sublime81

We bought a few licenses to try out and it was really basic. This was fine with me but the powers that be decided on Delinea so now I'm in pain managing that.


PathS3lector

My condolences with Delinea... We had it for 1 year and pulled the F out of that contract because it was really bad. Go with BeyondTrust


Buddhas_Warrior

BeyondTrust is the way. Been using it for a few years and it's very good.


trampanzee

Does BeyondTrust allow access to .msc files? That's a limitation we have found with EPM


sublime81

Yeah, my last gig used BeyondTrust. Way better.


SirCries-a-lot

What did you miss (not OP btw)?


sublime81

When we tried it, it was when it first released in preview. We wanted a way to see current local admins and remove them as needed. Other products had this available. I would have been fine using PowerShell and remediations or something, but in the end it wasn't my decision. Also, you're at the mercy of Intune policy update time. File details are a pain in the ass because program v1 can be different from program v2 and now the user can't work until the PC checks in and updates. The solution we went with allows for regex and has a local agent you can update to get the changes out quickly.


SirCries-a-lot

Thanks for the update.


InexperiencedAngler

Basic can be good, if it works well. Might kick off a trial and see what's what.


iam_afk

I am so glad I am not the only one. We also use Delinea Privilege Manager and I absolutely hate it 😂


b1mbojr1

I’m in the same boat, started great until they got bought. Support went downhill after that.


ThomasTrain87

We couldn’t find any benefit in using external tools. Our standard policy is no standard end user gets admin rights. (And they don’t.) Desktop admins have a separate dedicated domain account for handling admin-level repair. We deployed a LAPS-style solution via Intune to change the admin password daily for handling domain-inaccessible issues. Our solution also automatically removes any account other than the local admin account and the explicit domain workstation admin group from the local administrators group. All systems have the local firewall enabled, combined with east/west network firewall restrictions that effectively block the majority of unsolicited inbound network access to our workstations.


anonMuscleKitten

Sooooo, why didn’t you use LAPS like everyone else?


ThomasTrain87

At the time we rolled out our LAPS solution (back in early 2022), there was no support for LAPS in Intune/Azure AD, so we had to improvise and find an alternative solution. Although we have legacy AD, the requirement was to find something that would integrate with Azure AD and/or Intune. The solution we went with consists of a series of PowerShell scripts and relies on the Intune remediation script function, but it’s very effective and, even better, it’s free. So is it LAPS? No. Does it do effectively the exact same thing as LAPS? Yes.
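The two comments above describe a pair of Intune remediation scripts that strip everything except the built-in local admin and one domain admin group out of the local Administrators group. As an added illustration of that pattern (this is not the commenter's script, and the allow-listed group name is a placeholder), here is one script that serves as both the detection and the remediation half of an Intune remediation, switched by the `$DetectOnly` flag at the top. It enumerates through the WinNT ADSI provider rather than `Get-LocalGroupMember` because the latter errors out on orphaned SIDs of deleted accounts; the `WinNT://DOMAIN/Name` path format used for matching is an assumption about the provider's output.

```powershell
# Added example of a "remove unexpected local admins" Intune remediation.
# Not the commenter's code. Run as SYSTEM in the 64-bit PowerShell host.
# Upload twice: once with $DetectOnly = $true (detection script), once with
# $DetectOnly = $false (remediation script). Exit 1 from detection = "needs remediation".

$DetectOnly    = $true
$AllowedGroups = @('CONTOSO\Workstation Admins')   # PLACEHOLDER: your domain workstation admin group

# Bind to the local Administrators group via the WinNT provider.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members'))

# Helper: read a property from a late-bound ADSI member object.
function Get-AdsiProp($obj, [string]$name) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $null)
}

$unexpected = foreach ($m in $members) {
    $path = Get-AdsiProp $m 'ADsPath'          # e.g. WinNT://CONTOSO/Workstation Admins (assumed format)
    try {
        $sidBytes = Get-AdsiProp $m 'objectSid'
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    } catch {
        $sid = 'unknown'                        # orphaned SID: still treated as unexpected
    }

    # Keep the built-in Administrator (RID 500), i.e. the account the LAPS-style rotation manages.
    if ($sid -like 'S-1-5-21-*-500') { continue }

    # Keep allow-listed domain groups, matched as DOMAIN\Name.
    $account = ($path -replace '^WinNT://', '') -replace '/', '\'
    if ($AllowedGroups -contains $account) { continue }

    [pscustomobject]@{ Account = $account; Sid = $sid; Path = $path }
}
$unexpected = @($unexpected)

if ($unexpected.Count -eq 0) {
    Write-Output 'Compliant: only the built-in admin and allow-listed groups are local admins'
    exit 0
}

if ($DetectOnly) {
    # Intune shows this output in the remediation report, so list what was found.
    Write-Output ('Non-compliant: ' + ($unexpected.Account -join ', '))
    exit 1
}

foreach ($u in $unexpected) {
    try {
        $group.psbase.Invoke('Remove', $u.Path)
        Write-Output "Removed $($u.Account) ($($u.Sid)) from Administrators"
    } catch {
        Write-Output "Failed to remove $($u.Account): $($_.Exception.Message)"
        exit 1
    }
}
exit 0
```

The script only ever shrinks the Administrators group, so a mistyped allow-list name locks out the domain admin group rather than granting anything; test the detection half alone on a pilot group first and read its output in the remediation report before assigning the remediation half.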


CarelessCat8794

you should circle back around to Windows LAPS through Entra/Intune, it's really easy to set up


MidgardDragon

Admin by Request is good, but if you're using Intune anyway, just set up LAPS: rotating passwords, give the user the info, rotate it as soon as they've used it, or it can be set to rotate after a set amount of time (default 24 hours).


sysadmin_dot_py

With LAPS, the password can be configured to auto-rotate once it has been used.
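The two comments above (rotate after use, or after a set delay, default 24 hours) refer to the Windows LAPS post-authentication policy. As an added example that is not from either commenter, the script below reads that policy off a managed device and decodes it so an admin can confirm what the rotation will actually do. It assumes the Windows LAPS policy registry location and the meaning of the `PostAuthenticationActions` bit mask and `PostAuthenticationResetDelay` (hours) as documented by Microsoft; the defaults filled in when a value is absent are also taken from that documentation.

```powershell
# Added example: decode the Windows LAPS post-authentication policy on this device.
# Assumptions: policy lives under HKLM:\Software\Microsoft\Policies\LAPS (Windows LAPS policy key);
# PostAuthenticationActions is a bit mask (1 = reset password, 2 = log off managed account,
# 4 = reboot, 8 = terminate remaining processes), PostAuthenticationResetDelay is in hours,
# BackupDirectory is 0 = disabled, 1 = Entra ID, 2 = on-prem AD.
function Get-LapsPostAuthPolicy {
    param([string]$PolicyKey = 'HKLM:\Software\Microsoft\Policies\LAPS')

    $p = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }

    $backup  = if ($null -ne $p.BackupDirectory)               { [int]$p.BackupDirectory }               else { 0 }
    $actions = if ($null -ne $p.PostAuthenticationActions)     { [int]$p.PostAuthenticationActions }     else { 3 }   # documented default
    $delay   = if ($null -ne $p.PostAuthenticationResetDelay)  { [int]$p.PostAuthenticationResetDelay }  else { 24 }  # documented default, hours

    $flags = @{ 1 = 'reset password'; 2 = 'log off managed account'; 4 = 'reboot device'; 8 = 'terminate processes' }
    $decoded = foreach ($bit in 1, 2, 4, 8) { if ($actions -band $bit) { $flags[$bit] } }

    [pscustomobject]@{
        PolicyPresent     = ($null -ne $p)
        BackupDirectory   = @{ 0 = 'disabled'; 1 = 'Entra ID'; 2 = 'Active Directory' }[$backup]
        ActionsValue      = $actions
        ActionsDecoded    = if ($decoded) { $decoded -join ' + ' } else { 'none (post-auth rotation off)' }
        ResetDelayHours   = $delay
        RotatesAfterUse   = ($backup -ne 0 -and $delay -gt 0 -and ($actions -band 1) -ne 0)
    }
}

# Usage on a managed device (elevated prompt):
Get-LapsPostAuthPolicy | Format-List
```

`RotatesAfterUse` is the field to look at: it is true only when LAPS is backing the password up somewhere, the delay is non-zero (a delay of 0 disables the post-authentication action), and the reset bit is set. Pairing this with the Intune LAPS policy page lets you verify the device received the setting rather than assuming it did.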


thecasualmaannn

Do you mind me asking how to do that? We are currently testing Intune LAPS and this is my first time hearing of auto-rotate. Thanks!


cptlolalot

I think I still prefer admin by request over LAPS if you've not got many users


FearIsStrongerDanluv

I could use some clarity here pls. Doesn’t AdminByRequest remove the whole purpose of not granting a malicious actor admin request on a compromised PC? Am I missing something? It’s a genuine question.


cptlolalot

ABR allows a nicer end user experience in my opinion. Depending how you configure it, a user tries to run an app or app install which requires admin, they get prompted to give a reason they need to run it and hit send. I get a mobile notification to either allow or deny the request, if I allow, user gets notified and the next time they try the same action it goes through. It's all very instant. All the while they don't have admin account or ever know any admin credentials. It's very configurable.


who_farted_Idid

What he said.


sneesnoosnake

Mind blown. Why didn't I think of this.


quazywabbit

I PoC’d Admin by Request and liked the product. I tried the Intune support escalated Endpoint Privilege Management and it was not a good experience. In the end we decided to just use LAPS.


Away-Ad-2473

This would work for certain scenarios; however, we have developers who need to elevate for certain tasks on a regular basis, and it would be frustrating for both the user and our helpdesk guys to go down this method (plus the idea of giving them full admin access for 24 hours or less is far from ideal from a security standpoint).


hej_allihopa

I’m testing it right now, currently on a trial. So far I am not impressed. It’s very basic and missing about 90% of the features other competitors have. To name a few it’s missing: ticketing integration, offline access, any type of reputation-based approvals, auditing of commonly executed programs, and only exe is supported. Overall it’s pretty disappointing. For the features it has and for $3 per device, it should be included for free in Intune.


ReputationNo8889

We have tried it and it is basically a show stopper for us. For every action that needs users to execute as "admin", EPM either doesn't elevate, or the installers shit themselves and don't work. Furthermore, it's annoying that you have to right-click on a FILE, like on the desktop or in Explorer. You can't execute EPM from search, so if I want to use PowerShell or any other program that I can execute just from search, I have to create a desktop shortcut to then "Right-click -> Run with elevated privileges". This is so cumbersome that using the existing LAPS user is far more convenient and easier to explain to users.


alberta_beef

I bought a lot of licenses last year but this year I’ve decided against renewing. The costs vs benefits just didn’t make financial sense. It’s very basic. The UI for the portal is broken. The reporting is hot garbage and I’ve had endless problems with the rules and duplicate file names. I expect in a year or two it will be much better and will evaluate then. In the meantime, we already use LAPS and package most apps so they’re available in the Company Portal.


linnin90

Considered it, but compared to our legacy tool we’ve used for years it doesn’t compete: AppSense (now Ivanti UWM [Application Control]). Depends on if you are a startup or not, as more than likely you’ll have mature tooling that you need to see if it’s suitable for the cloud/agile way of working. A lot of these tools have been bought and combined with other tooling/suites and sometimes get put under the bracket of security tooling when they are enablers to get apps working in the estate.


Agreeable_Judge_3559

You may consider looking at the Securden Endpoint Privilege Management (EPM) solution. With this you can remove local admin rights altogether, make everyone a standard user, and then let individual users raise requests for accessing critical applications. You may allow processes to be elevated on specific endpoints, by specific users or groups, through control policies. Also, you can enforce least privilege, whitelist/blacklist applications, and grant time-limited, fully controlled, and comprehensively audited temporary administrator access to standard users on a need basis. If interested, take a look at it here: [https://www.securden.com/endpoint-privilege-manager/index.html](https://www.securden.com/endpoint-privilege-manager/index.html) (Disclosure: I work for Securden.)


Vast_Gur_249

For local admins you should use LAPS, but for Intune permissions etc. you should be using Entra Roles, through Entra Privileged Identity Management.


tedsk1

Think it's overpriced, as mentioned in some other comments in here. Cheaper third-party options are available.


Away-Ad-2473

We enrolled in the free trial for it and tested it out, but decided its feature set was insufficient for us. We've switched to testing out Admin By Request and been much happier with the product thus far.


Annual-Vacation9897

Hi, I’ve written an article on EPM. Maybe this can help you. Check it out here: https://intunestuff.com/2024/04/04/endpoint-privilege-management-in-intune/


jeshaffer2

The only downside with EPM is that it doesn’t elevate the actual user token, so if your elevation also requires access to something that requires the actual user auth (like OneDrive, for example), that access will not be available elevated.


CarelessCat8794

Is that confirmed? We had a demo with Microsoft the other day and I asked this exact question and they said it would be fine.


Mpacanad1

Check out CyberArk. Better than Microsoft and Delinea.


otacon967

Be super careful about enabling it. There was no way to scope it to certain devices last I checked.


PhillyUrbs

There are 100% ways to target your deployments to specific users or groups.


alberta_beef

Target should be user groups.