Microsoft Endpoint Privilege Management: free in E5, but not free to run

Author: Phillip Büchler

I get this question in almost every Modern Workplace engagement, usually about twenty minutes after we agree that standing local admin rights have to go: “Don’t we already have something for that in our Microsoft licence?” For years the honest answer was “almost — it’s an add-on.” From July 2026, the answer changes, and it’s worth a blog post, because the gap between Microsoft’s Endpoint Privilege Management (EPM) and the established specialist tools is smaller than those vendors will tell you — and larger than Microsoft’s pre-sales decks suggest.

Let’s set the scene properly first.

What EPM actually is — and what it costs from July 2026

Endpoint Privilege Management is Microsoft’s Intune-native answer to the local-admin problem: users run as standard users, and individual applications elevate based on policy — automatically, after user confirmation, or after support approval. Every elevation is logged centrally. The mechanics live in the Intune admin centre under Endpoint security, split into two policy types: an elevation settings policy that provisions the agent and sets the default behaviour, and elevation rules policies that define which binaries may elevate and on what signal (file hash, publisher certificate, or file metadata).

Until now, EPM required Intune Plan 1 plus either the standalone EPM add-on or the Intune Suite bundle — it was in no Microsoft 365 plan, not even E5. That changes with Microsoft’s July 2026 licensing update: Intune Suite capabilities are being folded into the core enterprise plans. M365 E3 picks up Remote Help, Advanced Analytics, and Intune Plan 2; M365 E5 additionally gets Endpoint Privilege Management, Enterprise Application Management, and Cloud PKI.¹ Note the asymmetry: EPM lands in E5, not E3. If your estate runs on E3, you are still in add-on territory.

So is it “free”? From a capex and procurement perspective, for an E5 organisation: effectively yes. There is no new budget line, no vendor evaluation, no contract to negotiate, no second agent vendor to onboard through your supplier risk process — which, for a FINMA-regulated institution, is a non-trivial saving in itself. Two honest caveats belong next to that statement. First, Microsoft raised E5 list pricing alongside the change (from USD 57 to USD 60 per user per month at list), so “free” means “absorbed into a price increase you’re paying anyway”.² Second, while the pricing change is effective 1 July 2026, the global backend rollout across enterprise tenants is a phased deployment that Microsoft notes will scale through the third quarter of calendar year 2026.³ Verify the entitlement and feature state in your tenant under Tenant administration → Intune add-ons before you build a single policy.

That commercial picture is the real advantage, and it has three parts.

First Consideration: the platform argument

EPM is not a product bolted onto your environment; it is a feature of the management plane you already run. Policies are assigned through the same groups, filters, and scope tags as everything else in Intune. Reporting lands in the same console your endpoint team already watches. Conditional Access, compliance policies, and Defender for Endpoint signals live next door. For an IT manager who has spent the last three years consolidating onto the Microsoft stack, adding a second agent with its own cloud backend just to manage UAC prompts is a hard sell — operationally and in front of the architecture board.

There is also a governance benefit that gets underestimated: one audit trail, one RBAC model, one set of admin identities to protect. Every additional management plane is an additional attack surface, and your auditors know it.

Second Consideration: “free” licence, paid-for operations

Here is where I push back on my own framing. Zero licence cost does not mean zero cost. EPM’s operational model demands more of your team than the polished specialist tools do, in ways that only show up after deployment:

You build and curate the elevation rules yourself. There is no vendor-maintained application catalogue doing that work for you — you run an audit phase, read the elevation reports, and write rules keyed to publisher certificates and file paths (never certificate alone⁴). EPM’s reporting pipeline processes data on a roughly 24-hour cycle, which is fine in steady state and frustrating during the rule-building phase. The support-approved flow works, but there is no native mobile approval app and no real-time approval experience to speak of. And the deployment itself needs discipline: audit ring first, pilot ring second, production third — and then the step everyone skips, actually removing standing local admin from the user population. EPM without that last step is theatre. A recent CIAOPS write-up on making EPM deployments stick makes the same point from the trenches, along with a warning I will second from experience: TLS inspection on your proxy will silently break EPM telemetry, and the error messages will not help you.⁵
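To make that rule-building step concrete, here is an added PowerShell example (not from the original post and not Microsoft's own tooling) that pulls the three signals an elevation rule can key on out of one installer, and then lists which other binaries on the machine would ride along under a certificate-only rule, which is the risk footnote ⁴ describes. The installer path and the scan root are placeholders you would replace.

```powershell
# Added example, not from the original post. $Installer is a placeholder path.
# Collects the signals an Intune EPM elevation rule can be keyed on (file hash,
# publisher certificate, file metadata) from one binary captured during the audit phase.
$Installer = 'C:\Temp\MarketDataPlugin-Setup.exe'   # placeholder (assumption)
$ScanRoot  = 'C:\Program Files'                      # placeholder (assumption)

# 1. File-hash signal: SHA-256 of this exact binary. Tightest rule, breaks on every update.
$sha256 = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash

# 2. Publisher-certificate signal: the leaf signing certificate, exported as a .cer
#    so it can be attached to the rule. Refuse to build a rule on anything but a
#    valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; do not base an elevation rule on it."
}
$leaf    = $sig.SignerCertificate
$cerPath = [System.IO.Path]::ChangeExtension($Installer, '.cer')
$der     = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# 3. File-metadata signal: version-resource fields that a publisher+metadata rule can pin.
$vi = (Get-Item -Path $Installer).VersionInfo

[pscustomobject]@{
    Sha256         = $sha256
    Publisher      = $leaf.Subject
    CertThumbprint = $leaf.Thumbprint
    CertFile       = $cerPath
    ProductName    = $vi.ProductName
    InternalName   = $vi.InternalName
    FileVersion    = $vi.FileVersion
}

# Why "never certificate alone": every other executable under $ScanRoot signed with the
# same certificate would also elevate under a certificate-only rule. Review this list
# before deciding whether the rule needs a file-path or metadata constraint as well.
Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object {
        $_.Status -eq 'Valid' -and
        $_.SignerCertificate.Thumbprint -eq $leaf.Thumbprint -and
        $_.Path -ne $Installer
    } |
    Select-Object -ExpandProperty Path
```

Run it on a reference machine from the audit ring; if the final list contains anything you would not want elevating on its own, the rule needs a second signal alongside the certificate.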

Picture Adele Vance, a relationship manager at a mid-sized financial institution. She needs to update a market-data plugin every quarter, and the vendor — in time-honoured fashion — requires admin rights for the installer. With a properly built EPM rule, that installer elevates, the event is logged, and Adele never sees a credential prompt. EPM handles this bread-and-butter scenario well. The question is how much engineering time you spent getting there, and whether your helpdesk can live with the workflow on the day something isn’t covered by a rule.

Third Consideration: what the specialists say — and where they’re right

The established vendors have, predictably, published their own comparisons against Microsoft’s EPM, and they are worth reading with the usual filter applied: these are marketing documents written by people with quota. That said, the substantive claims hold up.

Admin By Request published a direct comparison in March 2026 arguing that Intune EPM works exclusively on Windows endpoints with no macOS support, while their product covers Windows, macOS, and Linux from a single platform with the same policies, approval workflows, and audit trail — and they emphasise real-time operations and built-in malware scanning of binaries before elevation is granted.⁶ The platform-coverage point is simply true. If you have a Mac population in the front office or Linux machines that need privilege governance, EPM does not play in that league, and you will be running a second tool anyway. The real-time point is also fair: ABR’s approval experience, including the mobile app, is the thing they built their reputation on, and it is the area where EPM feels most austere.

BeyondTrust has been making the “picking up where Microsoft leaves off” argument since before Microsoft’s EPM existed, and their current product positioning centres on two things EPM does not do.⁷ The first is depth across platforms — Windows, macOS, and Linux including server estates under one policy model. The second is post-elevation control: their Trusted Application Protection restricts attack-chain tooling such as PowerShell and script hosts spawned from everyday applications like Office and browsers, addressing the living-off-the-land pattern directly.⁸ Microsoft EPM decides whether something elevates; it does not constrain what an elevated process may then do. The closest Microsoft answer is combining EPM with App Control for Business — a separate and considerably heavier deployment exercise.

ThreatLocker positions its Elevation Control as one module of a zero-trust allowlisting platform: elevation is assigned at the application level rather than the user level, users never type admin credentials on the endpoint, policies can be time-bound, and approvals happen in real time from a console or mobile app.⁹ Their distinctive piece is ringfencing — once an application is elevated, it can be prevented from touching other applications, the network, or arbitrary file paths.¹⁰ That post-elevation containment has no EPM equivalent today.

Notice the pattern across all three: nobody seriously disputes that Microsoft EPM covers the core Windows use case. The differentiation arguments have retreated to platform breadth, workflow polish, and post-elevation containment. That retreat is itself informative — it tells you where the baseline now sits.

Where that leaves you

My working rule, updated for July 2026: if you are an E5 shop with a Windows client estate under Intune, and your users’ elevation needs are installer-and-driver shaped, deploy the EPM you are now paying for anyway — and invest the procurement savings in the operational side: rule curation, ring discipline, and actually removing local admin. If you have a mixed-OS estate, servers in scope, regulatory pressure for post-elevation containment, or a helpdesk that needs real-time approval workflows, the specialist tools earn their price — in the areas Microsoft has not reached, not in the basics.

The basics, from July, come with the licence. The operations never did.

Et voilà.


Footnotes

¹ Summarised across several licensing analyses of Microsoft’s announcement, e.g. Petri, “Microsoft Adds Intune Suite Features to Microsoft 365 E3/E5 Plans” (Dec 2025), and Phoenix Software, “What’s changing with Microsoft 365” (Dec 2025).

² Sourcepass MCOE, “What Changes in Microsoft 365 E5 on July 1, 2026?” — E5 list moves from USD 57 to USD 60 per user/month. Swiss EA pricing will differ; check your price list. Note that this 5.3% list price change lands alongside Microsoft’s structural removal of Enterprise Agreement (EA) volume discounts globally, compounding the real cost impact for large enterprises.

³ Codify, “Microsoft 365 E3 and E5 Licensing Changes” (Feb 2026). While some secondary analyses highlighted an October timeline, official tenant communications clarify that feature rollouts begin in CY26 Q3 with a targeted completion window scaling through the summer, preceded by a standard 30-day Admin Message Center notification.

⁴ A certificate-only rule elevates anything signed by that publisher. Some vendors sign their entire product catalogue — including the remote-access tool you definitely did not intend to elevate — with one certificate.

⁵ blog.ciaops.com, “Endpoint Privilege Management in Intune: a deployment that actually sticks”, May 2026.

⁶ adminbyrequest.com, “Admin By Request EPM vs Microsoft Intune EPM: A Detailed Comparison”, March 2026.

⁷ beyondtrust.com, “Picking up Where Microsoft Leaves off with Modern Management”. Written in the Windows 10 era, but the thesis hasn’t changed — only the Microsoft feature set it argues against has grown.

⁸ beyondtrust.com, Endpoint Privilege Management for Windows and Mac product page (Trusted Application Protection).

⁹ threatlocker.com, Elevation Control platform page.

¹⁰ A QuickBooks-style example from ThreatLocker’s own material: a monthly updater gets a standing elevation policy scoped to that one process, instead of a monthly helpdesk ticket — and ringfencing keeps the elevated process from reaching anything else.