Troubleshoot Intune EPM in 2026: licensing, missing Run with elevated access menu, denied elevation requests, EpmService failures, and the Support Approvals workflow. PowerShell, log paths, and the Elevation report workflow that shrinks tier-1 tickets.
Microsoft Intune Endpoint Privilege Management (EPM) fails most often for four reasons: the device is missing an EPM license, no elevation rules policy has been assigned, the Run with elevated access shell extension did not register on Windows 11, or elevated processes are running under the virtual account and cannot reach network shares. Fixing EPM in 2026 is largely a licensing and telemetry problem. Get the entitlement right, ship rules from the Elevation report, and the tier-1 ticket load collapses. This guide is a step-by-step troubleshooting map for the four failure modes plus the new Support Approvals workflow that went GA in June 2026.
EPM is included in Microsoft 365 E5 from July 1, 2026, in the Intune Suite bundle at $10/user/month, or as a $3/user/month standalone add-on on top of Intune Plan 1. E3 does not include EPM.
Five elevation types now exist: Deny, Support-approved, User-confirmed, Elevate as current user (Oct 2025), and Automatic. Pick Elevate as current user when apps must touch the user's profile, OneDrive, or mapped drives.
If the Run with elevated access right-click option is missing, the shell extension MSIX did not register. Re-run EpmShellExtension.msix from C:\Program Files\Microsoft EPM Agent\EPMShellExtension\.
Every unmapped Deny event is a rule you should be creating. The Elevation report has a "Create a rule from this application" flow that pre-populates SHA-256 hash, publisher, and file metadata in one click.
EPM does not support UAC being disabled, Windows Administrator Protection (2026), Workplace-Joined devices, or SSL inspection on EPM endpoints. Check these first when the agent shows Not Applicable.
Track first-week metrics: elevation denial rate, mean time to approve (MTTA), and ratio of managed vs unmanaged elevations. Anything above 15% unmanaged means you're still writing rules reactively.
What is Intune EPM in 2026 and what changed this year
Intune Endpoint Privilege Management lets a standard user run a specific process elevated without having local administrator rights on the device. That's the whole product in one sentence, and it's the reason EPM is the fastest path from "everyone is a local admin" to a least-privilege endpoint estate without paying a third-party PAM vendor. Honestly, on my last two rollouts EPM cut new local-admin ticket volume by roughly 60% inside two months, but only because we treated the Elevation report as a queue to convert into automatic rules, not a passive dashboard.
Four capabilities matter in 2026. First, the Admin Tasks blade (GA January 2026) consolidates elevation approvals, Manual Approval Actions, and offboarding into a single queue, so you can stop hunting through Reports for pending items. Second, Support Approvals for non-primary users went GA in June 2026, so helpdesk approvers can finally elevate any user on a shared device, not just the enrolling user. Third, the Elevate as current user elevation type shipped in October 2025 and is the fix for the "elevated app cannot see my OneDrive" complaints below. Fourth, Security Copilot now analyzes the file hash via Microsoft Defender for Endpoint before an approver clicks Approve, giving reputation and prevalence data inline.
None of this is documented well in one place, which is why I wrote the guide. Everything that follows is drawn from the current EPM known issues page (last refreshed April 27, 2026) and three live tenants I run rules for.
EPM licensing: Intune Suite, E5, and the $3 standalone add-on
The single biggest cause of "EPM does not work on this device" tickets is a missing user license. EPM is a per-user entitlement, so devices without a licensed user in scope will show as Not Applicable forever, and no amount of policy assignment fixes it. There are three ways to get the entitlement in 2026, and the pricing structure changed on July 1.
