In-Depth Blog: Configuring Endpoint Privilege Management in Intune
Elevating specific apps without giving full admin rights is crucial for security and user productivity. Microsoft Intune’s Endpoint Privilege Management (EPM) lets you define rules that either automatically elevate approved applications or require user or admin approval. This guide walks through configuring EPM in the portal, adding a file-based elevation rule, and automating the process with PowerShell.
Why Use Endpoint Privilege Management?
Giving every user full administrative rights increases risk. EPM lets you:
- Elevate trusted line-of-business apps only when needed
- Allow helpdesk tools to run elevated without local admin rights
- Audit and control who approves elevations
Part 1: Configure Tenant-Level EPM Settings
- Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
- Go to Endpoint security > Endpoint Privilege Management.
- Click Create and choose Windows 10 and later > Elevation settings policy.
- Enter a Name and Description for your policy.
- On the Settings page:
  - Toggle Enable Endpoint Privilege Management on.
  - Choose your Diagnostic data level.
  - Select a Default elevation response. This is what happens when a user picks "Run with elevated access" on a file that no elevation rule covers, so "Deny all requests" is the safe default and "Require user confirmation" is the permissive one:
    - Not configured
    - Deny all requests
    - Require user confirmation
- (Optional) Add Scope tags to delegate admin rights over this policy.
- Assign the policy to All users or a specific Entra ID (Azure AD) group.
- Review and click Create.
Part 2: Add a File Elevation Rule
- In Endpoint security > Endpoint Privilege Management, click Create policy and pick Windows 10 and later > Elevation rules policy.
- Provide a clear Name and Description for this rule set.
- On Configuration settings, click Add next to Applications. Then edit the default instance or click + Add to create a new one.
- In the rule fly-out:
  - Give it a Rule name and Description.
  - Under Elevation conditions, choose the Elevation type:
    - Automatic (no prompt; the user is never asked, so reserve this for tightly identified binaries)
    - User confirmed, optionally with a Validation step: Business justification (a free-text reason recorded with the elevation) and/or Windows authentication (the user re-enters their own credentials). Windows authentication is a validation option on a user-confirmed rule, not a separate elevation type.
  - Decide how Child processes behave: allow them to run elevated, deny all, or require their own rule. Letting child processes inherit elevation from an automatically elevated app turns that app into a launcher for anything else, so deny or require a rule unless the app genuinely needs it.
- Under File information, specify the app:
  - File hash: run Get-FileHash -Path "C:\Path\To\app.exe" (SHA-256 by default, which is what EPM matches) and paste the hash. A hash rule is the most precise option but must be updated every time the binary changes.
  - Certificate: confirm the signature status is Valid, then export the signer certificate with (Get-AuthenticodeSignature -FilePath "C:\Path\To\app.exe").SignerCertificate | Export-Certificate -FilePath "C:\Path\To\app.cer" and upload the .cer file. A certificate rule survives vendor updates but matches everything signed by that certificate, so narrow it with the fields below.
  - Enter the File name and optionally File path, Minimum version, Product name, etc. File name and path on their own are trivially spoofed by a renamed or copied binary; treat them as narrowing attributes on top of a hash or certificate, not as the identity of the app.
- Click Save, then Next.
- Apply any Scope tags if needed, and click Next.
- Assign the rule to the target user or device groups, then click Next and Create.
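The File information step above needs a hash, a signer certificate and the version and product fields, and it is easy to build a rule from a binary whose signature does not actually verify. The following is an added example, not code from the original post: it gathers every piece of evidence the rule fly-out asks for in one object, refuses to export a certificate from a file whose Authenticode status is not Valid, and writes the DER .cer you upload. The file path and output path in the usage line are assumptions.

```powershell
# Added example (not from the original post): collect the file-information evidence for an EPM rule.
function Get-EpmRuleEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $CertOutputPath          # optional: where to write the signer .cer for upload
    )
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "File not found: $FilePath"
    }
    $item = Get-Item -LiteralPath $FilePath

    # EPM matches on SHA-256. Get-FileHash defaults to SHA256, but say so explicitly.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    if ($sig.Status -ne 'Valid') {
        # A certificate rule built from an unsigned or tampered binary proves nothing.
        # Fall back to a hash-only rule instead of exporting a bad certificate.
        Write-Warning "$FilePath signature status is '$($sig.Status)'; build a hash rule only."
        $cert = $null
    }
    elseif ($CertOutputPath) {
        # Export the leaf (signer) certificate as DER; this is the file the rule fly-out uploads.
        Export-Certificate -Cert $cert -FilePath $CertOutputPath -Type CERT | Out-Null
    }

    # Version resource fields feed the Product name / Minimum version / File description boxes.
    $vi = $item.VersionInfo
    [pscustomobject]@{
        FileName         = $item.Name
        FilePath         = $item.DirectoryName
        Sha256           = $hash
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($cert) { $cert.Subject }    else { $null }
        SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        ProductName      = $vi.ProductName
        FileDescription  = $vi.FileDescription
        FileVersion      = $vi.FileVersion     # may carry trailing text; trim it before pasting as Minimum version
        InternalName     = $vi.InternalName
        CertExportedTo   = if ($cert -and $CertOutputPath) { $CertOutputPath } else { $null }
    }
}

# Usage (paths are assumptions): evidence for a line-of-business binary, with the signer cert written out.
Get-EpmRuleEvidence -FilePath 'C:\Program Files\Contoso\LobTool.exe' `
                    -CertOutputPath "$env:TEMP\LobTool-signer.cer" | Format-List
```

Run it once per binary you intend to elevate and keep the output with the change record for the rule; when SignatureStatus is anything other than Valid, the function deliberately leaves the certificate fields empty so that the only rule you can build from it is a hash rule.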
Part 3: Automate EPM Configuration with PowerShell
Automating EPM saves time and ensures consistency across tenants. You’ll use Microsoft Graph PowerShell to create both the tenant-wide elevation settings and individual rules.
A. Create Tenant-Wide Elevation Settings
- Connect with a scope that can write configuration policies, then define variables:
```powershell
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$name        = "Elevation Settings Policy"
$description = "Tenant-level EPM settings"
$policyUri   = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
```
- Build your JSON payload mirroring the UI choices. A settings-catalog policy carries each setting as a deviceManagementConfigurationSetting wrapping a settingInstance, platforms and technologies are enum strings rather than arrays, and a choice value is an object rather than a bare string:
```powershell
# Keep the closing "@ at column 1 or the here-string will not terminate.
$policyJson = @"
{
  "name": "$name",
  "description": "$description",
  "platforms": "windows10",
  "technologies": "mdm,endpointPrivilegeManagement",
  "settings": [
    {
      "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_elevationclientsettings_enableepm",
        "choiceSettingValue": {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
          "value": "device_vendor_msft_policy_elevationclientsettings_enableepm_1",
          "children": []
        }
      }
    },
    {
      "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_elevationclientsettings_reportingscope",
        "choiceSettingValue": {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
          "value": "device_vendor_msft_policy_elevationclientsettings_reportingscope_2",
          "children": []
        }
      }
    }
  ]
}
"@
```
  Policies created in the portal also carry a templateReference, and the portal may nest the reporting and default-response settings as children of the enable setting rather than as siblings. If the POST comes back with a 400, export a portal-created elevation settings policy (GET $policyUri/{id} and GET $policyUri/{id}/settings) and copy its templateReference and setting layout instead of typing them from memory.
- Send the request and capture the new policy's ID:
```powershell
$newPolicy = Invoke-MgGraphRequest -Method POST -Uri $policyUri `
    -Body $policyJson -ContentType "application/json"
$policyId = $newPolicy.id
if (-not $policyId) { throw "Policy creation returned no id; inspect the response." }
```
- Assign it to all users:
```powershell
$assignUri  = "$policyUri/$policyId/assign"
$assignJson = @"
{
  "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget" } }
  ]
}
"@
Invoke-MgGraphRequest -Method POST -Uri $assignUri `
    -Body $assignJson -ContentType "application/json"
```
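Hand-writing settings-catalog JSON is where most automation attempts fail, because the setting definition IDs, the nesting of child settings and the template reference have to match what the service expects exactly. The script below is an added example, not code from the original post: it inventories the EPM policies already in the tenant over the same configurationPolicies endpoint used above, fetches each policy's settings, and writes the whole shape to a JSON file you can copy from when building the payloads in this part. It assumes the Microsoft.Graph.Authentication module, a read scope you can consent to, and an output folder under $env:TEMP; the policy-name filter used to pick a template is an assumption too.

```powershell
# Added example (not from the original post): dump existing EPM policies as templates for new ones.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

function Get-GraphCollection {
    # Follow @odata.nextLink so tenants with many policies are not silently truncated at one page.
    param([Parameter(Mandatory)] [string] $Uri)
    $items = @()
    do {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-EpmPolicies {
    # Keep only policies flagged with the EPM technology; other settings-catalog policies are noise here.
    Get-GraphCollection -Uri $base |
        Where-Object { "$($_.technologies)" -match 'endpointPrivilegeManagement' }
}

function Export-EpmPolicyShape {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $OutDir
    )
    # Settings sit behind a navigation property, so fetch them per policy.
    $settings = Get-GraphCollection -Uri "$base/$($Policy.id)/settings"
    $shape = [ordered]@{
        name              = $Policy.name
        platforms         = $Policy.platforms
        technologies      = $Policy.technologies
        templateReference = $Policy.templateReference
        settings          = $settings
    }
    $safeName = $Policy.name -replace '[^\w\-]', '_'
    $file     = Join-Path $OutDir "$safeName.json"
    # Default ConvertTo-Json depth (2) would flatten the nested setting values; go deep.
    $shape | ConvertTo-Json -Depth 30 | Set-Content -Path $file -Encoding UTF8
    [pscustomobject]@{
        Name        = $Policy.name
        Id          = $Policy.id
        TemplateId  = $Policy.templateReference.templateId
        Definitions = @($settings | ForEach-Object { $_.settingInstance.settingDefinitionId })
        ExportedTo  = $file
    }
}

$outDir = Join-Path $env:TEMP 'epm-shapes'      # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Get-EpmPolicies | ForEach-Object { Export-EpmPolicyShape -Policy $_ -OutDir $outDir } | Format-List
```

Before reusing an exported shape in a POST, delete the per-setting id values and any @odata.context the service returned; keep the templateReference and the settingDefinitionId layout as they are, since those are exactly what a hand-written payload tends to get wrong.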
B. Create an Elevation Rule via Script
- Set your rule variables. cmd.exe is used here only because every Windows device has it; an automatically elevated general-purpose shell is effectively local admin for that user, so point this at a specific line-of-business binary in production:
```powershell
$ruleName      = "Elevate CMDRULE"
$description   = "Auto-elevate cmd.exe"
$groupId       = ""            # object ID of the Entra ID group to target
$elevationType = "auto"        # or "user" (user confirmed); Windows authentication is a validation option on "user"
$authType      = "hash"        # or "cert"
$filePath      = "C:\Windows\System32\cmd.exe"
```
- Calculate the file hash or export the signer certificate. Do not build a certificate rule from a file whose signature does not verify:
```powershell
if ($authType -eq "hash") {
    # EPM matches SHA-256; Get-FileHash defaults to SHA256 but be explicit.
    $hash = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash
} else {
    $sig = Get-AuthenticodeSignature -FilePath $filePath
    if ($sig.Status -ne 'Valid') { throw "Signature status for $filePath is $($sig.Status)" }
    $cerTemp = "$env:TEMP\$(Split-Path $filePath -Leaf).cer"
    $sig.SignerCertificate | Export-Certificate -FilePath $cerTemp | Out-Null
    # The rule carries the certificate as base64-encoded DER.
    $base64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($cerTemp))
    Remove-Item $cerTemp
}
```
- Assemble the JSON payload sections, choosing the right blocks for hash vs. cert and auto vs. user elevation.
- Post the rule:
```powershell
$ruleUri  = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$ruleJson = ""   # paste the payload assembled in the previous step
if (-not $ruleJson) { throw "Assemble the rule JSON before posting." }
$newRule  = Invoke-MgGraphRequest -Method POST -Uri $ruleUri `
    -Body $ruleJson -ContentType "application/json"
$ruleId   = $newRule.id
if (-not $ruleId) { throw "Rule creation returned no id; inspect the response." }
```
- Assign the rule to your group:
```powershell
if (-not $groupId) { throw "Set `$groupId to the target group's object ID." }
$assignUrl  = "$ruleUri/$ruleId/assign"
$assignBody = @{
    assignments = @(@{ target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $groupId
    } })
} | ConvertTo-Json -Depth 10   # the default depth of 2 would flatten the nested target object
Invoke-MgGraphRequest -Method POST -Uri $assignUrl `
    -Body $assignBody -ContentType "application/json"
```
Conclusion
Endpoint Privilege Management in Intune lets you elevate only what you trust. The portal flows make it easy to get started, and PowerShell automation ensures scale and repeatability. With these steps, you can secure your environment while keeping your users productive.

