Reference: Creating Rules in AutoElevate
AutoElevate enables you to create rules that automate elevation requests based on specific software vendors, publisher certificates, file hashes, or other criteria. These rules can be applied at various levels, including individual computers, groups of computers (Locations), grouped Locations (Company), or globally (All Companies/Tenant). Click here to find out more information about the AutoElevate Hierarchy.
A rule consists of three main components:
- Identification Criteria: Defines the conditions under which the rule applies.
- Approval Type: Specifies whether the file should be approved, denied, or ignored, along with the elevation type.
- Scope: Defines the level at which the rule is applied.
Identification Criteria
File Identification Criteria:
- Product Name: Specified by the software publisher and embedded in the binary; may be blank if version information is absent.
- File Path: Full path to the file on the local machine, including the file name. Windows environment variables are expanded when processed.
- File Name: Extracted from the path.
- Original File Name: The name the file was created with; may be blank if version information is absent.
- MD5 Hash: The file's MD5 hash value.
Heads up!
- Do not create rules for applications managed or deployed by the IT Department, such as Microsoft 365 Apps for Enterprise, web browsers (Chrome, Edge, Firefox), 7-Zip, VLC Media Player, etc. If rules are necessary for these applications, the IT Department will handle them.
- Do not create rules for any applications that fail the App Security Checks.
- Avoid creating rules for any operating system processes, applications, or files, including but not limited to Windows Firewall, Command Prompt, PowerShell, DLLs, or Control Panel items.
- Wildcards can be used in rules when applicable, but make sure you understand their impact.
Publisher Identification Criteria
- Subject Elements: Components of the Subject Distinguished Name found in the publisher's certificate. Selecting fewer elements broadens the range of software that matches.
- Certificate Hash: Thumbprint of the certificate used to sign the file, specific to that certificate. Note that publisher certificates often expire within 1–2 years, requiring new thumbprints and potentially updated rules.
Heads up!
- Certain publishers lack certificates, making them ineligible for higher-tier rule creation. In such cases, ensure the rule is as restrictive as possible.
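The following PowerShell script is an added example, not part of this reference or of AutoElevate's own tooling. It collects the file identification values (expanded path, file name, product name, original file name, MD5 hash) and the publisher identification values (Subject DN elements, certificate thumbprint) described above for a single binary, so that a rule can be written as restrictively as the available data allows. It also reports when the file has no valid publisher certificate (publisher-level rules are not an option) and how long the signing certificate has left before it expires. The parameter name $Path, the 90-day warning threshold, and the way the Subject DN is split into elements are assumptions made for this example.

```powershell
# Added example (not AutoElevate's own tooling): gather the file- and
# publisher-identification values for one binary before writing a rule.
# Assumptions: Windows PowerShell 5.1 or later; $Path is the file to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Windows environment variables in a rule's File Path are expanded when the
# rule is processed, so expand them here to see the path that would be compared.
$expanded = [Environment]::ExpandEnvironmentVariables($Path)
$file = Get-Item -LiteralPath $expanded -ErrorAction Stop

# File identification criteria. Product Name and Original File Name come from
# the embedded version resource and are blank when the binary carries none.
$md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
$ver = $file.VersionInfo
$fileCriteria = [ordered]@{
    'File Path'          = $file.FullName
    'File Name'          = $file.Name
    'Product Name'       = if ($ver.ProductName) { $ver.ProductName } else { '<blank: no version info>' }
    'Original File Name' = if ($ver.OriginalFilename) { $ver.OriginalFilename } else { '<blank: no version info>' }
    'MD5 Hash'           = $md5
}

# Publisher identification criteria, taken from the Authenticode signer.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
    $publisherCriteria = [ordered]@{
        'Signature Status' = $sig.Status
        'Note'             = 'No valid publisher certificate: publisher-level rules are not available; use file-level criteria and keep the rule as restrictive as possible.'
    }
}
else {
    $cert = $sig.SignerCertificate
    # Split the Subject DN on commas that start a new attribute (CN=, O=, L=, ...).
    # Each element can be used on its own in a rule; fewer elements widen the match.
    $subjectElements = $cert.Subject -split ',\s*(?=[A-Z]+=)'
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $publisherCriteria = [ordered]@{
        'Signature Status'  = $sig.Status
        'Subject Elements'  = ($subjectElements -join ' | ')
        'Certificate Hash'  = $cert.Thumbprint
        'Not After'         = $cert.NotAfter
        'Days Until Expiry' = $daysLeft
    }
    # 90 days is an assumed threshold; signing certificates often last only 1-2 years.
    if ($daysLeft -le 90) {
        $publisherCriteria['Note'] = 'Certificate expires soon: a thumbprint-based rule will need the new thumbprint once the publisher re-signs.'
    }
}

[pscustomobject]$fileCriteria | Format-List
[pscustomobject]$publisherCriteria | Format-List
```

Run it as `.\Get-RuleCriteria.ps1 -Path '%ProgramFiles%\Vendor\app.exe'` (file name and path are placeholders). Comparing the Subject Elements output against the thumbprint shows the trade-off the reference describes: a thumbprint rule is the most specific but must be revisited when the certificate is renewed, while a Subject DN rule survives renewal but matches every file the publisher signs under that name.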
Approval Type
Approval Status
- Approved: Allows AutoElevate to auto-enter credentials for identified files that request elevation.
- Denied: Blocks AutoElevate from elevating the identified file. Users will receive a notification that the request was denied.
- Ignored: Instructs AutoElevate to bypass/ignore elevation requests for the identified file.
Elevation Type
- Admin: Used for elevating system functions or most MSI/executable installations. Admin credentials are rotated for each elevation, ensuring they're valid only for that specific use. This method operates under a local account, limiting access to network resources and mapped drives, supporting least-privilege principles. Recommended as the default.
- User: Suitable for installing, updating or executing applications in the user's context. This mode grants Administrator privileges to the logged-in user, providing access to resources in the user's profile, registry, AppData folder, network printers, mapped drives, and shared network resources they're authorized to access.
Heads up!
- It is recommended that only the IT Department create Deny and Ignore Rules, as these are typically established for specific purposes.
- The default elevation type should be set to "Admin," unless there is a specific issue where the user’s context is critical.
Scope
Level
- All Companies: Applies the rule globally to all computers across all locations and companies.
- Whole Company: Applies the rule to all computers within all locations of the selected company.
- Whole Location: Applies the rule to all computers within the selected location.
- Computer: Applies the rule specifically to the selected computer.
Heads up!
- Create rules at the lowest possible level to adhere to the principles of least privilege.
- If a rule needs to apply to multiple locations but not to the entire company, it is preferable to create individual rules for each location rather than setting the rule at the whole company level.