Message Design

Messages have a wide array of configuration options, which are detailed below.

As you change the various message options, the preview message is automatically updated. To test the message box, use the preview facility (program and content information contains appropriate placeholders).

Once you configure the message options, you should configure the Message Text for the message, which includes full multi-lingual support.

Design Settings

Message Header Settings

Header Style: Select the type of header, which can be No header, Endpoint Privilege Management, Warning, Question, or Error.
Show Title Text: Determines whether to show the title text.
Text Color: Select the color for the title text (the automatic color is based on the Header Style).
Background Type: Set the background of the header, which can be Solid background, Gradient background, or Custom image (the default Background Type is Custom Image, making the Color 1 and Color 2 options initially unavailable).
Color 1: Select the color for a Solid background or the first color for a Gradient background (the automatic color is based on the Header Style).
Color 2: Select the second color for a Gradient background (the automatic color is based on the selected Header Style).
Custom Image: Select the image for a Custom image background. This option is only enabled if you have selected Custom Image for the Background Type. Click the ellipsis (…) button to import, export, modify, or delete images using the Image Manager.

Image Manager

The Image Manager associated with message creation allows you to Add, Modify, Export, and Delete images that are referenced in message headers. All images are stored inside the Workstyles as compressed and encoded images.

We recommend you delete any unused images to minimize the size of the policies, as Endpoint Privilege Management for Windows does not automatically delete unreferenced images.

The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image dropdown menu.

To upload an image:

Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
Select the image and enter an Image Description. Click OK.
The image is uploaded into Image Manager.

Images must be *.png format. The recommended size is 450x50.

To edit an image:

In the Custom Image field, select Manage Images.
Select the image in the list and click Edit.
The Image Properties dialog box appears.
Alter the description and click OK.

To delete an image:

Select the image in the list and click Delete.
When prompted, click Yes to delete the image.

If an image is referenced by any messages, you are not allowed to delete it.

Message Body Settings

The Message Body Settings display specific information about the program or content. These can be configured on the Message Text tab; they can display Automatic default values or Custom values. The Automatic default values are:

Show Line One: The Program Name or the Content Name.
Show Line Two: The Program Publisher or the Content Owner.
Show Line Three: The Program Path or the Content Program.

Custom values are configured on the Message Text tab.

Show reference Hyperlink: This option determines whether to show a hyperlink in the message below the body settings (the hyperlink is configured on the Message Text tab).

Authentication and Authorization Settings

For more information about using authentication and authorization settings, see Authentication and Authorization Groupings in Endpoint Privilege Management.

Step 1a - User Authentication

Authentication Type: Set this option to User must authenticate to force the user to reauthenticate before proceeding. If you want to use this option for over the shoulder administration, then set this option to Designated user must authenticate.
Password or Smart Card: Set this option to Any to allow authentication using any method available to the user. If you want to enforce a specific authentication method, then set to either Password only or Smart card only.
Windows Hello: Set this option to Yes to allow authentication using the Windows Hello service. For this service to work, Windows Hello must first be set up on the user's endpoint.
- Windows Hello is not supported with the Designated User option.
- Set Authentication to the Password or Smartcard or Password only option.
- Windows Hello is unavailable when using Secure Desktop.

If you select a method that is not available to the user, then the user cannot authenticate the message.

Designated Users: If the Authentication Type is set to Designated user must authenticate, then click the ellipsis (…) button to add one or more user accounts or groups of users that are allowed to authenticate the message. A designated user can be selected from a local account, Active Directory domain, or Microsoft Entra ID (groups only). Entra ID is only supported on the EPM platform.
Run application as Authenticating User: If the Authentication Type is set to Designated user must authenticate, then this option determines whether the application runs in the context of the logged on user or in the context of the authenticating user. The default is to run in the context of the logged on user as opposed to the authenticating user.

When Run application as Authenticating User is set to Yes, Endpoint Privilege Management for Windows attempts to match a Workstyle of the same type (Application Rule or on-demand rule) for the authenticating user. If no Workstyle is matched, Endpoint Privilege Management for Windows falls back to the original user Workstyle.

Designated User Must Authenticate

When this option is enabled, a designated user, such as a system administrator, can authorize the elevation in place of (or in addition to) a Challenge Response code.

