Deny, Deny, Deny! A Look at EPM’s Newest Superpower

Intune EPM deny rules

In today’s ever-evolving threat landscape…
Just kidding. I’ve always wanted to start a blog post like that. Now that we’ve got the dramatic intro out of the way, let’s talk about something actually exciting: Endpoint Privilege Management (EPM) just got a shiny new feature, Deny Rules!

Yes, you read that right. We can now block certain applications from being elevated, whether by hash, publisher, or even specific versions.

What Is EPM Again?

In simple terms, EPM lets standard users run certain apps with elevated privileges without making them local admins. This is great for anyone who’s worked in, say, a large hospital (guilty), where you find out doctors are local admins… because some obscure app from 2009 needs it to run. Those same machines? Almost always behind on patches and riddled with odd errors. Coincidence? I think not.

Quick Setup Recap: Getting EPM Running

Before you jump in, make sure you check off those prerequisites.

  • Licensing: EPM is an add-on feature to Intune (part of the Microsoft Intune Suite). Make sure your tenant has EPM licenses enabled, either via the Intune Suite or standalone EPM add-on.
  • Supported OS Versions: Endpoint Privilege Management requires recent Windows 10 or 11 builds with specific updates.
  • Device Join Status: Devices must be Entra ID (formerly Azure AD) joined or hybrid joined.
  • Administrative Roles: To configure EPM in Intune, your account needs appropriate permissions. Intune has a built-in role called Endpoint Privilege Manager (or you can use Endpoint Security Manager) which includes rights to create and assign EPM policies.

Turning on EPM

Head to Intune > Endpoint Security > Endpoint Privilege Management > Policies, then create a new one.

Pick Platform: Windows, and Profile: Elevation settings policy. Hit Create.

Key settings:

  • Enable EPM – This silently installs the EPM agent on the device (you’ll see it pop up in C:\Program Files\Microsoft EPM Agent).
  • Default elevation response – This setting is critical – it defines what happens when a user attempts to run any file with elevated access that doesn’t have a specific rule defined. In other words, it’s the default behavior for unmanaged elevation requests. You have a few choices here, but I prefer the Require Support Approval option. I’ll explain why in the next step.
  • Reporting – Keep this enabled to track who’s doing what. Because let’s face it, everyone loves logs.

Creating Elevation Rules (a.k.a. The Fun Part)

Now there are a few ways to create rules, and I’ll usually choose the easy way.

The “Lazy” Way – From the Request Panel

Let’s say a user tries to install VLC Player. Since they’re not an admin, they can right-click and choose Run with Elevated Access.

What this does is it gives us the option to request permissions.

From there, you get a request in Intune. You can:

  • Approve or Deny the request
  • Or, create a rule so it’s allowed in the future

Personally, I like setting these to User-confirmed so I get a little note from the user, “Installing VLC for medical… research.” This is also tracked in reporting.

The “Power User” Way – PowerShell Magic

Once the EPM agent is installed, you can break out PowerShell:

Import-Module 'C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll'
Get-FileAttributes -FilePath <Path to file> -CertOutPutPath <Output path>

This gives you all the ingredients to whip up a manual rule file hash, publisher cert, and more. Magical stuff.

Now… The Deny Rule

Finally, the moment I’ve been waiting for. Deny rules are here, and they are beautiful.

Here’s the scenario: A user requests elevation to run something sketchy. Your support team, bless them, just hits “Approve.” Now that sketchy app is running with admin rights and your stress level is running at 100%.

With deny rules, we can stop that from ever happening. Even if someone accidentally approves a bad app, you can have a Deny Rule in place that blocks that specific hash or version.

The approver could Analyze the hash with Security Copilot if that were being used. More on that in a later blog post.

Let’s take Notepad++ as an example. Maybe one version is okay, but another one has known vulnerabilities. You can create a rule to deny that specific version by hash.

Now if I attempt to elevate that file, with hash I get denied.

Wrap-Up: Less Admin Drama, More Control

This new deny rule feature is a game changer. It closes one of the last big gaps in EPM by letting you say “no” to known-bad software proactively. Reducing your attack surface.

Dustin Gullett
Dustin Gullett

Dustin Gullett is a Microsoft MVP focused on Microsoft Security, Intune, Entra ID, and Zero Trust architecture. He writes practical guides for admins deploying Microsoft security tools in the real world.

Articles: 38