It is installed as a kernel mode driver which is even higher privileges than a user mode admin. It isn't quite standard for EDR agents as there are a lot of solutions whose agents only use usermode hooking for their detections.