Endpoint Privilege Management:
Every EPM Change in 2026
Best Practices & Real-World Lab
Why EPM Matters More Than Ever in 2026
If you have spent any time in enterprise IT, you know the permanent local admin problem. A user needs to install an application. A developer needs to run a build tool. A field technician needs to update a driver. For years, the answer was the same: add them to the local Administrators group and hope for the best. That era is over.
Modern ransomware and credential-theft attacks almost universally rely on one precondition: the victim is running as a local administrator. Remove that privilege and 50–80% of successful endpoint compromises simply do not work. Microsoft Intune Endpoint Privilege Management (EPM) is the engine that makes least-privilege a practical reality — not a security aspiration written in a policy document that nobody follows.
2026 has been a transformational year for EPM. A licensing overhaul included EPM in M365 E5 for the first time. The product shipped support for Azure Virtual Desktop. Admin Tasks went GA. Scope tag RBAC reporting was fixed. A new elevation type was added to preserve user profiles during elevation. This post covers every significant change — and exactly how to configure them in your lab and production environment.
What Changed in EPM — 2026 Complete Timeline
New Elevation Type: Preserve Current Profile
EPM adds a new elevation option that elevates users while preserving their current profile — preventing the “two profile” problem that occurred with virtual account elevation in user-data-sensitive scenarios.
Admin Tasks Enters General Availability
The unified Admin Tasks queue under Tenant Administration reaches GA — centralizing EPM elevation requests, MDE security tasks, and Multi-Admin Approval workflows in a single prioritized view.
EPM Support for Azure Virtual Desktop (AVD)
EPM elevation policies can now be deployed to AVD single-session virtual machines — extending least-privilege to cloud-hosted desktop environments for the first time.
Support Approved Elevations — All Device Users
Previously, support-approved elevation requests only worked for the primary/enrolling user. Now any user of a shared device can submit elevation requests — critical for shared-workstation environments.
EPM Scope Tag RBAC Fix for Reports
EPM reports will respect the report viewer’s assigned scope tags — showing only devices and users they are authorized to see. Critical for delegated admin models in large enterprises.
⭐ EPM Included in Microsoft 365 E5
Pricing changes effective 1 July 2026. EPM, Cloud PKI, and Enterprise App Management are now included in the full Intune Suite bundled with M365 E5. Feature rollout begins October 2026.
AVD Single-Session Support
EPM policies now deploy to Azure Virtual Desktop single-session VMs — least-privilege for cloud desktops without infrastructure overhead.
Preserve Profile Elevation Type
New “Elevate as current user” option elevates with full admin context while keeping the user’s existing profile intact — no more split-profile issues.
Admin Tasks GA
Unified queue for EPM requests, MDE security tasks, and Multi-Admin Approvals. Located under Tenant Administration in the Intune admin center.
Shared Device Elevations
Support-approved elevations now work for ALL users on a device — not just the primary enrolling user. Unblocks frontline/shared device scenarios.
Scope Tag RBAC for Reports
EPM reports will enforce scope tag visibility. Admins who previously saw all devices in reports will only see devices within their assigned scope. Audit your RBAC before this ships.
E5 Bundle (Oct 2026)
M365 E5 includes the full Intune Suite — EPM, Cloud PKI, Enterprise App Management. Pricing changes effective 1 July 2026.
How EPM Works — Architecture & Core Concepts
Before diving into configuration, you need to understand exactly what EPM does at a technical level. Many deployments fail because administrators configure it without understanding the isolation model.
