EPM and User Account Control issue

Hi community,

I'm trying to setup Endpoint privilege management for the organization for the first time with the goal of changing all our users from local admins to standard users on their Intune managed devices. However, I run into issues as soon as I remove the users local admin rights and assign them to an admin group.

I have my EPM Settings policy (Require support approval) and my Rules policies assigned to my test user group all setup and the setup works until I remove the local admin rights from my test user and assign them to the admins group (using the Account protection). After that the user is not able to send elevation requests for tasks that require elevation like managing Bitlocker or opening the Device manager as a UserAccess Control pop-up requires an admin to log in on the computer. It seems like the UAC is overriding EPM.

I would like the users to be able to ask for an elevation in these situations instead of having them all run to my office.

I also tried to create a rule for Bitlocker to allow users to confirm elevations themselves, but that does not work. The users till gets the UAC admin credentials pop up. Same with Device manager and some other tasks.

Obviously as an admin I do also need to be able to access all the settings on the laptops if I do troubleshooting on them.

How do organizations usually manage these or does anyone have personal experience of setting this kind of an environment? Am I missing something?

Licences: M365 Business Premium with Intune EPM add-on