Known Issues for Endpoint Privilege Management with Microsoft Intune – Microsoft Intune

Microsoft Technical Article

Endpoint Privilege Management Known Issues

🚀 Overview

Microsoft Intune Endpoint Privilege Management (EPM) allows organizations to adhere to the principle of least privilege by enabling users to operate as standard users while still performing authorized tasks that require administrative rights. While EPM bridges the gap between security and productivity, certain technical limitations, environmental configurations, and OS behaviors can affect its deployment. This document provides a comprehensive breakdown of known issues that IT Administrators must consider when managing EPM in a production environment.

⚙️ Key Technical Details

🛡️ Security and Policy Configuration

  • File Identity Risks: While administrators can create elevation rules based solely on a file name, this attribute is not protected by a file’s digital signature. To prevent security bypasses where a malicious file is renamed to match an approved rule, it is strongly recommended to use File Hash or Certificate properties to ensure identity integrity.
  • Certificate Expiration: EPM strictly validates the expiration date of certificates. If a rule is based on a certificate that has expired, all elevation attempts for associated files will fail.
  • Application Control (WDAC): EPM components are not part of the default Application Control for Business policies. Admins must explicitly define rules in their WDAC policies to allow EPM client components to execute. Failing to do so will result in EPM being blocked by the system’s own security policy.
  • Administrator Protection Conflict: EPM is currently incompatible with the “Administrator Protection” feature. If this protection is enabled on a device, elevation requests initiated via EPM will fail.
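The following PowerShell script is an added example, not code from the Microsoft article. It collects the identity attributes an EPM elevation rule should be built on (SHA-256 hash, signer certificate and its expiry date), then demonstrates why a file-name-only rule is bypassable by copying an unrelated binary under the trusted file's name. The default path (notepad.exe) and the use of calc.exe as the impostor are placeholders chosen only because they exist on every Windows installation; the temporary demo directory under %TEMP% is constructed by the script.

```powershell
# Added example, not code from the Microsoft article. Gathers the evidence an
# EPM rule should rely on and shows the file-name bypass described above.
# Assumption: $Path is a locally stored, signed executable; notepad.exe is only a
# placeholder that exists on every Windows install.
param(
    [string]$Path = "$env:SystemRoot\System32\notepad.exe"
)

function Get-EpmRuleEvidence {
    param([Parameter(Mandatory)][string]$FilePath)

    $item = Get-Item -LiteralPath $FilePath -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $FilePath -Algorithm SHA256
    # Reports embedded Authenticode signatures and, for OS binaries, catalog signatures.
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $cert = $sig.SignerCertificate

    $signer  = $null
    $expires = $null
    $expired = $false
    if ($cert) {
        $signer  = $cert.Subject
        $expires = $cert.NotAfter
        $expired = $cert.NotAfter -lt (Get-Date)   # EPM rejects rules whose certificate has expired
    }

    [pscustomobject]@{
        FileName        = $item.Name     # not covered by the signature: any file can carry this name
        Sha256          = $hash.Hash     # changes if a single byte of the file changes
        SignatureStatus = $sig.Status    # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        SignerExpires   = $expires
        SignerExpired   = $expired
    }
}

$trusted = Get-EpmRuleEvidence -FilePath $Path
$trusted | Format-List

if ($trusted.SignatureStatus -ne 'Valid') {
    Write-Warning "$($trusted.FileName): signature status is $($trusted.SignatureStatus); a certificate rule would not match."
}
if ($trusted.SignerExpired) {
    Write-Warning "$($trusted.FileName): signer certificate expired on $($trusted.SignerExpires); certificate-based elevation will fail."
}

# Bypass demonstration (constructed sample): an unrelated binary copied into
# %TEMP% under the trusted file's name.
$demoDir  = Join-Path $env:TEMP 'epm-name-rule-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$impostor = Join-Path $demoDir $trusted.FileName
Copy-Item -LiteralPath "$env:SystemRoot\System32\calc.exe" -Destination $impostor -Force
$renamed  = Get-EpmRuleEvidence -FilePath $impostor

"File-name rule would match the impostor: $($renamed.FileName -eq $trusted.FileName)"
"File-hash rule would match the impostor: $($renamed.Sha256 -eq $trusted.Sha256)"
# Both placeholders are Microsoft-signed, so a certificate rule alone would match
# both; when the signer publishes many binaries, pair the certificate with a hash
# or with additional file attributes in the rule.

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it once against the real target of a rule and paste the Sha256 value into the rule's file hash field; re-run it before renewing a certificate-based rule so the SignerExpired check catches the expiry the page warns about before users do.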

💻 Operating System & Infrastructure Constraints

  • UAC Dependency: EPM requires User Account Control (UAC) to be active. If UAC is explicitly disabled (e.g., via registry or by disabling specific Windows services), EPM will not function. Organizations should use standard Windows policy controls to manage UAC behavior rather than disabling it entirely.
  • Network Path Limitations: EPM is designed for files stored on local disks. It does not currently support elevating files located on network shares, UNC paths, or mapped drives.
  • Interactive Sign-in Requirements: EPM creates an isolated account to facilitate the elevation process. This account must be allowed to create an interactive sign-in session. Environments that restrict which users can sign in interactively may block EPM’s ability to function.
  • SSL Inspection: EPM does not support “Break and Inspect” SSL proxying. To ensure policy synchronization, the specific URLs required for Intune EPM must be exempted from SSL inspection in your network infrastructure.
  • Workplace Join Incompatibility: EPM is not supported on “Workplace Joined” (AadRegistered) devices. These devices will fail to process EPM policies or report status to the Intune console.

📂 File and Resource Behavior

  • Isolated Context & Resource Access: Applications elevated via EPM operate within an isolated security context. Because this context does not carry the user’s standard authentication tokens, the elevated application cannot access authenticated resources like OneDrive, SharePoint, or internal Network Shares.
  • Mark of the Web (MotW): Windows tags files downloaded from the internet with the Mark of the Web (a Zone.Identifier alternate data stream), and may prevent such a file from executing until its reputation is confirmed. If the file's reputation is not confirmed, EPM may fail to elevate it. Admins or users must unblock the file (the Unblock checkbox in the file's Properties pane, or Unblock-File in PowerShell) before elevation will succeed.
  • Windows Settings & Control Panel: EPM primarily supports .exe, .msi, and .ps1 files. Certain built-in Windows functions, such as specific Control Panel applets or Settings app configurations, cannot be elevated directly by EPM. These may require being wrapped in a script to be managed by EPM.
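The following PowerShell script is an added example, not code from the Microsoft article. It runs pre-flight checks for the constraints listed in the two sections above: UAC enabled (EnableLUA), device join type as reported by dsregcmd, whether the file sits on a local disk rather than a UNC path or mapped drive, and whether it carries the Mark of the Web, with an optional unblock. The -Path parameter is assumed to be the file the user wants to elevate; when it is omitted the script creates a constructed dummy file in %TEMP% with an Internet-zone Mark of the Web so the MotW branch can be exercised without a real download.

```powershell
# Added example, not code from the Microsoft article. Pre-flight checks for the
# device and file constraints EPM imposes. Run as an administrator on the
# target Windows device.
# Assumption: -Path is the file the user wants to elevate. If omitted, a
# constructed sample file carrying an Internet-zone Mark of the Web is created.
param(
    [string]$Path,
    [switch]$Unblock
)

if (-not $Path) {
    $Path = Join-Path $env:TEMP 'epm-motw-demo.exe'
    Set-Content -LiteralPath $Path -Value 'constructed sample, not a real executable'
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Test-EpmUacEnabled {
    # EnableLUA = 0 turns UAC off entirely, which breaks EPM. A missing value means the default (on).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($null -eq $v) -or ($v -eq 1)
}

function Get-EpmJoinState {
    # dsregcmd /status reports the join type. Entra joined and hybrid joined devices
    # show "AzureAdJoined : YES"; Workplace joined (Entra registered) devices are unsupported.
    $status    = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    $joined    = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $workplace = [bool]($status | Select-String -Pattern '^\s*WorkplaceJoined\s*:\s*YES')
    [pscustomobject]@{ AzureAdJoined = $joined; WorkplaceJoined = $workplace; SupportedForEpm = $joined }
}

function Test-EpmLocalPath {
    param([Parameter(Mandatory)][string]$FilePath)
    # UNC paths are unsupported outright; a mapped drive exposes its UNC target in DisplayRoot.
    if ($FilePath -like '\\*') { return $false }
    $drive = Get-PSDrive -Name $FilePath.Substring(0, 1) -PSProvider FileSystem -ErrorAction SilentlyContinue
    if (-not $drive) { return $false }
    return -not ($drive.DisplayRoot -like '\\*')
}

function Get-EpmMotwZone {
    param([Parameter(Mandatory)][string]$FilePath)
    # Mark of the Web is the Zone.Identifier alternate data stream; ZoneId=3 is the Internet zone.
    $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
    }
    return -1   # stream present but without a ZoneId line
}

$join = Get-EpmJoinState
$report = [pscustomobject]@{
    Path            = $Path
    UacEnabled      = Test-EpmUacEnabled
    AzureAdJoined   = $join.AzureAdJoined
    WorkplaceJoined = $join.WorkplaceJoined
    LocalPath       = Test-EpmLocalPath -FilePath $Path
    MotwZone        = Get-EpmMotwZone -FilePath $Path
}
$report | Format-List

if (-not $report.UacEnabled)    { Write-Warning 'UAC is disabled (EnableLUA=0); EPM will not function.' }
if (-not $join.SupportedForEpm) { Write-Warning 'Device is not Entra joined or hybrid joined; EPM policy will not apply.' }
if (-not $report.LocalPath)     { Write-Warning 'File is on a UNC path or mapped drive; copy it to a local disk first.' }
if ($null -ne $report.MotwZone) {
    if ($Unblock) {
        Unblock-File -LiteralPath $Path   # removes the Zone.Identifier stream
        Write-Host "Removed Mark of the Web from $Path"
    } else {
        Write-Warning "File carries Mark of the Web (ZoneId=$($report.MotwZone)); elevation may fail until it is unblocked (re-run with -Unblock)."
    }
}
```

The checks only read device state unless -Unblock is given; removing the Mark of the Web is the one change that alters a file, so keep it behind an explicit switch and apply it to a file on a local disk only, which is the combination EPM can elevate.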

📅 User Experience and Reporting

  • Windows 10 Notification Delays: There is a known issue where Windows 10 devices do not immediately receive “Support Approved” elevation notifications. Microsoft is currently working on a resolution for this behavior.
  • Primary User Requirement: Currently, on-demand elevation requests via “Support Approved” rules require the requester to be the Primary User of the device.
  • Policy Reporting Conflicts: If “Elevation Settings” profiles are modified and redeployed in very rapid succession, the Intune console may report a conflict or the device may temporarily default to “Deny” for elevations. This is a transient state that typically resolves itself within 60 minutes.
  • Context Menu Issues: On Windows versions earlier than 24H2 (without the April 2025 update), the “Run with elevated access” right-click option may not appear.

    Workaround: Manually install the shell extension by running the package: C:\Program Files\Microsoft EPM Agent\EPMShellExtension\EpmShellExtension.msix.

⚠️ Impact

For IT Administrators, these issues call for a more granular approach to policy authoring: prefer file hash or certificate rules over file-name rules, and ensure that network security appliances (SSL inspection in particular) do not interfere with EPM traffic. The current limitation regarding network share access and authenticated cloud resources may require adjustments to how technical support tools or installers are distributed to end-users.

For End-Users, the primary impact is the requirement for files to be locally stored and unblocked before elevation. Additionally, the “Primary User” restriction means that shared device scenarios may face challenges when using support-approved workflows while this limitation remains in place.


Official Source: Read the full article on Microsoft.com