The EPM Architecture
When an Elevation Settings Policy is assigned to a device or user, Intune automatically installs the Microsoft EPM Agent at C:\Program Files\Microsoft EPM Agent. This agent runs as a Windows service called Microsoft EPM Agent Service and is the enforcement point for all elevation decisions.
| Component | What It Does | Location |
|---|---|---|
| EPM Agent Service | Receives elevation policies from Intune, evaluates elevation requests in real-time | C:\Program Files\Microsoft EPM Agent |
| Right-Click Context Menu | “Run with elevated access” option appears on all files when EPM is active | Windows Shell extension |
| Virtual Account | Isolated admin account used for most elevations — not added to local Admins group | Per-process, ephemeral |
| EpmTools PowerShell Module | Diagnostics, policy retrieval, file attribute extraction for rule building | C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll |
| Elevation Settings Policy | Master switch — enables EPM on device, sets default elevation behavior and reporting level | Intune Admin Center |
| Elevation Rules Policy | File-specific rules — defines WHAT can be elevated, HOW, and under what conditions | Intune Admin Center |
The Three Elevation Types (2026)
Automatic Elevation
File matches a rule → elevation happens silently without any user interaction. Best for known IT-approved applications deployed organization-wide.
User Confirmed
User right-clicks → “Run with elevated access” → confirms a business justification prompt. User can elevate without IT approval, but justification is logged.
Support Approved
User submits elevation request → IT admin reviews in Admin Tasks → approves or denies. Zero-trust model: no elevation without explicit approval per request.
Virtual Account Isolation (Why It Matters)
For all elevation types except “Elevate as current user,” EPM uses a virtual account to perform the elevation. This is the most important security concept in EPM. The elevated process runs as an isolated admin account that:
- Is NOT added to the local Administrators group (so it disappears after the process ends)
- Cannot access the logged-in user’s profile, AppData, or user registry hive
- Has no network identity — preventing elevated process from accessing network resources as admin
- Creates a hard boundary between the elevated process and the user session
The practical effect: even if a malicious binary tricks EPM into elevating it, it runs in an isolated context that cannot access the user’s credentials, browser cookies, or domain token. This is fundamentally different from traditional “Run as Administrator” which runs in the full user context.
Licensing — 2026 Changes Explained
The licensing model for EPM has been the single biggest blocker for adoption. Before July 2026, EPM required either a standalone Intune Suite add-on or an EMS E5 license. Most mid-market organizations on M365 E3 or E5 were paying for EPM separately — or simply not deploying it.
| License | EPM Available? | When | Notes |
|---|---|---|---|
| M365 E5 | ✅ Included | Oct 2026 (pricing Jul 2026) | Full Intune Suite bundled — EPM + Cloud PKI + EAM |
| M365 E3 | ❌ Not included | — | Intune Suite add-on required ($10/user/month) |
| Intune Suite Add-on | ✅ Included | Available now | Includes EPM, Remote Help, Advanced Analytics, Cloud PKI, EAM |
| M365 Business Premium | ❌ Not included | — | Intune Suite add-on required (max 300 users) |
| EMS E5 Standalone | ✅ Included | Available now | Legacy path — consider migrating to M365 E5 |
| EPM Standalone | Available | Available now | Per-device add-on — $3/device/month for Intune Plan 1 customers |
Best Practices — Senior Engineer Recommendations
1. Always Start with Audit Mode
Never deploy EPM in enforcement mode on day one. The EPM documentation itself recommends this, and every experienced engineer I know who skipped this step regretted it within two weeks. Audit mode deploys the EPM agent and logs every elevation event without blocking anything. This gives you a 2–4 week data baseline to understand what your users are actually elevating before you write a single rule.
- Deploy Elevation Settings Policy with Default Elevation set to Audit for 2–4 weeks
- Review the EPM Elevation Report: Intune Admin Center → Reports → Endpoint Privilege Management
- Identify the top 10–20 applications being elevated — these become your first elevation rules
- Sort by frequency: highest-frequency elevations are the highest user-impact rules to create first
2. Use File Hash Verification for Critical Elevation Rules
EPM supports multiple file detection methods: file path, file hash, certificate, and product name. File path alone is trivially exploitable — an attacker who knows your elevation rules can copy a malicious binary to the same path. Always use file hash + certificate signing in combination for any automatic elevation rule.
| Detection Method | Security Level | Maintenance Overhead | Recommended Use |
|---|---|---|---|
| File Path only | Low | Low | Never use alone — exploitable |
| Certificate (Publisher) only | Medium | Low | Good for vendor-signed apps that update frequently |
| File Hash only | High | High — update on every app version | Use for internal/unsigned tools |
| Certificate + File Hash | Highest | Medium | Recommended for all automatic elevations |
| Certificate + Product Name + Version | High | Low-Medium | Good for vendor apps with frequent updates |
3. Implement Child Process Controls
One of the most overlooked EPM capabilities is child process controls. When a process is elevated by EPM, you can control whether child processes it spawns inherit elevated privileges. Without this, a user could elevate a legitimate application and then launch a shell from within it — inheriting full admin rights.
