Elevated Access: End User Elevation
Summary
Evo End User Elevation enables users to request administrative privileges for executing applications or installers even if their accounts do not typically have administrative rights. Upon submission, the request is forwarded to a technician for review, where it can be either approved or denied.
To simplify usage and administration, custom rules can be defined to automatically approve or deny requests. Rules are based on definable details about the application being requested and can be targeted to specific users, groups, endpoints, and tenants. Rules can also be created by using Training Mode, which monitors user actions while allowing all requests, so that rule sets can be built before users' elevated permissions are removed.
Getting Started
While in the beta period, you must submit a request to Evo Support to enable End User Elevation.
Pre-Requisites
This article focuses on End User Elevation and assumes that you have already rolled out the Evo Agent to your customer endpoints. If this isn't done yet, refer first to the article covering that deployment.
The technicians who will answer elevation requests will also need access to the Evo Portal and/or the Evo mobile app.
There are three ways to approach rolling out End User Elevation. The right path depends on your users and whether or not they currently have administrative rights.
When Users Do Not Have Admin Rights
If your users already do not have administrative rights and are requesting assistance each time they need it, we recommend enabling End User Elevation without any pre-made rules. The users' experience will improve right away by automating the request experience, and you can build a rule set over time to gain more efficiency in serving those requests.
When Users Do Have Admin Rights
If your users do have administrative rights, then rolling out Evo End User Elevation will be a part of your project plan for reducing those users' administrative rights.
Coordinating such a project in full is beyond the scope of this document, but we recommend starting by using Training Mode to gather details of what actions users are currently taking with admin privileges. This way, you can pre-build rules to continue seamlessly allowing safe activities and minimize user impact.
When Replacing An Existing Elevation Solution
If you are replacing an existing admin elevation solution and want to keep its rules, we recommend recreating them in Evo before migrating endpoints to Evo End User Elevation. We do not currently support the automated migration of rules from other solutions, but contact support if you are interested in working with us on developing an automated migration path.
Note: We do not recommend deploying Evo until the previous elevation solution has been removed from the endpoints, as having multiple solutions trying to simultaneously manage processes like Windows User Account Control (UAC) may cause unpredictable behavior.
Training Mode
Training Mode is useful when your Evo End User Elevation deployment process will involve removing administrative rights from a set of users for the first time. This can be a tricky process because it involves managing not just the technology but also user experience and expectations.
Training Mode allows users to continue operating with administrative permissions but with the system recording each action that was undertaken using admin privileges. After running for a period of time, those observations can then easily be turned into elevation rules in Evo for actions that you want to continue to allow, minimizing the user impact once Training Mode is disabled and admin rights are withdrawn from those users' accounts.
Note: When a user runs an application for the first time, they will be prompted to enter their credentials. This is needed so that we can run the application as them and proceed with Training Mode.
Navigate to the Training section under the Elevation tab and click Training Setup to get started.

Permissions
Permissions can be configured within the Roles & Permissions settings to restrict access to Elevation requests, ensuring that only designated users and groups have the ability to manage requests and create rules.
We recommend adding the Elevation Requests set of permissions (or a sub-set according to your preferences and security policies) to an appropriate Role already defined for technician users who will manage elevation requests.
Alternatively, you can define a new role with these permissions in it and assign it to the Users or Groups that are appropriate.

Ongoing Usage
Experience for End Users
When End User Elevation is enabled and a user needs to run an application as an administrator or install an application that requires administrator rights, a “Request End User Elevation” link is added at the bottom of the UAC prompt.

When a user selects “Request End User Elevation,” an Elevated Access Request pop-up will appear, prompting them to provide a reason for the request. This request is then forwarded to the Evo Portal, where a technician can review the details and either approve or deny the request.

Once a request is submitted, the user will see confirmation that their request was submitted. The user can close this window, and it will reappear once the request has been approved or denied. Additionally, users can check the status at any time by accessing the Status Viewer.

Upon approval, users will receive a popup notifying them of the approval and prompting them to run the file. If denied, they will see a similar popup notifying them and prompting them to contact the IT team for details.

Answering Requests
On the Evo Portal, technicians can locate and review requests by navigating to the respective Tenant and accessing the Elevation → Request section.
From this section, the technician can review the request by clicking on either the application name or the "Review" button.
The Request Details section provides the technician with comprehensive information for review, including the following: Requested By, Request Timestamp, Resolution By, Action, Endpoint, Reason, Resolution Reason.




At the bottom of the Request Details page, the technician has the option to approve the request, deny it, or create a new rule.

Upon approval, the technician can choose to create a rule for future requests.
To automate future approvals for similar requests, the technician can select “Create rule from this request.”
Making Rules
To configure automatic approval for specific applications when a user requests End User Elevation, rules can be created in one of two ways.
Creating A Rule From A Request
While approving a user's elevation request, you will be given the opportunity to create a rule.
You can configure the rule to match based on file criteria, which will be automatically filled in for you to pick from based on the request.

We recommend including robust criteria such as certificate details or file hashes to ensure that weaker criteria like deceptive file names cannot bypass proper review.
You will then also pick the elevation mode and the scope to which the rule will apply:

Rules can be assigned to specific Users, Groups, and Endpoints to ensure controlled and automated elevation approvals.
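To see which strong criteria a file actually offers before a rule is pinned to it, the hash and signer details can be read locally with built-in PowerShell cmdlets. This is an added example, not Evo's code: the function name Get-ElevationRuleCriteria and the sample path are assumptions, and nothing here talks to the Evo Portal.

```powershell
# Added example (not part of the Evo product): gather the values that make a
# rule hard to satisfy with a look-alike file. Function name is hypothetical.
function Get-ElevationRuleCriteria {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate
    $vi   = $file.VersionInfo

    # A signer is only a usable criterion when the signature validates;
    # an unsigned or tampered file leaves the hash as the only strong option.
    $signatureValid = ($sig.Status -eq 'Valid')

    # Heuristic: the name embedded at build time differs from the name on
    # disk. Installers (.msi) carry no version resource, so this stays false.
    $nameMismatch = [bool]$vi.OriginalFilename -and
                    ($vi.OriginalFilename -ne $file.Name)

    [pscustomobject]@{
        FileName         = $file.Name
        OriginalFilename = $vi.OriginalFilename
        NameMismatch     = $nameMismatch
        Sha256           = $hash.Hash
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($cert) { $cert.Subject } else { $null }
        SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SignerNotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        StrongCriteria   = if ($signatureValid) { 'Certificate + SHA-256' }
                           else { 'SHA-256 only' }
    }
}

# Sample input: a binary present on any Windows install; substitute the
# file named in the elevation request.
Get-ElevationRuleCriteria -Path "$env:SystemRoot\System32\notepad.exe" |
    Format-List
```

A file name appears in the output only for comparison: two different binaries can share it, while the SHA-256 value changes with any modification and the signer fields are meaningful only when SignatureStatus is Valid.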
Creating A Manual Rule
You can also create rules by dragging-and-dropping files directly into the Evo Portal. Navigate to the Rules tab and select “Create Rule.”
Here, you can upload executable files such as .exe, .dll, .scr, or .msi, and the system will automatically extract and populate the application details. Based on the extracted information, you can select the relevant attributes for rule creation by checking the corresponding boxes.
Much as in the request-based rule creation flow, you will pick matching criteria and the scope for your rule.



Rule Management
Once the rule is created, it will appear in the Rules tab, where it can be edited, enabled, disabled, or deleted as needed. Additionally, the system will display the admin who created the rule for tracking and auditing purposes.

Once the technician approves the request or if the application is already permitted by an existing rule, the user will receive an Elevation Status notification indicating that their request has been approved and prompting them to run it.
Notifications
In the Configurations tab, you can set up notification alerts for specific email addresses, users, or groups. When an End User Elevation request is submitted, an email notification will be sent to the designated recipients.
The email will include the Request Details as seen in the Evo Portal, along with a direct link to the request for quick access and review.

Just-In-Time (JIT) Accounts
JIT accounts are used for elevated login instead of shared admin accounts, with all changes logged under the specific JIT account associated with an individual user.
New Advanced Install Options
/ENDUSERELEVATION (0 or 1): 1 enables EUE
/DISABLE_UPDATE (0 or 1): 1 disables auto updates
/JITMODE (0 or 1): 1 enables JIT accounts for elevation as opposed to shared/local admin accounts
/USER_ADMIN_ESCALATION (0 or 1): 1 makes admins use EUE instead of regular UAC
Disclaimer: Local Policies > Security > User Account Control: “Switch to secure desktop when prompting for elevation.”
This setting must be disabled and not enforced via GPO to ensure that Evo UAC can operate properly in secure desktop mode.
Please reach out to the Support Team at support@evosecurity.com with any questions!