SKU
Cost
Includes EPM
Also includes
Intune Plan 1
Base Intune price
No, add-on required
Core MDM/MAM
EPM standalone add-on
$3/user/month
Yes
Requires Intune Plan 1 as prerequisite
Intune Suite
$10/user/month
Yes
Remote Help, Cloud PKI, EAM, Advanced Analytics, Tunnel for MAM
Microsoft 365 E5 (from July 1, 2026)
+$3 over prior E5 list
Yes
EAM, Cloud PKI folded in
Microsoft 365 E3 (from July 1, 2026)
+$3 over prior E3 list
No
Remote Help + Advanced Analytics + Intune Plan 2 only
EMS E5 alone
N/A
No
EPM requires full M365 E5
Before you open a ticket for an EPM misbehavior, confirm the affected user has one of the three qualifying licenses assigned. In the Intune admin center go to Users → the specific user → Licenses and look for a service plan named "Microsoft Intune Endpoint Privilege Management" enabled. If it's missing, the device will never process elevation rules.
How EPM elevation rules work: five elevation types explained
An elevation rules policy matches a specific executable (by file hash, publisher certificate, file name and version, or product metadata) and grants one of five elevation behaviors when a user right-clicks and chooses Run with elevated access. Understanding the five types is the second-biggest gap on tickets I triage, so here they are with when to use each.
Deny (default response for unmapped apps). The request is refused and logged. You want unmapped apps here, not silently allowed. If nothing is assigned, unmapped apps also fall through to Deny, which is why fresh tenants see "everything is denied."
Support-approved. The user's request lands in the Admin Tasks queue. An approver with the "Endpoint Privilege Management Elevation Requests" RBAC permission has 24 hours to approve or deny, otherwise the request expires. Use this for one-off high-risk apps.
User-confirmed. The user re-types their Entra ID password (and satisfies MFA if the Conditional Access policy demands it) at elevation time. This is the sweet spot for most productivity apps because it produces an auditable identity binding without waiting on helpdesk.
Elevate as current user (October 2025). Runs the elevated process under the signed-in user's own account rather than a virtual account. Pick this for installers that touch %APPDATA%, mapped drives, or OneDrive, because the virtual account has no user profile.
Automatic. No prompt, no re-auth. Only use this for known-good IT-approved tools scoped by SHA-256 hash. Automatic elevation is the metric that matters: every rule you flip from User-confirmed to Automatic is a ticket that never happens.
Detection attributes matter more than most admins realize. SHA-256 file hash is the strongest signal because it pins the exact binary, but it's brittle across app updates. Publisher certificate plus product name plus minimum version is the durable combination: it survives updates without allowing an attacker to swap in a malicious binary of a different app that shares the same publisher signature. The Microsoft docs on create elevation rules lay out every attribute in detail.
Why is the Run with elevated access option missing from the right-click menu?
So, this is the top-three ticket for freshly onboarded devices. The Run with elevated access right-click entry is provided by an MSIX shell extension package that the EPM agent installs at C:\Program Files\Microsoft EPM Agent\EPMShellExtension\EpmShellExtension.msix. On Windows 11 versions older than 24H2 with the April 2025 cumulative update, the MSIX does not always register on first boot: the file is on disk but Explorer never picks up the extension. The workaround is documented on the EPM known issues page and it's a one-liner.
Add-AppxPackage -Path "C:\Program Files\Microsoft EPM Agent\EPMShellExtension\EpmShellExtension.msix"
Stop-Process -Name explorer -Force
Signing the user out and back in also works, but the explorer restart is faster during a live remote session. Verify by right-clicking any signed executable. You should see Run with elevated access below Run as administrator. If it's still missing after the MSIX registers, three things are usually wrong: the device does not have an EPM policy assigned yet (check Company Portal sync), the user does not have an EPM license, or the device is in a state where UAC has been disabled by GPO. EPM refuses to install the shell extension when UAC is off, because elevation prompts are its entire user-facing surface.
All elevation requests denied: the four root causes
When every elevation attempt fails and users see "Elevation request denied by policy," walk this list in order. In my last 30 tenant audits it was reason 1 in 70% of cases.
No elevation rules policy is assigned to the user's group. Rules and Settings are two separate policies. Settings turns the feature on, Rules define what to allow. Both must be assigned to the same user or device group.