4. Use Support Approved Elevation as the Default for Unknowns
Configure your Elevation Settings Policy default to Deny with Support Approved rather than flat Deny. This means when a user tries to elevate something that has no matching rule, instead of getting a silent block with no recourse, they get a support request workflow — the request lands in your Admin Tasks queue for review.
5. Build Detection Rules with EpmTools — Not Manually
Do not manually look up file hashes and certificate details. The EpmTools PowerShell module can extract all detection attributes directly from any file, formatted ready to paste into your elevation rule.
6. Separate Elevation Rules Policies by User Group
Do not create one monolithic elevation rules policy and assign it to all devices. Create separate policies per business unit or persona (Developers, Finance, HR, IT). This gives you:
- Granular audit visibility — you see which GROUP is elevating which applications
- Scope isolation — a Finance elevation rule breach does not expose Developer elevated tools
- Easier rollback — if a rule causes issues in IT, you disable the IT policy without touching Finance
- Compliance reporting — demonstrate least-privilege by business unit for auditors
7. Review Admin Tasks Daily — Not Weekly
The new Admin Tasks queue in Intune (GA January 2026) centralizes support-approved elevation requests. If you are running Support Approved as your default for unknowns, the queue will fill quickly in the first two weeks. An unanswered elevation request blocks a user from completing their work. Set a service level target: review and respond within 4 business hours. Stale requests destroy user confidence in EPM and lead to workarounds (users finding ways to get local admin back).
Real-World Session — Enterprise Deployment Lessons
The “Everything Breaks on Day 1” Problem
Deployed EPM in enforcement mode without audit phase. Within 6 hours of rollout: 47 helpdesk tickets from traders who couldn’t run Bloomberg Terminal (unsigned helper DLL), finance team blocked from year-end Excel add-in install, and one VP who “fixed” the problem by getting IT to re-add him to local admins — permanently defeating the purpose.
Fix: Rolled back to audit mode for 3 weeks. Audit data showed 94% of elevation events came from just 12 applications. Created rules for those 12. Re-deployed enforcement. Zero helpdesk tickets from EPM after second rollout.
The February 2026 AVD Support Win
Clinical staff on Azure Virtual Desktop were the last major group that needed local admin rights — specifically for medical device integration software that required elevated driver installs. Before February 2026 EPM update, this was an unsupported scenario and the org maintained a legacy OU of AVD machines with local admin enabled.
Post-Feb 2026: Deployed EPM elevation rules to AVD single-session VMs targeting the medical device installer. Clinical staff can now elevate that specific installer — and only that installer — without any admin rights on their AVD session. The legacy local admin OU was retired. Compliance score improved by 14 Secure Score points.
Before and After: All-Users Elevation Requests (March 2026)
Manufacturing floor used shared Windows kiosks enrolled under a service account. Multiple operators (shift workers) used the same devices. Before March 2026, only the enrolled user (service account — never logging in interactively) could submit elevation requests. All shift workers were stuck with no escalation path.
Post-March 2026 update: All users of the device can now submit support-approved elevation requests. Line operators can request elevation for the calibration software they need during their shift. Supervisor reviews in Admin Tasks and approves in under 2 minutes. Zero operators added to local Admins since rollout.
The Spawned Shell Attack
During a red team engagement, the attacker had standard user rights. They identified that an IT tool (Remote Desktop Connection Manager) was configured with an automatic EPM elevation rule and no child process controls. They launched RDCMan elevated, then used its “Open command prompt” feature to spawn cmd.exe — which inherited admin privileges from the EPM-elevated parent process.
