Endpoint Privilege Management (EPM) is an advanced Microsoft Intune feature that enables organizations to remove local administrator rights from endpoints while still allowing users to run elevated processes on a just-in-time basis, supporting the zero trust security model through the principle of least privilege. EPM requires full Intune enrollment (not device management only, and not Windows 365 Business). Elevation rules can be configured with different elevation types: user confirmation with business justification, automatic approval, support approval, or elevated current user. Applications are identified for rule creation by file hash or by certificate.
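As an added example (not code from the webinar, and not Microsoft's own EpmTools module), the following PowerShell gathers the two identifiers an EPM elevation rule can key on for one executable: the SHA-256 file hash, which the rule editor expects as 64 hex characters and which changes whenever the binary is updated, and the Authenticode signing certificate, exported together with its CA chain so you can tell which file is the publisher certificate and which are certificate authorities. The executable path and the output folder are assumptions you can override.

```powershell
# Added example (not from the webinar, not Microsoft's EpmTools module):
# collect the inputs for an EPM elevation rule for one signed executable.
# Assumptions: $FilePath exists and $OutDir is writable.
param(
    [string]$FilePath = "$env:SystemRoot\System32\notepad.exe",
    [string]$OutDir   = "$env:TEMP\epm-rule-input"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. File hash: the value the "File hash" rule field takes (64 hex chars).
#    Caveat from the session: any update to the binary invalidates it.
$hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
"SHA256 : $hash ($($hash.Length) chars)"

# 2. Signing certificate: the more durable identifier. Refuse to continue
#    if the file is unsigned or the signature does not verify, because a
#    certificate rule built from a broken signature is meaningless.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; a certificate rule needs a validly signed file."
}
$leaf = $sig.SignerCertificate
"Signer : $($leaf.Subject)"
"Issuer : $($leaf.Issuer)"
"Expires: $($leaf.NotAfter)"

# 3. Walk the chain and label each element. Element 0 (the leaf) is the
#    publisher certificate; everything above it is a CA. Each element is
#    written as a DER .cer file, the format the rule editor's upload takes.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($leaf)) {
    Write-Warning "Chain did not build cleanly; exporting the elements that were found."
}
$last = $chain.ChainElements.Count - 1
$i = 0
foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    $role = if ($i -eq 0)      { 'publisher' }
            elseif ($i -eq $last) { 'root CA' }
            else                  { 'intermediate CA' }
    $file = Join-Path $OutDir ("{0}-{1}.cer" -f $i, $role.Replace(' ', '-'))
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($file, $der)
    "[{0}] {1,-15} {2}  -> {3}" -f $i, $role, $cert.Subject, $file
    $i++
}
```

Run it in a normal (non-elevated) prompt; reading a hash and a signature needs no admin rights. The numbered role in each file name answers the "is it a CA or a publisher?" question that comes up when the rule editor asks for a certificate type: element 0 is the publisher, the others are CAs, and for a binary whose leaf certificate is reissued often, the intermediate CA is the longer-lived choice.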
Deep Dive
Endpoint Privilege Management deep-dive - Intune Academy Office Hours
[music] >> Hi Hardik, good to see you. Much more muted intro that time, wasn't it?
>> Yeah, it was.
>> Feels a little bit of an easier intro than the one I usually spend the entire morning producing and then release.
>> With the grandpa music.
>> This one was one click. It's one click.
>> Yeah.
>> I think we've got a little guy down there. There he is.
>> There he is.
>> Um So, welcome everyone. Thank you for joining. This live webinar is all about the Intune Academy. It's one of the office hours that we've uh decided to do. We're going to do two a week actually for the next few weeks.
And the focus of this one, I think he's right in my way, isn't he? The focus I'm going to go over here.
The focus of this one is to uh cover a specific bit of Intune, specifically the Intune suite actually.
Uh it's an advanced feature of Intune called endpoint privilege management.
And uh it's for no other reason that I think it's pretty cool.
Uh I like endpoint privilege management.
I think it's a good idea. We don't have any relation to it within Rubberduck. It's the the Intune Academy is unrelated to Rubberduck other than the fact that part of the team in Rubberduck are uh responsible for kind of building the content. We have other people outside of Rubberduck that are building content for us.
So, it's not really about Rubberduck at all.
Um but one of the features we want to focus on today is the endpoint privilege management.
Tomorrow um just scheduled uh about an hour ago is Windows Autopilot versus Windows Autopilot V2 with the incredible Yuri.
>> Mhm.
>> Um so that That be fun as well. But this one, yeah, all about uh EPM.
We have a few people in chat already. So, we'll just introduce that. My mic is a bit low. Thanks, Dan.
I can either shout or I can bring it closer. I'm going to need to uh >> Uh sorry, it's not Dan, it's Daz. Sorry, I read that very quickly. Um I actually I cannot pronounce that at all. d a z d c f n z d Uh thank you very much anyway for letting me know.
Um I'll try and increase it actually. I have a little button.
I did that. Little button thing. Is that any better, Hadjit? I don't know if I feel louder.
>> Yeah, I can Wonderful. The button works and I moved it closer and I shouted. So, we're all there.
Um good. Confirmed on the stream as well. So, yeah, I mean this this is going to be very hopefully very interactive. If you have ever used EPM, please let me know.
And we're going to talk about it and uh other things. I'll just I'll share my screen in a minute. We haven't got much uh Dazed and Confused.
Very clever.
Very clever.
Um I understand it now.
>> with maybe explaining what EPM is uh for those that may or may not >> good idea. Yeah. Yeah. Yeah, it's a great idea.
Um would you like to do it or shall I?
>> Yeah, you know, it's basically it's a uh EPM Microsoft Endpoint Privilege Management. It's uh has been part of the Intune suite uh enable enables organizations to remove local admin uh rights, right? That's the whole uh goal of it uh while allowing users to perform an elevated like approved elevated uh processes. Uh that's the gist of it, I think.
>> [snorts] >> That [clears throat] is it. Yeah. There are third-party alternatives and until EPM came about, I was using one of those third-party alternatives. For some customers I still am because Intune Suite until now has been pretty expensive.
And still is actually time of time of recording this. It is still expensive.
It's an extra few maybe $10 per month depending on your on the skew that you manage to get from Microsoft.
>> Yeah.
And and then and also EPM supports, you know, the zero zero trust approach, right? By you know, using the principle of least privileges and stuff like that.
You know, I think some people like, you know, for us that we've been in the sysadmin world for a long time, you know, it's it's the equivalent of just-in-time admin, right? With PowerShell and things like that back in the several years.
>> Yeah, but as I say, I I still use an alternative for some of my customers because it's expensive and if you only want EPM, Intune Suite may not be worth it. There might not be enough value in that, but it really it depends on you and your customer and your your decision on that. Um soon that will all change. I'm not sure if sure if you've you've kept up-to-date, Harjit, but Intune Suite all the features of Intune Suite the advanced features of Intune Suite are going to be moved into Enterprise E3 and also Enterprise E5.
They're going to split. It's going to be four in one and and four in the other or five in the other.
>> Yeah.
>> And EPM lands into E5. So, if you have E5, then you [clears throat] get EPM.
Is that right? I hope that's right.
>> Yes, you're right. You're right.
>> I may be not be right.
>> No, EPM is in E5. It's not in E3. Remote remote uh remote help and it's in E3 and then yeah.
>> I did a I did a a live stream on this yes not a live stream a a recording on this yesterday. You would think I actually would remember just yesterday.
Um what is in That's it. You get um Tunnel for MAM, you get remote help and you get advanced analytics in E3. And then really fun stuff is all in E5 for obvious reasons.
Um Anyway, so I did it yesterday.
>> Cloud PKI and all of that is in E5 I believe. Yeah.
>> Yeah.
>> Yeah.
>> So like like I said, I did a quick video yesterday on setting up EPM mainly because I was preparing for this and I thought it would be a good idea to at least check whether it works and I'm happy to say that I've learned a lot.
Um I don't think it works for Windows 365 business.
Um because I couldn't get it to work. It definitely doesn't work if you uh take a machine that is not enrolled and enroll it only in device management rather than doing the full Intune enrollment. Uh that also doesn't work.
If you use a DEP account, that doesn't work. Uh it really needs this um it needs a normal Intune enrollment through the traditional sense. Because it does uh as I found out from reading Rudy's blog that it does a a second enrollment a linked enrollment using MMP-C which we'll go into in a little while.
But that only works in specific enrollment types and so that's why >> co-management?
>> I didn't look at that. Um why not?
Yeah.
>> It should, right?
>> Um yeah, I guess so.
>> Yeah.
>> Uh maybe not actually thinking about it.
I don't know. That's a good one. I'm not going to test it now before we go live on this because we're already we're >> already 4 or 5 minutes in and it would be a good idea to get started with it. Um in the chat though, if you can let me know if you've had a go at using EPM or if you've tried it and hated it and tried it or or loved it, that would be great to know.
Um we do have uh some help in the chat for us as well, so that's wonderful.
And we'll dump jump, not dump, we'll jump straight in now.
Um let me share my screen and find the stuff that I want to talk about.
Mm oh, it's this one. I've got the button already done. There he is.
Um >> There we go.
>> We have a couple of things already set up, so I decided to get this in place a little bit early uh before the stream went live because I wanted to check that it actually worked and on what at least one machine it did work.
Uh so that's good. We have something to show. But we start in endpoint privilege management. And within EPM, I created this policy called E enable EPM because that's pretty much all you can do with the this elevation settings policy. So I did that and I'll go into it now. And one of the reasons I did it early is because it takes a little while, one error.
Honestly, you can't go anywhere, can you, without getting errors in Intune.
This is a brand new demo environment, two devices, and I got 50/50.
Um one of the reasons I did this early was because it it needs to do some setup on the endpoint. So it's not just that you create the policy in Intune and then it just works on endpoint. It needs to push a thing to the endpoint. I'm going to show you that in a few moments. Let's see how far this has failed though. Let's let click report and see it generate this report for me. Uh system account for Megan B.
I think this was the Windows 365 cloud PC, the business Cloud PC I was trying, which is why this has failed.
And this was the You can see the time on that. This was the "Oh god, I I need to get this working now" kind of enrollment that I just did just before we went live.
So, that's now applied there, which is good. So, we've enabled EPM.
I can show you that machine actually.
Uh if I just head to I've got so many windows cuz it was a little bit frantic right at the end there.
Uh here we have a a folder called Microsoft EPM agent which gets downloaded to the computer when you enable it.
And it has some stuff in it. So, all of this is like an agent that happens on the computer.
>> Mhm.
>> I'm going to head back to the policy itself and show you what it looks like when we configure it.
And I'll just scroll down to the configuration settings.
And here we go.
So, for the past 4 hours I haven't stopped for a drink or anything cuz I've been trying to get this ready to go. Um EPM is enabled. We are default denying all requests for the elevation response, and we are sending elevation data for reporting.
Uh yes, as opposed to no. And then we're also sending all endpoint elevations rather than just managed ones just to get as much data as possible into the report.
>> Right.
>> So, that's done, and that's applied at least on one machine now. So, then we can we can start using it.
Uh I do want to just call out though that because of my frantic configuration of this, this user actually already is admin.
So, I just need to let me move this around a bit so we can see it a bit better.
There we go.
Uh so, this user already is admin. So, if I was to take this user, so Megan, and just run as admin, actually they already are admin, yes.
>> Yeah.
>> Um but we're not going to be using that run as administrator thing during this demonstration. And maybe if we have time, we can remove admin from this user and then retry it.
But what we're going to be doing instead is using the elevation settings. Uh, let me just find uh app.
I didn't think I'd installed Notepad++.
So, that's >> [laughter] >> interesting.
Uh, okay. [snorts] Let's find an application.
I was I I built a cloud PC originally because it was I had a trial available. So, I thought I'd use a cloud PC for this. And right at the last second I had to fall back to this on-premises VM.
>> VM, yeah.
>> Which is why it's uh which is why it's a little bit sluggish.
Um, I also don't have any apps installed, which is probably not great.
Let me find Where's Notepad? It's in system, isn't it?
Windows Why can't I find Notepad? Anyone know where Notepad is?
There he is. C:\Windows.
>> C:\Windows, yeah.
>> So, right now we have run with elevated access and the default policy says deny all. So, when I run with elevated access, I hope it will deny it.
I hope it will deny it.
>> Come on.
>> Everything's so slow when it There you go.
>> There you go.
>> Your organization doesn't allow you to run this app as administrator.
Uh, good. So, that's what we're going to be doing. We're going to be changing that so it actually lets me run it as administrator. And just to um make it easier to get to in the future, I want to put it on the desktop.
Send to desktop.
>> There you go.
>> Yeah. So, we'll be using that in the future. [clears throat] I could have used Edge. I was just thinking about it, but Notepad is easier.
>> So back to Intune?
>> Back to Intune.
Um Yeah.
Let's go back to Intune. That's the wrong Intune.
Come on, Intune.
There he is.
>> Look at these just all your windows.
>> I [laughter] have I've got a few windows open right now.
All right, so let's go to endpoint security and down to EPM.
And we will go for create and we'll do a rules policy. Now, I went through this yesterday and I kind of had to gloss over a few things. I didn't have a Windows PC available to me, but I do have one now. [clears throat] I did actually have two, but I destroyed one while I was trying to get it working. Um We'll jump in and do this now. So, this is going to be elevate Notepad++.
Elevate Notepad ++.
And then we get this default rule which isn't configured and just you can't really do anything with it without um choosing edit instance and then you give it a name. So, we'll call this note Did I type ++?
>> Yeah, it should be just Notepad.
>> You should call me out when I make stupid mistakes. That's why you're here.
Literally why you're here.
>> Cuz I I had a feeling.
>> [laughter] >> I did Notepad++ yesterday.
So, this is going to be Notepad.
Um and then we get these options. So, the question really is how do you want this approval to go? Cuz when I chose run with elevated access, there were a few options. One was deny, right? Which was it just denied it.
The other option is that we get the user to confirm why they want to run it as admin and then it just runs as admin.
That's the user confirmed with validation, so you can offer to ask them to provide business justification, and also Windows note Windows authentication. So, then we can see that they definitely are the right person.
Uh and if we do that, then that's what happened. The user is prompted for that, and then they get access to it.
The alternative in the elevation type is automatic, so then it would just automatically approve it, which would or deny, which is the default, so we don't need to create an explicit rule for that. We have support approved, which [clears throat] I will probably struggle to demonstrate now because uh I think we're going to run out of time before we get to that one.
>> like support tickets, right? It creates a support ticket or something like that, right?
Yeah.
>> Yes, so rather than just kind of elevating it, it will it will create an action for the >> Yeah, it's an >> engine to approve that.
Um and then the other one is elevated current user, which is very new. It wasn't in any in any of the documentation that I saw until recently, and it is a way of um keeping the same identity, the same actual user, and just give them permission to run this as admin, which is different to how all the other ones work because the other ones um create a new virtual user with the admin, and then use that account.
>> Right.
>> And I guess this one's been created because if you have if if you have specific things that that user has access to, then there might be some reason that you need to elevate as that user rather than just elevate as a user.
Um good. So, let's do user confirmed first.
We'll do business justification. Now, child process behavior, this is important to think about because if I was to run notepad, or let's say more obvious, if I was to run uh terminal command prompt if this app spawns a child process, should it also be admin or should it not?
And we can either require rule, we can allow all child processes to be elevated, or we can deny all, or we can leave the default. I don't know what the default does, >> [clears throat] >> but we can leave it as that.
>> [snorts] >> Um I think require rule is probably the most obviously secure.
Well, the >> I think you're right. This is really important, especially when it comes to developer tools, right? They always have child processes and uh for for the tools that they use.
>> Yeah.
Uh I'm just while while for a moment, I just want to check something cuz I recently was told that we can reply to people on LinkedIn.
And I didn't test it yet. I want to test that.
And I'm just replying to Steven.
Um hopefully >> [clears throat] >> you get that. If you do get that, please please say hi back just because that will clear some things up for me.
Um In the meantime, we can choose the file name. Now, that notice this isn't required.
The only thing that is required at the moment is certificate and certificate type. We can also change that to uh where is it?
File hash. Um and file hash is easier but not easier. It's different uh to to using a cert.
But, it also is um less persistent. So, if there's ever a change to that file, then the file hash will change, and so the file hash won't be relevant anymore.
Um we'll do file hash, and I've just realized that I'm running this on a Mac and I won't be able to grab the file hash from my Mac. So, I'm going to get it from the VM and hope that I can somehow go back somehow get it across into Intune. Let's do that. That'll be fun, won't it?
>> Oh boy, from a VM? Oh, no.
>> It's fine. It's fine. It's fine. We'll do it.
Um So, here's the rule and I'm going to just fail at doing this um very quickly.
I don't think it lets me put anything in here. Needs to be 64 characters long.
Uh let's I bought that.
>> [laughter] >> I didn't get a reply on LinkedIn, which is sad.
Um We're going to bowl all that. We're going [clears throat] to do this from this handy VM here.
Won't that be fun? Doing Intune from a tiny little screen like this. And this is why I spun up that Windows 365 VM.
>> Yeah.
>> But, you know, it wasn't to be.
Uh because stuff is never meant to work.
Is it? That's uh it's just never going to work.
Any uh I don't know if are you a movie fan, Hodget?
>> Movie fan, yeah. Some of it, yeah.
>> You heard of any idea where Cyberdyne came from?
>> No.
>> Anyone in the chat want to want to um Ah, there you go. So, yeah, I I sent a a hello LinkedIn message to all. That was what That's all I can do. I can only send to all.
Um so, thanks, Stephen, for confirming.
But, until today, we weren't able to reply to anyone on LinkedIn.
Um doing any posting to LinkedIn at all. Uh anyone in the chat fancy if they if you have any movie knowledge at all, any recollection of what Cyber Cyberdyne is from.
I needed to think of a name for an MSP.
Um there you go. Terminator. Yeah.
Yeah, that's the it's it's the organization in Terminator that I think, you know, AI and Anthropic and um uh OpenAI will eventually become.
>> [sighs and gasps] [laughter] >> Okay.
We are in a Windows machine with access to Intune. Look at that. We're making progress.
>> You're making progress.
Yeah.
>> We are in endpoint security. So, all I do is go back to EPM.
And you know, one of the um other reasons for doing these live streams is to is to really focus on some of the features that we're covering in the academy courses. This is the more of the advanced course that we're we're going through. Um the topics in the advanced course are including these things.
And >> You're going to break >> them in much more depth and the demos actually work because you're not trying to do them live while also talking to Haja and an audience. Uh but they um yeah, this is what am I doing? Notepad.
>> Yeah, notepad. Yeah.
There we go.
>> All right. So, we're back here.
And we're going to call it notepad.
And go for business justification and we'll do not configurable, do file hash for now and then I remember this from a little while ago when I did it.
Uh I think it's C.
Is it >> Yeah, it was C:\Windows.
Yeah.
>> Well, you know, you know, I thought it was.
But my tab isn't completing.
There it is. Okay.
>> There it is. Yeah.
>> That's the button you use when you are using a Windows machine. That is what the button you use when you're using a Mac. Bear with me a second while I scroll.
Uh so, I'm also just going to do Get-FileHash.
And there's the hash. And this is I think just can just copy this. It's 64 characters.
>> you just right click here.
>> And that's that. Okay.
>> Beautiful.
>> So, that's the most basic rule you can use. Let me also just put the file name in here cuz when you're not using search, you do need to use the the file name.
>> notepad.exe >>.exe, thank you.
And you can specify a restricted file path as well under here. So, if you want to make sure that they're just running any file with that file hash somewhere else in the operating system, then you can also restrict the file path.
Uh okay. So, that's pretty much that configured. And we'll do save. And that's the rule. And then we all we do is assign that to all devices or the specific users if you want. And create.
And go.
Um Umbrella Corporation, fantastic. Good idea. We should use Umbrella Corporation for the next one. Now, would Umbrella Corporation cuz the idea is that we're creating the MSP model for the um for the demonstrations we're using to figure out how an MSP would manage their customers.
And Cyberdyne felt right. But I think Umbrella I guess they're kind of >> It does sound right. Cuz it's like a you know >> As a customer of Cyberdyne, do you think Umbrella would be a customer of Cyberdyne? Do you think that could ever happen?
>> It could.
>> [laughter] >> Mm. Okay.
Uh right. So, I'm waiting for this policy to apply now. I'm going to head over to the machine, which ah, I'm on it. Fantastic news. I just need to um [laughter] go to accounts. I'm just going to sync this machine locally.
Mhm.
Anyone in the chat happen to have had the pleasure of attending Experts Live UK recently? Cuz we had the live Intune Academy. Um Love watching the chat. Everybody will be a customer of Cyber Drain.
Very good.
Um >> Could be a merger.
>> [laughter] >> Could be a Imagine a merger between those two.
Um okay. So, yeah, we had the Experts Live UK conference last week, and I'm still kind of tired from it cuz it was a lot of work, but it was great. Um And we had the Intune Academy workshop, a whole day workshop covering everything around Intune. And again, nothing to do with Roubaix Pack. Roubaix Pack did sponsor it and and provide the you know, essentially the day went ahead, but >> [clears throat] >> really it was the team, Lewis, James, Steve, and Andrew who really made that happen. So, thank you to them >> Yeah.
>> for creating the content and for running the entire show while I was in and out, running around, trying to um trying to get the the day moving along as well.
Uh but the point was that it just could covered all of Intune, all the different bits of Intune that you can possibly cover, and anyone could shout out and say, "Hey, can we talk about this?" It was pretty good.
This is syncing now. So, what we see is that the enforcement for Intune management extension completed.
This was needed in order to deploy the EPM agent, so that was already done in the past. We have security and device health monitoring. They haven't changed.
So, nothing here shows us that there's any rules been applied. I'm going to give this a few more seconds and then I will choose Notepad and see if it runs.
Um Let's have a look at the chat. The broken Neo. Oh god, I need to ship that Neo. Yes. Um we we we gave away a a MacBook Neo and it broke. I mean, it I don't think it was my fault. It wasn't even my tenant. I blame Andrew Taylor. I might just bill it to his uh to his department in Rubble Pack.
We um yeah, [snorts] we broke it and uh someone won it, which was sad. So, we're going to have to get a new one and ship that to them, which would be good.
>> I thought it was being I thought you were fixing it while we were uh drinking that beer.
>> It didn't work. It didn't fix.
>> Ah, okay.
>> Um So, yeah, I need to return it and Pete, no, I didn't um I didn't return it yet. I pretty much haven't left the house since I got back because I drove all the way from London back to Hexham and then unloaded the van into my office and it's just here.
I can see it all still. I haven't had a chance to go through the 13 TVs and and 15 booths.
Um So, soon when the team get here cuz the rest of the team are coming up to help.
Um Anyway, no, I haven't returned it yet, but thank you for the reminder. I will definitely do that.
Uh okay.
We are probably ready to give this a go and run elevated and see what it does. And I genuinely don't remember how fast this is meant to be at uh applying policies and that kind of thing. So, I'm just going to right click on it and uh, run with elevated access and it either denies or it asks for, yeah, it denies.
Um, >> Yeah, I saw that earlier.
>> Question in the chat while we wait.
Practical, let me put this on the screen so I can see it.
Practical wise, don't apps like Notepad update regularly?
So, it's best just for apps that don't automatically update for the hash. Yes, you're right, definitely.
Uh, using the hash isn't going to last very long.
Um, the hash will change very often. So, don't use the hash unless you uh, expect to update the hash frequently.
>> Yeah.
>> Um, the alternative, which I should go through now while we wait because waiting is fun, would be to use the certificate. Um, so, let's go through how do you edit a policy?
>> You went over that before. You went over that earlier.
>> yeah, sorry. Yeah.
Would be to use the certificate.
And that you configure by changing the certificate source or signature source to, uh, certificate that you've put in reusable settings, which means you can reuse it between Defender app control and also uh, other bit, uh, firewall and that kind of thing. So, there's loads of different places where you can reuse these reusable settings. Um, you can use one of those or you can upload a certificate file here. Now, we'll go into that. I want to keep this policy as it is for now while we're just waiting for this to actually apply, otherwise we could be um, here a while.
We got some message. Let me see what this is saying.
The PowerShell module to get the file info for EPM. Yes. So, when you look through the docs Uh let me take this one off the screen.
When you look through the docs of EPM, there's a lot more information than there used to be. And now there's a a new um PowerShell tool that allows you to get the file attributes and and do that kind of thing. And we will go through that if we have time in a few moments once this actually works. But let's In fact, while we're waiting, let's grab that cuz we have nothing else to do.
Uh >> [sighs] >> Raj, you just um entertain the crowd while we uh while I do some typing.
>> [laughter] >> You know at this point Steve Winer would would absolutely relish that op- opportunity.
>> He loves it. Yeah.
>> to um >> He's talking about his Dunkin' Donuts.
>> Anything.
>> We were with him in London. It was hilarious. Oh my god.
>> He >> I see Vince now in the crowd.
>> [gasps] >> Yeah, you do? Oh, yeah. Of course, right at the top. Yeah.
Uh EPM >> [clears throat] >> EPM Come on.
That's not there.
>> So, how many people are confused about EPM versus Windows LAPS?
>> [clears throat] >> Oh.
>> That's another >> Go on. Explain to me what Windows LAPS is.
>> What is that?
>> Explain to me what Windows LAPS is.
>> Well, Windows LAPS is uh it uh it provides admin access to the machine.
Uh but it resets the the uh the the passwords periodically. So, when you use one, it changes it on the fly. So, the built-in admin admin accounts Yeah, they are completely different, yes, absolutely.
>> All right, that worked. Need to run as admin in order to get to it.
And then get No, that's not >> Where you at?
>> Import-Module first, right? Then Get-FileAttributes.
Not by plane, file path.
And then See if it works from being right here.
Ooh, it does a lot of stuff.
>> Yep.
>> That's cool.
Um Okay.
One search chain found, which is good.
And it has exported it to this location here.
Certificate chain Microsoft Windows PCA.
Good.
Uh Exported to here. That's Is that I don't even know where that is.
Uh Yuri's in the chat.
>> Oh, yeah.
>> Wonderful.
>> [clears throat] >> Wonderful. Um Jigsaw, interested in seeing the virtual users within MDE.
Uh I don't know if you can see them, but that's an interesting point.
I don't know if you can see them at all.
Where did it say it put it? C:\Windows\System32. I don't think it would have put it there, but it guess it could.
System 32 Uh I I I mean it can't, can't it?
Oh, yes.
That's interesting. It's created a thing there.
Uh, so, it has put the root there as well. So, we've got these.
Now, that's cool.
Right, so, I don't know which one we should use, to be honest. We have the publisher cert is [clears throat] cert index. Is that right?
>> Yeah.
Export it to >> PCA 2011 and the root CA. So, I don't think we want the root CA.
Probably Windows cert.
Um, we'll try that.
I guess any cert would work cuz it's not it's not going to actually >> Trial and error, yeah.
>> get to the point where we can test it because it takes far too long for stuff to actually roll through onto Windows devices these days. So, yeah, we'll just scroll down and go to signature source upload and put in the file from >> System32.
>> Notepad, and then we'll do this one here.
See if that works.
That so far has worked, and it is uh, >> Is it a CA or a publisher?
>> Don't know.
Any idea?
In chat?
>> Does it say the uh, >> We could open it, I guess.
>> Doesn't it show in the gray box that's in there?
>> Well, that's the Microsoft Windows Production PCA >> Sounds like a CA.
>> It does, but it also seems like a P.
Anyone any idea? I would find out if this is a publisher cert or a CA cert.
No one in the chat.
>> No one yet.
>> [clears throat] >> I like the fact that it's delayed.
>> Publisher would make sense.
>> I mean, it doesn't I don't think it'll be a CA cuz we have the root CA there. Um Okay, we'll go with publisher.
And I'll take that out the file hash in case I got it wrong, and then we'll do save and save. And save. Okay, good.
So, in the meantime, this is probably >> Uh >> been syncing, and maybe I can run this app as elevated now.
>> Try it.
>> Yay.
Enterprise certification because it's um >> You did ask for that, right?
>> Uh yeah.
>> Wasn't >> Yeah, so this was the original policy that I had, so you would Please.
Please.
I can't type.
Please.
>> [laughter] >> The keyboard's delayed on this, all right? It's I'm not an idiot. Well, I am an idiot, but also the keyboard is delayed.
>> Continue.
>> Continue. And that will allow you to run it as admin, and we can check if it's admin you know, by going into various places, but one of the other ways we can check is to go into uh some restricted place like that, for example. Uh no, not that. Um where was I?
Uh >> What are you trying to do?
>> I was I was Yeah, it's running as admin.
It's fine.
Um Good. So, that worked. And that was because it was the uh the previous policy which used the file hash.
>> Yeah, so business justification, you know, whatever you put in there, it it it gives you access pretty much right away. Um So, it doesn't it doesn't send to an admin or or back end to say you know, is there something we can see in the back here? Yeah.
>> Yeah, it d- it doesn't send it to an admin. It will the whole point of the policy, if you recall, >> Is audited.
>> the elevation type was user confirmed. So, we just need the user to confirm that they want to do it.
>> Right.
>> And they don't even need to run uh to put in a business justification, I don't think.
Uh it's just there for auditing because at the end of this, we can run a report and see who's been elevating stuff.
Um Now, the other way you can get this information is to actually run the elevation report. I don't think it will work work quickly enough for me to show it on this live, you know, reporting is deliberately delayed.
Um But, that's the way you normally get that information about the file hash and the certificates because it will be reported in the elevation report whether it was denied or approved. And so, you can essentially gather all the information as to who wants to run things because the elevation requests are denied.
Um the other way you can do it is to default allow elevation requests with user confirmed um justification and gather the auditing logs that way.
>> Yeah.
>> And then use that as a to plan your deployment of EPM in the future.
>> Mhm. Um So, you said it's shown in the command in the module.
Okay.
Um Well, luckily, as you can clearly see, I haven't done a lot of research into EPM since the first time I looked at it probably 6 months ago.
Uh and I haven't started recording that element of the course yet. So, when it comes to that element of the course, it will have all of the detail that we need.
Uh yeah.
But, for now, that's pretty much how you configure EPM.
Uh some people have told me that it's got some limitations and isn't quite as friendly to use as uh some of the alternatives.
I could name alternatives, but I'm not going to They're not sponsoring this. But, neither is Microsoft, actually. But, yeah. This is This is focused on EPM.
Um They're all alternatives allowing you to um elevate to admin context on a request basis. You could almost call it admin by request, couldn't you?
Um but, I'm not going to name any of those products.
No. No, several are there, yeah.
Yeah. Um Okay. So, the next thing we're going to be covering I In fact, I'll I'll kind of pause for any questions and while I wait for questions and wait for stuff to come along in the chat.
The other thing we're going to be covering next is uh Windows Autopilot versus Windows Autopilot Device Prep.
Mhm. And hopefully, we'll be able to do a demo of that. You'll be pleased to know that it's not me running the demo.
Um it is the incredible Yuri. So, Yuri, um I'll just put you on the chat there just so people can see your happy smiley face.
Um it's uh it's your job tomorrow to do the demo.
So, this should be fun.
Um >> Is he doing a demo of both, right?
Uh >> Sorry, say again?
>> The V1 V1 and V2.
>> Which Don't call it V2 and V1. That's not the name.
>> I know. I loved I love to do that.
>> [laughter] >> Uh Yeah, it's V1 versus V2.
>> Yeah.
>> Yeah.
W- W- I'm not going to I'm going to leave the commentary until um >> tomorrow.
>> Until tomorrow because there's a there's a there's a whole hour where we can talk about the pros and cons of each. Um >> S- So, >> come back to your question, Chris, in a second, but the Pete has spoken and um it seems mighty complicated in comparison to the alternatives. This is true. The alternatives uh seem pretty simple. They need an agent, but then so does this.
>> Yeah.
>> I think one of the huge reasons to use this would be that it is included in your license and therefore you should probably make use of it if you can.
>> Right.
>> Anything that allows us to get rid of local admins is a good thing.
Uh LAPS obviously helps, but is a bit of a sledgehammer approach. This is much more fine-grained and potentially uh more useful if you can get it working.
But, yes, I appreciate Um Yuri, I'm terrified because you said I'm not. I hope that doesn't mean that you're not doing a demo because then it's on me and then I have to do a I'll be up all night creating a demo for APDP.
>> So, I think he meant he's not doing both.
>> He's not what?
>> He's not doing both of them.
The uh >> I I hope he's playing cuz I really would like you to do the demo.
Um and then we have a question from uh Chris.
Did you encounter the error code when applying the policy?
Um I got some error code.
I don't remember exactly which. We can look actually cuz it's in I reset the PC. Let's go back and take a look at the policy that I did.
Cuz it might show the error code.
It is in report.
>> Oh yeah, there it is.
>> No, no, that one.
>> No, error code.
>> That's fine.
Uh no, I didn't. Let me check here.
Um here we are.
>> Uh he's asking for a specific uh 214.
>> Yeah.
Um Let me find the error code cuz I put it in my notes.
Um No, I got Let me put it in the chat.
In the chat. Do I have chat? I have chat. I got this specific error code. Uh failed to enroll MMPC for dual enrollment mode. And that was because I was using Windows 365 Business and also because I was using enroll in device management only. And so I got that.
Uh we are running E5 and we'll do a complete review of all the additional services if we should use them. And that's probably the best approach, you know.
>> Yeah.
>> Test it out. See if it's what you need.
I [snorts] as I say, I didn't buy Intune Suite for some of my customers because it was an additional cost, and for the additional cost stuff you have to justify it. And it might be the easy path to use this because it's included in your license.
>> Yeah, up to until July 1, it's what, $10 per user per month. So, it's pretty expensive, I think.
>> Yeah.
Yeah. And so, on July 1st, the pricing will change so that it's then included for anyone who buys an E3 or an E5 license. If it's E5, they will get EPM.
But, the features won't actually roll out to the tenants necessarily until the end of the month. So, the timeline is um it's not unknown. It is known that it will take around a month for the engineering teams to roll it out across the entire world, across all tenants.
Um So, yeah, that's happening. And in chat, we have a couple more things. So, Dazed and Confused, mighty complicated indeed. This project could take weeks to properly configure. It could. And maybe if you got reusable settings configured, maybe that would be better. If you're already using WDAC, then maybe you can reuse those certs. Uh if you've got those certs already in place, um then maybe it would be easier to configure. And maybe if you use the default allow, then it will be easier to configure. There's many ways to make it less complicated than doing it properly.
Um And then also from the Pete, we have Cloud PKI. Yeah.
We're we're going to do Cloud PKI um next week. So, I mentioned we're doing two live streams per week. This week is EPM and Autopilot V2 versus V1.
I didn't mean to call it that. APDP versus Autopilot.
Um And then next week, we are sneaking Cloud PKI in there. So, that's going to be a full rundown of why you should consider Cloud PKI.
And I guess one of the reasons that we're including this is because it's now included, as of this week, in the core product, which most customers will have.
And that's better than having to buy it as an Intune suite. So, it's more involved in the course that we're creating.
>> Yeah.
>> So, yeah.
Uh good point. Yeah, thank you for doing that. I haven't scheduled the live stream yet. So, do wait until that actually um appears.
Logistics question. Thank you. Is it always Tuesdays and Wednesdays on the live streams? It is this week. Um >> It's usually Wednesdays.
>> But pretty pretty much. Uh yeah, this week and next week is definitely that. Uh and in fact the week after, yeah, the 30th of June is also a a Tuesday live stream.
>> Mhm.
>> And if we can get the co-host alongside me and Harjit, then we will have a one on Wednesday, the uh 1st of July as well.
>> Hey, Canada Day.
>> Sorry?
>> Canada Day.
>> Is that Canada Day?
>> Yeah, July 1st.
>> Uh I mean I I love the idea of Canada with its in I'm ready to selfishly take an entire day.
>> [laughter] >> The UK have never taken an entire day, I don't think.
>> Maybe we should do a an episode about soccer. World Cup soccer.
>> [laughter] >> World Cup soccer.
Oh, you mean football. Sorry, yeah, that took me a while.
>> Football.
>> Yeah.
>> Um you see I have to differentiate that here, you know.
>> Right.
>> On this side of the pond cuz people get confused.
>> Yeah. [laughter] Uh so, yeah, Tuesdays and Wednesdays uh we're going to try and focus on that. We probably will, as we release the courses uh on the Intune Academy, we will be kind of restricting one of those to people who are actually taking the courses because we're running live streams for the candidates there. Thank you, Danny. Uh we have the Intune Academy sign up QR code um on the screen as well. So, please do take a look at that. You can still sign up. We haven't released the first cohort yet. The first course will be going live this week. And uh it's essentially a very basic course. And I think pretty much everyone in the chat I can see so far has a good enough knowledge of Intune to not need to take the first course, and they'd probably learn nothing from it. It really just is there as a way to get uh a nice ease [clears throat] into how to use the platform. And then the next course is all about the advanced stuff that we're running, including this, when I've really given it a good run through and got some more information.
And I guess one of the differences between a live stream, which is you have to talk and you have to interact and you have to uh think about various things while running a live demonstration, is that it's very different to running a course, because with a course and the module in a course you can kind of focus a clip on a particular thing, and a clip can be anywhere between 5 and 10 minutes long, and you can focus on that. And then if I, for example, needed to figure out which certificate to use, I would be able to pause that recording, figure it out, come back with the knowledge, and then make it much more um easy to listen to and easy to watch as a learning module. This is much more interactive.
>> Well, a live stream is like like doing a live demo at a session, you know, at a conference, right? You It's it may work, it may not work, but you know, the idea is there.
>> It is. It's like that in every way apart from the audience, because with the audience you can kind [clears throat] of interact with them in real time. Whereas this, I appreciate people are speaking to us. It's fantastic to have the chat going on, but it is about 15 to 20 seconds delayed. So, you can't have that backwards and forwards, which is slightly different to being on stage.
I appreciate, thank you uh for the kind >> Oh, nice it is. Thank you.
>> kind comments. Big kudos to the duo for tirelessly giving time and effort to the community. Thank you very much.
Um we will uh have a question just before I move on to the >> I create the rule from the >> Very weird. There's a noise behind me.
Very weird noise behind me. Sorry about that.
Uh we when you use support approval, then you can create the rule from the request at the top. It's easier. Ah.
That's a good idea.
>> That's the ticketing system.
>> Yeah, so let's do that. I'm not going to have a chance to go into it too much, but let me just jump in to see [clears throat] what you're talking about cuz I think that sounds good. Um >> I'll share a screen.
>> [laughter] >> Good shout. Thanks, Ash.
Um just typing away on my hidden screen [laughter] there.
Um let's try this. Uh just going to pick a new one and going to go with uh oh, no.
I didn't create a new one.
Delete that.
Edit.
So, support approval.
Which >> That one there. Okay.
>> We need the file name, but we still need this.
We still need the file hash. So, you can create the rule from the request at the top.
Oh, maybe if the ah, I see what you might be saying. I'm going to I'm going to preempt that you'll come back to me and and tell me what I got wrong just then. If we enable EPM and use the default as support approved, then maybe that will create that opportunity.
So, [snorts] require support approval.
>> Okay.
>> Yeah. And so, what that will do, I haven't got a specific rule, which means that anything that gets gets requested will come through to the support approval flow. And then I can maybe create the rule. That sounds like a great way to migrate to EPM from a different product.
You essentially give everyone the opportunity to um to use this and use support approve. That's a great That's a great idea. Thank you very much for that. Um come back on the screen just to see you have a a shout out of your name. Very clever. Thank you for your um help.
Um And we only have a couple of minutes left.
Uh yes, you did Yeah, thank you. I I caught up. Uh you meant on the settings at the beginning. Thank you. I was being a little bit stupid and realized. Um so, we have this elevation request setting uh button here, which will where the It will show where the >> Where the request will come in, right?
>> Ryan find a way to do this. I doubt it will have refreshed the settings just yet because Intune I'm not going to say it. Intune is designed as a massively scalable cloud service, so can't be instant.
Um it is not slow.
I would get fired as an MVP, I think, if [laughter] I called it slow.
Intune is not slow. Intune is scalable and right-sized for every uh, every task it performs.
Um I think we'd run with elevated access and see where it goes.
Okay.
Request >> the key is also right. Okay, it's accepted.
>> verify your identity. Okay.
>> It's accepted.
All right, sent.
>> Now the default behavior before was deny request. This is support approval. So, it has been sent.
>> there it goes.
>> So, we head over to here and hope.
>> There it is.
>> And then from here, >> What does it say?
Does it say please?
>> settings.
>> Where's the please button?
>> that the Microsoft Corporation but thank you for joining, whoever you are.
You're a >> [laughter] >> You're a nice person. You've just fundamentally changed how I'm going to talk about this in the course.
Um, >> Oh, there it is.
>> This gives you all the information from that user and essentially lets you build up this uh, repository of um, of reusable settings. Let's add that. I don't know how long it'll take.
So, it has been added as a reusable setting and I will, if I allow it, then they'll be allowed to do it once.
But if >> click on approve right there?
>> I could click approve, but that would only allow it once and by adding it to the reusable settings, that hasn't necessarily created a rule. So, everyone can do it. You would still need to go in and do that. So, I'm going to ignore this request. In fact, I'll deny it.
And that means it won't run.
>> Right.
>> But I do want to create a policy and in that policy we'll use the reusable setting.
So, um, that's a good point.
Kevin, they do need some Rubberduck swag.
You are being a wingman for them. Well done.
Yeah, they they need some swag. We'll sort that out.
Thank you, Danny. Can you make a note of that?
Um We will create this and call it Edge, I think it was.
>> Was it Edge? Okay.
>> And in here, we'll call it Edge.
And it is Let's do all automatic and I think it's MS Edge, isn't it?
>> You said not in the reusable way.
Uh not the create rule.
>> he's I think they're about 15 seconds behind us. Um Jigsaw, the S in Intune stands for speed. Exactly my point. Exactly. Yes, it does.
Um So, while we wait Pete, don't know if this would be good.
The user would tell IT what to implement. Hope that makes sense. Um I It could be good.
>> I think it's not more about, you know, what they tell IT. I think what they need. So, they'll just say, "Hey, I'm using these applications. I need to use them."
Something like that, right? So, then admin will have to add all of those rules and things like that in place.
>> [clears throat] >> All right, I'm going to grab this from the usable settings.
Find the setting here. And this is a publisher cert, I assume. We're not using a file hash.
I think it's MS Edge, isn't it?
I should probably check, otherwise it's not going to work.
>> High in the top then reusable, use the plus sign.
>> High in the top then reusable.
>> Open the request and by the plus sign, you said.
>> MSH actually, yes it is.
Okay. So, I'm going to carry on as I'm going, but I I appreciate that Michael's trying to help.
Um I just don't know where Let me go out of this and apply this to all devices.
So, at least we get one thing happening in the background. But, you're saying in Open the request.
>> Yeah.
>> Open the request. The request, yeah.
Ah, create a rule.
>> Ah, there it is.
>> Just listen to the man. Just >> I know, right?
>> Create a rule with these file details.
That's even better, isn't it? There's a blinking button for it.
Um yeah, thank you for that. Good shout.
Um I think we get this guy on to do the to do the demonstration next time.
>> [laughter] >> Yeah.
I'll handle the chat stuff. Me and Harjit can do the talking. You can just do the demo.
>> That's awesome.
>> All right, we will uh do sync and give us a few seconds.
>> Are we over time?
>> scan the uh the Intune Academy thing. Thank you for that.
Um please uh sign up. We'll be releasing the courses very soon.
>> [sighs and gasps] >> Um synced. Okay.
Let's try running Edge as admin. And I think I did it as automatic approval.
Mm, this is probably going to go in the information we sent to your IT admin.
So, that's not quite ready yet.
Um Okay.
Jumping around a little bit because we have to keep the flow going while we're waiting for Microsoft's speedy um >> How much time do we have?
>> stuff. How much time do we have? I've got all day.
>> [laughter] >> Um >> That's a good one.
>> [laughter] [snorts] >> Yeah. Uh you know, these are scheduled for anywhere between 15 minutes and uh and and 6 hours, I guess.
So.
>> Yeah, I'm trying to think of all the admin account type of things that Microsoft has come up with. Obviously, I brought up Windows LAPS and we got, you know, EPM here and stuff like that. But, there was one other one, wasn't there? Uh maybe a couple of years ago.
Uh admin protection.
Does anyone recall that?
It worked a little differently, but I can't just pinpoint what it was.
>> Admin protection.
>> I believe it was admin protection.
Uh >> Windows admin >> If I type admin protection in Google, I'm not going to get a result that is helpful. So, what kind of admin protection? Intune admin protection?
>> It wasn't Intune admin protection. It was definitely for Windows. Uh >> Is it still there?
Cuz we have account security.
Uh account protection.
>> Is that it?
>> Uh No, that's where LAPS is. No.
>> I think it's account protection. Click on that. Yeah.
>> No, that's Credential Guard and that kind of thing.
Um >> Yeah.
>> Did you know you can do that? I didn't know you can do that on this new settings thing.
It says skip past name. In the previous iteration of the configuration profile >> You couldn't.
>> uh interface, you had to put a name before you could move on. And I just accidentally clicked configure settings before typing a temporary name. You could do that. That's actually a good idea.
um No, I don't know what you're talking about, Harjit. Uh thank you for the question, but I don't know what you're talking about.
>> Yeah.
>> We'll find out for the course.
Uh and Pete, you mentioned that you could do something. Let me go back to your original comment, which was um you could implement this by running as your normal user, Pete, and then request it um from your admin user. So, you can essentially take a machine that you have and uh request elevation for all the apps you want to put into your reusable settings, just request them all, and then use that to build up the policy. That's a good idea, rather than crowdsourcing it from your users.
Um and then you say that you kind of confirm that. That's a good idea.
I think that's a pretty neat way to use it.
um >> Yeah.
>> I think that's pretty neat.
>> So, what to do?
>> Uh well, this was fun.
I've learned a lot.
Uh >> Yeah, me, too.
>> It's uh I wonder if we got the I keep >> But, you know, you you got this done pretty nicely, though, because you know, it's like a new [clears throat] admin or whatever is trying to do this, trying to figure out EPM, and you kind of basically showed the steps right there. And I think it was brilliant, actually, that you went into the VM itself >> [laughter] >> to get the hash and stuff. It's >> Yeah, I it's um doing all this stuff from a Mac is actually pretty pretty difficult, which is why I try to run that cloud PC because most of the time when I'm admining admining?
>> Admining.
>> I guess admining is a word.
Administrating um an environment I will be using a cloud PC for the customer environment rather than my own Mac.
It's just when I do a demonstration or use the lab environments I'm on my own Mac. So it's um it's different, but you do need a Windows PC in order to use all the tools. But uh I would yeah, massive shoutout to all the people who have helped through this.
Uh Michael and then there was one at the top.
>> Yeah, that was the Dez.
>> Uh no, it was Michael again. Honestly, that he he was the one who mentioned the um get file attributes. You're a legend.
Thank you very much.
Um okay.
Let's close this here. Thank you so much to everyone for paying attention. We'll be doing the same again, maybe less hectic because maybe the demo will have worked for you, Yuri, first time, but crucially I'm not going to be involved. So >> [laughter] >> we'll see that tomorrow.
Uh thanks everyone for joining and we'll see you >> later.
>> Cheers.
>> Bye-bye.