4.1 Endpoint Privilege Management and Enterprise App Catalog
Key Takeaways
- Endpoint Privilege Management is the Intune Suite capability that lets standard users complete approved elevated tasks without granting standing local administrator rights.
- A Windows elevation settings policy enables EPM, defines the default response for unmatched elevation requests, and controls elevation reporting back to Intune.
- Use Deny all requests or Require support approval as the safest default response; broad user confirmation can allow unmatched files to elevate.
- Enterprise App Management provides the Enterprise App Catalog, a Microsoft-hosted catalog of prepared Win32 apps with prefilled install, uninstall, detection, and requirement settings.
- Enterprise App Catalog updates are not applied automatically; admins create a new app version and use supersedence when a catalog update should replace an older deployment.
Why this matters
The MD-102 exam tests Intune Suite as an operating model, not as a list of add-ons. You should be able to choose the feature that removes a support bottleneck without weakening endpoint security. Endpoint Privilege Management (EPM) and Enterprise App Management are the two Intune Suite features most likely to appear in least-privilege and app-lifecycle scenarios.
EPM is for controlled elevation. Enterprise App Management is for app discovery, deployment, and update maintenance from the Enterprise App Catalog. Neither feature replaces planning. EPM still needs tight rules and reporting. Enterprise App Catalog apps still need assignments, detection review, vendor licensing, and update control.
What to use when
| Operational need | Use | Admin action | Watch for |
|---|---|---|---|
| Users need one approved tool to run elevated | Endpoint Privilege Management | Enable EPM with a Windows elevation settings policy, then create an elevation rules policy for the file or script | Do not make the user a local administrator just to solve one installer or support tool |
| Unknown elevation requests need help desk review | EPM support-approved elevation | Set the default response to Require support approval or create support-approved rules | Scope the reviewer role and collect business justification where useful |
| A known trusted app must elevate without user prompts | EPM automatic elevation | Create a narrowly matched elevation rule with strong file evidence | Use rarely; weak matching can elevate the wrong binary |
| Admins need common third-party Win32 apps with less packaging work | Enterprise App Catalog | Add a catalog app, review prefilled install and detection settings, then assign it | Microsoft prepares catalog metadata, but the customer still owns app approval and licensing |
| A catalog app has a newer version | Enterprise App Management update workflow | Create a new app from the available update and configure supersedence | Updates are surfaced in Intune but are not automatically deployed |
Endpoint Privilege Management workflow
EPM starts with a Windows elevation settings policy. This policy turns EPM on for the target users or devices, defines how unmatched elevation requests behave, and determines what elevation data is reported. In the Intune admin center, this lives under Endpoint security > Endpoint Privilege Management > Policies.
After settings are in place, create elevation rules policies for specific files or scripts. A rule identifies what can run elevated and how that elevation happens. The exam often gives you a business need and asks which EPM behavior fits.
| EPM decision | Meaning | Best-fit scenario |
|---|---|---|
| Deny | Do not allow the matched file to elevate through EPM | Block a risky installer or unknown tool |
| Support approved | A helper or admin must approve the request before elevation | A rare tool is needed, but IT wants review before allowing it |
| User confirmed | The user confirms intent, optionally with business justification or Windows authentication | Low-risk self-service elevation with audit context |
| Automatic | The file runs elevated without a prompt | Highly trusted, business-critical software with strong rule matching |
A common exam trap is confusing EPM with Windows Local Administrator Password Solution (Windows LAPS). EPM grants temporary process elevation for standard users. Windows LAPS manages local administrator account passwords. Local group management controls who belongs to local groups. If the scenario says users should remain standard users while one approved process elevates, choose EPM.
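The decision table above, as an added example that is not part of the original guide: a small Python model of how an elevation request is resolved against elevation rules and the settings-policy default response, plus a check that flags automatic rules relying on weak evidence. The rule attribute names, the sample rules and the hash values are assumptions for illustration; Intune's real rule schema is not reproduced here.

```python
# Added illustration of how an EPM elevation request is resolved. This is a simplified
# model, not Intune's own code or API: rule attributes and sample values are assumptions.
from dataclasses import dataclass
from typing import Optional

STRONG = {"hash", "publisher"}  # evidence types that pin a rule to a specific binary


@dataclass(frozen=True)
class ElevationRequest:
    file_name: str
    sha256: str
    publisher: Optional[str] = None  # subject of the Authenticode signer, if signed


@dataclass(frozen=True)
class ElevationRule:
    name: str
    elevation_type: str  # deny | support_approved | user_confirmed | automatic
    file_name: Optional[str] = None
    sha256: Optional[str] = None
    publisher: Optional[str] = None

    def evidence(self) -> set:
        """Which evidence types this rule actually uses."""
        pairs = (("name", self.file_name), ("hash", self.sha256), ("publisher", self.publisher))
        return {kind for kind, value in pairs if value}

    def matches(self, req: ElevationRequest) -> bool:
        """Every attribute the rule specifies must match; unspecified attributes are wildcards."""
        return (
            (self.file_name is None or self.file_name.lower() == req.file_name.lower())
            and (self.sha256 is None or self.sha256.lower() == req.sha256.lower())
            and (self.publisher is None or self.publisher == req.publisher)
        )


def resolve(req: ElevationRequest, rules: list, default_response: str):
    """First matching rule decides; an unmatched request gets the settings-policy default."""
    for rule in rules:
        if rule.matches(req):
            return rule.elevation_type, rule.name
    return default_response, None


def weak_automatic_rules(rules: list) -> list:
    """Names of automatic rules that rely on file name only and should be tightened."""
    return [r.name for r in rules if r.elevation_type == "automatic" and not (r.evidence() & STRONG)]


# Constructed sample rules; the hash is a placeholder, not a real binary's digest.
RULES = [
    ElevationRule("LOB installer", "support_approved", file_name="lobsetup.exe",
                  sha256="ab" * 32, publisher="CN=Contoso Ltd"),
    ElevationRule("Monitoring agent", "automatic", file_name="agent.exe"),  # name only: weak
]
```

A request whose hash no longer matches the rule falls through to the default response, which is why a Deny or Require support approval default is the safer choice.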
Enterprise App Catalog workflow
The Enterprise App Catalog is a catalog of prepared Microsoft and non-Microsoft Win32 applications hosted for Intune deployment. When you add a catalog app, Intune prepopulates many fields that would normally require packaging effort, including install and uninstall commands, return codes, restart behavior, requirements, and detection rules.
Do not treat the catalog as an autopatch service for every app. For self-updating apps, Intune can check that the detected version meets a minimum version while the vendor updater performs the update. For non-self-updating apps, Intune shows available updates, and the admin creates a new app version with a supersedence relationship.
Exam scenario pattern
When a question mentions local admin rights, approved elevation, or support review, think EPM. When it mentions a curated catalog of common Win32 apps, reduced packaging, prefilled detection rules, or catalog updates with supersedence, think Enterprise App Management. When it mentions app protection policies, Conditional Access, or mobile app data controls, that is the application-management domain, not the Enterprise App Catalog itself.
A line-of-business installer requires elevation once a month, but the security team does not want users to be local administrators. Which Intune Suite capability is the best fit?
Which statements correctly describe Endpoint Privilege Management planning?
Select all that apply
An app deployed from the Enterprise App Catalog has a newer catalog version available. What should an Intune admin do to deploy that update in a controlled way?