Fix: Add child process controls to all automatic elevation rules. Set to “Deny all child processes” for tools that don’t legitimately need to spawn child processes. For IDEs and developer tools that DO spawn child processes, set to “Allow child processes” but add those child processes to their own separate elevation rules with tighter file detection.
Lab Configuration Guide — Step by Step
Phase 1: Create the Elevation Settings Policy (Enable EPM)
- Sign in to intune.microsoft.com → Navigate to Endpoint Security → Endpoint Privilege Management
- Select Policies tab → Click Create Policy → Platform: Windows 10 and later → Profile: Elevation settings policy
- Name:
EPM-Settings-Audit-Phase→ Click Next - Configure settings:
- Endpoint Privilege Management: Enabled
- Default Elevation Response: Deny Elevation — for audit phase, set to Audit (Allow with review)
- Send Elevation Requests to IT Support: Enabled
- Reporting Scope: Diagnostic data — All elevation events
- Elevation Control: Enabled (allows right-click “Run with elevated access”)
- Assignments: Assign to a test device group (not all devices yet) → Review + Create
- Verify deployment: On test device, right-click any .exe → confirm “Run with elevated access” appears in context menu (may take 30 minutes to sync)
Phase 2: Use EpmTools to Extract File Attributes for Rule Building
- On the enrolled test device, open PowerShell as standard user
- Import the EpmTools module:
Import-Module 'C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll' - Point to your test application:
Get-ElevationRuleAttributes -FilePath "C:\path\to\yourapp.exe" - Copy the output: FileName, FileHash (SHA-256), Publisher (certificate), ProductName, ProductVersion
- Keep this output open — you will paste these values into the elevation rule in the next phase
- Also run:
Get-EPMStatus— verify Agent State: Running, Policy State: Applied
Phase 3: Create an Elevation Rules Policy
- In Intune → Endpoint Security → Endpoint Privilege Management → Policies → Create Policy
- Profile: Elevation rules policy → Name:
EPM-Rules-[TeamName]-v1 - Click Add to create a new rule → Fill in:
- Rule Name: Notepad++ Installer Elevation (or your app name)
- Elevation Type: User confirmed (for testing) — change to Automatic for production if trusted
- Child Process Behavior: Deny all child processes (safer default)
- Elevation Condition: Add file condition → File hash (paste SHA-256 from EpmTools output)
- Add second condition → Certificate (paste Publisher CN from EpmTools output)
- Save rule → Review + Create → Assign to same test device group as Settings policy
- Allow 30 minutes for policy sync → On test device, run:
Get-Policies -PolicyType "ElevationRules"to verify rule appears
Phase 4: Test Elevation and Verify Audit Log
- On test device as standard user: navigate to your test application .exe
- Right-click → Run with elevated access → You should see: elevation confirmation prompt (for User Confirmed type)
- Enter business justification text → Click Confirm → Application should install/run with elevated rights
- Back in Intune: Navigate to Reports → Endpoint Privilege Management → Elevation Report
- Confirm your elevation event appears — verify: User, Device, File, Elevation Type, Result (Managed), Timestamp
- Test denial: Try running a .exe that has NO rule → should prompt for Support Approved request if you enabled that, or show denial message
Phase 5: Configure Admin Tasks for Support Approved Workflow
- In Intune Admin Center → Tenant Administration → Admin Tasks
- You should see any pending elevation requests submitted by users who encountered “Support Approved” prompts
- Click on a request → Review: User, Device, File being requested, Business justification provided by user
- Options: Approve (creates a one-time or reusable rule) or Deny
- If you Approve and select “Create reusable rule” → a new elevation rule is automatically added to an assigned policy
- Best practice: Review Admin Tasks at least twice per day during the first 30 days of enforcement-mode deployment
Phase 6: Switch from Audit to Enforcement Mode
- After 2–4 weeks of audit data collection, review the EPM Elevation Report → identify top elevating applications
- Create elevation rules for all high-frequency legitimate elevations before switching
- Update EPM Settings Policy: Default Elevation Response → Deny with Support Approved
- Stage the rollout: Start with IT team (most technically capable, can troubleshoot) → Expand to each business unit in 1-week waves
- Monitor Admin Tasks queue after each wave — a spike in requests means missed applications in that group
- Target: fewer than 5 new elevation requests per 100 users per week after stabilization (4–6 weeks post-enforcement)
Common Mistakes & How to Avoid Them
New: EPM on Azure Virtual Desktop (AVD)
The February 2026 EPM update adds support for Azure Virtual Desktop single-session VMs. This is a significant addition for organizations that host cloud desktops — previously the only option for elevating applications in AVD was to grant full local admin rights to the entire session.
