A Deep Dive Into Endpoint Privilege Management

What’s up, everyone! 

Last week I had a first look into the wondrous world of the new Microsoft Intune Suite add-on and a new feature called Endpoint Privilege Management (EPM).

Even though I had a lot of fun I never got EPM fully up-and-running. So let’s dive deeper into EPM and find out what went wrong and see what we need to configure to get it up-and-running. Let’s get to it!

Requirements

The first thing you need to know is that Endpoint Privilege Management is in public preview. It lets us preview a couple of features, but there are a few things you need to be aware of.

Install the necessary updates

You need to have the correct updates installed for it to work on Windows 10 or Windows 11. Here is an overview:

Beware of the known issues

Microsoft released a list of known issues. If you’re going to work with EPM, I suggest you have a look at that list, because some of these issues can send you down the rabbit hole and cost you a whole lot of troubleshooting time, only to find out that you came across a known issue.

I will not copy and paste everything here, but I will name a few that I think are worth mentioning:

Personal experience

Yep, I’ll admit it! I went down the rabbit hole when I was troubleshooting Endpoint Privilege Management on a Windows 365 Cloud PC. I made sure the correct update was installed and that the settings policy and rule policy were configured correctly, and then I started testing, only to find out that there was no Run with elevated access option in the context menu. However, a standard user was able to execute the .exe file, and I noticed there was no UAC prompt. But again, this is an unsupported scenario. The good news is that Microsoft announced that virtual environments will be fixed in a future release.

Another thing that had me troubleshooting for quite a while was the following error:

When I checked the device configuration of my device I found an error on the setting “Allow Device Health Monitoring”. The only thing I could think of was disabling the “Send elevation data for reporting” setting in the settings policy. The error disappeared once I set it to No, and the policy applied successfully to all of my devices.

A demo of Endpoint Privilege Management

I showed how to configure the Endpoint Privilege Management policies in my previous post so I won’t go into detail here. This demo is done on a physical device running Windows 11 Enterprise build 22H2 with the necessary update installed.

What happens if you are a local administrator?

Just a quick check shows that this account is a member of the local Administrators group:

I created a rule for C:\Windows\Regedit.exe in the previous post. The only thing I changed is that users now need to provide a business justification. Let’s see EPM in action for a local administrator:


What happens if you are a standard user?

Just a quick check shows that this account is not a member of the local Administrators group:
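The two “quick checks” above (local administrator and standard user) can be reproduced in script form. The block below is an added example and is not code from the original post or from Microsoft. It reports whether the signed-in account is a member of the local Administrators group, and separately whether the current process token is elevated, because a local admin running under UAC without elevation carries a filtered token and the two answers differ. The output field names are my own.

```powershell
# Added example, not from the original post: who am I, and is this process
# actually elevated? Run it in the same session you test EPM from.
using namespace System.Security.Principal

function Get-LocalAdminStatus {
    $identity  = [WindowsIdentity]::GetCurrent()
    $principal = [WindowsPrincipal]::new($identity)

    # Resolve Administrators by well-known SID (S-1-5-32-544) rather than by
    # name, so the check also works on non-English installations.
    $adminSid = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Membership as stored in the local SAM. On Azure AD joined devices
    # Get-LocalGroupMember can throw on SIDs it cannot resolve; errors are
    # suppressed so one unresolvable entry does not abort the whole check.
    $members  = Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue
    $isMember = [bool]($members | Where-Object { $_.SID.Value -eq $identity.User.Value })

    # Elevation state of this process. IsInRole only looks at the enabled
    # groups in the token, so it is $false for an admin in a non-elevated session
    # (the Administrators SID is present but marked deny-only in a filtered token).
    $isElevated = $principal.IsInRole([WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User            = $identity.Name
        UserSid         = $identity.User.Value
        IsLocalAdmin    = $isMember
        ProcessElevated = $isElevated
    }
}

Get-LocalAdminStatus | Format-List
```

For the local administrator demo you expect IsLocalAdmin = True and ProcessElevated = False (the session is not elevated until UAC consents); for the standard user both are False. That distinction matters when reading EPM results: EPM decides on the file rule and the user, not on what the token already carries.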

Let’s see if we can run registry editor as a standard user. 


So the Endpoint Privilege Management option was available and popped up, but the business justification did not work as expected. It was the first time this user account signed in to this device. Just to make sure, I performed a sync and rebooted the device, but when I tried again the end result remained the same: the EPM screen pops up, but there is no business justification requirement.

I checked with the team at Microsoft, who were able to reproduce these results. They confirmed it will be resolved in April 2023, with fixes beginning to roll out next week.

Logs for troubleshooting

EPM uses an agent, which is installed in C:\Program Files\Microsoft EPM Agent. The logs are in the Logs subfolder, C:\Program Files\Microsoft EPM Agent\Logs.
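When a policy or an elevation does not behave as expected, the first two places to look are the agent log folder named above and the MDM diagnostics event log, which is where the settings policy error from the Personal experience section shows up as a policy failure. The block below is an added example, not code from the original post or from Microsoft. The log folder path is the one the post names; the file extension filter, the keyword pattern and the output field names are my own assumptions, so adjust them to what you actually find on the device.

```powershell
# Added example, not from the original post: pull likely error lines from the
# newest EPM agent log files, and list MDM policy errors from the event log.

function Get-EpmAgentLogErrors {
    param(
        [string]$LogPath = 'C:\Program Files\Microsoft EPM Agent\Logs',  # path from the post
        [int]$Newest     = 5,
        [string]$Pattern = 'error|fail|exception|denied'                  # assumed keywords
    )

    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Warning "EPM log folder not found at '$LogPath'. Is the agent installed on this device?"
        return
    }

    # Most recently written files first; the agent may keep several rotated logs.
    $files = Get-ChildItem -LiteralPath $LogPath -File -Recurse |
             Sort-Object LastWriteTime -Descending |
             Select-Object -First $Newest

    foreach ($file in $files) {
        Select-String -LiteralPath $file.FullName -Pattern $Pattern |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $file.Name
                    LastWrite = $file.LastWriteTime
                    Line      = $_.LineNumber
                    Text      = $_.Line.Trim()
                }
            }
    }
}

function Get-MdmPolicyErrors {
    # Errors from the Intune/MDM client over the last N hours. Level 2 = Error.
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: newest three agent logs, then MDM policy errors from the last day.
Get-EpmAgentLogErrors -Newest 3 | Format-Table -AutoSize
Get-MdmPolicyErrors -Hours 24   | Format-List
```

Reading the agent log folder needs local admin rights, so run this from an elevated session. The keyword filter is deliberately broad; once you know what a normal, healthy log looks like on your build, tighten the pattern to avoid chasing informational lines.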

Reporting

We have two reports in the Microsoft Intune admin center we can review. I won’t be able to show the reports with data because sending data to Microsoft caused the settings policy to fail on my device. I do want to show you what information these reports contain and where you can find them. 

You can find the reports in the following location: Microsoft Intune admin center, Endpoint security, Endpoint Privilege Management, Reports tab.

The Elevation report provides an overview of managed and unmanaged elevations. It provides the following information:

  • The user who performed the elevation.
  • The device where the elevation was performed.
  • The file name.
  • The publisher of the file.
  • The type (details still to be looked up).
  • The result (was the elevation successful or not)
  • The date and time.

The Managed elevation report shows the status of elevations that occurred inside the elevation management policies. It provides the following information:

  • The user name
  • The device.
  • The file name.
  • The user type.
  • The assignment status.
  • The result.
  • The date and time.

There are a couple of other things you can have a look at if you are looking to implement Endpoint Privilege Management. I only tested using a file hash and I didn’t use a certificate to validate the file. If you are going to use certificate validation, you might want to check out Reusable settings, which are an easy way to use certificate validation across different validation rules.
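Whichever validation you pick, you need the right value for the rule: the SHA-256 hash of the exact binary for a hash rule, or the signer certificate for certificate validation. The block below is an added example, not code from the original post or from Microsoft, that gathers both for a given executable and can optionally export the signer certificate as a .cer file. The file path is the one used in the post’s demo; the function and output field names are my own.

```powershell
# Added example, not from the original post: collect the evidence an EPM
# elevation rule can be built on for one executable.

function Get-EpmRuleEvidence {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExportCertTo      # optional: where to write a .cer of the signer certificate
    )

    # Hash rule input: changes every time the file changes (e.g. a Windows update).
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Certificate rule input: survives updates as long as the publisher keeps
    # signing with a certificate chaining to the same issuer.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is not signed

    if ($ExportCertTo -and $cert) {
        # DER-encoded public certificate only; no private key is involved.
        Export-Certificate -Cert $cert -FilePath $ExportCertTo -Type CERT | Out-Null
    }

    [pscustomobject]@{
        File            = $Path
        Sha256          = $hash.Hash
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        SignerSubject   = if ($cert) { $cert.Subject }    else { $null }
        SignerIssuer    = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        CertValidUntil  = if ($cert) { $cert.NotAfter }   else { $null }
    }
}

# Usage: the demo binary from this post, exporting the signer certificate.
Get-EpmRuleEvidence -Path 'C:\Windows\regedit.exe' -ExportCertTo "$env:TEMP\regedit-signer.cer" |
    Format-List
```

Two things worth checking before you paste the values into a rule. First, SignatureStatus must be Valid; anything else means you are about to trust a file whose signature does not check out. Second, take the hash from a device on the same build you are deploying to, because a hash rule silently stops matching after the next update that touches the file, while a certificate rule keeps working.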

One thought on “A Deep Dive Into Endpoint Privilege Management”

  1. Hi TechLab,

    Thanks for the info, GREAT.
    Where can I find the completed business justifications?

    I would like to see what the end user has entered.

    thanks a lot!
