It’s 2025. If your users still have local admin rights “just in case,” you’re not managing risk — you’re managing liability. Modern endpoint management has moved on, and your approach to admin rights needs to move with it.

Gone are the days when the only way to keep users productive was to give them local admin and hope for the best. With tools like Intune Endpoint Privilege Management (EPM), LAPS, and third-party options like BeyondTrust, you can now strip out excessive rights without creating a helpdesk nightmare.

Why Local Admin Rights Are Still a Thing (Unfortunately)

Let’s be real: users ask for admin rights because something doesn’t work. They want to install Zoom, update a printer driver, or run legacy software. And IT teams often give in because they don’t have the tools to offer a better experience.

But every local admin account is a security hole waiting to be exploited. Admin rights:

  • Let users install unapproved software.
  • Increase malware risk.
  • Create compliance nightmares.
  • Make zero trust enforcement nearly impossible.
  • Enable privilege escalation from malware or untrusted software.
  • Allow users to disable parts of the endpoint security stack.

In short: they’re the low-hanging fruit that attackers love.

The Right Way to Manage Admin Rights in 2025

Here’s how smart organisations are doing it now:

1. Intune Endpoint Privilege Management (EPM)

Microsoft’s built-in EPM lets you elevate specific applications without giving users full admin rights. Users can request elevation when needed, and approvals are audited. It’s not perfect yet, but it’s getting better with each release. Elevations are policy-driven and logged, and it integrates directly with Intune’s device management stack.

That said, Intune EPM has some fairly serious limitations. It only really makes sense if you’re already paying for the Intune Suite or plan to use multiple products from it. As a standalone value prop, it can be hard to justify for organisations that just need elevation for a few apps.

Security: Decent, assuming elevation policies are tightly scoped.

User Experience: Improving, but users may be confused by elevation prompts and inconsistent delays.

One important caveat: Intune EPM is limited to elevating .exe, .msi, and .ps1 files only. Elevation rules rely on static identifiers like file hashes, paths, and optional certificates, which can be problematic for apps that update frequently. If a file’s hash changes — say, after a patch or version update — the elevation rule breaks unless you manually update the policy. That makes it fragile for anything dynamic, like dev tools, self-updating apps, or scripts with changing content. Reusable certificate-based rules help a bit, but for fast-moving environments, this can be a real headache.
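To make the fragility concrete, here is an added PowerShell example (not code from the original post) that compares the identifiers an EPM rule can be keyed on, file hash versus signing certificate, across two builds of the same application. The two paths are placeholders; point them at the pre-update and post-update copies of a real signed binary and you will see the SHA-256 change while the publisher subject stays the same.

```powershell
# Added example, not code from the original post. Compares the identifiers an
# Intune EPM elevation rule can be keyed on (file hash vs. signing certificate)
# across two builds of the same app. Both paths are placeholders.
$BeforeUpdate = 'C:\Apps\ExampleTool\1.0\exampletool.exe'   # placeholder
$AfterUpdate  = 'C:\Apps\ExampleTool\1.1\exampletool.exe'   # placeholder

function Get-ElevationRuleIdentity {
    # Collects the properties an elevation rule commonly matches on for one file.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus  = $sig.Status                       # 'Valid' only for a trusted, intact signature
        Publisher  = $sig.SignerCertificate.Subject    # $null if the file is unsigned
        Thumbprint = $sig.SignerCertificate.Thumbprint # changes whenever the vendor renews its cert
    }
}

$old = Get-ElevationRuleIdentity -Path $BeforeUpdate
$new = Get-ElevationRuleIdentity -Path $AfterUpdate

# A hash rule is tied to one exact build; any patch invalidates it.
if ($old.Sha256 -ne $new.Sha256) {
    Write-Output "Hash changed ($($old.Sha256) -> $($new.Sha256)): a hash rule written for 1.0 will not elevate 1.1."
}

# A certificate rule survives the update as long as the vendor keeps signing
# under the same publisher identity and the signature still validates.
if ($old.SigStatus -eq 'Valid' -and $new.SigStatus -eq 'Valid' -and
    $old.Publisher -eq $new.Publisher) {
    Write-Output "Same valid publisher on both builds: $($new.Publisher)"
    Write-Output "Prefer a certificate-based rule; add a path/filename condition to keep it narrow."
}
elseif ($new.SigStatus -ne 'Valid') {
    # Unsigned or untrusted binaries leave only hash/path rules, so a policy
    # update has to be planned into every release of this app.
    Write-Output "Post-update build is not validly signed ($($new.SigStatus)); a hash rule is needed and must be re-issued on each release."
}
```

Note that the thumbprint is not a durable key either: it changes every time the vendor renews its code-signing certificate, so a rule should be anchored on the publisher identity rather than a specific certificate where the tooling allows it.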

2. LAPS (Local Admin Password Solution)

Use LAPS to rotate unique, strong local admin passwords per device. This gives IT a secure break-glass option if elevation fails — without leaving backdoors open. The new Intune-integrated LAPS makes password recovery seamless for authorised support teams while eliminating the shared password problem.

Security: Excellent for emergency access; passwords are rotated and logged.

User Experience: Not user-facing — strictly for IT use.
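The break-glass flow described above, as an added PowerShell example rather than code from the original post: retrieve the Windows LAPS-managed password for an Entra-joined device from an authorised support workstation, use it as a credential object, and rotate it afterwards. It assumes the Windows LAPS and Microsoft.Graph PowerShell modules are installed, that the operator holds a role permitted to read device local credentials, and that the output property names (`Account`, `Password`, `PasswordUpdateTime`, `PasswordExpirationTime`) match the LAPS module documentation; `PLACEHOLDER-DEVICE` stands in for a real device name or Entra device ID.

```powershell
# Added example, not code from the original post. Break-glass retrieval of a
# Windows LAPS-managed local admin password for an Entra-joined device.
# Assumes the Windows LAPS and Microsoft.Graph modules are installed and the
# operator is allowed to read device local credentials.
$DeviceName = 'PLACEHOLDER-DEVICE'   # device name or Entra device ID

# DeviceLocalCredential.Read.All is the permission LAPS retrieval needs;
# Device.Read.All lets the cmdlet resolve a device name to its ID.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

function Get-BreakGlassCredential {
    # Returns a PSCredential for the LAPS-managed account without ever
    # putting the password on screen. Each retrieval is recorded in Entra
    # audit logs, so the read itself is the evidence trail.
    param([Parameter(Mandatory)][string]$DeviceName)

    # Password comes back as a SecureString unless -AsPlainText is added.
    $entry = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
    if (-not $entry) { throw "No LAPS password stored for '$DeviceName'." }

    Write-Verbose ("Account {0}, set {1}, expires {2}" -f
        $entry.Account, $entry.PasswordUpdateTime, $entry.PasswordExpirationTime)

    New-Object System.Management.Automation.PSCredential($entry.Account, $entry.Password)
}

$cred = Get-BreakGlassCredential -DeviceName $DeviceName -Verbose

# ... use $cred for the emergency session (e.g. Enter-PSSession -Credential $cred) ...

# Rotation after use: Reset-LapsPassword must run ON the device (it needs local
# admin there). Run it inside the break-glass session, or trigger the Intune
# "Rotate local admin password" remote action from the admin centre, so the
# password that was just exposed to a human does not remain valid.
#   Reset-LapsPassword

Disconnect-MgGraph | Out-Null
```

The point of wrapping this in a function that returns a `PSCredential` is that the password never needs to be displayed or pasted; it goes straight into the session, and the only lasting record is the audit entry for the read and the rotation that follows.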

3. BeyondTrust EPM or CyberArk EPM

Let’s be blunt: Entra PIM won’t save you here. It’s too slow to sync and isn’t designed for endpoint-level privilege. If you need fast, responsive, local elevation with full logging and policy control, these enterprise-grade tools are the gold standard. They also offer automated workflows, policy-based approvals, and better user experience than the current Microsoft stack.

Security: Top-tier. Granular policy control, full audit trails, real-time logging.

User Experience: Excellent. Slick, responsive UI with clear prompts and low friction.

4. Stop Needing Elevation in the First Place

Half the time users want admin access, it’s to install or update something. Fix that:

  • Use Patch My PC or Chocolatey to automate application deployment.
  • Keep your app catalogue fresh with ongoing lifecycle management.
  • Package apps as Win32 in Intune and use supersedence to manage updates.
  • Ensure all devices follow a consistent deployment baseline through Autopilot.

Making apps available through the Company Portal avoids users even thinking about admin access. Fewer helpdesk calls, fewer breaches, and far fewer frustrated sighs.

Security: Excellent — no admin rights required.

User Experience: Seamless if application packaging is up to date.

Product Comparison Table

Solution | Security Rating | UX Rating | Best Use Case | Limitations
--- | --- | --- | --- | ---
Intune EPM | Moderate | Moderate | General users, basic app elevation | Requires Intune Suite, limited standalone value
LAPS (w/ Intune integration) | High | N/A | IT break-glass local access | No user-facing capability
BeyondTrust/CyberArk EPM | High | High | Developers, power users, secure elevation | Cost, deployment overhead
Patch My PC/Chocolatey | High | High | App management without elevation | Limited to app ecosystem
Entra PIM | Moderate | Low | Cloud role elevation | Not suitable for endpoint elevation

The Big Use Cases: Support Teams and Developers

Let’s not ignore the usual suspects:

  • Support technicians often ask for local admin to run diagnostics or install drivers in the field. Instead, equip them with escalation tools like EPM or provide a secure break-glass admin login managed through LAPS.
  • Developers are notorious for wanting admin rights to compile code, install packages, or tweak system settings. Instead of blanket elevation, create containerised dev environments or use role-based elevation tools that grant permissions only when needed. If you need to, give them a dedicated dev VM with full access — not unrestricted access to their day-to-day laptop.

Both groups can function securely without standing admin rights. It just requires a bit of design thinking and the right tools.

Bad Practices That Still Need Killing

  • Giving temporary local admin via GPO and forgetting to remove it.
  • Letting devs or contractors have permanent elevation “for convenience.”
  • Assuming Conditional Access policies protect devices with full admin.
  • Using shared local admin accounts across machines.

These aren’t just outdated; they’re dangerous.
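The first, second and fourth of those bad practices all leave a trace in the same place: the local Administrators group and the list of enabled local accounts. Here is an added PowerShell audit (not code from the original post) that reports any member of the Administrators group not on an allow-list, and any enabled local account other than the one LAPS manages. The allow-list entries are placeholders for your own managed principals; it is written to run on the local machine and can be pushed across a fleet with `Invoke-Command`.

```powershell
# Added example, not code from the original post. Finds forgotten temporary
# admins, "convenience" elevation for devs/contractors, and shared local
# accounts by auditing the local Administrators group and enabled local users.
# Allow-list entries are placeholders for your own managed principals.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator"   # the LAPS-managed built-in account
    'AzureAD\ExampleDeviceAdmin'        # placeholder for a managed Entra principal
)

function Get-UnexpectedLocalAdmin {
    # Returns every Administrators member that is neither allow-listed by name
    # nor by SID. On Entra-joined devices, Entra users and roles appear as
    # S-1-12-1-* SIDs; add those SIDs to the allow-list once identified.
    param(
        [string[]]$AllowList,
        [string]$Group = 'Administrators'
    )
    Get-LocalGroupMember -Group $Group | ForEach-Object {
        $sid = $_.SID.Value
        [pscustomobject]@{
            Name    = $_.Name
            Type    = $_.ObjectClass       # User or Group
            Source  = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID     = $sid
            Allowed = ($AllowList -contains $_.Name) -or ($AllowList -contains $sid)
        }
    } | Where-Object { -not $_.Allowed }
}

function Get-ExtraLocalAccount {
    # Every enabled local account apart from the LAPS-managed one is a
    # candidate shared or leftover account and should be justified or removed.
    param([string]$ManagedAccount = 'Administrator')
    Get-LocalUser |
        Where-Object { $_.Enabled -and $_.Name -ne $ManagedAccount } |
        Select-Object Name, LastLogon, PasswordLastSet
}

$unexpected = Get-UnexpectedLocalAdmin -AllowList $Allowed
$extra      = Get-ExtraLocalAccount

if ($unexpected) {
    Write-Output "Unexpected members of Administrators on $env:COMPUTERNAME:"
    $unexpected | Format-Table Name, Type, Source, SID -AutoSize
} else {
    Write-Output "Administrators group matches the allow-list."
}

if ($extra) {
    Write-Output "Enabled local accounts besides the managed one:"
    $extra | Format-Table -AutoSize
}

# Fleet-wide run (placeholder computer list; requires WinRM):
#   Invoke-Command -ComputerName (Get-Content .\devices.txt) `
#       -ScriptBlock ${function:Get-UnexpectedLocalAdmin} -ArgumentList (,$Allowed)
```

Two practical caveats: a group listed as a member (for example a domain or Entra group) hides its own membership, so groups that show up here need expanding separately; and on some Windows builds `Get-LocalGroupMember` throws when the group contains an orphaned SID, in which case `net localgroup Administrators` still lists the raw entries.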

What About Admins Themselves?

Your IT team shouldn’t be excluded from this conversation:

  • Use Privileged Access Workstations (PAWs) with no standing access.
  • Use Entra PIM for elevating to tenant-wide roles like Global Admin — but not for local rights.
  • Keep the principle of least privilege everywhere.
  • Review access regularly and tie all admin access to MFA and logging.

Even your sysadmins shouldn’t be above policy.

Final Thought – The Productivity Myth

Some argue admin rights boost productivity. In reality, they create inconsistency, downtime, and rework when machines drift from the baseline. By automating app installs and reducing the need for intervention, you make users faster and IT more scalable. With devices now out in the wild, connected via home Wi-Fi, Starlink, or mobile tethering, you can’t rely on traditional network security perimeters. That makes endpoint security critical. And admin rights are the soft underbelly.

Stripping them out reduces lateral movement, kills off common malware vectors, and forces you to build a better, automated management experience that scales.

It also means that when devices are compromised, the blast radius is smaller — no local admin, no domain escalation. Removing admin rights isn’t about making life harder for users — it’s about giving them a better, safer experience without the risk. The tooling is here. The excuses aren’t.

Just remember: in 2025, default admin is a default fail. Choose tools that match your user base, automate what you can, and ditch the habit of treating every laptop like a domain controller in disguise.