Requirements for AVD EPM Deployment
- AVD single-session virtual machines only — pooled/multi-session not supported
- VMs must be enrolled in Intune (Entra joined or Hybrid Entra joined)
- Intune Suite add-on (or M365 E5 post-October 2026)
- Windows 11 22H2 or later on the session host VMs
- EPM policies assigned to the device or user groups that map to the AVD session hosts
AVD Lab Setup
- In Azure portal: Ensure your AVD session host VMs are Entra-joined and show as enrolled in Intune (Intune Admin Center → Devices → All Devices)
- Create a device group in Entra ID containing your AVD session host VMs (filter by device name pattern or tag)
- Create EPM Settings Policy → Assign to the AVD device group (same steps as Phase 1 above)
- Create EPM Rules Policy with elevation rules for AVD-specific applications → Assign to same AVD device group
- Test: Log into an AVD session as a standard user → Right-click target application → “Run with elevated access” → Confirm elevation works
- Verify audit log: EPM Elevation Report should show elevations tagged to the AVD session host device name
Monitoring & Reporting
Key Reports in Intune (2026)
| Report | Location | What It Shows | Cadence |
|---|---|---|---|
| Elevation Report | Reports → EPM → Elevation report | All elevation events: user, device, file, type, result, timestamp | Daily review |
| Summary Dashboard | Reports → EPM → Summary | Total elevations, breakdown by type (auto/user/support), top elevated files | Weekly review |
| Admin Tasks Queue | Tenant Administration → Admin Tasks | Pending support-approved elevation requests needing IT action | Daily — 2x per day during rollout |
| Device Elevation Details | Devices → [device] → EPM tab | Per-device elevation history, applied rules, agent health | On-demand investigation |
| Managed vs Unmanaged | Reports → EPM → Elevation by type | Ratio of policy-matched (managed) vs unmatched (unmanaged) elevations | Weekly — aim for 95%+ managed |
KQL Query — Elevation Events in Defender Advanced Hunting
EPM elevation events also appear in Microsoft Defender XDR Advanced Hunting via the DeviceEvents table:
Final Thoughts — EPM in Your Zero Trust Strategy
EPM is not an optional add-on to a mature security program. It is a foundational control that should be deployed alongside, or shortly after, Microsoft Defender for Endpoint. The threat model is simple: remove permanent local admin rights and you eliminate the single most common precondition for successful endpoint compromise.
- Start with audit mode — always. 2–4 weeks of data before enforcement
- Child process controls are non-negotiable — every automatic elevation rule must define child process behavior
- Certificate + hash detection for automatic elevation rules — never file path alone
- The Admin Tasks queue is a service level commitment, not a to-do list — respond within 4 business hours
- Staged rollout: IT → Power Users → Finance → Standard users — each group one week apart
- 2026 licensing change: If you’re on E5, EPM arrives in your tenant October 2026 — start planning now
The organizations that have successfully removed permanent local admin from their user population share one common trait: they treated EPM as a user experience project, not just a security project. When users can accomplish their work without admin rights — because IT has built good elevation rules — they stop trying to get admin rights back.
Next in This Series
Watch the Lab on YouTube
The full EPM lab configuration walkthrough — from first policy to enforcement mode — is available as a step-by-step screen recording. No camera. No filler. Just configuration.