| 1 | +--- |
| 2 | +title: Configure Microsoft Intune Endpoint Privilege Management |
| 3 | +description: Learn how to configure Microsoft Intune Endpoint Privilege Management for dev boxes so that dev box users don't need local administrative privileges. |
| 4 | +author: RoseHJM |
| 5 | +ms.author: rosemalcolm |
| 6 | +ms.service: dev-box |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 02/27/2024 |
| 9 | + |
| 10 | +#customer intent: As a platform engineer, I want to configure elevated privilege management for dev boxes so that dev box users do not need local administrative privileges. |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +# Configure Microsoft Intune Endpoint Privilege Management for dev boxes |
| 15 | + |
| 16 | +In this article, you learn how to configure Microsoft Intune Endpoint Privilege Management for dev boxes so that dev box users don't need local administrative privileges. |
| 17 | + |
| 18 | +Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics. |
| 19 | + |
| 20 | +Endpoint Privilege Management is built into Microsoft Intune, which means that all configuration is completed within the Microsoft Intune Admin Center. To get started with EPM, use the high-level process outlined as follows: |
| 21 | + |
| 22 | +- *License Endpoint Privilege Management* - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant as an Intune add-on. For licensing information, see Use Intune Suite add-on capabilities. |
| 23 | + |
| 24 | +- *Deploy an elevation settings policy* - An elevation settings policy activates EPM on the client device. This policy also allows you to configure settings that are specific to the client but aren't necessarily related to the elevation of individual applications or tasks. |
| 25 | + |
| 26 | +- *Deploy elevation rule policies* - An elevation rule policy links an application or task to an elevation action. Use this policy to configure the elevation behavior for applications your organization allows when the applications run on the device. |
| 27 | + |
| 28 | +## Prerequisites |
| 29 | + |
| 30 | +- A dev center with a dev box project. |
| 31 | +- Microsoft Intune subscription. |
| 32 | + |
| 33 | +## License Endpoint Privilege Management |
| 34 | + |
| 35 | +In this section, you configure EPM licensing and assign the EPM license to the target user. |
| 36 | + |
| 37 | +Endpoint Privilege Management requires either a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite. |
| 38 | + |
| 39 | +1. Configure the Azure tenant administrator for EPM purchasing: |
| 40 | + |
| 41 | + 1. Open the [Microsoft Intune admin center](https://intune.microsoft.com), and navigate to **Tenant admin** > **Intune add-ons**. |
| 42 | + 1. Select **Endpoint Privilege Management**. |
| 43 | + |
| 44 | +1. Configure Intune admin role for EPM administration: |
| 45 | + |
| 46 | + 1. In the Intune admin center, go to **Users**, and select the user you want to assign the role to. |
| 47 | + 1. Select **Add assignments** and assign the **Global Administrator** role, and the **Intune Administrator** role. |
| 48 | + |
| 49 | +1. Apply the EPM license in Microsoft 365: |
| 50 | + |
| 51 | + 1. In the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home?#/catalog), go to **Billing** > **Purchase services** > **Endpoint Privilege Management**, and then select your EPM license. |
| 52 | + |
| 53 | +1. Assign E5 and EPM licenses to target user in Microsoft Entra ID: |
| 54 | + |
| 55 | + 1. In the Intune admin center, go to **Users**, and select the user you want to assign the E5 and EPM licenses to. |
| 56 | + 1. Select **Assignments** and assign the licenses. |
| 57 | + |
| 58 | +## Create Intune group |
| 59 | + |
| 60 | +In this section, you create a dev box and an Intune group that you use to test the EPM policy configuration. |
| 61 | + |
| 62 | +EPM supports the following operating systems: |
| 63 | +- Windows 11 (versions 23H2, 22H2, and 21H2) |
| 64 | +- Windows 10 (versions 22H2, 21H2, and 20H2) |
| 65 | + |
| 66 | +1. Create a Dev Box Definition |
| 67 | + |
| 68 | + 1. In the Azure portal, create a [Dev Box Definition](how-to-manage-dev-box-definitions.md). Specify a supported OS, like *Windows 11, version 22H2*. |
| 69 | + |
| 70 | + 1. In your project, create a [dev box pool](how-to-manage-dev-box-pools.md) that uses the new dev box definition. |
| 71 | + |
| 72 | + 1. Assign [Dev Box User](how-to-dev-box-user.md) role to the target user. |
| 73 | + |
| 74 | +1. Create Dev Box for the target user |
| 75 | + |
| 76 | + 1. Sign in to the [developer portal](https://aka.ms/devbox-portal). |
| 77 | + |
| 78 | + 1. Create a dev box using the dev box pool you created in the previous step. |
| 79 | + |
| 80 | + 1. Determine the dev box hostname. You'll use this hostname add the dev box to and Intune group in the next step. |
| 81 | + |
| 82 | +1. Create an Intune group |
| 83 | + |
| 84 | + 1. Open the [Microsoft Intune admin center](https://intune.microsoft.com), select **Groups** > **New group**. |
| 85 | + |
| 86 | + 1. In the **Group type** dropdown box, select **Security**. |
| 87 | + |
| 88 | + 1. In the **Group name** field, enter the name for the new group (for example, Contoso Testers). |
| 89 | + |
| 90 | + 1. Add a **Group description** for the group. |
| 91 | + |
| 92 | + 1. Set the **Membership type** to **Assigned**. |
| 93 | + |
| 94 | + 1. Under **Members**, select the dev box you created. |
| 95 | + |
| 96 | +## Create EPM policy and assign policy to Dev Box |
| 97 | + |
| 98 | +In this section, you create an EPM policy and assign the policy to the group you created earlier. |
| 99 | + |
| 100 | +1. In the Microsoft Intune admin center, select **Endpoint security** > **Endpoint Privilege Management** > **Create Policy**. |
| 101 | + |
| 102 | +1. In the **Create a profile** pane, select the following settings: |
| 103 | + - **Platform**: Windows 10 and later |
| 104 | + - **Profile type**: Elevation settings policy |
| 105 | + |
| 106 | +1. On the **Basics** tab, enter a name for the policy. |
| 107 | + |
| 108 | +1. On the **Configuration settings** tab, in **Default elevation response**, select **Deny all elevation request**. |
| 109 | + |
| 110 | +1. On the **Assignments** tab, select **Add groups**, add the group you created earlier, and then select **Create**. |
| 111 | + |
| 112 | + |
| 113 | +## Validate Dev Box |
| 114 | + |
| 115 | +In this section, you validate that the policy is applied to the dev box and that the Microsoft EPM Agent is installed. |
| 116 | + |
| 117 | +1. Verify that the policy is applied to the dev box: |
| 118 | + |
| 119 | + 1. In the Microsoft Intune admin center, select **Devices**, locate the dev box you created earlier, and then select **Device configuration**. |
| 120 | + 1. Select the **Elevation settings** policy you created earlier. |
| 121 | + 1. Wait until all the settings report as **Succeeded**. |
| 122 | + |
| 123 | +1. Verify that the Microsoft EPM Agent is installed on the dev box: |
| 124 | + |
| 125 | + 1. Sign in to the dev box you created earlier. |
| 126 | + 1. Navigate to *c:\Program Files*, and verify that a folder named **Microsoft EPM Agent** exists. |
| 127 | + |
| 128 | +1. Attempt to run an application with administrative privileges. |
| 129 | + |
| 130 | + 1. On your dev box, right-click an application and select **Run with elevated access**. You receive a message that the installation is blocked. |
| 131 | + |
| 132 | +## Related content |
| 133 | + |
| 134 | +* For more information, see [Use Intune Suite add-on capabilities](/em/intune/fundamentals/intune-add-ons). |
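Review bot: the step "Configure Intune admin role for EPM administration" assigns the Global Administrator role alongside Intune Administrator; Global Administrator is not needed to license or administer EPM, and handing it to the EPM admin breaks least privilege. Drop it and assign only the Intune Administrator role (or a narrower Intune RBAC role) to that user. The preceding step is titled "Configure the Azure tenant administrator for EPM purchasing" but its two sub-steps only navigate to Tenant admin > Intune add-ons and select Endpoint Privilege Management, so it is unclear whether the reader is viewing or buying the add-on here; say which, since the actual purchase is done later in the Microsoft 365 admin center. Further down, the walkthrough deploys a single elevation settings policy with Default elevation response set to "Deny all elevation request" and never creates the elevation rule policy that the overview lists as the third required step, so the closing validation ("You receive a message that the installation is blocked") only proves that EPM denies everything and never shows a standard user completing an elevated task, which is the stated goal of the article. Add an elevation rule policy step (one rule for a named, signed application) and a validation step that confirms the rule-based elevation succeeds while unlisted applications stay blocked. Minor: "Deny all elevation request" should be plural ("Deny all elevation requests", or the setting's exact label); "You'll use this hostname add the dev box to and Intune group in the next step." should read "You'll use this hostname to add the dev box to an Intune group in the next step."; and "Assign E5 and EPM licenses to target user" introduces E5 without ever saying which base license the target user needs, so state it once in the Prerequisites.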