Intune Endpoint Privilege Management is probably the tool in the Intune Suite that has received the most updates and improvements over the last months, so let’s take a look at it again.
New Reports and Overview page
The most obvious change in the portal is probably the new Overview Page:

In conjunction with the new reports, it gives us an even better overview of our environment:

Support for Scope tag for elevation requests
Another long-awaited feature for larger environments is support for scope tags on elevation requests. The portal now only shows you the elevation requests you are allowed to see, based on your scope tags. See the announcement from Microsoft: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/whats-new#scope-tag-enforcement-for-endpoint-privilege-management-elevation-requests

Forcing Apps to use EPM
While Intune EPM now supports running apps in user context: https://mikemdm.de/2025/10/26/intune-endpoint-privilege-management-now-supports-elevation-in-user-context/, it is currently not possible to do this with an automatic rule. Let’s imagine 7-Zip in my example is a LOB app that, for whatever reason, needs to run with admin rights in the user context. The new user-context EPM rule allows it to be run this way, but it also forces the user to right-click the application icon and specifically choose to run it that way:



If the user forgets this, the app is launched without the required permissions and, depending on the app, may fail in unexpected ways or not start at all:

So, what can we do to work around this? Well, we can have a look in Procmon at what happens when the user clicks “Run with elevated access”:

From Procmon we can see that clicking the “Run with elevated access” button calls an interesting-looking executable, “EPMClientStub.exe”…
What happens when we call this executable manually and pass it an app (one without a rule) that we want to start?

Well, it opens a request to start a support-approved EPM flow. That sounds promising, so let’s try it with our “LOB” app 7-Zip:

Nice, so all we need to do is create a shortcut to our app that calls EPMClientStub.exe with the new parameters:

One word of caution: this trick is not officially documented by Microsoft and can stop working at any moment, should Microsoft decide to change the inner workings of EPM. It also does not bypass policy: the launch still goes through the EPM rule (or the support-approved request flow if no rule matches), so the shortcut only spares the user the right-click. Use at your own risk.
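To deploy that shortcut to many devices instead of creating it by hand, the PowerShell below does it for the 7-Zip case. This is an added example, not code from the original post: the install location of EPMClientStub.exe and the exact argument format are only visible in the author’s screenshots, which this page does not carry, so the script locates the stub by name and assumes the application path is passed as the single quoted argument. Verify both against what Procmon shows on your own device before rolling it out, and keep the Authenticode check, since you are pointing users at a binary you did not ship yourself.

```powershell
# Added example (not from the original post). Creates an All Users Start Menu shortcut
# that launches a LOB app through EPMClientStub.exe, so users do not have to right-click
# "Run with elevated access". Run elevated (e.g. as an Intune PowerShell script in SYSTEM context).
#
# ASSUMPTIONS not stated on the page:
#   - EPMClientStub.exe lives somewhere under %ProgramFiles% (located by name below).
#   - The application path is passed as the single, quoted argument.
param(
    [string]$AppPath      = 'C:\Program Files\7-Zip\7zFM.exe',    # assumed LOB app path
    [string]$ShortcutName = '7-Zip (elevated via EPM).lnk'
)

# Locate the stub rather than hard-coding an undocumented path.
$stub = Get-ChildItem -Path $env:ProgramFiles -Filter 'EPMClientStub.exe' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty FullName
if (-not $stub) { throw 'EPMClientStub.exe not found. Is the EPM agent installed on this device?' }
if (-not (Test-Path -LiteralPath $AppPath)) { throw "Application not found: $AppPath" }

# Sanity check: only point users at a validly signed Microsoft binary.
$sig = Get-AuthenticodeSignature -FilePath $stub
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Unexpected or invalid signature on $stub ($($sig.Status))"
}

$programs = [Environment]::GetFolderPath('CommonPrograms')   # All Users Start Menu\Programs
$lnkPath  = Join-Path -Path $programs -ChildPath $ShortcutName

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $stub
$lnk.Arguments        = '"' + $AppPath + '"'         # assumed argument format; adjust to what Procmon shows
$lnk.WorkingDirectory = Split-Path -Path $AppPath -Parent
$lnk.IconLocation     = "$AppPath,0"                 # keep the app's own icon so users recognise it
$lnk.Save()

Write-Output "Created $lnkPath -> `"$stub`" $($lnk.Arguments)"
```

If you publish the shortcut this way, also hide or replace the app’s original shortcut, otherwise users will keep launching the unelevated copy from the Start Menu and you are back to the failure shown above.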
Conclusion
Intune EPM is on its way to becoming a truly mature solution, just in time for the summer, when it will become available to all E5 customers without a separate Intune Suite requirement.
