Raman Lodhi

"How to Implement Intune Endpoint Privilege Management"

Updated: May 11


Intune EPM (Endpoint Privilege Management) allows users without admin rights to run a specific task or program with administrative rights.


Licensing requirements - Intune Suite or Standalone

Limitations - Only applies to Windows 10/11 devices that are Entra joined or Hybrid joined


Three Steps Involved for Enablement:


Assign the license > Set the Elevation settings policy > Set the Elevation rules policy


  • Elevation settings policy installs the EPM component on the client device.

  • Elevation rules policy links a task/action to an elevation action.




Step 1: Create the Elevation settings policy


Once the policy is pushed, the EPM agent will be installed on the user's machine.



Practical Example - Let's consider that we want to give our end users the ability to "quick repair" Office, which requires admin rights.


Solution: I will create one script file and wrap it into an exe file that can be pushed from Intune to the devices. Then we will create a rule in Intune that allows the user to run this app as admin.


# Sample script: save it somewhere as a .ps1 file.
#====================================================================
$clientX64 = "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe"
$clientX86 = "C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe"

# Arguments for an Office Click-to-Run quick repair; only the platform differs.
$argsX64 = 'scenario=Repair platform=x64 culture=en-us RepairType=QuickRepair forceappshutdown=True DisplayLevel=True'
$argsX86 = 'scenario=Repair platform=x86 culture=en-us RepairType=QuickRepair forceappshutdown=True DisplayLevel=True'

# Launch the Click-to-Run client directly (no cmd.exe or Invoke-Expression needed)
# and wait for the repair to finish. The x86 branch checks the same ClientX86 path it runs.
if (Test-Path -Path $clientX64) {
    Start-Process -FilePath $clientX64 -ArgumentList $argsX64 -Wait
} elseif (Test-Path -Path $clientX86) {
    Start-Process -FilePath $clientX86 -ArgumentList $argsX86 -Wait
}
#=====================================================================


I will save it as quickrepair.ps1 and convert it to an exe using PowerShell.

Next, install a PowerShell module called PS2EXE on your device:


Install-Module ps2exe -Scope CurrentUser


Now let's convert the script to an exe:


Invoke-PS2EXE -inputFile .\quickrepair.ps1 -outputFile .\Repairoffice.exe -x64 -noConsole



Step 2: Create an elevation rule policy. Before we do that, let's understand that EPM gives us two ways to verify the integrity of the process/app that we want to allow to run as admin.


One way is to use the file hash of the application; the other is to use the certificate it is signed with.

In this example, I am using the file hash. We can get it with the PowerShell cmdlet Get-FileHash.



Note down the file hash from the Get-FileHash output, as we will need it in our policy.
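As an added example (my own, not part of the original post), the following script records both pieces of integrity evidence EPM can use for a rule, the SHA256 file hash and the Authenticode signature, and flags when the exe on disk no longer matches the hash stored in the rule (for instance after the exe was rebuilt with PS2EXE). The exe path and the expected hash are placeholders.

```powershell
# Added example: check the file we intend to elevate against the evidence the EPM rule was built from.
# $ExePath and $RuleSha256 below are placeholders, not values from the original post.

function Get-EpmFileEvidence {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # SHA256 is the algorithm Get-FileHash uses by default; it is the hash entered in the elevation rule.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # The Authenticode signature is the alternative (certificate-based) integrity check EPM supports.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Test-EpmRuleHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash recorded in the elevation rule
    )
    $evidence = Get-EpmFileEvidence -Path $Path
    # Compare case-insensitively: Get-FileHash prints uppercase hex, the copied rule value may not be.
    $match = $evidence.Sha256 -ieq $ExpectedSha256
    if (-not $match) {
        Write-Warning "Hash drift: $Path does not match the hash in the elevation rule. If the exe was rebuilt, the rule must be updated."
    }
    return $match
}

# Usage with placeholder values; the expected hash comes from the rule you created in Intune.
$ExePath    = '.\Repairoffice.exe'
$RuleSha256 = '<SHA256 FROM THE ELEVATION RULE>'
Get-EpmFileEvidence -Path $ExePath | Format-List
Test-EpmRuleHash -Path $ExePath -ExpectedSha256 $RuleSha256
```

Running this before each rebuild of the exe tells you immediately whether the rule's hash still applies, which is the usual reason a file-hash rule silently stops elevating.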




As I chose "User confirmed", the user will have to right-click the exe and choose the new option

"Run with elevated access"


The user will be required to enter a business justification and click Continue.




Hope this helps you set up Intune Endpoint Privilege Management and find useful solutions for your environment.
