You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.

With privilege elevation, a user can start certain pre-configured applications, which the User Environment Manager agent runs elevated on the local desktop, as if the user were a member of the local Administrators group.

Note: Privilege elevation is not supported for members of the Network Configuration Operators group.

Important: The Privilege Elevation feature grants temporary administrator privileges to a user. The feature must be used only for specific use cases by administrators. It is not intended as a security feature. Use additional security measures to prevent malicious use. Privilege elevation is not enabled on User Environment Manager endpoints that use the SyncTool.

You can configure elevated applications and user-installed applications.

Mode: Elevated applications

Select the applications you want to elevate.

You can elevate applications based on a particular hash, path, or publisher, or on command-line arguments.

  • With hash-based elevation, you can configure one or more hashes, allowing User Environment Manager to elevate the executable file regardless of the file's location. User Environment Manager elevates an executable file only if its SHA256 hash is identical to one of the configured hashes.

  • With path-based elevation, you can configure specific file or folder paths to be elevated. User Environment Manager only elevates an executable file when a user runs the file from one of the configured file or folder paths.

  • With publisher-based elevation, you can enable User Environment Manager to elevate applications from certain publishers. User Environment Manager only elevates an executable file if the file's Authenticode signature matches one of the configured publishers.

  • With argument-based elevation, you can configure specific combinations of file paths and command-line arguments to be elevated. User Environment Manager only elevates an executable file when a user runs the file from one of the configured file paths using a corresponding command-line argument. Users must use the fully qualified path to run the targeted executable files.

    To avoid conflicts with path-based elevation, User Environment Manager silently ignores argument-based privilege elevation for executable files residing in a folder for which path-based elevation is currently configured, or in a corresponding subfolder. User Environment Manager runs such executable files with elevation regardless of the specified arguments.

You can only elevate .EXE files. By default, child processes are not elevated, but you can configure this setting manually.

Mode: User-installed applications

Select a folder from which the user installs elevated applications. Only path-based configuration is available for user-installed applications.

Child processes are not elevated, unless they are located in the same folder as the elevated applications, the temporary folder of the user, or the temporary folder of the system.

User-installed applications support .MSI and .EXE files.
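The following is an added example, not VMware code and not a reader of the real User Environment Manager configuration files. It models the decision rules this page describes for both modes: the four elevated-application rule types (hash, path, publisher, argument), the .EXE-only restriction, the requirement that argument-based rules be triggered with a fully qualified path, the precedence rule under which an executable in a path-elevated folder (or subfolder) is elevated regardless of arguments, and the child-process rule for user-installed applications. The ElevationRule and Launch classes, the SAMPLE_RULES list and every path, publisher name and hash in it are constructed for illustration; treating "same folder" as the folder or any subfolder is an assumption of the model.

```python
"""Model of the privilege-elevation decision rules described on this page.

Added example (not VMware's code). Rule formats, class names and all
sample values are assumptions constructed for illustration.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ElevationRule:
    """One configured rule. kind is "hash", "path", "publisher" or "argument"."""
    kind: str
    value: str                       # SHA256 hex digest, file/folder path, publisher, or exe path
    arguments: Optional[str] = None  # command line required by an "argument" rule


@dataclass
class Launch:
    """A process start as the agent would observe it (constructed, not a real event)."""
    path: str                        # path exactly as the user ran it
    sha256: str                      # SHA256 of the executable file
    publisher: Optional[str] = None  # Authenticode publisher, None when unsigned
    arguments: str = ""


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def _in_folder(path: str, folder: str) -> bool:
    """True if path lies in folder or in any of its subfolders."""
    return _norm(path).startswith(_norm(folder).rstrip("\\") + "\\")


def _path_rule_matches(rule_value: str, path: str) -> bool:
    if _norm(rule_value).endswith(".exe"):
        return _norm(path) == _norm(rule_value)   # rule names a single file
    return _in_folder(path, rule_value)            # rule names a folder tree


def decide(launch: Launch, rules: List[ElevationRule]) -> Tuple[bool, str]:
    """Return (elevated, reason) for one launch under the configured rules."""
    if not _norm(launch.path).endswith(".exe"):
        return False, "only .EXE files can be elevated"
    # Path rules are evaluated first: a file inside a path-elevated folder is
    # elevated whatever its arguments, so argument rules there are ignored.
    for r in rules:
        if r.kind == "path" and _path_rule_matches(r.value, launch.path):
            return True, f"path rule: {r.value}"
    for r in rules:
        if r.kind == "hash" and r.value.lower() == launch.sha256.lower():
            return True, "hash rule (location-independent)"
        if r.kind == "publisher" and launch.publisher and r.value.lower() == launch.publisher.lower():
            return True, f"publisher rule: {r.value}"
        if r.kind == "argument":
            # Argument rules need the fully qualified path and an exact argument match.
            if (ntpath.isabs(launch.path) and _norm(launch.path) == _norm(r.value)
                    and launch.arguments == (r.arguments or "")):
                return True, f"argument rule: {r.value} {r.arguments}"
    return False, "no matching rule"


def child_elevated(child_path: str, app_folder: str, user_temp: str, system_temp: str) -> bool:
    """User-installed applications: a child process keeps elevation only when it
    runs from the application's folder, the user's temp folder or the system temp
    folder (folder-or-subfolder is this model's assumption)."""
    return any(_in_folder(child_path, f) for f in (app_folder, user_temp, system_temp))


# Constructed sample configuration; none of these values come from a real deployment.
SAMPLE_HASH = hashlib.sha256(b"constructed sample binary").hexdigest()
SAMPLE_RULES = [
    ElevationRule("path", r"C:\Program Files\Vendor"),
    ElevationRule("argument", r"C:\Program Files\Vendor\setup.exe", "/repair"),
    ElevationRule("argument", r"C:\Tools\diag.exe", "--fix"),
    ElevationRule("publisher", "Example Publisher Inc."),
    ElevationRule("hash", SAMPLE_HASH),
]


def demo() -> dict:
    """Run a set of constructed launches through the rules and return the decisions."""
    other = "0" * 64  # placeholder digest that matches no hash rule
    cases = {
        "vendor_any_args": Launch(r"C:\Program Files\Vendor\setup.exe", other, None, "/uninstall"),
        "diag_with_fix": Launch(r"C:\Tools\diag.exe", other, None, "--fix"),
        "diag_without_fix": Launch(r"C:\Tools\diag.exe", other, None, ""),
        "diag_relative_path": Launch("diag.exe", other, None, "--fix"),
        "hash_anywhere": Launch(r"D:\Downloads\renamed.exe", SAMPLE_HASH),
        "signed_anywhere": Launch(r"D:\Downloads\tool.exe", other, "Example Publisher Inc."),
        "not_exe": Launch(r"C:\Program Files\Vendor\script.bat", other),
    }
    return {name: decide(launch, SAMPLE_RULES) for name, launch in cases.items()}


if __name__ == "__main__":
    for name, (elevated, reason) in demo().items():
        print(f"{name:20s} elevated={elevated!s:5s} {reason}")
```

The "vendor_any_args" case is the conflict described above: setup.exe has an argument rule for "/repair", but because its folder is path-elevated it is elevated with "/uninstall" as well, so the argument rule never constrains it. The "diag_relative_path" case shows why the page insists on fully qualified paths for argument-based rules.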

Note: If you use application blocking, by default only applications in Program Files and Windows are allowed to run. You might need to create an allow setting to enable the application to run.