Endpoint Privilege Management (EPM)
5 Topics

Intune Endpoint Privilege Management - FIDO2 (Solved)

We have begun testing out Intune EPM as a replacement for local admin accounts in our org. We have users that authenticate with PIV certs via Smartcard as well as FIDO2 with Yubikeys. PIV authentication works no problem, but I cannot find a way to enable FIDO2 to work with EPM. Has anyone found a solution for this?

Endpoint Privilege Management and Windows Terminal

Anyone had issues with using Windows Terminal or the Preview once Endpoint Privilege Management has been enabled? I've got a test rule base at the moment that just does PowerShell and Notepad, but now I'm getting blocked by EPM when I'm running Terminal. Our default rule is deny, but I wasn't an admin before I enabled EPM and could run Terminal just fine then.

Endpoint Privilege Management not deploying (Solved)

Hi Everyone, A while ago when EPM was in preview I set up a rule and a group with 5 users for a quick test. It took ages to deploy to that test group but eventually it deployed. I can't be precise about how long it took because I had to work on other tasks, but it was for sure more than a week. I currently have a trial activated for EPM and I have about 15 users for the test; however, it only deploys for the 5 people from my first test when it was under preview. The rest of them don't get the EPM rules; they are on Windows 11 latest version, AAD joined. Does anyone have any idea why it doesn't deploy to the others? I've tested on a Win 10 hybrid-joined machine with all updates installed, no joy. On this machine I also tried to install KB5023773 but it says "The update is not applicable to your computer". Thanks, Will.

Endpoint Privilege Management - "Run with elevated access" only required once?

Hi, I am just evaluating EPM and I just wanted to clarify the functionality. I've deployed my settings policy and created a rule to allow a specific app to run with elevated privileges. The policy was deployed successfully to the PC. When I clicked on the test application (that requires elevated privilege permission) I got the UAC prompt, which is what I was expecting. Next I right-clicked the app and this time selected "Run with elevated access". For info, the policy sets the application elevation type to "Automatic", so the app loads without the user having to enter a justification. I then closed the app and this time just double-clicked it to open it, and it opened with no UAC prompt and without the need for me to click "Run with elevated access". I can see with Procmon that the application is running under the EPM account, so I believe it is working OK. My question is: once an application has been run once with the "Run with elevated access" command, is it then approved to run all the time without the need to select the "Run with elevated access" command? It's not a massive issue as the app is authorised, but it would be good to understand if this behaviour is correct. Thanks

EPM Service Account Breaks User Context In Apps (Solved)

Hi, I am working with a customer who is wanting to make use of EPM for their developer team to run some applications with elevated permissions. They have noticed that when elevating certain applications with EPM, a service account is used (see MEM\AzureAD_AdeleVance_$ below), which therefore runs the app with a new user profile, removing things like user preferences and context, and also breaks some apps that rely on domain permissions/credentials. From my testing, this service account only seems to be used by EPM when elevating already installed applications, not application installers. Is this by design, and is there a possible workaround that avoids EPM using this service account?