You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.

With privilege elevation, a user can start certain pre-configured applications, which the User Environment Manager agent runs elevated on the local desktop, as if the user is a member of the administrators group.


The Privilege Elevation feature grants temporary administrator privileges to a user. The feature must be used only for specific use cases by administrators. It is not intended as a security feature. Utilize additional security measures to prevent malicious use. Privilege elevation is not enabled on User Environment Manager endpoints that use the SyncTool.

You can configure elevated applications and user-installed applications.



Elevated applications

Select the applications you want to elevate.

You can elevate applications based on a particular hash, path, or publisher.

  • With hash-based elevation, you can configure one or more hashes, so the executable is elevated regardless of its location.

  • With path-based elevation, you can configure specific file or folder paths to be elevated.

  • With publisher-based elevation, you can allow applications by certain publishers to be elevated.

You can only elevate .EXE files. By default, child processes are not elevated, but you can configure this setting manually.

User-installed applications

Select a folder, from which the user installs elevated applications. You can only use path-based configuration for the user-installed applications.

Child processes are not elevated, unless they are located in the same folder as the elevated applications, the temporary folder of the user, or the temporary folder of the system.

User-installed applications support .MSI and .EXE files.


If you use application blocking, by default only applications in Program Files and Windows are allowed to run. You may need to create an allow setting to enable the application to launch.