Request approved
  4. Short-lived rule created
  5. Rule delivered to the client
  6. User completes elevation
Intune EPM Support Approve Scenario Explained- Fig.1 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft
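To make the four constraints on the short-lived rule concrete, here is a small model of the flow above (an illustrative example written for this post, not Intune's code): a request with no rule match falls back to the support-approved default, approval mints a rule bound to that user, device, binary hash and time window, and the same rule does not cover another device, another binary with the same name, or a later request. User names, device names, the hash input and the one-hour lifetime are constructed assumptions.

```python
"""Model of the EPM support-approved flow in this post; illustrative only,
not Intune code. Names, hashes and the rule lifetime are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    file_hash: str          # SHA-256 of the binary the user wants to elevate
    at: datetime

@dataclass(frozen=True)
class TempRule:
    """Short-lived rule minted on approval: device, user, time, binary."""
    user: str
    device: str
    file_hash: str
    valid_from: datetime
    valid_until: datetime

    def matches(self, r: Request) -> bool:
        return (r.user == self.user and r.device == self.device
                and r.file_hash == self.file_hash
                and self.valid_from <= r.at < self.valid_until)

DEFAULT_BEHAVIOUR = "support_approved"  # no rule match -> user sends a request

def evaluate(r: Request, temp_rules: list) -> str:
    """'elevate' if an approved rule covers this request, else the default."""
    return "elevate" if any(t.matches(r) for t in temp_rules) else DEFAULT_BEHAVIOUR

def approve(r: Request, ttl: timedelta = timedelta(hours=1)) -> TempRule:
    """Admin approval: bind the new rule to exactly this request's scope."""
    return TempRule(r.user, r.device, r.file_hash, r.at, r.at + ttl)

def demo() -> dict:
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    h = hashlib.sha256(b"constructed finance.exe bytes").hexdigest()  # constructed
    other = hashlib.sha256(b"constructed other bytes").hexdigest()     # constructed
    req = Request("alice", "LAPTOP-01", h, t0)
    rule = approve(req)
    return {
        "before_approval": evaluate(req, []),
        "after_approval": evaluate(req, [rule]),
        "other_device": evaluate(Request("alice", "LAPTOP-02", h, t0), [rule]),
        "other_binary": evaluate(Request("alice", "LAPTOP-01", other, t0), [rule]),
        "expired": evaluate(Request("alice", "LAPTOP-01", h, t0 + timedelta(hours=2)), [rule]),
    }
```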

Enduser Experience Part 1 – EPM Support Approve Scenario

In this step, here is the user’s desktop. They have downloaded the finance application, which was not assigned to them through Intune, but they want to install it, so this is the installer for that application. The first thing to do:

  • Right-click on the Finance app installer
  • Select Run with elevated access
Intune EPM Support Approve Scenario Explained- Fig.2 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

When you choose Run with elevated access, the usual EPM process will start. If the application is not recognized by the admin and there is no rule for it, it will fall back to the default behaviour.

This means the user will need to request the support team’s approval through this dialogue box. After clicking on the Send option, the request will be sent to Intune.

  • Click on Send for the request
Intune EPM Support Approve Scenario Explained- Fig.3 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

Intune Admin Experience Part 1 – EPM Support Approve Scenario

In the Microsoft Endpoint Manager admin center, the Intune administrator goes into the EPM UX and opens Elevation requests. Here you can see finance.exe, the request that was just submitted, for context.

Here’s another example of an application that was submitted with additional metadata. The admin sees this one and clicks on finance.exe in the list.

Intune EPM Support Approve Scenario Explained- Fig.4 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

When the administrator clicks on Finance.exe, the admin gets more details about the application: which device it is, which user it is, all the file paths, and other information they may use to decide whether to approve it.

  • The admin reviews all the data; if the information looks good, the admin clicks on the Approve button.
| Elevation Request Properties | Including Details |
| --- | --- |
| File details | File name, Publisher, User, Device, Intune compliant |
| Request details | Status, Last modified, User’s justification |
| File information | File path, Certificate payload, Hash value, File version, File description, Product name |

Intune EPM Support Approve Scenario Explained- Table.1
Intune EPM Support Approve Scenario Explained- Fig.5 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

Enduser Experience Part 2 – EPM Support Approve Scenario

When the admin approves the request, the user’s device shows a pop-up window informing the user that their request has been approved. This is done through the regular device check-in process and does not require any extra work; it is delivered like any other Intune policy.

  • The user launches the .exe file
  • Another window asks if they want to open this app as an administrator
  • Click on Continue

Note: The purpose of this pop-up window is to notify the user that their request matches the new policy.

Intune EPM Support Approve Scenario Explained- Fig.6 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

After clicking Continue, the .exe file runs and installs the finance application. The support approve scenario lets you use EPM for just-enough access. It lets you create rules allowing elevation with support approval for the specific cases the admin wants to control.

Note: This feature is in private preview and will be available in 2024.

Intune EPM Support Approve Scenario Explained- Fig.7 Creds to Matt Call, Eric Schreiber, and Laura Arrizza Microsoft

Video – Uplevel security with Endpoint Privilege Management + Windows LAPS


Author

Krishna. R is a computer enthusiast. She loves writing on Windows 11 and related technologies. She likes to share her knowledge, quick tips, and tricks with Windows 11 or Windows 10 with the community.

3 thoughts on “Intune EPM Support Approve Scenario Explained”

  1. Great information!
    Do you know when this feature will be available?
    In my EPM I cannot see this specific tab yet … 🙁

    Reply
  2. And can we run this elevated, but have the user with elevated rights? Right now, from my testing, it runs as the mem\username_$ user account when we elevate (it adds a _$ at the end of the username).
    Thanks 🙂

    Reply
