Endpoint Privilege Management
Intune Endpoint Privilege Management is an interesting feature, he permit to a standard user (so without administrator rights) the possibility to elevate privileges if needed. The policy of least privilege is respected.
Endpoint Privilege Management require Intune suite or standalone licence.
For use EPM – Endpoint Privilege Management, the following operating systems must be used.
- Windows 11 22H2 with KB5022913
- Windows 11 22H1 with KB5023774
- Windows 10 22H2 with KB5023773
- Windows 10 21H2 with KB5023773
- Windows 10 20H2 with KB5023773
Run with elevated access. This option in the right click context menu appear after that EPM (Endpoint Privilege Management) is enabled on the device. The elevation rules policies try to determine if the file can be elevated to run with an administrative righr and how it’s possible. If it’s possible,
File elevation and elevation types. EPM permit at the allowed standard users without privilege right to run processes in the administrative context. After the elevation rules is created, she allow to proxy the target to run with administrator privileges on the device. The application has thus full administrative capability on the device. Two options are available with EPM :
- Automatic elevation : the elevation is automatically performed by EPM without input from the user. This option has an widespread impact to the security of the organization.
- Elevation with user confirmation : the option Run with elevated access in the right click context menu must be used to elevate the right. This option is the best choice for the security of the organization.
Disabling and deprovisioning. A component are installed on a device for onboarding. To remove Endpoint Privilege Management on a device, the elevation settings policy must be created. Intune immediately disables the client-side components and EPM will be removed after seven days. With this delay, accidental temporary or accidental changes in policy or assignments is ensured.
Enable Endpoint Privilege Management
Before use EPM, you must Active the feature on the tenant. Click on Endpoint security.
Create Windows elevation settings policy
The policy permit to enable Endpoint Privilege Management on a device and set the fefault rules for elevation requests. This last settings is used for any file that isn’t managed by EPM (Endpoint Privilege Management) rules. You can also configure wich informtion is reported to Intune.
The policy permit to configure the following optionsFrom the Intune portal, click on Endpoint Security, Endpoint Privilege Management then on Create policy.
In the Platform drop-down list, select Windows 10 and later then Elevation settings policy in Profile.
Enter the desired name then click on Next.
Select Enabled then configure the option to send data to Microsoft. I choose to send only Diagnostic data information. The Default elevation response and the validation can be configured. The Default elevation response have three options
- Not configured : This option functions the same as Deny all requests
- Deny all requests : The elevation of files is not facilitate, the user have a pop-up windows with information about the denial. Users with administrative permission can use Run as administrator option to run unmanaged files
- Default elevation response : This option permit to configure the defaut response for an elevation request. All file that’s not managed by a Windows elevation rule policy are concerned. Two options are availble, Deny all requests for blocks the elevate request action if the file are not defined in a Windows elevation rules policy. Require user confirmation, with this setings the user confirmation is mandatory. If no setting is delivered, built-in default option (deny all request) is applied.
Two validation options are available when the default elevation response is configured to Require user confirmation. Business justification, the end user need provide justification before the elevation is completing. Windows authentification, the end user must authenticate to completing elevation.
The reporting scope settings must be configured, three options are availble :
- Diagnostic data and managed elevations only : Health of the client component and data about elevations facilitated by Endpoint Privilege Management are send to Microsoft.
- Diagnostic data and all endpoint elevations : Health of the client component and data about all elevations are send to Microsoft.
- Diagnostic data only : Only the health of the client component are send to Microsoft..
Configure the different settings and click on Next.
Configure the assignment and click on next. click on Create to create the policy.
Create elevation rules policy
The elevation rules policy permit to identify specific file and configure how elevation requests are handled. On the policy, different settings must be configured.
- Uses the file name to identify the file the rule applies to : This settings permit to identify the derired file. The extension is also including with the file name. Minimum build version, product name or internal name is a optional condition that it is possible to use.
- Supports use of a certificate to validate the files integrity before it runs on a device : Certificates can be added directly to a rule.
- Supports use of a file hash to validate the file : A file hash is used by the policy to identify the file.
The file evluation type allows you to configure the behavior when an elevation request is made. By default, the Confirmed user option is selected. Two options must be selected :
- User confirmed : The user must click on a confirmation prompt to run the file. The user confirmatio can be performed using his credential or by entering justification.
- Automatic : The elevation happens invisibly to the user. The elevation is performed without prompt and no indication.
In the Platform drop-down list, select Windows 10 and later then Elevation rules policy in Profile.
Enter the desired name, then click to Next.
Check User confirmed then click on Edit instance. A new windows appear.
Enter the name of the rule and select the Elevation type. Select the desired Validation option.
Enter the file name and choose the signature source. If you want use the file hash, select Not configured on the Signature source drop-down list. I ant to choose certificate, I use Upload a certificate file option.
For getting the file hash, run the following command :
Get-FileHash "C:\Users\NicolasBONNET\Downloads\readerdc_fr_hi_mdr_install.exe" | select-object Hash
For getting the file certificates, run the following command :
Get-AuthenticodeSignature "C:\Users\NicolasBONNET\Downloads\readerdc_fr_hi_mdr_install.exe" | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath "c:\Temp\AcrobatReader.cer"
Upload the file certificate and choose Publisher in the Certificate type drop-down list.
Click on Save then configure assignment.
Right click on the installation file (Acrobat reader in my case) and select Run with elevated access option.
A windows appear, enter the Business justification and click to Continue. Installation is in progress…