Reference: AutoElevate Rule Creation Decision Tree
To determine the correct rule level, start at Level 1 and only proceed to the next level if all criteria for that level are met. Use the highest level possible for which you meet all required criteria. If a higher level’s criteria are not fully supported, fall back to the highest achievable level.
Heads up! Incorrect rule creation and scope can have a significant impact on our business. If you are unsure of something, please seek guidance from the IT Department.
Levels of Identification Criteria
- Basic: Requires MD5 Hash only. This is the default rule type in AutoElevate and is the most restrictive.
- Intermediate: Requires Publisher Certificate and Product Name or File Name.
- Advanced: Requires System File Path (Program Files, Program Files (x86)) and File Name. Reserved for applications that are already installed on the device.
Decision Table
| Criteria | Basic | Intermediate | Advanced |
|---|---|---|---|
| MD5 Hash | ✓ | | |
| Product Name / File Name | | ✓ | ✓ |
| Publisher Certificate | | ✓ | |
| System File Path (Program Files) | | | ✓ |
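One way to collect the identification criteria above for a candidate file and see the highest level it can support, as an added PowerShell example that is not part of AutoElevate or of the original page. `Get-AeRuleLevel` is a hypothetical helper name, and treating Advanced as also requiring the Intermediate criteria is an assumption drawn from the Level 3 examples further down.

```powershell
# Added example, not an AutoElevate cmdlet: Get-AeRuleLevel is a hypothetical helper.
function Get-AeRuleLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $md5  = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $productName = $file.VersionInfo.ProductName

    # The Publisher Certificate counts only when Windows reports the signature as Valid.
    $signed    = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $publisher = if ($signed) { $sig.SignerCertificate.Subject } else { $null }

    # System File Path: the file must sit under Program Files or Program Files (x86).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inSystemPath = $false
    foreach ($root in $roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($file.FullName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inSystemPath = $true
        }
    }

    # Level 1 always applies; climb only while every criterion of the next level is met.
    # Assumption: Advanced builds on Intermediate (valid certificate plus system path).
    $level = 'Basic'
    if ($signed) {
        $level = 'Intermediate'
        if ($inSystemPath) { $level = 'Advanced' }
    }

    [pscustomobject]@{
        SuggestedLevel = $level
        MD5            = $md5
        Publisher      = $publisher
        # Prefer Product Name; fall back to File Name when the publisher left it empty.
        IdentifyBy     = if ($productName) { 'Product Name' } else { 'File Name' }
        ProductName    = $productName
        FileName       = $file.Name
        InSystemPath   = $inSystemPath
    }
}

# Constructed sample path:
# Get-AeRuleLevel -Path 'C:\Program Files\ExampleVendor\example.exe'
```

The output covers identification criteria only; the Elevation Type still has to be chosen separately, as the comments in the examples show.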
Let's take a look at some example rules and discuss the decision:
Example Level 1 Rules:
Example 1:
Rule Example
Rule Decision
Rule Level:
Basic
Justification:
The application does not have a valid Publisher Certificate, so does not meet the requirements for a higher level rule.
Comments:
This is a dangerous rule as any bad actor can generate an executable with the Product Name and File Name specified and it would be allowed to execute on our computers.
The Elevation Type is set to user for application installation, which increases the risk as this file now has access to anything the user does.
Example 2:
Rule Example
Rule Decision
Rule Level:
Basic
Justification:
The application does not have a valid Publisher Certificate, so does not meet the requirements for a higher level rule.
Comments:
This is a dangerous rule as any bad actor can generate an executable with the Product Name and File Name specified and it would be allowed to execute on our computers.
Example 3:
Rule Example
Rule Decision
Rule Level:
Basic
Justification:
The application does not have a valid Publisher Certificate, so does not meet the requirements for a higher level rule.
Comments:
The Elevation Type should be set to "Admin" as there should not be a requirement for the installation to elevate in User Context. If the installation was user-based, it can be installed by the user entering their standard account credentials when prompted by UAC.
Example Level 2 Rules:
Example 4:
Rule Example
Rule Decision
Rule Level:
Intermediate
Justification:
The application has a valid and recognised Publisher Certificate and the Product Name is correctly identified by the file.
Comments:
File Name can be removed as a requirement as the Product Name is specified by the publisher in the file.
Example 5:
Rule Example
Rule Decision
Rule Level:
Intermediate
Justification:
The application has a valid and recognised Publisher Certificate. Since the Product Name is not recognised, the approver has chosen to use the File Name as a fallback.
Comments:
If the Publisher changes the file name that is downloaded from their website, this rule will stop working.
Example 6:
Rule Example
Rule Decision
Rule Level:
Intermediate
Justification:
The application has a valid and recognised Publisher Certificate. The Product Name is recognised and the approver has included a wildcard to specify all versions of GrandMA on PC.
Comments:
Example Level 3 Rules:
Example 7:
Rule Example
Rule Decision
Rule Level:
Advanced
Justification:
The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer and the file path is from a system file path.
Comments:
The elevation type could likely be set to Admin as the application is installed in the system context, which would make this rule safer.
Example 8:
Rule Example
Rule Decision
Rule Level:
Advanced
Justification:
The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer and the file path is from a system file path.
Comments:
The elevation type could likely be set to Admin as the application is installed in the system context, which would make this rule safer. File Name can be removed as a requirement as the Product Name is specified by the publisher in the file.
Example 9:
Rule Example
Rule Decision
Rule Level:
Advanced
Justification:
The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer and the file path is from a system file path.
Comments:
The elevation type could likely be set to Admin as the application is installed in the system context, which would make this rule safer.