AutoElevate
-
Reference: Creating Rules in AutoElevate
AutoElevate lets you create rules that automate elevation requests based on software vendor, publisher certificate, file hash or other criteria. Rules can be applied at several levels: an individual computer, a group of computers (Location), a group of Locations (Company) or globally (All Companies/Tenant). See the AutoElevate Hierarchy reference below for more information.

A rule consists of three main components:
Identification Criteria: The conditions under which the rule applies.
Approval Type: Whether the file should be approved, denied or ignored, together with the elevation type.
Scope: The level at which the rule applies.

Identification Criteria

File Identification Criteria
Product Name: Set by the software publisher and embedded in the binary's version information; blank if the file carries no version information.
File Path: Full path to the file on the local machine, including the file name. Windows environment variables (for example %ProgramFiles%) are expanded when the rule is processed.
File Name: Extracted from the path.
Original File Name: The name the file was built with, taken from its version information; blank if the file carries no version information.
MD5 Hash: The MD5 hash of the file. A hash identifies exactly one build of the file, so the rule stops matching as soon as the publisher ships an update.

Heads up!
Do not create rules for applications managed or deployed by the IT Department, such as Microsoft 365 Apps for Enterprise, web browsers (Chrome, Edge, Firefox), 7-Zip, VLC Media Player, etc. If rules are necessary for these applications, the IT Department will handle them.
Do not create rules for any application that fails the App Security Checks.
Do not create rules for any operating system processes, applications or files, including but not limited to Windows Firewall, Command Prompt, PowerShell, DLLs or Control Panel items.
Wildcards can be used in rules where applicable, but make sure you understand their impact: a wildcard in a File Path or File Name can match binaries in locations a standard user can write to, and a rule that matches such a file will elevate whatever the user places there.

Publisher Identification Criteria
Subject Elements: Components of the Subject Distinguished Name (for example CN, O, L, S, C) in the publisher's signing certificate. Selecting fewer elements broadens the range of software the rule matches.
Certificate Hash: Thumbprint of the certificate used to sign the file; it identifies that one certificate only. Publisher certificates commonly expire within 1–2 years, after which the publisher signs with a new certificate, the thumbprint changes and the rule may need to be updated.

Heads up!
Some publishers do not sign their software, which makes it ineligible for higher-tier rules. In such cases, make the rule as restrictive as possible.

Approval Type

Approval Status
Approved: AutoElevate automatically enters credentials for identified files that request elevation.
Denied: AutoElevate will not elevate the identified file. The user receives a notification that the request was denied.
Ignored: AutoElevate bypasses elevation requests for the identified file.

Elevation Type
Admin: Used for elevating system functions and most MSI or executable installations. The admin credentials are rotated for each elevation, so they are valid only for that one use. The elevation runs under a local account, which has no access to the user's network resources or mapped drives; this supports the principle of least privilege. Recommended as the default.
User: Suitable for installing, updating or running applications in the user's context. This mode grants Administrator privileges to the logged-in user, so the elevated process can reach the user's profile, registry hive, AppData folder, network printers, mapped drives and any shared network resources the user is authorised to access.

Heads up!
Only the IT Department should create Deny and Ignore rules, as these are established for specific purposes. The default elevation type should be "Admin" unless there is a specific issue where the user's context is required.

Scope

Level
All Companies: Applies the rule globally to all computers across all locations and companies.
Whole Company: Applies the rule to all computers in all locations of the selected company.
Whole Location: Applies the rule to all computers in the selected location.
Computer: Applies the rule to the selected computer only.

Heads up!
Create rules at the lowest possible level to adhere to the principle of least privilege. If a rule needs to apply to several locations but not to the entire company, create an individual rule for each location rather than one rule at the whole-company level.
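The following PowerShell is an added example and is not part of the AutoElevate documentation or product. It shows the "understand the impact" point about wildcards in File Path rules: the same product written three ways, from an exact path to a bare file name, and how many observed binaries each version reaches. It assumes glob-style wildcards (* matches any run of characters) with %VAR% environment variables expanded before matching, since this page does not describe the matching engine in detail; the vendor "Contoso", the user "jdoe" and every path in the sample are constructed for illustration, and %ProgramFiles% expands to C:\Program Files only when run on a 64-bit Windows host.

```powershell
# Added example (not AutoElevate code). Assumes glob-style wildcards and %VAR%
# expansion; 'Contoso', 'jdoe' and all paths below are constructed sample data.

function Test-RulePathMatch {
    param(
        [Parameter(Mandatory)][string]$RulePath,   # pattern as typed into the rule
        [Parameter(Mandatory)][string]$FilePath    # full path the agent observed
    )
    # Expand %ProgramFiles% etc. the way the page says rules are processed.
    $pattern = [Environment]::ExpandEnvironmentVariables($RulePath)
    # -like is case-insensitive and honours * and ?; paths containing '[' or ']'
    # would need backtick escaping, which is omitted here.
    return ($FilePath -like $pattern)
}

function Get-RulePathImpact {
    param(
        [Parameter(Mandatory)][string[]]$RulePaths,
        [Parameter(Mandatory)][string[]]$ObservedPaths,
        [string[]]$UserWritablePrefixes = @('C:\Users\')   # locations a standard user controls
    )
    foreach ($rule in $RulePaths) {
        $hits  = @($ObservedPaths | Where-Object { Test-RulePathMatch -RulePath $rule -FilePath $_ })
        $risky = @($hits | Where-Object {
            $hit = $_
            @($UserWritablePrefixes | Where-Object {
                $hit.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
        })
        $verdict = if ($risky.Count -gt 0) { 'REJECT: reaches a user-writable path' }
                   elseif ($hits.Count -gt 1) { 'REVIEW: matches more than one binary' }
                   elseif ($hits.Count -eq 1) { 'OK: single installed binary' }
                   else { 'NO MATCH: check the path' }
        [pscustomobject]@{
            RulePath        = $rule
            Matches         = $hits.Count
            UserWritableHit = $risky.Count
            Verdict         = $verdict
        }
    }
}

# Constructed sample of paths the agent might report for the same product name.
$observed = @(
    'C:\Program Files\Contoso\Designer\Designer.exe',
    'C:\Program Files\Contoso\Designer\Updater.exe',
    'C:\Users\jdoe\Downloads\Designer.exe',
    'C:\Users\jdoe\AppData\Local\Temp\Designer.exe'
)

# Three ways to write the rule, from tightest to loosest.
$rules = @(
    '%ProgramFiles%\Contoso\Designer\Designer.exe',  # exact installed path: 1 match, OK
    '%ProgramFiles%\Contoso\Designer\*.exe',         # every exe in the vendor folder: 2 matches, REVIEW
    '*\Designer.exe'                                 # file name anywhere on disk: 3 matches, REJECT
)

Get-RulePathImpact -RulePaths $rules -ObservedPaths $observed | Format-Table -AutoSize
```

The third pattern is the one to watch for in review: because it places no constraint on the directory, a standard user can drop any binary named Designer.exe into Downloads or Temp and the rule will elevate it. The Program Files patterns only match files that an administrator (or an approved installer) put there in the first place.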
-
Reference: AutoElevate Hierarchy
Understanding our AutoElevate Hierarchy structure will help you determine at what level to create a rule. Generally speaking, if a rule needs to be created for All Companies or for more than one Location, contact the IT Team to have the rule created so that it works as intended.
-
Reference: AutoElevate Rule Creation Decision Tree
To determine the correct rule level, start at Level 1 and proceed to the next level only if all criteria for that level are met. Use the highest level for which you meet all required criteria; if a higher level's criteria cannot be fully met, fall back to the highest achievable level.

Heads up!
Incorrect rule creation and scope can have a significant impact on our business. If you are unsure of anything, seek guidance from the IT Department.

Levels of Identification Criteria
Basic (Level 1): Requires the MD5 Hash only. This is the default rule type in AutoElevate and the most restrictive, as it matches exactly one build of the file.
Intermediate (Level 2): Requires the Publisher Certificate plus the Product Name or the File Name.
Advanced (Level 3): Requires a System File Path (Program Files or Program Files (x86)) and the File Name in addition to the Publisher Certificate and Product Name. Reserved for applications that are already installed on the device.

Decision Table
Criteria                            Basic   Intermediate   Advanced
MD5 Hash                              ✓
Product Name / File Name                         ✓             ✓
Publisher Certificate                            ✓             ✓
System File Path (Program Files)                               ✓

Let's take a look at some example rules and discuss the decision.

Example Level 1 Rules

Example 1
Rule Example
Rule Decision
Rule Level: Basic
Justification: The application does not have a valid Publisher Certificate, so it does not meet the requirements for a higher-level rule.
Comments: As created, this rule is dangerous: any bad actor can generate an executable with the specified Product Name and File Name and it would be allowed to run elevated on our computers. The Elevation Type is set to User for an application installation, which increases the risk, as the installer then has access to everything the user does.

Example 2
Rule Example
Rule Decision
Rule Level: Basic
Justification: The application does not have a valid Publisher Certificate, so it does not meet the requirements for a higher-level rule.
Comments: As created, this rule is dangerous: any bad actor can generate an executable with the specified Product Name and File Name and it would be allowed to run elevated on our computers.

Example 3
Rule Example
Rule Decision
Rule Level: Basic
Justification: The application does not have a valid Publisher Certificate, so it does not meet the requirements for a higher-level rule.
Comments: The Elevation Type should be set to "Admin", as there should be no requirement for the installation to elevate in the user's context. If the installation is user-based, the user can install it by entering their standard account credentials when prompted by UAC.

Example Level 2 Rules

Example 4
Rule Example
Rule Decision
Rule Level: Intermediate
Justification: The application has a valid and recognised Publisher Certificate, and the Product Name is correctly identified in the file.
Comments: File Name can be removed as a requirement, since the Product Name is set by the publisher in the file.

Example 5
Rule Example
Rule Decision
Rule Level: Intermediate
Justification: The application has a valid and recognised Publisher Certificate. Since the Product Name is not recognised, the approver has chosen to use the File Name as a fallback.
Comments: If the publisher changes the name of the file downloaded from their website, this rule will stop working.

Example 6
Rule Example
Rule Decision
Rule Level: Intermediate
Justification: The application has a valid and recognised Publisher Certificate. The Product Name is recognised, and the approver has included a wildcard to cover all versions of GrandMA on PC.
Comments: None.

Example Level 3 Rules

Example 7
Rule Example
Rule Decision
Rule Level: Advanced
Justification: The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer, and the file path is a system file path.
Comments: The Elevation Type could likely be set to Admin, as the application is installed in the system context; this would make the rule safer.

Example 8
Rule Example
Rule Decision
Rule Level: Advanced
Justification: The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer, and the file path is a system file path.
Comments: The Elevation Type could likely be set to Admin, as the application is installed in the system context; this would make the rule safer. File Name can be removed as a requirement, since the Product Name is set by the publisher in the file.

Example 9
Rule Example
Rule Decision
Rule Level: Advanced
Justification: The application has a valid and recognised Publisher Certificate, the Product Name is defined properly by the developer, and the file path is a system file path.
Comments: The Elevation Type could likely be set to Admin, as the application is installed in the system context; this would make the rule safer.
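As an added example, and not AutoElevate's own tooling or code from this page, the PowerShell below gathers the identification criteria listed in the Creating Rules reference (Product Name, File Path, File Name, Original File Name, MD5 Hash, Subject Elements and Certificate Hash) for one binary and applies the decision table above to report the highest rule level the file can support. It also flags the cases the Heads up! notes warn about: an unsigned or untrusted signature, a certificate close to expiry, and a target that is an OS component or DLL. The sample path at the bottom is hypothetical, and the 90-day expiry threshold and the simple comma split of the Subject DN are choices made for this example.

```powershell
# Added example (not AutoElevate code). Run on the workstation that raised the
# elevation request and attach the output to the rule request.

function Get-AutoElevateRuleCriteria {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $ver  = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # Only a signature whose chain validates counts as a Publisher Certificate.
    # NotSigned, HashMismatch and UnknownError (untrusted root) all fail this test.
    $hasValidCert = ($sig.Status -eq 'Valid') -and ($null -ne $cert)

    # Advanced rules require the file to already be installed under a system path.
    $systemRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inSystemPath = @($systemRoots | Where-Object {
        $file.FullName.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0

    # The Heads up! list forbids rules for OS components and DLLs; flag those up front.
    $prohibited = ($file.Extension -ieq '.dll') -or
                  $file.FullName.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)

    $productName = if ($ver.ProductName) { $ver.ProductName.Trim() } else { $null }

    # Decision table: each level needs every criterion of the levels below it.
    # Intermediate accepts Product Name OR File Name, and a file always has a name,
    # so a valid certificate alone is enough to reach it.
    $level = if ($hasValidCert -and $productName -and $inSystemPath) { 'Advanced' }
             elseif ($hasValidCert) { 'Intermediate' }
             else { 'Basic' }

    [pscustomobject]@{
        FilePath         = $file.FullName
        FileName         = $file.Name
        ProductName      = $productName
        OriginalFileName = $ver.OriginalFilename
        MD5Hash          = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
        SignatureStatus  = $sig.Status
        PublisherSubject = if ($cert) { $cert.Subject } else { $null }
        # Simple split of the Subject DN into its elements (CN=, O=, L=, S=, C=);
        # a DN with commas inside quoted values would need a real DN parser.
        SubjectElements  = if ($cert) { @($cert.Subject -split ',\s*(?=\w+=)') } else { @() }
        CertThumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        CertExpires      = if ($cert) { $cert.NotAfter } else { $null }
        # Publisher certificates often live 1-2 years; warn when renewal is near.
        CertExpiresSoon  = if ($cert) { $cert.NotAfter -lt (Get-Date).AddDays(90) } else { $false }
        InSystemPath     = $inSystemPath
        ProhibitedTarget = $prohibited
        HighestRuleLevel = if ($prohibited) { 'Do not create a rule (OS component or DLL)' } else { $level }
    }
}

# Hypothetical installed binary; substitute the path shown in the elevation request.
Get-AutoElevateRuleCriteria -Path 'C:\Program Files\Contoso\Designer\Designer.exe' | Format-List
```

Read the output from the top down the same way the decision tree does: a SignatureStatus other than Valid means the rule must be Basic (MD5 only), a Valid signature with a blank ProductName means the Intermediate rule has to fall back to File Name (Example 5 above), and HighestRuleLevel of Advanced is only offered when the binary is already sitting under Program Files, which is the case the page reserves that level for.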