Update

Support for user account context in Endpoint Privilege Management Elevation Rules

Week of October 20, 2025 (Service release 2510)

Microsoft Intune Suite
Support for user account context in Endpoint Privilege Management Elevation Rules
Endpoint Privilege Management (EPM) has a new option for elevation rules that runs the elevated file using the user’s context instead of a virtual account. The option is Elevate as current user.

With the Elevate as current user elevation type, files or processes that are elevated run under the signed-in user's own account, rather than a virtual account. This preserves the user's profile paths, environment variables, and personalized settings, helping to ensure that installers and tools that rely on the active user profile function correctly. Because the elevated process maintains the same user identity before and after elevation, audit trails remain consistent and accurate. Prior to elevation, the user is required to enter their credentials for Windows Authentication. This process supports multifactor authentication (MFA) for enhanced security.

Endpoint Privilege Management Dashboard for user readiness and elevation trends
You can now use an Endpoint Privilege Management (EPM) dashboard that presents insights about file elevations and trends in your organization and helps identify users who might be ready to run as standard users instead of with local admin permissions.

Insights provided by the dashboard include:

  • Users who have only unmanaged file elevations
  • Users who have both managed and unmanaged file elevations
  • Users who have only managed elevations
  • Frequently unmanaged elevations
  • Frequently approved by support
  • Frequently denied elevations

Device configuration
System Info property available in properties catalog for device inventory
You can create a properties catalog policy that lets you collect and view hardware properties from your managed Windows devices. There's a System Info category that shows system-level device insights, like OS version, hardware details, and configuration state.

Applies to:

  • Windows

New settings available in the Android Enterprise settings catalog
There are new settings in the Android settings catalog. To create a new settings catalog policy and see these settings in the Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type.

  • Wi-Fi Direct
    General > Block Wi-Fi Direct: If True, this setting blocks Wi-Fi Direct. Wi-Fi Direct is a direct, peer-to-peer connection between devices using Wi-Fi frequencies. If False, Intune doesn't change or update this setting. By default, the OS might allow Wi-Fi Direct.

Applies to:

  • Android Enterprise corporate-owned devices with a work profile (COPE)
  • Android Enterprise corporate-owned fully managed (COBO)
  • Android Enterprise corporate-owned dedicated devices (COSU)

  • Hide organization name
    The General > Hide organization name setting supports corporate-owned single-use dedicated devices. Previously, this setting was only supported on corporate-owned devices with a work profile and corporate-owned fully managed devices.
  • Some settings that were only available in Templates are available in the settings catalog.

General:

  • Allow copy and paste between work and personal profiles
  • Allow network escape hatch
  • Allow USB storage
  • Block access to status bar
  • Block date and time changes
  • Block location
  • Block microphone adjustment
  • Block mounting of external media
  • Block notification windows
  • Block screen capture (work profile-level)
  • Block Wi-Fi setting changes

The settings catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring settings catalog profiles in Intune, see Create a policy using settings catalog.

Applies to:

  • Android Enterprise

Version: Service release 2510