Starting with admin tasks in Microsoft Intune

This week is all about the recently introduced admin tasks node in the Microsoft Intune admin center. That node provides a centralized view of many different types of administrative tasks. The idea behind that node is to provide a unified experience that helps IT administrators focus on the tasks that really matter, without navigating through all the different nodes within the Microsoft Intune admin center. The admin tasks node now provides an overview of all the different security tasks, user elevation requests, and admin approval requests. That further simplifies the life of an IT administrator when using Microsoft Intune. And the best part of it: it only shows the administrative tasks that the IT administrator is allowed to see based on the original source node. …

Elevating in user context using Endpoint Privilege Management

This week is all about the new feature that was recently introduced in Endpoint Privilege Management (EPM), and that feature is the ability to elevate as the current user. Elevating files, or processes, as the current user enables them to run under the signed-in user account. That enables organizations to address one of the last gaps in the product, which is being able to access personal files while running elevated files, or processes. That means that the file or process is actually running in the user context for that specific action, instead of using the virtual account that is normally used in EPM. It maintains the same user identity. That provides the user with access to the user profile, environment variables, and personalized settings, but also keeps audit …

Explicitly denying elevation of specified files using Endpoint Privilege Management

This week is all about a new feature that was recently introduced in Endpoint Privilege Management (EPM), and that feature is the ability to explicitly deny elevation. Explicitly denying the elevation blocks the specified file from running in an elevated context. That enables organizations to work the other way around. Instead of configuring which file elevations are allowed, this enables organizations to allow every elevation with the exception of the elevations of the explicitly specified files. Of course, the recommendation is to tightly control which files are allowed to elevate. That is, however, not always the situation that every organization is in. Often, simply getting insights into what users are installing is already a huge step forward, especially in combination with no local administrator privileges. As …

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module can be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed by the steps and examples for …

Working with support approved elevations

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions, with the same experience as already known for executables. Besides that, there is more new functionality within EPM that might even be more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context, the user is prompted to submit an elevation request. That request is sent to Intune for a …

Getting started with Endpoint Privilege Management

This week is another post about one of the new Intune Suite add-on capabilities. This time it’s all about Endpoint Privilege Management (EPM). At this moment EPM is still in preview, but once it becomes generally available it will be licensed as part of the Microsoft Intune Suite. EPM enables organizations to provide standard user permissions to their users and still enable those users to complete tasks that require elevated permissions. Those tasks can include the installation of applications, updating device drivers, running diagnostics, and more. With that, EPM fits perfectly in the Zero Trust architecture of any organization. It enables the principle of using the least privilege, while still allowing users to run specifically approved tasks with elevated permissions. So, users remain productive and elevations are …
