Elevate as Current User" in Microsoft Intune Endpoint Privilege Management (EPM)

-

 

What is "Elevate as Current User"?

"Elevate as Current User" is a new elevation rule in Microsoft Intune's Endpoint Privilege Management (EPM), introduced in October 2025. It allows processes to run with elevated privileges (like admin rights) under the logged-in user's own account, rather than an isolated virtual account. This improves compatibility for apps that need access to user-specific settings, profiles, or variables, while maintaining security. It's ideal for IT admins reducing unnecessary admin rights in organizations, ensuring better auditing and fewer compatibility issues.

Step-by-Step Guide to Configure and Use "Elevate as Current User"

This guide covers prerequisites, configuration options (automatic and manual), testing, and best practices. Ensure your Intune environment is updated to service release 2510 or later.

Prerequisites

Before setting up the rule:

  1. Intune Suite Access: You need the Intune Suite add-on for EPM features.
  2. Enable EPM on Devices: Assign a "Windows elevation settings policy" to target devices to activate EPM globally.
  3. Gather File Details: Identify the file or app needing elevation (e.g., filename like setup.exe, path, version, product name). Use PowerShell to get the file hash: Get-FileHash -Path "C:\Path\To\File.exe" -Algorithm SHA256.
  4. Certificates (Recommended): For secure validation, prepare a .cer file from the app's certificate or use a reusable settings group.
  5. Install EpmTools: Download and install the EpmTools PowerShell module to extract file attributes and certificates easily.

Option 1: Automatic Configuration (Recommended for Quick Setup)

Use EPM reports or support requests to auto-generate the rule:

  1. Log in to the Microsoft Intune admin center.
  2. Navigate to Endpoint security > Endpoint Privilege Management.



  3. Select a source:
    • From Reports > Elevation report: Locate the file in the "File" column and click it to open details.
    • From Elevation request: Select the relevant file.
  4. In the details panel, review file info and click Create a rule with these file details.
  5. Configure the rule:
    • Policy Option: Choose "Create a new policy" or "Add to existing policy".
    • Set Elevation type to Elevate as current user.
    • Define child process behavior (e.g., "Require rule to elevate" for security).
    • Optionally, check "Require the same file path" to lock the path.
    • Click OK.
  6. If creating a new policy, name it and assign it to user or device groups under Assignments.
  7. Review and deploy the policy.

Option 2: Manual Configuration

For custom setups:

  1. Log in to the Microsoft Intune admin center.
  2. Go to Endpoint security > Endpoint Privilege Management > Policies > Create Policy.
  3. Select:
    • Platform: Windows.
    • Profile: Windows elevation rules policy.
    • Click Create.
  4. Basics Tab: Enter a name (e.g., "Current User Elevation for AppX") and description.
  5. Configuration Settings Tab:
    • Click Edit instance on the default rule.
    • Rule Name: e.g., "AppX Elevation Rule".
    • Elevation Type: Select Elevate as current user.
    • File Name: Enter the filename (supports wildcards like * or ?).
    • File Path: Specify the path (e.g., C:\Program Files\) for added security (optional but recommended).
    • Signature Source: Choose certificate validation—upload a .cer file or select a reusable group.

    • File Hash: Add SHA256 hash if no certificate is used.
    • Child Process Behavior: Choose how to handle spawned processes (e.g., "Allow" or "Require rule").
    • File Arguments: Add allowed command-line parameters if needed (e.g., /install).
    • Click Save. Add more rules as required.
  6. Scope Tags Tab: Apply tags if your organization uses them.
  7. Assignments Tab: Assign to specific user or device groups.
  8. Review + Create: Verify settings and create the policy.

How It Works in Practice

  • When a user runs the targeted file, an EPM prompt appears.
  • The user enters their Windows credentials (supports MFA for added security).
  • The process elevates under their own user context, preserving profiles, environment variables, and settings.
  • No "business justification" is required, unlike some other rule types.

Testing and Validation

  1. Assign the policy to a test group of devices/users.
  2. On a test device, attempt to run the file as a standard user.
  3. Verify the prompt appears and elevation succeeds under your user account (check Task Manager for user context).
  4. Monitor reports: Go to Endpoint Privilege Management > Reports > Elevation report to review events and logs.
  5. Check for consistency in audit logs—actions should log under the original user, not a virtual one.

Best Practices and Considerations

  • Security Trade-Offs: This rule offers less isolation than virtual accounts, so use it only for apps that truly need user context. Prefer virtual accounts when possible.
  • Limit Scope: Apply to trusted files/paths only. Use certificates for validation to prevent tampering.
  • Testing: Start with a small pilot group to avoid disruptions.
  • Troubleshooting: If issues arise, review device logs or use EPM reports. Common fixes include verifying file hashes or certificates.
  • Limitations: Supports Windows only; child processes may need separate rules.

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »

Boost Your Graphics Power med GPU-acceleration i Azure Virtual Desktop!

-
Bild
  🎯 Purpose Optimize performance for Remote Desktop sessions by enabling GPU acceleration and video optimization via Microsoft Intune or Group Policy (GPO). 🧠 Prerequisites & Requirements Required skills: Basic knowledge of Windows device management Experience with Microsoft Intune or Group Policy Understanding of Remote Desktop (RDP/AVD) concepts Technical requirements: Windows 10/11 on session hosts GPU-enabled VMs (e.g., NVv3, NVadsA10 v5, NCasT4_v3) Microsoft HEVC codec installed on client devices Proper GPU drivers installed (NVIDIA GRID or AMD) 1. Sign in Go to: https://intune.microsoft.com 2. Create or edit a configuration profile Go to Devices > Configuration profiles Click Create profile Select: Platform: Windows 10 and later Profile type: Settings catalog 3. Add settings Click Add settings and browse to: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host ...
Read more »