Enable Temporary Admin Privileges for Controlled Folder Access via Intune EPM

Prerequisites

  • Licensing: Ensure your tenant has the Intune Endpoint Privilege Management (EPM) add-on license (Intune Suite). EPM isn’t included in the basic Intune Plan 1; it requires a paid add-on.
  • Platform: Devices must be Windows 10/11 (with required updates) and enrolled in Intune.
  • Controlled Folder Access (CFA): Typically CFA (ransomware protection) is already enabled via Intune’s Attack Surface Reduction (ASR) policy. If not, create an ASR policy in Intune to turn on CFA (or Audit mode) and configure protected folders.

1. Configure Intune Attack Surface Reduction policy (Optional)

If CFA is not yet enabled via Intune, create an ASR policy:

  1. In the Intune admin center, go to Endpoint security > Attack surface reduction and click Create policy. This opens the profile creation wizard for ASR rules.
  2. On the Basics page, set Platform = Windows 10 and later, Profile = Attack Surface Reduction Rules, and click Create.
  3. In Configuration settings, set Enable Controlled Folder Access = Enabled (or Audit mode for testing). Add any extra folders to protect if needed. Under Controlled Folder Access Allowed Applications, click Add apps and browse to include any applications you want pre-approved. This pre-populates trusted apps so users don’t have to add them manually. Finish the wizard to deploy the policy.

(The above steps enforce CFA via Intune. If CFA is already on, you can skip straight to EPM configuration.)

2. Enable Endpoint Privilege Management (EPM) in Intune

  1. In the Intune admin center, go to Endpoint security > Endpoint Privilege Management > Policies and click Create Policy.
    • Set Platform = Windows, Profile = Windows elevation settings policy. Give it a descriptive name (e.g., CFA Elevation Settings).
  2. In the Configuration settings of the elevation settings policy:
    • Endpoint Privilege Management: Set to Enabled. This turns on EPM on the device.
    • Default elevation response: Choose one of:
      • Require user confirmation: The user will get a simple UAC-like prompt when requesting elevation. You can optionally add Business justification or Windows authentication requirements to the prompt.
      • Require support approval: The user is prompted to submit a request to IT when an unmatched app is elevated. An admin must approve it in Intune before elevation proceeds.
        For example, setting Require user confirmation lets the user self-elevate (with a prompt/justification) without immediate admin review. Setting Require support approval forces an approval workflow.
  3. Configure Reporting scope as desired (e.g. “Diagnostic data and all endpoint elevations”).
  4. Assign this policy to the user or device groups containing the target machines. Click Review + create to save the policy.

3. (Optional) Create Windows Elevation Rules

You can create specific EPM elevation rules for known executables to allow them elevated access without extra prompts:

  1. In Endpoint Privilege Management > Policies, create a new policy with Profile = Windows elevation rules policy.
  2. Add a rule for the executable you want to elevate. For example:
    • Name: “PowerShell Elevation”
    • File name: e.g. powershell.exe (full path or certificate)
    • Elevation type: User confirmed (or Automatic if fully trusted).
    • (Optional) Add the file hash or publisher certificate to tightly identify the app.
  3. Assign this policy to the same user/device group.

Example: Creating a rule for PowerShell (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) with elevation type User confirmed means users can right-click PowerShell and elevate without requiring an admin approval every time. Similarly, you could target the Windows Security/Defender UI (though as a UWP app it’s harder to target by filename).

4. Adjust Defender and Tamper Settings for Local Changes

  • Local admin merge: In an Intune Defender policy (Endpoint security > Antivirus), ensure Defender local admin merge (DisableLocalAdminMerge) is set to Not configured or No. This allows unique items added by a local admin to merge into the effective policy. By default (Not configured/No), any allowed apps added locally will be included in addition to the Intune-defined list. (If you set DisableLocalAdminMerge = Yes, local changes are ignored.)
  • Tamper Protection: If Tamper Protection is enabled in Defender, it will block local changes to CFA settings. You may need to disable Tamper Protection on the device or use the Defender “Troubleshooting mode” during the change. Microsoft notes: “When tamper protection is turned on, tamper-protected settings can’t be changed… we recommend using [Troubleshooting mode] to temporarily disable tamper protection on the device. After the troubleshooting mode ends, any changes made… are reverted”. In practice, if Tamper Protection is on tenant-wide, you could exclude the target device from Tamper Protection or briefly disable it so the user’s addition takes effect.

5. User Procedure: Elevate to Add Allowed Apps

With the above configured, a standard user can request elevation and add an allowed app:

  1. Run with elevated access: The user locates the application to allow (for example, C:\Program Files\MyApp\app.exe), right-clicks it, and chooses Run with elevated access. (Alternatively, they can right-click PowerShell or Command Prompt in the Start menu and select More > Run with elevated access.) This EPM context-menu action starts the elevation flow.
  2. Approve elevation: Depending on your EPM default settings:
    • If Require user confirmation was chosen, the user will see a prompt (optionally requiring justification or Windows login) and can approve the elevation immediately.
    • If Require support approval was chosen, the user will enter a justification and submit a request. An Intune administrator will receive the request and must approve it in the Intune Elevation requests pane. Upon approval, the process runs elevated.
  3. Add the allowed app: Once elevated, the app or PowerShell can now modify CFA. For example, in the elevated PowerShell session, run:

        Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\app.exe"

    This cmdlet appends the app to the CFA allowed list. (If using a UI, the user can open Windows Security > Virus & threat protection > Manage ransomware protection > Allow an app through Controlled folder access, and add the executable.)

Now the app is trusted by CFA. The elevation lasts for that session (and any child processes) as if the user were a local administrator. After use, the user can simply close the elevated window. If you used support-approved elevation, Intune will automatically revoke the temporary admin access after 24 hours unless re-approved.

6. Alternative: Intune Script for Allowed Apps

If you prefer not to involve the user, an administrator can pre-assign allowed apps via Intune or script:

  • Intune script: Deploy a PowerShell script (as System) that runs Add-MpPreference -ControlledFolderAccessAllowedApplications "<path>" for the needed executables. The script would need to run with admin rights (EPM could elevate it, or Intune can run it as System).
  • MDM CSP: Use the Policy CSP ./Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications to add allowed apps via Intune’s Settings Catalog or custom OMA-URI. This is essentially the same as the ASR policy “Allowed Applications” setting.
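The following script is an added example, not part of the original guide or of Microsoft’s documentation. It wraps the Add-MpPreference call from section 5 (step 3) and the Intune-script variant above in the preflight checks a practitioner wants before touching Defender settings (elevation, Tamper Protection, CFA state, local admin merge), adds only apps that are not already allowed, and verifies the effective list so an Intune script run reports failure with a non-zero exit code. The default app path and the exit codes are placeholders of this example.

```powershell
# Added example: idempotently allow executables through Controlled Folder Access.
# Runs the same way from an EPM-elevated PowerShell session or as an Intune script
# executing as SYSTEM. $AppPaths default is a placeholder; pass your own paths.
param(
    [string[]]$AppPaths = @("C:\Program Files\MyApp\app.exe")
)

# Add-MpPreference needs an elevated token (EPM "Run with elevated access" or SYSTEM).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "This session is not elevated; request elevation via EPM first."
    exit 1
}

# Tamper Protection blocks local CFA changes (section 4); fail early with a clear reason.
if ((Get-MpComputerStatus).IsTamperProtected) {
    Write-Error "Tamper Protection is on; use Defender Troubleshooting mode or exclude this device first."
    exit 2
}

$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
if ($pref.EnableControlledFolderAccess -eq 0) {
    Write-Warning "Controlled Folder Access is disabled here; the allow-list will have no effect."
}
if ($pref.DisableLocalAdminMerge) {
    Write-Warning "DisableLocalAdminMerge is set; locally added apps will be ignored (section 4)."
}

$already = @($pref.ControlledFolderAccessAllowedApplications)
foreach ($path in $AppPaths) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Skipping '$path': file not found."
        continue
    }
    if ($already -contains $path) {
        Write-Output "Already allowed: $path"
        continue
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $path
    Write-Output "Added: $path"
}

# Verify against the effective preference so a silent merge problem is reported to Intune.
$effective = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
$missing = $AppPaths | Where-Object { (Test-Path -LiteralPath $_) -and ($effective -notcontains $_) }
if ($missing) { Write-Error "Not in effective allow-list: $($missing -join ', ')"; exit 3 }
exit 0
```

Run it as `.\Allow-CfaApp.ps1 -AppPaths "C:\Program Files\MyApp\app.exe"` from the elevated session, or deploy it unchanged as an Intune PowerShell script with the paths edited into the default.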

7. Caveats, Risks & Best Practices

  • Least privilege: Granting any elevation (even temporarily) raises risk. Only use EPM for users/tasks you trust. Monitor EPM logs (in Intune) to review who is elevating which apps. Consider setting Default elevation response to User confirmation for lower friction, or Support approval for more control.
  • Tamper and merge: Be aware that disabling Tamper Protection or enabling local merging deviates from Microsoft’s recommended security posture. It may expose settings to tampering or inconsistency. If you relax Tamper Protection or the list-merge settings temporarily, plan to restore them afterwards.
  • Time limits: By design, approved elevations expire. The Intune admin dashboard shows pending and approved requests, and you can convert frequent requests into permanent rules if needed. For example, if a user repeatedly needs one app elevated, create a permanent EPM rule for it (this still requires admin creation).
  • Documentation: For more on EPM configuration, see Microsoft’s Intune docs on EPM policies and Elevation rules (Microsoft Intune documentation). For CFA details, see Customize Controlled Folder Access (PowerShell, CSP, UI options) and Enable CFA via MDM.