Intune – Additional permissions for the Endpoint Security Manager role

As you know, you can use RBAC (role-based access control) in Intune/Endpoint Configuration Manager to delegate certain administrative or management tasks.

Well, new permissions have been added to the Endpoint Security Manager role:

  • Initiate Configuration Manager action
  • Microsoft Defender ATP
  • Reboot now
  • Remote lock
  • Rotate BitLockerKeys (preview)
  • Rotate FileVault key
  • Shut down
  • Sync devices

If you are using the built-in Endpoint Security Manager role, you have nothing to do, except perhaps communicating the change to the delegates.

If you are using a custom role to delegate permissions, you may have to update it to reflect these new permissions.
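One way to review custom roles against the built-in role, shown as an added example that is not part of the original post: it assumes the role definitions were exported as JSON from the Microsoft Graph `deviceManagement/roleDefinitions` endpoint. The action names and the custom role names in the sample are constructed placeholders, not real Intune values.

```python
import json

def effective_actions(role):
    """Actions a roleDefinition grants: allowed minus notAllowed."""
    allowed, denied = set(), set()
    for perm in role.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            allowed.update(ra.get("allowedResourceActions", []))
            denied.update(ra.get("notAllowedResourceActions", []))
    return allowed - denied

def missing_from_custom_roles(roles, baseline_name="Endpoint Security Manager"):
    """Map each custom role name to the built-in role's actions it lacks."""
    baseline = next((r for r in roles
                     if r.get("isBuiltIn") and r["displayName"] == baseline_name), None)
    if baseline is None:
        raise ValueError(f"built-in role {baseline_name!r} not found in export")
    wanted = effective_actions(baseline)
    return {r["displayName"]: sorted(wanted - effective_actions(r))
            for r in roles if not r.get("isBuiltIn")}

# Constructed sample export; EXAMPLE_* action names are placeholders.
# Real action names come from your own tenant's export.
SAMPLE = json.loads("""
{"value": [
  {"displayName": "Endpoint Security Manager", "isBuiltIn": true,
   "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
     "EXAMPLE_ManagedDevices_Read", "EXAMPLE_RemoteTasks_RebootNow",
     "EXAMPLE_RemoteTasks_RemoteLock", "EXAMPLE_RemoteTasks_SyncDevice"],
     "notAllowedResourceActions": []}]}]},
  {"displayName": "Security Helpdesk (custom)", "isBuiltIn": false,
   "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
     "EXAMPLE_ManagedDevices_Read", "EXAMPLE_RemoteTasks_RemoteLock"],
     "notAllowedResourceActions": []}]}]},
  {"displayName": "Security Ops (custom)", "isBuiltIn": false,
   "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
     "EXAMPLE_ManagedDevices_Read", "EXAMPLE_RemoteTasks_RebootNow",
     "EXAMPLE_RemoteTasks_RemoteLock", "EXAMPLE_RemoteTasks_SyncDevice"],
     "notAllowedResourceActions": ["EXAMPLE_RemoteTasks_RebootNow"]}]}]}
]}
""")

if __name__ == "__main__":
    for name, gaps in missing_from_custom_roles(SAMPLE["value"]).items():
        print(f"{name}: {', '.join(gaps) if gaps else 'no gaps'}")
```

A reported gap is a prompt for review, not an automatic fix: a custom role may omit an action deliberately to keep the delegation least-privilege.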


Benoit Hamet
Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years. Currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) or online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.