Security / Endpoint Control · Modern Endpoint Guides

🔐 Endpoint Privilege Management (EPM)

Complete Enterprise Guide – Deploy, configure and operate EPM in Microsoft Intune. Eliminate standing admin rights and enforce least-privilege with full audit trail.

Intune Suite / EPM Add-on Windows 10/11 Zero Standing Privilege Publisher + Hash Rules

📋 Overview & Licensing

Endpoint Privilege Management (EPM) allows standard users to elevate specific applications without requiring permanent local admin rights. Every elevation request is logged, auditable and policy-controlled via Intune.

Standard User

Users run as standard users at all times. No local admin. Drastically reduces attack surface.

Controlled Elevation

Specific applications can be elevated per policy: Automatic, User Confirmed, Support Approved or Deny.

Full Audit Trail

Every elevation event logged in Intune Reports. Who elevated, what app, when, with which justification.

No VPN Required

Cloud-native. Policy delivered via Intune MDM channel. Works from anywhere.

Licensing Requirements

License	EPM Included?	Notes
Microsoft Intune Suite	✓ Included	Recommended – includes all advanced Intune features
EPM Standalone Add-on	✓ Yes	~$3/user/month. Requires base Intune P1
Microsoft 365 E3	✗ Not included	Requires EPM Add-on
Microsoft 365 E5	✗ Not included	Requires EPM Add-on or Intune Suite
Microsoft 365 F3 (Frontline)	✗ Not included	–

💡

License Assignment: The EPM license must be assigned per user in Microsoft 365 Admin Center. Device must be enrolled in Intune and the user must have a valid EPM license for the policy to apply.

🏗️ Architecture

EPM is built on top of Intune's MDM channel and leverages the Intune Management Extension (IME) on Windows endpoints. Policy enforcement is done via a kernel-level component.

Intune Policy Engine

Elevation Settings + Elevation Rules delivered via MDM channel to IME on the endpoint.

EPM Client Component

Kernel-level component installed on Windows 10/11. Evaluates elevation requests in real-time.

Microsoft Entra ID

User identity context. Support Approved requires Entra ID authentication for the approval workflow.

Intune Reports

All elevation events flow back to Intune via telemetry. Available in EPM Reports dashboard.

💡

EPM Component: EPM installs as part of the Intune Management Extension (IME). No separate agent required. Runs as a protected kernel service that cannot be tampered with by standard users or malware.

✅ Prerequisites

Requirement	Details
Operating System	Windows 10 (21H2+) or Windows 11
Enrollment	Entra ID Joined or Hybrid AD Joined + Intune MDM enrolled
License	Intune Suite or EPM Add-on per user
IME Version	Intune Management Extension 1.43.203.0 or later
Admin Role	Intune Service Administrator or Endpoint Security Manager
EPM Activation	Tenant must have EPM enabled (automatic with valid license)

⚠️

Standard User Requirement: EPM only works for users who are NOT local administrators. Before deploying EPM policies, remove users from the local Administrators group. Use a Configuration Policy to enforce this: Accounts → Local Administrators Group → Remove Members.

⚙️ Elevation Settings Policy

The Elevation Settings Policy is the master policy that enables EPM and controls global behavior. Intune → Endpoint Security → Endpoint Privilege Management → Policies → Elevation Settings

Setting	Recommended Value	Notes
Endpoint Privilege Management	Enabled	Master switch – must be Enabled
Default Elevation Response	Deny All / Approved Elevations Only	Block everything not explicitly permitted
Validation (Elevation Rules)	Enforce Rules	Strict validation of elevation requests
Report-Only Mode	Off (Production)	Use Report-Only for pilot rollout first
Support Approved Expiry	60 minutes	How long an approval token is valid
Send elevation data to Microsoft	Enabled	Required for EPM Reports in Intune

✅

Report-Only Mode for Rollout: Start with Default Elevation Response = "Report-only" for 2 weeks. Review which apps users are trying to elevate. Then build rules and switch to "Deny All".

🎚️ Elevation Types

Automatic

Automatic Elevation

App elevates silently without user interaction. Use only for fully trusted, IT-managed applications (e.g., software update agents).

User Confirmed

User receives a dialog and must confirm the elevation with business justification. Default choice for most apps.

Support Approved

User submits a request via the Company Portal. Help Desk reviews and approves. One-time token valid for 60 min.

Deny

Explicitly block elevation of known dangerous or unauthorized apps. Shown as explicit "Denied" in reports.

📜 Elevation Rules

Intune → Endpoint Security → Endpoint Privilege Management → Policies → Elevation Rules

Rule Identification Methods

Method	Security Level	Use Case	Notes
Publisher Certificate	Medium	Apps signed by trusted vendor (Microsoft, Adobe)	Validates Authenticode signature
File Hash (SHA-256)	High	Specific app version	Hash changes with every update!
Publisher + Product Name	Medium-High	Specific product from specific vendor	More granular than Publisher alone
Publisher + Hash	Very High	Exact version of signed app	Most recommended for sensitive apps
File Path	Low	Avoid – path can be manipulated	Use only as last resort + combine with hash

Example: Creating an Elevation Rule

Navigate to Elevation Rules

Intune → Endpoint Security → Endpoint Privilege Management → Create Policy → Windows → Elevation Rules

Add Rule

Name: "Acrobat Installer – User Confirmed"
Elevation Type: User Confirmed
Child Process: Allow elevated child processes (if needed)

Set Identification

Certificate: Upload .cer from Adobe signing cert
Product Name: AcroRd32 Setup
File Hash: (paste SHA-256 from Get-FileHash)

Assign to Groups

Assign to device or user groups. Assign to Pilot group first, then all users after validation.

