When I first started with Intune, this series was what I began watching to kick it off. This specific video marks a first, though. I am actually on top of the feature (EPM / Intune Suite) that you cover prior to the video coming out! It only took 13 months hehe.
Was glad to hear about TS edit / read only :D haha. Gave EPM a test drive already, but could not get user groups assigned to say a set of apps I wanted to elevate for them e.g regedit, taskmgt, etc, for service desk or field staff. For their regular user account these could run elveated, but all rulles say - ALL USERS on the device...
PLEASE PLEASE PLEASE give us an option on the base setting rule to allow for a business justification that does not auto elevate after a justification has been put in. Then throw those requests into a separate pane in EPM that us admins can review & create rules to allow once we've vetted the software. Another wish is to have an option when setting up a rule to post a toast notification saying the app has elevated. Keep up the good work.
Congrats on the promotion Adam, finally a job where no one knows what you do 😉. And where's the poll that Matt was going to put up, because I do agree, the default should be cancel when viewing from a security point of view! It certainly is an interesting tool and we are just in the process of looking for a tool like this as we want to start removing local admin. At least we now have a tool that can tell us how many people run something with their local admin account and how often. We can finally get an objective picture of how big our challenge will be. 😀 Also curious about what 8 seconds got removed from the video 😇
Tested this feature, it's very nice and welcome. The only thing I see at this moment is that it has no relation with WDAC policies, so we have also to do whitelisting on WDAC, because it's blocked in our WDAC policy. Or it's maybe exactly what WDAC does :-)
Question, when the business justification is entered, where do you set who that justification goes to and where is it presented? Email or in Intune? EPM should also have Elevated Uninstall Access,. I've discovered that If you have Device Monitoring Deployed, you will need to exclude your EPM device from Device Monitoring or you would get an error in "Allow Device Monitoring" within your elevation policy.
Thanks guys. Great presentation. One question for Matt: on Assignment would it be better "Assigned to users groups or Devices groups"? or what difference does it have between assigned to users or devices group?
This is very good, question not sure if someone asked or not. When a request will be sent to support for application approval. Will we have approval window for support? like if they respond in 2 hours then ok otherwise request will be expire.
There is no filtering so no capability to use a USER group if you also have BYOD in your enterprise and only want this policy to affect Corporate devices....or does EPM simply not run on BYOD enrolled devices?
When I first started with Intune, this series was what I began watching to kick it off. This specific video marks a first, though. I am actually on top of the feature (EPM / Intune Suite) that you cover prior to the video coming out! It only took 13 months hehe.
Great stuff. Very detailed video. Thank you. Great job everyone.
good video, when kept to the technical aspects.
I am really looking forward to this, it will be a big help.
Was glad to hear about TS edit / read only :D haha. Gave EPM a test drive already, but could not get user groups assigned to say a set of apps I wanted to elevate for them e.g regedit, taskmgt, etc, for service desk or field staff. For their regular user account these could run elveated, but all rulles say - ALL USERS on the device...
PLEASE PLEASE PLEASE give us an option on the base setting rule to allow for a business justification that does not auto elevate after a justification has been put in. Then throw those requests into a separate pane in EPM that us admins can review & create rules to allow once we've vetted the software. Another wish is to have an option when setting up a rule to post a toast notification saying the app has elevated. Keep up the good work.
Congrats on the promotion Adam, finally a job where no one knows what you do 😉. And where's the poll that Matt was going to put up, because I do agree, the default should be cancel when viewing from a security point of view!
It certainly is an interesting tool and we are just in the process of looking for a tool like this as we want to start removing local admin. At least we now have a tool that can tell us how many people run something with their local admin account and how often. We can finally get an objective picture of how big our challenge will be. 😀
Also curious about what 8 seconds got removed from the video 😇
Tested this feature, it's very nice and welcome. The only thing I see at this moment is that it has no relation with WDAC policies, so we have also to do whitelisting on WDAC, because it's blocked in our WDAC policy. Or it's maybe exactly what WDAC does :-)
🔥🔥🔥
Question, when the business justification is entered, where do you set who that justification goes to and where is it presented? Email or in Intune? EPM should also have Elevated Uninstall Access,. I've discovered that If you have Device Monitoring Deployed, you will need to exclude your EPM device from Device Monitoring or you would get an error in "Allow Device Monitoring" within your elevation policy.
Haven't played around with it yet, but I would assume, from what I've seen, that it would go in the reporting in the EPM blade. Is that not the case?
Thanks guys. Great presentation. One question for Matt: on Assignment would it be better "Assigned to users groups or Devices groups"? or what difference does it have between assigned to users or devices group?
Signatures are really cool. Cries in 3CX and d3dcompiler_47.dll
Is Microsoft planning to include MacOS devices for their EPM at some point?
This is very good, question not sure if someone asked or not. When a request will be sent to support for application approval. Will we have approval window for support? like if they respond in 2 hours then ok otherwise request will be expire.
Does anyone know how User vs Device based context will work? If i assign Users, will it apply to any enrolled device device the user signs into?
There is no filtering so no capability to use a USER group if you also have BYOD in your enterprise and only want this policy to affect Corporate devices....or does EPM simply not run on BYOD enrolled devices?
EPM is only supported on HAADJ or AADJ enrolled devices. WPJ is not supported which i'd assume your BYOD devices are.
Does Windows Authentication work with Windows Hello for Business?
Yes it does
Is there a particular sku that we ask for if we want EPM licensing only?
Options are listed here: www.microsoft.com/en-us/security/business/microsoft-intune-pricing
@@IntuneTraining Its to expensive, 10$ pr user pr month is nuts, thats on top of the E5 license, at least thats what we have been told.
Hi @ADAM
Stick to the content and stay on point - there is too much deviation from the main topic - its really tiring to follow the side banter