Last year I published an article on setting up Endpoint Privilege Management (EPM) in Intune. The March release of Microsoft Intune adds a new EPM feature called support-approved elevations. Refer to the earlier article for the initial EPM setup; here is a concise summary of the feature and the steps to set up approval requests:
Background:
- Endpoint Privilege Management (EPM) enforces least privilege: users run as standard users and can elevate only where an admin-defined elevation rule allows it.
- Previously, an elevation attempt for an application with no matching elevation rule was simply denied.
- Support-approved elevations add an approval path for such cases, giving first-line support a way to handle them without pre-creating a rule for every application.
What’s New: Support-Approved Elevations:
- Windows standard users can request temporary admin privileges.
- Users provide a business justification.
- Intune administrators review and approve/deny.
- Approved users gain elevated access for 24 hours.
- The user is notified of the decision through Windows notification prompts.
The first change is in the EPM elevation settings policy (update it if one is already deployed to devices): set “Default elevation response” to “Require support approval”.
Once the settings policy is created or updated, confirm it has applied successfully to the devices. Then, when creating an elevation rule for an application, set “Elevation type” to “Support approved”.
Once done, the user can request elevation for the application from the “Run with elevated access” context menu, the same way they normally elevate on an EPM-managed device. The difference is that the user must now enter a business justification for the request.
Approval request
The justification is shown to the Intune admin in the EPM elevation requests view, together with the key details: the user’s justification, the request expiry, the device details, and the application path for which elevation is requested. Based on this information the admin approves or denies the request.
When denying a request, the admin must provide a reason, which is returned to the user along with the notification.
Once the request is approved or denied, the user is notified. In my testing there was some delay before these notifications arrived; they are not immediate. Here is an example of the notification shown to the user.
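The approval step above can also be driven from the Microsoft Graph PowerShell SDK rather than the admin center. The following script is an added example, not code from the original article or from Microsoft: it lists pending elevation requests with the details the admin reviews (user, device, file and its hash, justification, expiry) and approves or denies one, enforcing that a denial carries a reason. The Graph beta endpoint, the property names, the approve/deny actions and the permission scope are my assumptions based on the beta privilegeManagementElevationRequest resource; verify them against the current Graph reference before use.

```powershell
# Added example, not code from the original article.
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest).
# Assumptions: the beta endpoint, property names, approve/deny actions and the permission
# scope below follow the beta privilegeManagementElevationRequest resource as I understand
# it. Check them against the current Graph reference.

$Base = 'https://graph.microsoft.com/beta/deviceManagement/privilegeManagementElevationRequests'

function Connect-EpmGraph {
    # Scope is an assumption; EPM requests live under deviceManagement.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
}

function Get-PendingEpmRequest {
    # Returns the fields the admin reviews: who asked, on which device, for which binary
    # (with hash, so it can be checked against a known-good value), why, and when the
    # request itself expires. Status is filtered client-side rather than relying on
    # $filter support for this resource; paging follows @odata.nextLink.
    $uri = $Base
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($r in $page.value) {
            if ($r.status -ne 'pending') { continue }
            [pscustomobject]@{
                Id            = $r.id
                User          = $r.requestedByUserPrincipalName
                Device        = $r.deviceName
                FilePath      = $r.applicationDetail.filePath
                FileName      = $r.applicationDetail.fileName
                FileHash      = $r.applicationDetail.fileHash
                Publisher     = $r.applicationDetail.publisherName
                Justification = $r.requestJustification
                RequestExpiry = $r.requestExpiryDateTime
            }
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

function Approve-EpmRequest {
    param(
        [Parameter(Mandatory)] [string] $Id,
        [string] $Reason = 'Approved by support'
    )
    # Per the article, approval grants the user elevation for 24 hours.
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$Id/approve" `
        -Body @{ reviewerJustification = $Reason } -ContentType 'application/json'
}

function Deny-EpmRequest {
    param(
        [Parameter(Mandatory)] [string] $Id,
        [Parameter(Mandatory)] [string] $Reason   # mandatory: the user sees this reason
    )
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$Id/deny" `
        -Body @{ reviewerJustification = $Reason } -ContentType 'application/json'
}

# Usage (request ids are placeholders):
# Connect-EpmGraph
# Get-PendingEpmRequest | Format-Table User, Device, FileName, FileHash, Justification, RequestExpiry
# Approve-EpmRequest -Id '<request id>'
# Deny-EpmRequest -Id '<request id>' -Reason 'Not an approved application; install it from Company Portal'
```

Before approving, compare the reported file hash with the hash of the binary you expect the user to be running; a justification alone says nothing about which executable will actually be elevated.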
Benefits
- Empowers users while keeping control with first-line support, who decide each elevation.
- Aligns with the Zero Trust principle of least privilege: elevation is granted per request and is time-bound.
- Provides visibility through reporting, so admins can analyse which applications users request elevation for.