POST https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations

{
  "displayName": "Acrobat Installer – User Confirmed",
  "description": "Allow Adobe Acrobat installer to elevate with user confirmation",
  "elevationType": "userConfirmed",
  "childProcessBehavior": "allowAll",
  "productName": "AcroRd32 Setup",
  "publisher": "Adobe Inc.",
  "fileName": "AcroRdrDCx64Setup.exe",
  "fileHash": "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
}

# Get SHA-256 hash of an executable
Get-FileHash -Path "C:\Downloads\AcroRdrDCx64Setup.exe" -Algorithm SHA256

# Output:
# Algorithm  Hash                                                              Path
# ---------  ----                                                              ----
# SHA256     A1B2C3D4E5F6...                                                   C:\Downloads\...

# Get Publisher Certificate details:
$sig = Get-AuthenticodeSignature -FilePath "C:\Downloads\AcroRdrDCx64Setup.exe"
$sig.SignerCertificate | Select-Object Subject, Issuer, NotAfter
# Use Subject for Publisher field in Intune rule

🎫 Support-Approved Elevation Flow

👤

User Request

Right-click → Run with elevated access

→

📱

Company Portal

EPM request submitted

→

🎫

Approval Code

User receives ticket number

→

☎️

Help Desk

Verifies request in Intune portal

→

✅

Approval Token

6-digit code, valid 60 min

→

🔐

Elevation

App runs elevated once

Help Desk Approval Process

# Help Desk: Intune → Endpoint Security → EPM → Elevation Requests
# Filter: Status = Pending
# Review: User, App, Justification, Device
# Actions: Approve (generates 6-digit code) or Deny (with reason)

# Approved token expiry: 60 minutes (configurable in Elevation Settings Policy)
# One-time use: Token can only be used once
# Audit: All approvals/denials logged in Intune Reports

📊 Reports & Monitoring

Report	Location	Key Data
EPM Elevation Report	Intune → Reports → Endpoint Privilege Management	All elevations: user, app, type, result, timestamp
Managed Elevation Report	EPM → Elevation Reports → Managed	Policy-matched elevations with full details
Unmanaged Elevation Report	EPM → Elevation Reports → Unmanaged	Elevations not matching any rule – review regularly
Support Approved Requests	EPM → Elevation Requests	Pending/Approved/Denied approval requests
Denied Elevations	EPM → Elevation Reports → Denied	Apps blocked – may indicate new rules needed

💡

Review Unmanaged Elevations weekly! These are apps users tried to elevate but no rule existed. Use this data to build new rules or proactively install apps without requiring elevation at all.

⭐ Best Practices

Start with Report-Only

Run in Report-Only mode for 2–4 weeks. Discover what apps need elevation before enforcing deny.

Publisher + Hash Rules

Use Publisher + Hash for maximum security. Update rules when app versions change.

Remove Standing Admin

Use Configuration Policy to remove users from local Administrators group before EPM rollout.

Pilot Groups First

Deploy to IT team first, then 5% of users, then full rollout. Validate each phase.

Regular Rule Review

Review elevation rules quarterly. Remove stale rules. Update hashes after app updates.

Communicate with Users

Train users on the new process before removing admin rights. Prepare self-service guide.

🔧 Troubleshooting

Issue	Cause	Resolution
Right-click menu missing "Run with elevated access"	EPM not enabled / IME not updated	Check IME version ≥ 1.43; verify Elevation Settings policy applied
Rule not matching	Hash mismatch / Publisher name different	Compare actual cert Subject with rule Publisher field; regenerate hash
Support Approved code not working	Expired (>60 min) / wrong app	Re-request approval; verify exact app being elevated matches rule
Elevation Settings policy not applied	License not assigned / policy conflict	Verify EPM license; check policy assignment scope; Intune → Devices → Policy Status
User still has local admin rights	Config policy not applied yet	Check Configuration Policy for Local Admins; verify device sync

# Check IME version and EPM status on endpoint:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension" | Select-Object Version, AgentExecutor

# Check EPM policy applied:
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" |
  Where-Object {$_.Message -like "*PrivilegeManagement*"} | Select-Object -Last 20

# IME Log – EPM events:
Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 100 |
  Where-Object {$_ -match "EPM|ElevationRule|Privilege"}

💻 PowerShell & Graph API

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Get all EPM elevation events (last 7 days):
$since = (Get-Date).AddDays(-7).ToString("o")
$elevations = Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations?`$filter=requestCreatedDateTime ge $since"

# Summary by elevation type:
$elevations.value | Group-Object elevationType |
  Select-Object @{N="Type";E={$_.Name}}, Count | Format-Table

# Top elevated apps:
$elevations.value | Group-Object fileName |
  Sort-Object Count -Descending | Select-Object -First 10 |
  Select-Object @{N="App";E={$_.Name}}, Count | Format-Table

# List all EPM elevation rules:
$rules = Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations/rules"
$rules.value | Select-Object displayName, elevationType, publisher, fileName | Format-Table

# Export rules to JSON for backup:
$rules.value | ConvertTo-Json -Depth 10 |
  Out-File "C:\Backup\EPM-Rules-$(Get-Date -Format yyyyMMdd).json"

# Get pending Support Approved requests:
$requests = Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations/requests?`$filter=status eq 'pending'"
$requests.value | Select-Object requestId, requestorUserPrincipalName, applicationName, justification | Format-Table

# Approve a request:
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevations/requests/$requestId/approve" `
  -Body '{"reviewComment":"Approved for one-time use – valid 60 minutes"}'