πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 2
Domain 2 β€” Module 7 of 10 70%
14 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 2: Manage and Maintain Devices Premium ⏱ ~10 min read

Control Admin Rights with EPM

Endpoint Privilege Management lets standard users run specific apps with elevated permissions β€” without giving them permanent local admin rights. Zero Trust for the desktop.

What is Endpoint Privilege Management?

β˜• Simple explanation

Think of EPM like a bouncer who checks your ID before letting you into the VIP section.

Normally, standard users can’t install software or change system settings β€” they don’t have the β€œVIP pass” (local admin rights). But sometimes they genuinely need to run a specific app that requires admin permissions β€” like a printer driver or a development tool.

EPM lets them request temporary elevation for that specific app. Depending on your policy, it either auto-approves (the bouncer recognises them), asks for a business justification (the bouncer checks the list), or requires a manager’s approval (the bouncer calls upstairs). Once done, they’re back to standard user β€” no permanent admin rights.

Endpoint Privilege Management (EPM) is part of the Microsoft Intune Suite. It allows organisations to remove permanent local admin rights from users while still letting them elevate specific applications when needed. EPM supports three elevation types: automatic, user-confirmed (with justification), and support-approved (requires IT approval).

EPM implements the principle of least privilege by default and provides just-in-time elevation for approved scenarios β€” aligning with Zero Trust principles.

The three elevation types

EPM Elevation Types
FeatureAutomaticUser-ConfirmedSupport-Approved
How it worksApp elevates silently β€” no user interactionUser provides a business justification before elevationUser requests elevation, IT admin approves or denies
User experienceSeamless β€” like having admin rights for that appPrompt appears asking why they need itRequest submitted β†’ wait for approval β†’ then run
IT involvementNone (policy-driven)None (justification logged but not reviewed)Yes β€” admin reviews and approves each request
Best forKnown-safe apps that always need elevationApps that sometimes need elevation β€” audit trail neededSensitive apps where IT must explicitly approve each use
ExamplePrinter driver installerDeveloper tool that occasionally needs adminSoftware that modifies system settings
Security levelLowest (most permissive)MediumHighest (most restrictive)

How EPM works

Step 1: Remove local admin rights

Use Intune’s Account Protection policy (from Module 7) to remove users from the local Administrators group. Now they’re standard users.

Step 2: Create elevation rules

In Intune admin center β†’ Endpoint security β†’ Endpoint Privilege Management:

Rule SettingWhat It Controls
File nameWhich executable can be elevated (e.g., setup.exe)
File pathWhere the file lives (e.g., C:\Tools\)
File hashSHA-256 hash of the specific file version
CertificatePublisher certificate that signed the file
Elevation typeAutomatic, user-confirmed, or support-approved
Child process behaviourWhether child processes also run elevated

Step 3: Assign to groups

Target the elevation policy to device or user groups β€” just like any other Intune policy.

Real-world example: Chen Wei at Meridian Bank

AppElevation TypeWhy
Approved printer driversAutomaticIT has verified these drivers β€” safe to auto-elevate
Visual Studio (developer team)User-confirmedDevelopers need it daily, but log the justification for audit
Legacy banking app installerSupport-approvedOnly IT should approve installs of this sensitive financial software
Unknown/unsigned executablesBlocked (default behaviour)Standard users can’t elevate anything not in the EPM policy
πŸ’‘ Exam tip: EPM requires Intune Suite

EPM is part of the Microsoft Intune Suite β€” it’s an add-on licence, not included in standard Intune. The exam may test this:

  • Intune Plan 1 (included in M365 E3/E5) β†’ standard Intune features
  • Intune Suite (add-on) β†’ EPM, Remote Help, Advanced Analytics, Tunnel for MAM, Cloud PKI, Enterprise App Catalog

If a question asks β€œwhat licence is needed for EPM?” β€” the answer is Intune Suite (or Intune Plan 2, which includes the Suite).

ℹ️ Deep dive: EPM reporting and audit

Every elevation event is logged and reportable:

  • Who elevated (user account)
  • What was elevated (file name, hash, path)
  • When the elevation occurred
  • Why (business justification for user-confirmed elevations)
  • Approval details (for support-approved elevations)

Chen Wei uses these reports for compliance audits β€” the banking regulator wants evidence that admin rights are controlled and justified. EPM’s built-in reporting provides this without additional tools.

🎬 Video walkthrough

🎬 Video coming soon

Control Admin Rights with EPM β€” MD-102 Module 14

Control Admin Rights with EPM β€” MD-102 Module 14

~10 min

Flashcards

Question

What are the three EPM elevation types?

Click or press Enter to reveal answer

Answer

1. Automatic β€” app elevates silently, no user interaction. 2. User-confirmed β€” user provides a business justification before elevation. 3. Support-approved β€” user requests, IT admin must approve before elevation occurs.

Click to flip back
Question

What licence is required for Endpoint Privilege Management?

Click or press Enter to reveal answer

Answer

EPM requires the Microsoft Intune Suite add-on licence (or Intune Plan 2). It's not included in standard Intune Plan 1 that comes with M365 E3/E5.

Click to flip back
Question

How does EPM identify which apps can be elevated?

Click or press Enter to reveal answer

Answer

EPM rules can match apps by file name, file path, SHA-256 hash, or publisher certificate. Multiple criteria can be combined for precise targeting. File hash is the most specific; certificate is the broadest.

Click to flip back

Knowledge Check

Knowledge Check

Chen Wei removed all users from the local Administrators group at Meridian Bank. Now a developer can't install Visual Studio updates β€” they require admin rights. The developer needs this daily. What's the best EPM approach?
Knowledge Check

A user at Meridian Bank tries to run an unsigned executable they downloaded from the internet. EPM is configured but there's no rule for this file. What happens?

Next up: Intune Suite: Apps, Analytics & Remote Help β€” the Enterprise App Catalog, Advanced Analytics, and Remote Help capabilities.

← Previous

Config Profiles: Android, iOS & macOS

Next β†’

Intune Suite: Apps, Analytics & Remote Help

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.