Input	Outcome
Valid Challenge/Response code only is provided	Application runs as logged on user
Valid Challenge/Response code is provided and valid (but not required) credentials are provided	Application runs as logged on user
Invalid Challenge/Response code is provided but valid credentials are provided	Application runs as authorizing user
No Challenge/Response code is provided but valid credentials are provided	Application runs as authorizing user

In Endpoint Privilege Management for Windows 22.9 and later, when authenticating as a Designated User using Microsoft Entra ID credentials, use your UPN as the username: "user@example.com"

Step 1b - Multifactor Authentication

Identity Provider: To use an identity provider, select Idp - Yes from the list. If you have not already set up your global identity provider settings, then you are prompted to add these now.
Authentication Context Class References values (acr values): Enter the acr value. The value is optional and required only if your identity provider uses it.
Suppress Message when Authenticated for (Mins): Enter a value (maximum 720) to set the number of minutes that the authentication message will be suppressed. The message will not be shown again for the given number of minutes after a successful authentication.

The Suppress Message when Authenticated for (Mins) setting does not support messages that are configured to use multiple authentication types using the AND operator. For example, if the message requires "user authentication And MFA", then the message is not suppressed. However, if the message uses "user authentication Or MFA", then the message is suppressed.

For more information, see Add an Identity Provider.

Step 1c - Authentication Grouping

Requirements: Select a requirement from the list. You can combine authentication methods. The authentication grouping can be and/or logic. For example, you can require that your users provide both a user name and password and authenticate with an identity provider. In this case, the end user is required to successfully authenticate with user credentials and with the identity provider. In the "or" scenario, the user is required to authenticate using at least one of the authentication methods.

Step 2 - Authorization

Challenge Response (C/R): Set this option to Yes to present the user with a challenge code. For the user to proceed, they must enter a matching response code. You can click Edit Key to change the shared key for this message.

When this option is enabled for the first time, you are requested to enter a shared key.

Authorization Period (per-application): Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:
- One use Only: A new challenge code is presented to the user on every attempt to run the application.
- Entire Session: A new challenge code is presented to the user on the first attempt to run the application. After a valid response code is entered, the user is not presented with a new challenge code for subsequent uses of that application until they next log on.
- As defined by helpdesk: A new challenge code is presented to the user on the first attempt to run the application. If this option is selected, the responsibility of selecting the authorization period is delegated to the helpdesk user at the time of generating the response code. The helpdesk user can select one of the three above authorization periods. After a valid response code is entered, the user does not receive a new challenge code for the duration of time specified by the helpdesks.
Suppress messages once authorized: If the Authorization Period is not set to One Use Only the Suppress messages once authorized option is enabled and configurable.
Show Information tip: This option determines whether to show an information tip in the challenge box.
Maximum Attempts: This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts, otherwise set this option to Unlimited.

After the third failure to enter a valid response code, the message is canceled and the challenge code is rejected. The next time the user attempts to run the application, they are presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.

For more information, see the following:

Challenge/Response Authorization
On how to configure the text of the information tip, Message Text

Step 3 - User Authentication & Authorization Grouping

Requirements: Select a grouping from the list. You can use authentication and authorization settings together, grouped by and/or logic. This always uses or logic when the Identity Provider (Idp) value is set to IdP - Yes.

Additonal Settings

Miscellaneous Settings

Show message on secure desktop: Select this option to show the message on the secure desktop. We recommend this if the message is being used to confirm the elevation of a process, for enhanced security. Secure desktop cannot be used with Identity Provider configurations; using Identity Provider for authentication requires opening the user's browser.

User Reason Settings

This option determines whether to prompt the end user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution message type).

Show User Reason Prompt: Select between Text box and dropdown menu. The Text Box allows users to write a reason or request. The dropdown allows users to select a predefined reason or request from a dropdown menu. The predefined dropdown entries can be configured on the Message Text tab.
Remember User Reasons (per-application): Reasons are stored per-user in the registry.

Email Settings

The email settings are only enabled for blocking messages.

Allow user to email an application request: Select this option to allow the user to email a request to run an application (only available for the Block Execution message type).
Mail To: Email address to send the request to (separate multiple email addresses with semicolons).
Subject: Subject line for the email request.

The Mail To and Subject fields can include parameterized values, which can be used with email based automated helpdesk systems.

For information on using parameters, see Windows QuickStart Policy Summary.