How to setup Endpoint Privilege Management
Microsoft keeps expanding the Intune Suite with new add-on capabilities. One of the most interesting additions is Endpoint Privilege Management (EPM). EPM is licensed as part of the Intune Suite (or as a standalone product, always on top of Intune Plan 1).
With EPM, organizations can keep users on standard user permissions while still allowing them to perform tasks that require elevation — like installing apps, updating drivers, or running diagnostics. This aligns perfectly with a Zero Trust approach: applying least privilege by default, while enabling controlled, auditable elevations.

What is Endpoint Privilege Management?
EPM is fully integrated into Microsoft Intune and configured via the Intune admin center. Once enabled, the configuration consists of two main components:
- Elevation settings
The foundation of EPM. Configured via an Elevation settings policy, this defines:
  - Whether EPM is enabled on targeted devices
  - The default elevation behaviour
  - Reporting options for elevation events
- Elevation rules
The link between an application and an elevation action. Configured via an Elevation rules policy, this defines how specific applications behave when elevation is required.
Once EPM is enabled, the EPM agent is installed on the device. From that point, it’s important to distinguish between:
- Managed elevations – handled by EPM
- Unmanaged elevations – outside of EPM (e.g., Run as administrator)
In both cases, the result is the same: the process runs with full administrative rights. The difference is that managed elevations are controlled and auditable.
Manual
Step 1: Create the settings policy
We start by creating an Elevation settings policy; the second step is a rules policy for specific applications. Go to https://intune.microsoft.com, open Endpoint security, Endpoint Privilege Management, Policies, and then click Create Policy.

Create a new profile and select the Elevation settings policy type.

Give the profile a name.

In the new profile, configure the settings as required for your organisation. If you leave them at their defaults, every elevation request will be blocked.

Assign a group and save the policy

Step 2: Create a rule
Now create the next profile and select a Rules policy this time.

Give it a name again.

TIP: To get the file hash needed in the next step, run Get-FileHash against the executable.

In this step, click + Edit instance and configure the required settings. Use the file hash from above so the rule matches only this exact file (or match on the publisher certificate if the file is signed).

Assign this rules policy as well to the group that needs to run this application.
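The hash and certificate details that the rule in Step 2 asks for can be collected in one go. The following PowerShell function is an added example, not part of the original post or of Intune; the file path and the export folder are assumed placeholders.

```powershell
# Added example: gather the identifiers an EPM elevation rule can match on
# (file name, SHA-256 file hash, and the signer certificate when the binary
# is Authenticode-signed). The path passed in is an assumption.
function Get-EpmRuleInput {
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Optional folder to export the signer certificate (.cer) into, for a
        # publisher-based rule. Assumed placeholder; omit to skip the export.
        [string]$ExportFolder
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path

    # SHA-256 is what Get-FileHash returns by default; copy the Hash as-is
    # into the rule's file hash field.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Only a Valid Authenticode signature is worth building a certificate
    # rule on; an unsigned or tampered file falls back to the hash rule.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signed = ($sig.Status -eq 'Valid')

    $cerPath = $null
    if ($signed -and $ExportFolder) {
        $cerPath = Join-Path $ExportFolder ($item.BaseName + '-signer.cer')
        Export-Certificate -Cert $sig.SignerCertificate -FilePath $cerPath -Type CERT | Out-Null
    }

    [pscustomobject]@{
        FileName        = $item.Name
        FilePath        = $item.DirectoryName
        FileHashSHA256  = $hash
        SignatureStatus = $sig.Status.ToString()
        Publisher       = if ($signed) { $sig.SignerCertificate.Subject } else { $null }
        ExportedCert    = $cerPath
        # A hash rule stops matching as soon as the binary is updated.
        RuleHint        = if ($signed) { 'Certificate rule survives updates' } else { 'Hash rule: recreate after each update' }
    }
}

# Usage with an assumed placeholder path:
Get-EpmRuleInput -Path 'C:\Tools\Example\app.exe' -ExportFolder 'C:\Temp' | Format-List
```

Keep in mind that a file hash rule only matches the exact binary you hashed, so it has to be recreated after every application update, whereas a certificate rule keeps working as long as the publisher signs with the same certificate.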

What does that look like for an end user?
If a user needs to run a file with elevated permissions, they right-click the file (or its shortcut) and choose Execute with privileged access.

The user is prompted to confirm that they want to run this application as an administrator. If the user proceeds, they are required to enter their Windows Hello for Business PIN before the application runs with elevated permissions.
