
Hello,

What is the best way to apply specific rule(s) to a group of users, e.g. a team wants to have a yes/no message for elevation for certain commands run in CMD (others will have a Password prompt)? I see I can create a new workstyle and assign it to an AD-based user group, but there is a possibility of many such requests and I will end up creating 50-100 workstyles. Alternatively, I can use the SG as the designated user group in a Password (authentication) Message, but I want a yes/no prompt, which doesn’t have a designated user option.

I try to keep workstyles to a minimum, but I see people who have 10-50+, and that is for sure not a recommendation I would make.

You have the latest option to create an Application Rule filter now, which could be useful in your situation. The downside of Application Rule filters is that you can only see on the filter who it applies to, so if using it I would give the application group's name a hint of who is targeted.

Then consider the commands: can they cause a risk?
I see no issue in ipconfig /registerdns, net start / stop with more specific command lines for specific services, etc.

Happy holidays.

Jens

 

 


Thank you so much @Jens Hansen, I didn’t know about App Filter. (Actually, some time back I was thinking why there is no such option similar to firewall ACLs :-)

Regarding the commands, there is an application installer which later triggers a batch file which asks for a password prompt. Unfortunately, this is riskier as it is not signed and has some common name like installer.bat (script name may not be a good filter criterion though). I am still debating if I should keep it as is, i.e. password prompt. The other one is a very specific command. But yes, overall this approach feels a little bit sketchy.



As mentioned, there are Application Rule filters available as of EPM-W 24.5 and EPM-M 24.7. Please refer to the KB "How to use Workstyle and Application Rule filters for Endpoint Privilege Management policies" for information and examples.

