The “Local Admin” Ghost in the VDI Machine
For years, VDI architects have faced a “Sophie’s Choice”: either grant users full Local Admin rights on their virtual sessions (a massive security risk) or drown the Helpdesk in tickets every time a developer needs to run a debugger or a designer needs a specialized font.
In the Zero-Trust world of 2026, standing privileges are the enemy. With the Microsoft Intune Service Update 2601 (February 2026), we finally have the solution: Endpoint Privilege Management (EPM) for Azure Virtual Desktop (AVD). We can now grant “Just-in-Time” elevation within a virtual session, providing the ultimate balance of security and scale.
Why This Matters for Scaling Your Organization
If you are managing 100 or 10,000 Cloud PCs, manually handling elevation requests is not sustainable. EPM allows you to:
- Reduce Helpdesk Overhead: Self-service elevation for approved apps.
- Strengthen Security Posture: Move toward a true “Least Privilege” model.
- Improve User Experience: No more “Access Denied” interruptions for legitimate work.
Step-by-Step: Enabling EPM on AVD & Windows 365
1. The Prerequisites
Before you begin, ensure your environment meets these 2026 standards:
- OS: Windows 11 (22H2 or later).
- Join Type: Entra joined or Hybrid Entra joined.
- Licensing: Microsoft Intune Suite or the EPM standalone add-on.
2. Activate the EPM Platform
You must first tell Intune to deploy the EPM “sidecar” agent to your virtual machines.
- Navigate to the Microsoft Intune admin center.
- Go to Endpoint security > Endpoint Privilege Management.
- On the Policies tab, select Create Policy and choose Windows elevation settings policy.
- Set “Microsoft Endpoint Privilege Management” to Enabled.
- Assign this to your AVD/Windows 365 Device Group.
3. Create Elevation Rules
Now, define what can be elevated.
- Create a new policy and select Elevation rule policy.
- Elevation Conditions: Upload the certificate or file hash of the application (e.g., Visual Studio or a specific VPN client).
- Validation type: Choose Business justification to require the user to explain why they are elevating.
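Before building the rule in step 3 you need the file hash or signer certificate of the executable you are approving. The PowerShell below is an added example, not code from the original post or from Microsoft: it collects the SHA-256 hash and the Authenticode signer for one binary, confirms the signature actually validates, and exports the signer certificate so it can be uploaded. The executable path is a placeholder, and the SHA-256 choice assumes the rule expects that algorithm.

```powershell
# Added example (not from the original post): gather what an EPM elevation rule needs
# for one executable: its SHA-256 file hash and its Authenticode signer certificate.
# Assumption: the path below is a placeholder; point it at the app you are approving.
param(
    [string]$Path = 'C:\Program Files\ExampleVendor\ExampleApp.exe'  # placeholder path
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# A file-hash rule pins the rule to this exact binary. Any vendor update changes the
# hash, so prefer a certificate rule for applications that patch frequently.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

# A certificate rule needs the signer. Check the signature status first: a rule built
# on an invalid or unknown signer would elevate anything carrying that signature.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

$result = [pscustomobject]@{
    File             = $Path
    Sha256           = $hash.Hash
    SignatureStatus  = $sig.Status                     # expect 'Valid'
    Signer           = $sig.SignerCertificate.Subject
    SignerThumbprint = $sig.SignerCertificate.Thumbprint
    SignerValidUntil = $sig.SignerCertificate.NotAfter
}

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Fall back to a file-hash rule rather than trusting this signer."
}

# Export the signer certificate as DER (.cer) into %TEMP% for upload with the rule.
if ($sig.SignerCertificate) {
    $cerPath = Join-Path $env:TEMP ((Split-Path -Path $Path -Leaf) + '.cer')
    $bytes = $sig.SignerCertificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerPath, $bytes)
    $result | Add-Member -NotePropertyName CertExportedTo -NotePropertyValue $cerPath
}

$result | Format-List
```

Run it on a session host that already has the application installed, with the real path in place of the placeholder. Record the hash and thumbprint in your change ticket alongside the business justification setting, so the rule can be audited later against the binary it was meant to cover.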
The Deep Dive: “Elevate as Current User”
This is the technical breakthrough of early 2026. In virtual environments, standard elevation often uses a “Virtual Account.” However, in AVD, this can break FSLogix profiles and Mapped Network Drives because the elevated process runs in a different security context.
The new “Elevate as Current User” capability allows the process to run with elevated tokens while remaining inside the user’s profile.
Critical Troubleshooting: The “Azure Front Door” Gotcha
If your EPM policies are stuck in “Pending,” check your network. As of the 2026 Secure Future Initiative (SFI), Intune now uses Azure Front Door (AFD) for EPM communication.
| Requirement | Value |
| --- | --- |
| Port | 443 (HTTPS) |
| Service Tag | AzureFrontDoor.MicrosoftSecurity |
| Why? | The EPM sidecar agent uses this path to verify hashes and download new rules. |
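When policies sit in "Pending," the firewall or proxy team usually needs the concrete address ranges behind the service tag, and you need to know which proxy the agent will actually use. The PowerShell below is an added example, not code from the original post or from Microsoft: it pulls the current prefixes for the AzureFrontDoor.MicrosoftSecurity tag with the Az.Network module, writes them to an allow-list file, and shows the machine-wide WinHTTP proxy a system service would use. It assumes Az.Network is installed, that you have already run Connect-AzAccount, and the region name is a placeholder.

```powershell
# Added example (not from the original post): export the service-tag prefixes the EPM
# sidecar needs on TCP 443 and show the system proxy path they must pass through.
# Assumptions: Az.Network module present and Connect-AzAccount already done;
# the region is a placeholder (the tag list is published per region).
param(
    [string]$Location = 'westeurope',                        # placeholder region
    [string]$TagName  = 'AzureFrontDoor.MicrosoftSecurity',  # tag named in the post
    [string]$OutFile  = (Join-Path $env:TEMP 'epm-afd-allowlist.txt')
)

# Fetch the current service-tag catalogue for the region and pick out the one tag.
$catalog = Get-AzNetworkServiceTag -Location $Location
$tag = $catalog.Values | Where-Object { $_.Name -eq $TagName }
if (-not $tag) {
    throw "Service tag '$TagName' was not found in the $Location catalogue."
}

# Split IPv4 and IPv6 so the firewall team can apply them to the right rule sets.
$prefixes = $tag.Properties.AddressPrefixes
$ipv4 = $prefixes | Where-Object { $_ -notmatch ':' }
$ipv6 = $prefixes | Where-Object { $_ -match ':' }

# One prefix per line, with a header that records where the list came from.
@(
    "# $TagName prefixes, region $Location, pulled $(Get-Date -Format 'yyyy-MM-dd')"
    "# Required: outbound TCP 443 (HTTPS)"
    $ipv4
    $ipv6
) | Set-Content -LiteralPath $OutFile -Encoding UTF8

[pscustomobject]@{
    Tag          = $TagName
    Ipv4Prefixes = $ipv4.Count
    Ipv6Prefixes = $ipv6.Count
    AllowList    = $OutFile
} | Format-List

# The sidecar runs as a system service, so the WinHTTP proxy (not the user's browser
# proxy) is what matters. An explicit proxy here must allow the prefixes above.
Write-Host "WinHTTP proxy configuration on this host:"
netsh winhttp show proxy
```

Re-run the export whenever the tag is republished, since the address ranges change over time; a stale allow-list is a common reason a previously working tenant slips back into "Pending."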
Final Thoughts
Implementing EPM on AVD isn’t just about blocking cmd.exe. It’s about building a stateless, secure environment where users have the power they need without the risks they don’t. By leveraging the February 2026 updates, you are positioning your organization at the forefront of the Secure Productivity movement.
