EPM (Endpoint Privilege Management) Windows execution works by intercepting application launch requests and applying real-time policy decisions to control program execution on endpoints. When a user attempts to run an application, the EPM agent evaluates the request against predefined access policies and specific parameters. Based on this evaluation, the system can allow execution with current privileges, temporarily elevate privileges for legitimate administrative tasks without exposing admin credentials, or block unauthorized applications entirely. This creates a zero-trust execution environment where applications must be explicitly approved and users can perform necessary administrative functions without permanent elevated access, while maintaining comprehensive audit logs of all execution attempts.
Execution types
EPM Windows supports the following execution types:
| Type | Interface | Description |
|---|---|---|
| Execute with EPM | Context menu | Executes the application as the current user, with or without elevation, according to the access policy and global parameters. |
| Execute network shared applications | Context menu | Executes an application shared over the network, with or without elevation, according to the access policy and global parameters. |
| Execute | EPM | Executes the application as the current user, with or without elevation, according to the access policy and global parameters. |
| Execute as impersonated user | EPM | Executes the application as another user, with or without elevation, according to the access policy and global parameters. The password used by the impersonated user does not need to match the current Windows user password, because it is not used for impersonation. |
| Execute as user (runas) | EPM | Executes the application as another user, with or without elevation, according to the access policy and global parameters. The password used by the impersonated user must match the current Windows user password, because it is used for impersonation. |
| Execute as user not elevated (runas) | EPM | Executes the application as another user, without elevation. The credential's username and password must match the Windows username and password. |
| Double-click | N/A | Executes the application as the current user, with or without elevation, according to the access policy and global parameters. |