Configure Microsoft Intune Endpoint Privilege Management for dev boxes

In this article, you learn how to configure Microsoft Intune Endpoint Privilege Management (EPM) for dev boxes so that dev box users don't need local administrative privileges.

Microsoft Intune Endpoint Privilege Management allows your organization's users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.

Endpoint Privilege Management is built into Microsoft Intune, which means that all configuration is completed within the Microsoft Intune Admin Center. To get started with EPM, use the high-level process outlined as follows:

  • License Endpoint Privilege Management - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant as an Intune add-on. For licensing information, see Use Intune Suite add-on capabilities.

  • Deploy an elevation settings policy - An elevation settings policy activates EPM on the client device. This policy also allows you to configure settings that are specific to the client but aren't necessarily related to the elevation of individual applications or tasks.

Prerequisites

  • A dev center with a dev box project.
  • Microsoft Intune subscription.

License Endpoint Privilege Management

Endpoint Privilege Management requires either a stand-alone license that adds only EPM, or a license for EPM as part of the Microsoft Intune Suite.

In this section, you configure EPM licensing and assign the EPM license to a user.

  1. License EPM in your tenant as an Intune add-on:

    1. Open the Microsoft Intune admin center, and navigate to Tenant admin > Intune add-ons.
    2. Select Endpoint Privilege Management.
  2. Configure Intune admin role for EPM administration:

    1. In the Intune admin center, go to Users, and select the user you want to assign the role to.

    2. Select Add assignments and assign the Intune Administrator role.

      Screenshot of the Microsoft Intune admin center, showing the available tenant admin roles.

  3. Apply the EPM license in Microsoft 365:

    In the Microsoft 365 admin center, go to Billing > Purchase services > Endpoint Privilege Management, and then select your EPM license.

  4. Assign E5 and EPM licenses to target user in Microsoft Entra ID:

    1. In the Intune admin center, go to Users, and select the user you want to assign the E5 and EPM licenses to.

    2. Select Assignments and assign the licenses.

      Screenshot of the Microsoft Intune admin center, showing the available licenses.

Deploy an elevation settings policy

A dev box must have an elevation settings policy that enables support for EPM to process an elevation rules policy or manage elevation requests. When support is enabled, the EPM Microsoft Agent, which processes the EPM policies, is installed.

In this section, you create a dev box and an Intune group that you use to test the EPM policy configuration. Then, you create an EPM elevation settings policy and assign the policy to the group.

  1. Create a dev box definition

    1. In the Azure portal, create a dev box definition. Specify a supported OS, like Windows 11, version 22H2.

      Note

      EPM supports the following operating systems:

      • Windows 11 (versions 23H2, 22H2, and 21H2)
      • Windows 10 (versions 22H2, 21H2, and 20H2)
    2. In your project, create a dev box pool that uses the new dev box definition.

    3. Assign Dev Box User role to the test user.

  2. Create a dev box for testing the policy

    1. Sign in to the developer portal.

    2. Create a dev box using the dev box pool you created in the previous step.

    3. Determine the dev box hostname. You'll use this hostname to add the dev box to an Intune group in the next step.

  3. Create an Intune group and add the dev box to the group

    1. Open the Microsoft Intune admin center, select Groups > New group.

    2. In the Group type dropdown box, select Security.

    3. In the Group name field, enter the name for the new group (for example, Contoso Testers).

    4. Add a Group description for the group.

    5. Set the Membership type to Assigned.

    6. Under Members, select the dev box you created.

  4. Create an EPM elevation settings policy and assign it to the group.

    1. In the Microsoft Intune admin center, select Endpoint security > Endpoint Privilege Management > Policies > Create Policy.

      Screenshot of Microsoft Intune admin center, showing the Endpoint security | Endpoint Privilege Management pane.

    2. In the Create a profile pane, select the following settings:

      • Platform: Windows 10 and later
      • Profile type: Elevation settings policy
    3. On the Basics tab, enter a name for the policy.

      Screenshot showing the Create profile basics tab with Policy name highlighted.

    4. On the Configuration settings tab, in Default elevation response, select Deny all elevation requests.

      Screenshot showing the Configuration settings tab, with Endpoint Privilege Management enabled and Default elevation response set to Deny all requests.

    5. On the Assignments tab, select Add groups, add the group you created earlier, and then select Create.

      Screenshot showing the Create profile Assignments tab, with Add groups highlighted.
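The following script is an added example, not part of the original article or of Microsoft's own tooling: it performs step 3 of the procedure above (create the assigned security group and add the dev box to it) with the Microsoft Graph PowerShell SDK instead of the admin center, which is useful when you set up several test dev boxes. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that the signed-in account can manage groups and read devices, and that the dev box is registered in Microsoft Entra ID as a device whose display name equals its hostname. The group name is the article's example; the hostname is a placeholder.

```powershell
# Added example (not from the original article): create the test security group and
# add the dev box's Entra device object to it with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement
# are installed; the dev box's Entra device displayName is its hostname.
$groupName  = 'Contoso Testers'               # example value from the article
$devBoxName = 'DEVBOX-HOSTNAME-PLACEHOLDER'   # replace with the hostname from the developer portal

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# A plain security group created this way has membership type "Assigned",
# matching the setting the article selects in the admin center.
$group = New-MgGroup -DisplayName $groupName `
                     -Description 'Dev boxes used to test the EPM elevation settings policy' `
                     -MailEnabled:$false `
                     -MailNickname ($groupName -replace '\s', '') `
                     -SecurityEnabled

# Look up the dev box's device object by hostname and refuse to guess on ambiguity.
$device = @(Get-MgDevice -Filter "displayName eq '$devBoxName'")
if ($device.Count -eq 0) { throw "No Entra device named '$devBoxName' found; check the hostname." }
if ($device.Count -gt 1) { throw "Multiple devices named '$devBoxName'; add the right one by Id." }

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device[0].Id
"Added device $($device[0].DisplayName) ($($device[0].Id)) to group $($group.DisplayName) ($($group.Id))"
```

After the script runs, the group appears under Groups in the Intune admin center and can be selected on the policy's Assignments tab exactly as in step 4.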

Verify administrative privilege restrictions

In this section, you validate that the Microsoft EPM Agent is installed and the policy is applied to the dev box.

  1. Verify that the policy is applied to the dev box:

    1. In the Microsoft Intune admin center, select Devices > the dev box you created earlier > Device configuration > the policy you created earlier.

      Screenshot showing the Microsoft Intune admin center, with the Devices pane and Device configuration highlighted.

    2. Wait until all the settings report as Succeeded.

      Screenshot showing the Profile Settings, with Setting status highlighted.

  2. Verify that the Microsoft EPM Agent is installed on the dev box:

    1. Sign in to the dev box you created earlier.
    2. Navigate to c:\Program Files, and verify that a folder named Microsoft EPM Agent exists.
  3. Attempt to run an application with administrative privileges.

    On your dev box, right-click an application and select Run with elevated access. You receive a message that the installation is blocked.
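The following script is an added example, not part of the original article, that turns verification steps 2 and 3 into a repeatable check you can run on the dev box as the test user from a normal, non-elevated PowerShell session. It reports whether the agent folder the article names exists, whether any Windows service with "EPM" in its display name is registered (a wildcard search, since the article does not give a service name), and whether the test user still holds local administrator rights, which is the condition EPM is meant to make unnecessary. It assumes the Microsoft.PowerShell.LocalAccounts module is available, as it is on Windows 10 and 11, and that the current user's account name is shown in the same form in the local Administrators group and in the process token.

```powershell
# Added example (not from the original article): checks matching the article's
# verification steps. Run in a non-elevated PowerShell session as the test user.
# Assumptions: the agent folder name is the one the article gives; any service whose
# display name contains "EPM" is treated as the agent (wildcard, not a known name).
$agentPath          = Join-Path $env:ProgramFiles 'Microsoft EPM Agent'
$agentFolderPresent = Test-Path -Path $agentPath -PathType Container

# Services matching the wildcard; an empty result means nothing EPM-related is registered.
$epmServices = Get-Service | Where-Object { $_.DisplayName -like '*EPM*' }

# Does the current process token carry admin rights? In a non-elevated session this is
# false even for a local admin (UAC filtered token), so group membership is checked too.
$identity        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal       = New-Object Security.Principal.WindowsPrincipal($identity)
$tokenIsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Local Administrators group by its well-known SID, so the check is language-independent.
# Entra-joined devices sometimes list members whose SIDs cannot be resolved, so tolerate errors.
$userIsLocalAdmin = $false
try {
    $adminMembers     = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                        Select-Object -ExpandProperty Name
    $userIsLocalAdmin = $adminMembers -contains $identity.Name
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
}

[pscustomobject]@{
    User               = $identity.Name
    AgentFolderPresent = $agentFolderPresent
    EpmServices        = ($epmServices | ForEach-Object { "$($_.DisplayName) [$($_.Status)]" }) -join '; '
    TokenIsElevated    = $tokenIsElevated
    UserIsLocalAdmin   = $userIsLocalAdmin
}

if (-not $agentFolderPresent) {
    Write-Warning 'Agent folder not found; confirm the elevation settings policy reports Succeeded for this device.'
}
if ($userIsLocalAdmin) {
    Write-Warning "$($identity.Name) is still a member of local Administrators; EPM is meant to remove that need."
}
```

On a correctly configured dev box the output shows AgentFolderPresent as True and both TokenIsElevated and UserIsLocalAdmin as False; with the Deny all elevation requests default in place, the Run with elevated access attempt in step 3 is then blocked as the article describes.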