Intune Endpoint Privilege Management has gained more and more features in recent months (child process behavior, argument support, etc.), turning it from a relatively basic EPM solution into a competitive product. However, even with all these improvements, there are still a few things that are not as intuitive as they could be, so I want to show you a few tips and tricks from the field for solving some of the more complex scenarios.
Driver Properties like COM Port Settings
If you want to allow (selected) users to change driver properties like RS-232 port settings in Device Manager, you can create an automatic elevation rule for deviceproperties.exe, which results in the following experience for your users:

When you start Device Manager, you will get the usual “non elevated user” message, which you can ignore:

Once the device is selected, the user can click on “Change settings”

And then modify the port settings, like baud rate or COM port number:

Modify Network Settings like IP Address
Another often-requested feature is the possibility to let users change network settings like static IP addresses on their devices, for example to connect to a PLC or similar equipment. Unfortunately, this one is not as easy as the device properties above. We can’t just elevate ncpa.cpl, as it will not pass the elevation on to the network properties window:

We also cannot directly elevate the properties window, as it is not a standalone executable but is handled by a COM CLSID, which is not supported by Intune EPM (yet?):

To work around that limitation, I created a PowerShell script that you can elevate itself; it passes the elevated token on to the COM object by calling the CLSID directly from a Start-Process command like this:
start-process -FilePath "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}\::{c24e94dc-bd42-4dcb-b376-fe32b363d041}"
I uploaded the script to my GitHub:
Scripts/EPM/EPMNetworkHelper.ps1 at main · mmeierm/Scripts
When you run this script elevated, it shows you a list of network adapters, similar to the list view in ncpa.cpl:

From there, you can select any adapter and open the selected adapter's options:

From there you can modify all network-related settings, just as you could from an administrative account:
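To illustrate the shape of such a helper, here is an added example of my own for this post; it is not the EPMNetworkHelper.ps1 from the GitHub repository above. It assumes it is started through an EPM elevation rule (so the PowerShell host already holds the elevated token), that the NetAdapter and NetTCPIP modules are present, and it reuses the CLSID shell path quoted above to open the Network Connections folder from the elevated host.

```powershell
# Added example, not the author's EPMNetworkHelper.ps1.
# Assumption: this host was launched via an Intune EPM rule and is already elevated.

# Check the token first: if the host is not elevated, the properties dialog would
# open but changes could not be saved, so fail early with a clear message instead.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "This PowerShell host is not elevated. Start it through the EPM rule."
    return
}

# Build an adapter list similar to the ncpa.cpl list view: name, status, IPv4 address, description.
$adapters = @(Get-NetAdapter | Sort-Object Name)
for ($i = 0; $i -lt $adapters.Count; $i++) {
    $a  = $adapters[$i]
    $ip = (Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Select-Object -First 1).IPAddress
    "{0,2}: {1,-25} {2,-12} {3,-15} {4}" -f $i, $a.Name, $a.Status, $ip, $a.InterfaceDescription
}

# Let the user pick an adapter and show its current configuration before anything is changed.
$choice = Read-Host "Select adapter number (Enter to cancel)"
if ($choice -notmatch '^\d+$' -or [int]$choice -ge $adapters.Count) { return }
$selected = $adapters[[int]$choice]
Get-NetIPConfiguration -InterfaceIndex $selected.ifIndex | Format-List InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
Write-Host "Opening Network Connections; right-click '$($selected.Name)' there and choose Properties."

# The shell path from the post: the Network Connections folder addressed by CLSID.
# Launched from this elevated host, the resulting window carries the elevated token.
Start-Process -FilePath "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}\::{c24e94dc-bd42-4dcb-b376-fe32b363d041}"
```

The token check at the top is worth keeping in any such helper: it makes a misconfigured EPM rule show up as an explicit warning rather than as a dialog whose changes silently fail to apply.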

Conclusion
While Intune EPM has evolved from a pretty limited product into a great privilege management solution, there are still things to improve. Until then, we have a few workarounds available to get the job done.
