Works standalone · Perfect with Intune

Privilege Manager

Privilege Manager removes standing local admin rights and replaces them with time-bound, policy-driven elevation. Users get access only for the exact task they need, for a defined window — with every event logged and exportable for audits.

Use it standalone. Or layer it on top of your existing Microsoft setup.

0 standing admins
100% elevation logged
Chrome installer elevated · 5 min · auto-revoked
cmd.exe elevation blocked by policy
VPN client elevated · 2 min · auto-revoked
Printer driver elevated · 3 min · auto-revoked
Trusted by IT teams across the Nordics
NIRAS · Global engineering consultancy
Lattec · Agricultural technology
Holbæk Kommune · Municipal government
Belfor · Damage restoration services
Vordingborg Køkkenet · Retail & manufacturing
Ishøj Kommune · Municipal government
Dignity · Financial services

Standing local admin was our biggest unresolved risk. CapaOne removed it fleet-wide in a single afternoon.

What You Can Do

Least privilege — without stopping work

Privilege Manager removes standing local admin rights and replaces them with time-bound, auditable elevation. Users request (or receive) privileges only when needed, for the exact task or application, and only for a defined window of time — so work keeps moving while risk stays low.

Key Capabilities

Built to eliminate excess privilege

Time-Bound Elevation

Grant admin privileges for minutes, not days — auto-revoke on expiry with no manual cleanup needed.

Scope-by-Design

Elevate a specific executable, installer, command, or task — never the entire session.

Session Elevation

Quiet, in-context prompts with configurable notifications and minimal disruption to the user's workflow.

Policy Engine

Define who can elevate what, where, and under which constraints — per user, group, device, or application.

Guardrails

Fully customisable controls for high-risk tools and sensitive actions — allow/deny rules with evidence capture.

Break-Glass Controls

Tightly scoped emergency elevation for critical, time-sensitive situations — without handing out standing admin.

Logs & Evidence

Who/what/when, endpoint, binary details, time, duration, and outcome — all exportable to CSV for audits and change boards.

User Experience Controls

Pre-approve apps by name or path, configure self-service prompts, and keep users moving without IT bottlenecks.

Best Together

How it fits with Intune

Already running Intune? Privilege Manager layers on top — your existing Intune setup stays intact while CapaOne handles the granular privilege controls Intune alone cannot provide.

Security & Compliance

Least privilege is the new baseline

Local admin rights on every device are the single biggest privilege misconfiguration in most Windows environments. Privilege Manager closes it — for good.

Operational Benefits

Outcomes your team will notice

Fewer tickets

Users complete routine tasks with self-service, within policy — no helpdesk call needed.

Faster fixes

Support can grant scoped elevation quickly without handing out full admin credentials.

Lower risk, less rework

Strong guardrails reduce misconfiguration and malware exposure from excess privilege.

Happier users

No more waiting hours for simple installs — done safely in minutes, within policy.

Goals You Can Achieve

What "done" looks like

Typical Rollout Pattern

Live in four steps

Most teams remove standing local admin the same day they start.

01. Baseline & Remove

Remove standing local admin from target groups and establish a clean privilege baseline across the fleet.

02. Define Policies

Set elevation policies for standard tasks — approved installers, printers, VPN clients, developer tools.

03. Pilot & Tune

Roll out with short durations and strict guardrails. Review logs, tweak policies, confirm user experience.

04. Operationalise

Scale to departments with scheduled policy reviews, periodic access recertification, and exportable evidence.

FAQ

Questions, answered

How does elevation work in practice?

Users trigger elevation for a specific executable. Policies decide whether to auto-approve or require confirmation. Admin privileges apply only to that scope and auto-expire — no manual cleanup.

Can we block risky tools by default?

Yes. Create deny rules for shells or unsigned installers and require explicit policy exceptions for controlled use — so dangerous tools can never be silently elevated.

Do we need to keep some users as local admins?

Best practice is no standing admin. Use policies for routine tasks and break-glass elevation for rare exceptions. Almost all real-world scenarios can be handled without permanent admin.

What's captured for audits?

User, endpoint, binary details (executable name, app path), time, duration, and outcome — all exportable to CSV for audits, change boards, and cyber insurance requirements.

How do we prevent elevation from lasting too long?

Set a short duration on each policy rule. Elevation auto-revokes on expiry with no admin action required.

Does this integrate with Intune and Entra ID groups?

Yes. Target policies via Entra ID groups, respect existing group structure, and run alongside your Intune compliance and configuration profiles.

What happens offline?

Policies can allow cached decisions for low-risk tasks with strict durations, and queue logs for sync when the endpoint is back online.

Can support staff grant elevation without sharing admin credentials?

Yes. Support can authorise a scoped, time-bound elevation without exposing local admin accounts — keeping credentials off the wire.

How quickly can we roll this out?

Typically within the same day. Remove standing local admin privileges, apply standard policies to test endpoints, then scale to departments with measured guardrails and reporting.

Ready to get started?

Consolidate your endpoint privilege operations with CapaOne — standalone or with Intune.