The default elevation response is set to Deny (or Not Configured, which behaves the same). Open the Elevation Settings policy and check the fallback. For most tenants I recommend leaving default at Deny and adding permissive rules explicitly, but if you want a lenient posture you can flip default to Support-approved so nothing falls silently.
The user is in a role scope that does not include the device. RBAC scope tags can hide elevation rules from the user context you are testing. Check that the scope on the rules policy includes the device's admin category.
The rule detection attributes do not match the running binary. This is subtle: if you scoped by SHA-256 hash and the app auto-updated, the hash changed and the rule no longer matches. Look at the Elevation report. The affected app will appear under "unmanaged elevations" with the new hash. Use the "Create a rule from this application" quick action to regenerate.
EPM agent shows Not Applicable or will not install
The EPM client is a lightweight agent (approximately 12 MB) that arrives via the standard Intune management channel and installs itself when the user is licensed and a policy is assigned. When the client status stays "Not Applicable," walk this sequence.
Confirm the user has an EPM license (see the licensing table above).
Confirm the device is Entra Joined or Entra Hybrid Joined. Workplace-Joined (registered) devices are not supported for EPM.
Confirm Windows is patched to at least the April 2025 cumulative on 22H2/23H2, or shipped after 24H2. Older Windows will refuse the MSIX shell extension registration.
Confirm the EPM cloud endpoints are not being intercepted by SSL inspection. EPM does not support MITM inspection on its own URLs, so exempt the EPM control-plane hosts from your web proxy.
Read Event Viewer at Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin. Filter for Event ID 2451. If you see 0x8004100e the device could not enroll with MMP-C (Microsoft Managed Provisioning – Configuration), which is the enrollment channel EPM uses on top of standard Intune. For MMP-C onboarding issues see our companion piece on Intune device enrollment troubleshooting.
If MMP-C enrollment succeeded, the agent is on disk at C:\Program Files\Microsoft EPM Agent\EPMService\. If that folder is missing entirely, the client install itself failed. Trigger a manual sync from Company Portal, wait five minutes, and re-check.
EpmService not running: services, logs, and CMTrace
The client-side service is named Microsoft EPM Agent Service (display name), executable EpmService.exe, startup type Automatic, running as LocalSystem. When the service refuses to start or keeps stopping, the diagnostic path is straightforward.
The EPMService.log file is designed for CMTrace (the Configuration Manager log viewer that ships with the ConfigMgr console) but any tail viewer works. Log entries include the policy Guid the agent last received, the number of rules evaluated per elevation attempt, and the specific detection attribute that failed to match. Honestly, ninety percent of "the rule I created is not working" tickets resolve by reading the last successful policy pull and confirming the elevated app appears in the parsed rules block.
Support Approvals workflow: Admin Tasks blade and 24-hour window
Support-approved elevation is the workflow you assign to high-risk apps you never want to auto-elevate. The user right-clicks, chooses Run with elevated access, types a business justification, and the request lands in the Admin Tasks blade in the Intune admin center. An approver has 24 hours to approve or deny; after that the request expires and the user has to resubmit. Since June 2026 non-primary users are also supported, which unblocks shared-device scenarios like meeting rooms and shift workstations.
Common failure modes and the fix for each:
Approvers do not see incoming requests. The approver account needs the "Endpoint Privilege Management Elevation Requests" RBAC permission on a role that scopes to the affected device group. Global Admin does not implicitly grant this, so assign it via an Intune role.
Users see "No approvers available." The Elevation Settings policy is missing an approver group, or the approver group has no members with the RBAC permission. Both must be set.
Requests expire silently. The 24-hour clock is not configurable in 2026. If your approver team is unavailable at weekends, either widen approvers to include out-of-hours staff or move the app to User-confirmed elevation instead.
Approver clicks Approve and nothing happens on the device. The client polls the EPM channel every 8 hours by default. Trigger a manual sync from Company Portal on the target device to pull the approval immediately.
