EPM Infrastructure Limited for Now

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies. Before joining Directions on Microsoft, Wes... more

The current version of the Intune Endpoint Privilege Management (EPM) add-on service supports elevation of individual executable files, MSI-based installers, and PowerShell scripts. In the latter scenarios, the host processing the installer or script is elevated, not the MSI or PS1 file itself. (Note that EPM does not support elevation of WSH scripts or any other arbitrary file types; it supports only the three file types listed above.)

EPM requires that administrators specify the individual file to be elevated, and the digital certificate used to sign that file can also be applied to the rule to ensure that the executable file has not been modified or compromised since it was approved (the digital signature must also match in order to run).

The approach to elevate applications can be assigned in each rule:

Automatic, in which no UI is shown to the user and the operation happens transparently
User acknowledged, in which the user must approve the elevation (most users will likely

Atlas Members have full access

Get access to this and thousands of other unbiased analyses, roadmaps, decision kits, infographics, reference guides, and more, all included with membership. Comprehensive access to the most in-depth and unbiased expertise for Microsoft enterprise decision-making is waiting.

Membership Options

Already have an account? Login Now

Not a member but want to see the full content? Contact us.