New Intune EPM Enhancements Deliver Better User‑Context Elevation & Secure Admin Control

Microsoft Intune’s Endpoint Privilege Management (EPM) just got more powerful and secure with two major updates that matter for modern Windows endpoint management:

🔹 “Elevate as current user” option — better compatibility for apps and installers
🔹 Scope tag enforcement for elevation requests — stricter admin visibility control

Both changes started rolling out in late 2025 and are now part of general Intune service updates in early 2026.


🔐 Elevate Under the User’s Own Identity

Traditionally, Intune’s EPM elevated applications using a virtual account on the device. While that strengthens isolation, it often broke installers and tools that needed access to:
• User profile paths
• Environment variables
• Registry settings (HKCU)
• Authenticated network resources (Kerberos tickets)

The new “Elevate as current user” option changes that. It lets the elevated process run under the signed‑in user’s account, preserving profile context so applications just work without special workarounds. This matters especially for installers and scripts that depend on user‑specific resources or settings.

📌 Security note: Because this mode uses the user’s identity instead of a virtual account, it increases exposure to user‑specific data — so use it only when needed (e.g., compatibility cases). 
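To see which of the two elevation models a process actually landed in, the following pre-flight check (added here as an example; it is not Microsoft’s or Intune’s code) inspects the token identity, the signed‑in console user, the HKCU hive, the profile path and the Kerberos ticket cache from inside the elevated process. It assumes Windows PowerShell on a managed Windows device with klist.exe available, and that Win32_ComputerSystem.UserName reports the signed‑in user in the same DOMAIN\user form as the token name.

```powershell
# Added pre-flight check (example code, not Microsoft's or Intune's): run it inside
# the process that EPM elevated, before an installer step, to confirm whether the
# elevation carried the signed-in user's context or a separate account.
function Get-EpmElevationContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # The interactively signed-in user as the OS reports it (assumed to use the
    # same DOMAIN\user format as the token name; adjust the comparison if not).
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    # HKCU is a view of HKEY_USERS\<SID of the token>. If that key is absent, the
    # token's profile hive is not loaded and HKCU access will not reach the user's settings.
    $hiveLoaded = Test-Path -Path "Registry::HKEY_USERS\$($identity.User.Value)"

    # The directory this elevated process resolves %USERPROFILE% to.
    $profilePath   = $env:USERPROFILE
    $profileExists = [bool]$profilePath -and (Test-Path -Path $profilePath)

    # Kerberos tickets are per logon session; klist.exe prints "Cached Tickets: (N)"
    # for the caller's session, so a separate account shows 0 here.
    $ticketLine  = (& klist.exe 2>$null) | Where-Object { $_ -match 'Cached Tickets:\s*\((\d+)\)' } | Select-Object -First 1
    $ticketCount = if ($ticketLine -and ($ticketLine -match '\((\d+)\)')) { [int]$Matches[1] } else { 0 }

    [PSCustomObject]@{
        TokenUser          = $identity.Name
        ConsoleUser        = $consoleUser
        IsElevatedAdmin    = $isAdmin
        RunsAsSignedInUser = [bool]($consoleUser -and ($identity.Name -ieq $consoleUser))
        UserHiveLoaded     = $hiveLoaded
        ProfilePath        = $profilePath
        ProfileExists      = $profileExists
        KerberosTickets    = $ticketCount
    }
}

# Usage: refuse to run a user-context-dependent installer step unless the
# elevation preserved the signed-in user's identity, registry hive and profile.
$ctx = Get-EpmElevationContext
$ctx | Format-List
if (-not ($ctx.IsElevatedAdmin -and $ctx.RunsAsSignedInUser -and $ctx.UserHiveLoaded -and $ctx.ProfileExists)) {
    Write-Warning "Elevation did not preserve the user context; use 'Elevate as current user' for this rule or install per-machine instead."
    exit 1
}
```

A result with IsElevatedAdmin true but RunsAsSignedInUser false and KerberosTickets 0 is the virtual-account case the post describes; the same fields flipping to true and non-zero confirm the new mode is in effect for that rule.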


Enforcing Scope Tags on Elevation Requests

In the November 2025 Intune update, Microsoft added scope tag enforcement for EPM elevation requests — a big win for security and delegate admin scenarios:
• Admins can now only view and act on elevation requests for devices and users that fall within their assigned scope tags
• Helps keep least‑privilege admin access aligned with Zero Trust principles
• Reduces risk of accidental or inappropriate access across broader tenant resources 

This change especially benefits larger organizations or managed service environments where different teams must operate independently and only see what they should see.