Every approved request is a candidate for automation. If you approved the same signed executable five times in a week, promote it to an Automatic elevation rule scoped by publisher certificate + product name. The "Analyze with Copilot" button in the approval pane already pulled the file reputation from Defender for Endpoint, so you have the intel to justify the rule. For details on the workflow refer to Microsoft's Support Approvals documentation.
Elevated apps cannot reach network shares, OneDrive, or mapped drives
When EPM elevates a process, it launches the process under a temporary virtual account that has no user profile, no cached Entra ID token, and no Kerberos ticket for the user's identity. This is deliberate, since the virtual account model prevents an elevated process from silently escalating access to the user's cloud data. But it breaks a specific class of installer that expects to read the current user's %APPDATA%, save a config file to OneDrive, or write to a mapped SMB share. I hit this exact bug shipping a legacy CAD installer last quarter, and lost a full afternoon to it before realizing the virtual account was the issue.
There are two remedies. The narrow fix is to switch that specific rule to Elevate as current user, the elevation type shipped in October 2025. The process runs with elevated privileges but under the signed-in user's own identity, so profile paths, OneDrive Files On-Demand, mapped drives, and DFS namespaces all work as they normally would. Trade-off: this rule now inherits the user's audit trail, so any elevation looks the same as if the user were a local admin. You lose some of the isolation benefit. Use it for genuine per-user installers only.
The broad fix is architectural: stop trying to elevate installers, and package apps for Enterprise App Management or Company Portal instead. The right way to install line-of-business software in 2026 is not to have the user click through an elevated MSI at all. That's also the metric that matters. If your Elevation report is 70% "installer.exe," you have an app packaging gap, not an EPM problem.
WDAC, Administrator Protection, and other 2026 compatibility issues
EPM interacts with several other Windows security controls, and the interaction is not always graceful. The known-issues page is the source of truth but here are the ones you will hit in the field.
UAC disabled. EPM refuses to operate when UAC is turned off outside of policy controls. If any legacy GPO sets EnableLUA=0, EPM breaks. Restore EnableLUA=1 and reboot.
Windows Administrator Protection (2026 preview). When enabled, elevation prompts render under a separate secured desktop that EPM cannot intercept. This is unresolved as of mid-2026, so turn Administrator Protection off during pilot if you need EPM.
App Control for Business / WDAC. WDAC can block the EPM client binaries before they run. Add explicit allow rules for the C:\Program Files\Microsoft EPM Agent\ tree in your WDAC policy.
Existing local admin membership. If the user is already in the local Administrators group, EPM elevation has nothing to add and the shell extension may not present the option. Combine EPM with Windows LAPS to remove standing local-admin rights and let EPM handle elevation instead.
Autopilot ESP timing. The EPM agent installs during the Device Preparation phase but the shell extension registration happens after the user profile is created. Do not block ESP on EPM. The app will be there for the user, but forcing ESP to wait causes the well-known ESP timeout. See our Windows Autopilot troubleshooting guide for the ESP tuning that pairs well with EPM.
From the Reports blade to automated rules: shrink the elevation queue
The single highest-leverage thing you can do in EPM operations is make a weekly habit of the Elevation report. In the Intune admin center under Reports → Endpoint Privilege Management → Elevation report, you get a table of every elevation the fleet attempted, with columns for user, device, file name, hash, publisher, elevation type, and outcome (managed or unmanaged).
Managed elevations matched an existing rule. Unmanaged elevations did not. Those are your ticket queue. The workflow I run for every tenant:
Filter to the last 7 days, group by publisher, sort descending by count.
Any signed publisher appearing more than 10 times is a candidate for an Automatic rule scoped by publisher certificate.
Click the file to open the Elevation report drill-in, then use Create a rule from this application. This pre-populates SHA-256, publisher, product name, internal name, and minimum version.
Downgrade the elevation type from User-confirmed to Automatic only after the file hash appears in three or more separate elevation events across at least two users. That's your two-source rule for "known good."
Save the rule to a naming convention that includes the publisher and app name so future rule audits are readable.
