Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In this article, you learn how to configure Intune Endpoint Privilege Management for dev boxes so that dev box users don't need local administrative privileges.
Intune Endpoint Privilege Management allows your organization's users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges include:
- Installing applications (like Microsoft 365 applications).
- Updating device drivers.
- Running certain Windows diagnostics.
Endpoint Privilege Management is built into Intune, which means that all configuration is completed within the Microsoft Intune admin center. To get started with Endpoint Privilege Management, use this high-level process:
- License Endpoint Privilege Management: Before you can use Endpoint Privilege Management policies, you must license Endpoint Privilege Management in your tenant as an Intune add-on. For licensing information, see Use Intune Suite add-on capabilities.
- Deploy an elevation settings policy: An elevation settings policy activates Endpoint Privilege Management on the client device. With this policy, you can configure settings that are specific to the client but aren't necessarily related to the elevation of individual applications or tasks.
Prerequisites
- A dev center with a dev box project.
- An Intune subscription.
License Endpoint Privilege Management
Endpoint Privilege Management requires either a stand-alone license that adds only Endpoint Privilege Management, or a license for Endpoint Privilege Management as part of the Intune Suite.
In this section, you configure Endpoint Privilege Management licensing and assign the Endpoint Privilege Management license to a user.
License Endpoint Privilege Management in your tenant as an Intune add-on:
- Open the Microsoft Intune admin center, and go to Tenant admin > Intune add-ons.
- Select Endpoint Privilege Management.
Configure an Intune admin role for Endpoint Privilege Management administration:
In the Microsoft Intune admin center, go to Users, and select the user for whom you want to assign the role.
Select Add assignments, and select the Intune Administrator role.
Apply the Endpoint Privilege Management license in Microsoft 365:
In the Microsoft 365 admin center, go to Billing > Purchase services > Endpoint Privilege Management, and then select your Endpoint Privilege Management license.
Assign Microsoft 365 E5 and Endpoint Privilege Management licenses to target users in Microsoft Entra ID:
In the Microsoft Intune admin center, go to Users, and select the user for whom you want to assign the Microsoft 365 E5 and Endpoint Privilege Management licenses.
Select Assignments and assign the licenses.
Deploy an elevation settings policy
A dev box must have an elevation settings policy that enables support for Endpoint Privilege Management to:
- Process an elevation rules policy.
- Manage elevation requests.
When support is enabled, the Endpoint Privilege Management Agent, which processes the Endpoint Privilege Management policies, is installed.
In this section, you create a dev box and an Intune group that you use to test the Endpoint Privilege Management policy configuration. Then, you create an Endpoint Privilege Management elevation settings policy and assign the policy to the group.
Create a dev box definition:
In the Azure portal, create a dev box definition. Specify a supported OS, like Windows 11, version 22H2.
Note
Endpoint Privilege Management supports the following operating systems:
- Windows 11 (versions 23H2, 22H2, and 21H2)
- Windows 10 (versions 22H2, 21H2, and 20H2)
In your project, create a dev box pool that uses the new dev box definition.
Assign the Dev Box User role to the test user.
Create a dev box for testing the policy:
Sign in to the developer portal.
Create a dev box by using the dev box pool that you created in the previous step.
Determine the dev box's host name. You use this host name to add the dev box and Intune group in the next step.
Create an Intune group, and add the dev box to the group:
Open the Microsoft Intune admin center, and select Groups > New group.
In the Group type dropdown box, select Security.
In the Group name field, enter the name for the new group (for example, Contoso Testers).
Enter a group description for the group.
Set Membership type to Assigned.
Under Members, select the dev box that you created.
Create an Endpoint Privilege Management elevation settings policy and assign it to the group:
In the Microsoft Intune admin center, select Endpoint security > Endpoint Privilege Management > Policies > Create Policy.
On the Create profile pane, select the following settings:
- Platform: Select Windows 10 and later.
- Profile type: Select Elevation settings policy.
On the Basics tab, enter a name for the policy.
On the Configuration settings tab, in Default elevation response, select Deny all requests.
On the Assignments tab, select Add groups, add the group that you created earlier, and select Create.
Verify administrative privilege restrictions
In this section, you validate that the Endpoint Privilege Management Agent is installed and the policy is applied to the dev box.
Verify that the policy is applied to the dev box:
In the Microsoft Intune admin center, select Devices, and select the dev box that you created earlier. Then select Device configuration, and select the policy that you created earlier.
Wait until all the settings report as Succeeded.
Verify that the Endpoint Privilege Management Agent is installed on the dev box:
- Sign in to the dev box that you created earlier.
- Go to c:\Program Files, and verify that a folder named Microsoft Endpoint Privilege Management Agent exists.
Attempt to run an application with administrative privileges.
On your dev box, right-click an application, and select Run with elevated access. You receive a message that the installation is blocked.
