Endpoint Privilege Management with Microsoft Intune

One of the biggest challenges faced by IT shops is balancing productivity with strong security controls. To make sure employees are productive and you aren’t overwhelmed by help desk calls, employees need some freedom to install applications, update drivers, and run troubleshooting tools.

This is usually achieved by giving users local admin rights. For many organizations, especially those seeking more mature endpoint management services, granting local admin rights creates a wide attack surface, increases the risk of malware infections, and makes compliance audits very difficult.

For years, organizations have had to choose between locking users down and dealing with frustrated help desk calls, loosening restrictions and accepting the security risks that come with that, or paying a lot of money for a third-party solution to manage admin rights for them.

Endpoint Privilege Management (EPM) in Microsoft Intune can help you get to the middle ground with local admin rights. EPM is designed specifically for Windows enterprise environments to give IT control over when and how users can elevate to admin. Instead of permanent admin rights, your users can remain in standard user accounts, while Intune policies dictate which applications or scripts can run with admin permissions. Admin elevations are temporary, logged, and executed under a different account rather than the user’s account. EPM allows end users to be productive and get their work done while protecting the larger environment.

It’s also worth noting that Microsoft has announced that in 2026, EPM will come as part of M365 E5 licenses.

How EPM Works

EPM is made up of two types of policies within Intune:

  • Elevation settings policies: define how the EPM client behaves on the device. These policies dictate whether users can request elevation, whether those requests are automatically approved, and what is logged for each elevation event.
  • Elevation rules policies: define which items can be elevated and under which conditions. Rules can be based on publisher certificates, file hashes, file paths, and command-line arguments. They can be assigned to specific users or groups, so the rules can differ between parts of your org.

When a user attempts to run something that requires elevation, the EPM client checks the rules. If the request matches a rule, the process is elevated in a different account. If the request does not match a rule, the request is either flat-out denied or logged for review. This model allows you to be precise and intentional with admin privileges rather than having to grant blanket admin rights.

Real-World Scenarios

Here are three real-world examples of how EPM can be used:

  1. Self-service application installs/updates: users need to install and update applications such as Adobe Creative Cloud. You can create a rule in EPM that allows the Adobe installer to elevate to admin. Users stay in standard accounts, but they can still install and update their tools without needing help from IT.
  2. Driver updates: users need to update drivers on their computer. It’s increasingly important for drivers to be kept up to date, as out-of-date drivers are becoming a frequent target for bad actors. Instead of granting admin rights just to keep drivers current, you can create a rule in EPM that permits those signed driver installers to elevate, optionally only during a specific time window. The environment is protected from vulnerable drivers, and the risk that comes with permanent admin rights is minimized.
  3. Diagnostics for support staff: your help desk team may need to run certain troubleshooting utilities with elevated rights. EPM lets you define rules for those tools, ensuring they can do their jobs while every elevation is logged for audit purposes.

Deployment Approach

Rolling out EPM successfully requires a phased approach with robust communication with your users.

  1. Audit mode: enable elevation settings in audit mode. This will show you which apps your users are trying to elevate and can help you identify potential elevation rule policies.
  2. Craft policies securely: use strong indicators like publisher certificates or file hashes. Only use file paths or file names if absolutely necessary. This will help to reduce the risk of malicious elevation.
  3. Pilot with a small group: target a small subset of devices or users, validate the rules, and refine them before expanding org wide.
  4. Communicate with users: let your users know what to expect. EPM elevations may be automatic or require a prompt, and clear communication will reduce confusion, help desk calls, and user pushback.
  5. Monitor and adjust: use Intune’s reports to track elevation events. You can also forward logs to your SIEM if you need centralized visibility.
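To support the "craft policies securely" step, here is an added PowerShell helper that is not part of the original post and not Microsoft's code. It inspects the exact binary users will launch, reports the Authenticode publisher and a SHA-256 file hash (the two strong indicators recommended above), and flags unsigned or invalidly signed files so they are not turned into publisher-based rules. The file path is an assumed example; confirm the hash format Intune expects when you paste the value into the rule.

```powershell
# Added example (not from the original post): collect the strong identifiers for an
# installer before writing an EPM elevation rule. Assumes $Path is the exact binary
# that users will launch, not a wrapper or shortcut.
function Get-EpmRuleEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    $publisher = $null
    $issuer    = $null
    if ($sig.SignerCertificate) {
        $publisher = $sig.SignerCertificate.Subject
        $issuer    = $sig.SignerCertificate.Issuer
    }

    # A publisher-based rule is only as trustworthy as the signature check behind it,
    # so anything other than a 'Valid' status is steered toward a hash-only rule or no rule.
    $recommend = switch ($sig.Status) {
        'Valid' { 'Publisher certificate (preferred); add the hash as an extra condition if the app rarely changes' }
        default { 'Unsigned or invalid signature: use file hash only, or do not allow elevation' }
    }

    [pscustomobject]@{
        FileName        = $file.Name
        FileVersion     = $file.VersionInfo.FileVersion
        ProductName     = $file.VersionInfo.ProductName
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        Issuer          = $issuer
        Sha256          = $hash.Hash
        Recommendation  = $recommend
    }
}

# Example usage (assumed path): show the values to copy into the elevation rule.
Get-EpmRuleEvidence -Path 'C:\Temp\Creative_Cloud_Set-Up.exe' | Format-List
```

Run it against each binary surfaced by the audit-mode report before you write its rule; a file that shows up unsigned is a candidate for a hash rule or for a conversation with the vendor, not for a path-based rule.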

Security and Compliance Benefits

EPM can help significantly strengthen your security posture. By removing permanent admin rights, you reduce the attack surface for malware and insider threats. Every elevation is logged, which supports compliance audits and incident investigations. Even if security isn’t your primary focus for implementing EPM, these benefits come as part of the package.

Final Thoughts

EPM is one of those features that can fundamentally change how you manage your Windows devices. It gives you the ability to take away permanent admin rights without significantly impacting productivity. By starting small, building strong rules, and communicating clearly, you can roll it out smoothly in your organization.