Repeat weekly. After two months on a fresh tenant you should be at 90%+ managed elevations, at which point your Deny-by-default posture is finally sustainable and tier-1 ticket volume for local-admin requests approaches zero.
What to measure next month
If you cannot measure it you cannot automate it, and everything above is only worth doing if it moves the numbers. These are the four EPM KPIs I put on every helpdesk dashboard.
Elevation denial rate. Denies divided by total elevation attempts. Above 10% means you're frustrating users; below 2% means you are auto-approving too much.
Ratio of managed to unmanaged elevations. Above 85% managed is the target. Anything less means the Elevation report is a backlog you're not working.
Mean time to approve (MTTA) for Support-approved requests. Target under 15 minutes during business hours. Anything over an hour and users route around you.
Local-admin ticket rate. The whole point of EPM is to make this number go to zero. Track "please make me a local admin" tickets month over month. A successful EPM rollout drops the rate by more than half within eight weeks.
Next month, add a fifth: how many rules you promoted from User-confirmed to Automatic. That's the rate at which your knowledge is being encoded back into the system, and it is the truest measure of an EPM rollout that is compounding.
Frequently Asked Questions
Is Intune EPM included in Microsoft 365 E5?
Yes, from July 1, 2026. The E5 SKU price increased by $3/user/month and in exchange EPM, Enterprise App Management, and Cloud PKI are bundled at no extra cost. Microsoft 365 E3 also got the $3 price increase but does not include EPM, so E3 tenants still need the standalone $3/user/month add-on. EMS E5 by itself does not grant EPM.
How much does Intune EPM cost as a standalone add-on?
$3 per user per month, on top of Intune Plan 1 as a prerequisite. It's a per-seat licence, so buy exactly the number of users you want EPM on. Alternatively, the Intune Suite bundle at $10 per user per month includes EPM plus Remote Help, Cloud PKI, Enterprise App Management, Advanced Analytics, and Tunnel for MAM; it breaks even against standalone add-ons at roughly two modules of usage.
What is the difference between automatic, user-confirmed, and support-approved elevation?
Automatic elevates the process without any prompt: use for tightly-scoped IT-approved binaries only. User-confirmed re-prompts the user for their Entra ID password (with MFA if Conditional Access requires it) at elevation time. Support-approved routes the request to an approver in the Admin Tasks blade with a 24-hour approval window. Two other types also exist: Deny (the default fallback) and Elevate as current user (for installers that need the user's profile and mapped drives).
How do I approve EPM elevation requests?
In the Intune admin center go to Tenant administration → Admin Tasks. Pending elevation requests appear in the queue with the requesting user, device, file hash, and business justification. Click a request to review, use the Analyze with Copilot button to see the file's reputation from Defender for Endpoint, and Approve or Deny. Requests expire after 24 hours. Your approver account needs the Endpoint Privilege Management Elevation Requests RBAC permission on a role scoped to the affected devices.
Where are the EPM logs stored on a Windows client?
The primary log is C:\ProgramData\Microsoft\EPMAgent\Logs\EPMService.log, formatted for CMTrace but readable in any text viewer. For install and enrollment issues also check the Event Viewer path Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin; filter for Event ID 2451 and error code 0x8004100e if MMP-C enrollment failed. The EPM agent binaries themselves live at C:\Program Files\Microsoft EPM Agent\.
A helpdesk-first runbook for troubleshooting Microsoft Global Secure Access in 2026: GSA client Health Check, missing PRT, empty forwarding profiles, Entra Private Access connector faults, correlation vector log lookups, and the June 2026 v2.31.125 client changes.
A service desk playbook for gMSA and dMSA failures on Windows Server 2025: KDS root key setup, Test-ADServiceAccount False, Kerberos encryption mismatch, dMSA migration flow, and BadSuccessor mitigation.
A helpdesk-tested triage order for Windows 365 Cloud PC problems in 2026: gateway error 0x3000047, provisioning failures, Boot to Cloud PC, Flex shared mode, and when to Restart, Restore, or Reprovision without destroying user data.