The End of Local Admin Rights: Endpoint Privilege Management Is Already in Your E5
The Problem Every IT Team Knows About
Local administrator rights are one of the oldest unresolved security problems in enterprise IT. Users with local admin can install anything, disable protections, and modify the system at will. Attackers know this. In most ransomware incidents, local admin rights are what turn a single compromised endpoint into a network-wide event, enabling credential dumping, security tool tampering, and lateral movement. Auditors flag standing admin rights, cyber insurance questionnaires ask about them, and frameworks from CIS to Zero Trust all point the same direction: users should run with least privilege.
Every IT leader knows this. So why do broad local admin rights still exist in so many environments? Because removing them has always been painful, and the pain lands on the helpdesk.
The Legacy Approaches, and Why They Fall Short
Organizations have historically dealt with this problem in one of a few ways, none of them satisfying.
The most common approach is simply living with the risk. Users keep local admin because a driver update, a legacy application, or a piece of lab equipment software needs elevation, and nobody wants to field the tickets that come with taking it away. The risk is acknowledged, documented, and accepted, year after year.
The second approach is removing admin rights and routing everything through the helpdesk. This improves security but degrades everything else. Users wait for a technician to remote in and type credentials every time they need to update a driver or install an approved tool. Technicians burn hours on trivial elevations, and in some environments the workaround becomes a shared local admin password, which is arguably worse than the original problem.
The third approach is buying a third-party privilege management product. These tools work, but they bring another agent to deploy, another console to manage, another vendor contract to renew, and per-user costs that make broad deployment expensive. For many mid-sized organizations, the business case never quite closed, and admin rights stayed.
A Better Way: Endpoint Privilege Management
Endpoint Privilege Management (EPM) in Microsoft Intune takes a different approach. Users run as standard users all the time. When a task legitimately needs elevation, EPM elevates that specific application or script based on policy, not the person. The user never becomes an administrator, and nothing is added to the local administrators group. Elevation runs through an isolated virtual account, and every elevation is logged with full metadata.
The policy model maps cleanly onto real support scenarios. Automatic elevation runs known safe applications elevated with no user interaction, suitable for trusted tools like a printer installer or a VPN client update. User confirmed elevation gives users a right-click “Run with elevated access” option and can require Windows authentication, a typed business justification, or both. Support approved elevation routes the request to IT, and the user proceeds once an administrator approves it from the Intune admin center. Deny rules block specific files from ever running elevated. Rules can match on publisher certificate, file hash, path, or file name, and can control child processes spawned by an elevated application.
The result is the balance that legacy approaches never achieved. Users get what they need in seconds instead of waiting on a ticket. IT defines what can elevate, under what conditions, with a full audit trail. And because EPM is part of Intune, there is no extra agent to package, no separate console, and no new vendor. Policies deploy through the same admin center you already use for compliance and configuration.
If You Have E5, You Are Ready to Go
Here is the part that changes the business case entirely. As of July 1, 2026, Endpoint Privilege Management is included in Microsoft 365 E5 at no additional cost, with eligible tenants provisioned automatically. If your organization is on E5, EPM is already in your tenant today. The tool you may have been evaluating third-party products to buy is now part of the subscription you already pay for.
For E5 organizations this means two things. First, the barrier to finally removing standing admin rights is gone. Second, if you are paying separately for a third-party privilege management product, that spend should be reviewed now.
If you are on Microsoft 365 E3, EPM is not included in the base license. The E3 tier gained Remote Help and Advanced Analytics in the same packaging change, but EPM requires the Intune Suite add-on or the standalone EPM add-on. Microsoft offers a 90 day trial for up to 250 users, which is a practical way to run a pilot and see your own elevation data before spending anything.
One scope note: EPM applies to Windows endpoints. If you have a significant macOS fleet, those devices need a separate approach.
How to Remove Admin Rights Without the Pain
The organizations that succeed with EPM do not start by removing admin rights. They start by watching.
Begin with an audit phase. Deploy an elevation settings policy in reporting mode to a pilot group. EPM logs both managed elevations and unmanaged ones, meaning every time a user with existing admin rights uses “Run as administrator” on their own. Within a few weeks you have a real inventory of what actually gets elevated in your environment, which is almost always shorter and stranger than anyone predicted.
Next, build rules from that data. Common first rules cover driver and printer utilities, line of business application updaters, and the tools your helpdesk elevates daily. Prefer publisher certificate rules over file hashes where possible, since hash rules break every time a vendor ships an update, and be conservative with automatic elevation.
Then remove admin rights from the pilot group and let EPM handle elevation. Expect a short spike in support approved requests, and treat each one as input for a new rule rather than a failure. When the pilot is stable, expand in waves. Communicate clearly throughout: users who have had admin rights for years need to know what is changing, why, and exactly what to do when they see an elevation prompt.
Finally, keep monitoring. EPM reporting shows every elevation, and the unmanaged elevation report tells you which admin accounts you have not converted yet. Treat the rule set as a living configuration with an owner, because applications change and new tools arrive.
What to Do Next
If you are on Microsoft 365 E5, the question is no longer whether to invest in privilege management. The capability is already in your tenant. The question is how quickly you can retire standing admin rights, and possibly a third-party product along with them. If you are on E3, the 90 day trial lets you run the audit phase at no cost and build the case with your own data.
Steeves works with organizations across Canada to plan and deploy Intune, from baseline configuration through advanced capabilities like EPM. We can help you run the audit, design the rule set, and sequence the removal of admin rights so your users barely notice the change.
Get in touch with the Steeves team to talk through your endpoint privilege posture and find out what your Microsoft 365 subscription can already do.