For a long time, the advice here has been some version of the same thing: get standing local admin rights off your Windows endpoints. The usual objection is cost — a proper privilege-management tool is another vendor, another contract, another line item. On July 1, 2026, that objection gets a lot weaker.
Microsoft is folding several Intune Suite capabilities into Microsoft 365 E3 and E5, and for E5 customers that includes Endpoint Privilege Management (EPM) — the feature that lets you remove local admin and still let users do the handful of things that used to need it. If you have an E5 tenant, a capable least-privilege tool is about to appear in your licensing at no extra cost. Here is how to actually use it.
What changes on July 1
According to Microsoft and write-ups from Security Risk Advisors and Petri, eligible tenants are provisioned with the new capabilities automatically:
- Microsoft 365 E3 gains Remote Help, Advanced Analytics, and Intune Plan 2 features.
- Microsoft 365 E5 gains all of the above plus Endpoint Privilege Management, Enterprise App Management, and Microsoft Cloud PKI.
Microsoft says eligible organisations will get a Microsoft 365 admin center notification roughly 30 days before the change takes effect. Watch for it: the notice means EPM is about to appear in the tenant, so use that month to line up the inventory and rule-building work below rather than waiting until the feature is switched on.
What EPM actually does
Endpoint Privilege Management is built around a simple idea: the user stays a standard user, but specific actions can be elevated on demand. Instead of granting someone permanent admin rights so they can occasionally install an approved app or a printer driver, EPM lets you:
- Define elevation rules for known, trusted files so they run elevated automatically or with one click.
- Require support-approved elevation for everything else, with a request-and-approve workflow.
- Audit every elevation — who elevated what, when, and on which device.
The result is just-in-time, time-bound elevation for the specific tasks that need it, instead of standing administrator accounts that an attacker can ride from initial access straight to SYSTEM. Microsoft’s own materials cite large reductions in permanent admin assignments where EPM is deployed properly.
What EPM does not do
Set expectations before you pitch this internally. EPM elevates actions on managed Windows endpoints. It is not a full privileged-access management platform for servers, domain admin, or break-glass accounts, and it will not magically know which of your apps are safe to elevate — you build that ruleset. Treat it as the endpoint piece of least privilege, not the whole programme.
How this fits the work you have already done
If you have worked through the local admin retirement questions — which apps genuinely need elevation, what the recurring “admin moments” are, how the help desk handles them — you have already done EPM’s hardest prep. The inventory of why people hold admin rights maps almost directly onto EPM elevation rules. The teams that struggle with EPM are the ones that switch it on without ever answering those questions.
What to do now
- Confirm your eligibility and licensing. Check whether your tenant is E5 (full EPM) or E3, and watch the Microsoft 365 admin center for the 30-day enablement notice.
- Inventory standing local admin. Pull the list of who currently holds permanent admin rights on endpoints and, crucially, why. That “why” is your elevation backlog.
- Catalogue the recurring elevation cases. Approved software installs, driver updates, a legacy line-of-business app — group them into “known good” (reusable rules) and “long tail” (support-approved).
- Start in audit mode. Deploy elevation policies in report-only first so you can see real elevation behaviour before you enforce and pull rights.
- Wire the logs into your SIEM. Much of EPM’s value is the audit trail. Make sure elevation events flow somewhere your security team actually reviews.
- Remove the standing rights. This is the step that matters. EPM only reduces risk if you actually take admin away once the elevation rules are working — otherwise you have added a tool and kept the exposure.
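The inventory and removal steps above are the part of this procedure that actually runs on an endpoint, so here is an added example of how to script them. This is illustrative code written for this page, not Microsoft's EPM tooling and not from the write-ups cited above. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows; the allowlist names, the CSV path and the empty "Reason" column are assumptions for the example. By default it only reports, which matches the "start in audit mode" step; once the elevation rules are working, the same script with -Remove strips the flagged members.

```powershell
<#
  Added example (not from the original article or from Microsoft).
  Inventories the local Administrators group on the device it runs on,
  flags every member that is not on an explicit allowlist, writes the
  result to CSV for the "why does this person have admin" interviews,
  and optionally removes the flagged members.
  Default is report-only. Pass -Remove to strip rights; -Remove -WhatIf
  shows what would be removed without touching the group.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical allowlist of principals that may keep standing membership.
    # 'Domain Admins' is auto-added on domain-joined machines; adjust for your estate.
    [string[]]$AllowedMembers = @('Domain Admins'),
    # Assumed output location for the inventory.
    [string]$ReportPath = "$env:TEMP\local-admin-inventory.csv",
    [switch]$Remove
)

$computer = $env:COMPUTERNAME
$members  = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # Names come back as 'DOMAIN\user', 'COMPUTER\user' or 'AzureAD\user@tenant';
    # match the allowlist on the part after the backslash.
    $shortName = $m.Name.Split('\')[-1]

    # The built-in Administrator account always has a SID ending in -500.
    # Keep it as the break-glass account (manage it with LAPS), never strip it here.
    $isBuiltIn = $m.SID.Value.EndsWith('-500')
    $isAllowed = $isBuiltIn -or ($AllowedMembers -contains $shortName)

    [pscustomobject]@{
        Computer        = $computer
        Member          = $m.Name
        ObjectClass     = $m.ObjectClass      # User or Group
        PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        SID             = $m.SID.Value
        Standing        = -not $isAllowed     # $true = candidate for removal / an EPM rule
        Reason          = ''                  # filled in during the inventory interviews
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize

# Removal only runs when -Remove is given, and only for flagged members.
# Members are addressed by SID so the call works for Entra ID principals too.
if ($Remove) {
    foreach ($row in ($report | Where-Object Standing)) {
        if ($PSCmdlet.ShouldProcess($row.Member, "Remove from Administrators on $computer")) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $row.SID
        }
    }
}
```

Run it under Intune as a platform script or proactive remediation so every device reports into the same CSV location, then sort the "Standing" rows by PrincipalSource to separate local accounts from directory principals. Two practical caveats: Get-LocalGroupMember is known to throw on some Entra-joined devices when the group contains orphaned SIDs, in which case `net localgroup Administrators` is the fallback for the inventory; and once you have removed rights, alert on Security event ID 4732 (a member was added to a security-enabled local group) so that someone quietly re-adding themselves shows up in the SIEM next to the EPM elevation events.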
The licensing change does not remove local admin for you. But it removes the last easy excuse not to start. If you are already on E5, the tool you have been putting off buying is about to be sitting in your tenant — use it.

