Ask AI
All Categories
Product Information
Getting Started: End User Elevation

Getting Started: End User Elevation

Last updated on March 10, 2026

Evo End User Elevation enables users to send requests for administrative privileges to execute applications or installers even if their accounts do not have standing administrative rights. Upon submission, the request is forwarded to a technician for review, where it can be either approved or denied.

To simplify usage and administration, rules can be defined within the Evo Partner Portal to automatically approve or deny requests based on criteria about the application being requested and also be scoped to specific users, groups, endpoints, and tenants so that just the right people can do just the right things.

Evo Portal Setup

These instructions assume that you already have access to your Evo Partner Portal and have completed the basic steps to setup your MSP with Evo.

If not, head over to our MSP Onboarding Guide and compete the steps there first!

Note: In particular, these directions assume that the technicians that will respond to elevation requests already have access to the Evo Partner Portal and have the Evo Authenticator app installed. We recommend completing those steps before proceeding.

Agents & Licenses

Enable Training Mode

Training Mode in Evo Security’s End User Elevation (EUE) is designed to help MSPs and IT administrators transition users from local administrator access to standard users without disrupting daily operations. When enabled, Training Mode audits all application elevations, including those performed by users with local admin rights or when admin credentials are used to elevate applications for standard users. This audit runs for a defined period and captures real-world elevation behavior, following the philosophy of observe first, enforce later.

 
  1. Enable Training Mode

      2. Turn on Training Mode with End User Elevation enabled on the Evo Agents to begin auditing elevation activity.

  1. Collect Elevation Data

      2. Allow users to work normally while Evo tracks all application elevations in the Training section of the Evo Portal.

  1. Review Training Data

      2. Analyze the collected elevation activity to identify applications that legitimately require elevated access.

  1. Create Elevation Rules

      2. Use the training data to define approved application elevation rules based on your security and business requirements.

  1. Remove Local Administrator Rights

      2. Once rules are in place, remove users from the local Administrators group and convert them to standard users.

  1. Disable Training Mode

      2. Turn off Training Mode to move from observation to enforcement.

  1. Enforce End User Elevation

      2. Standard users are prompted for elevation when required. Applications that match approved rules are automatically approved, while all other elevation requests are securely managed through the EUE workflow.

Note: If EUE is enabled for a tenant without Training Mode, users will immediately be required to submit elevation requests through Evo. If you want to delay request-based enforcement until rules are built and users are prepared, we recommend starting with Training Mode enabled.

Note: While Training Mode remains enabled, existing elevation rules will still require elevation (via Windows UAC). Rule-based streamlined behavior takes effect after Training Mode is disabled.

 
  1. Navigate to Elevation > Training.
      2. Notion image
  1. Select Training Setup and select the Tenant scope to apply to. If you have already deployed the Evo Agent, you can chose the whole tenant, users, user groups or endpoints.
Notion image
Notion image
  1. Select Save to commit the changes.

Deploy Agents

The Evo Endpoint Agent needs to be deployed to each endpoint on which Technician Elevation will be available as it facilitates the authentication of an Evo user into an administrator account on the target machine.

Refer to our Windows Agent Deployment article to complete that process.

Assign Licenses

End User Elevation is licensed per endpoint, so each endpoint that has the Evo Agent on it for purposes of facilitating EUE requests will need to have a license.

  1. In your Evo Partner Portal, navigate to Endpoints > Computers.
    1. Note: You can do this in either the Global scope if you are assigning to multiple tenants, or you can pick a particular tenant from the dropdown menu at the top of the left nav to scope your view to just that tenant.
  1. Select the machines to which you would like to assign an End User Elevation license using the checkboxes at the left and then click Assign EUE License from the menu at the bottom of the table.

Note: Refer to our full article on managing user licenses for fuller details of how to manage Evo licenses.

Configure Custom Branding (optional)

The Evo Agent can be configured to display your MSP’s logo and other custom branding on the request and approval screens that users will see on their endpoints.

See our article on Custom EUE Branding for details on how to configure. This process can be completed at any time, so it may be something that you want to come back to later if you’re just getting started with testing EUE.

Preparation & Rules

Determine Deployment Strategy

There are three ways to approach rolling out End User Elevation. The right path depends on your users and whether or not they currently have administrative rights and how you are currently managing elevation requests.

If Your Users Do Not Have Admin Rights

If your users already do not have administrative rights and are requesting assistance each time they need it, we recommend enabling End User Elevation without any pre-made rules. The users' experience will improve right away by automating the request experience, and you can build a rule set over time to gain more efficiency in serving those requests.

If Your Users Do Have Admin Rights

If your users do have administrative rights, then rolling out Evo End User Elevation will be a part of your overall project plan for reducing those users' administrative rights.

The overall process is to build rules that will automatically approve the most common things that users can and should be allowed to do using elevated permissions. Think about things like software updaters, installers for approved programs, and other common actions.

The data from Training Mode gives you visibility into what actions users are currently taking with admin privileges before removing any admin privileges. You can then use that visibility to build rules to permit or deny actions before actually changing anything for the users.

If You Are Replacing An Existing Elevation Solution

If you are migrating from another admin elevation solution and would like to replicate your existing rules, we recommend creating or importing your rules in Evo before migrating endpoints to Evo End User Elevation. This helps ensure a smoother transition and minimizes disruption for end users.

Evo supports rule imports via CSV, allowing administrators to quickly recreate large sets of elevation rules from their existing environment. If you are able to export rule data from your previous solution, it can often be formatted and imported into Evo using the CSV import functionality.

Note: We do not recommend deploying Evo until the previous elevation solution has been removed from the endpoints as having multiple solutions trying to simultaneously manage processes like Windows User Access Control may cause unpredictable behaviors.

Build Rules

To configure automatic approval for specific applications when a user requests End User Elevation, rules can be created two ways. Note: Additionally you can import Rules Via CSV.

Creating A Rule From A Request or From Training Data

  1. Navigate to Elevation > Requests or Elevation > Training as appropriate.
  1. Select an entry from the table from which you would like to create a rule. Scroll down and select Create Rule From This Request.
  1. Proceed through defining the rule according to your preferences. The file criteria will be automatically filled in for you to pick from based on the request, but you will pick which criteria for the rule to actually use for matching future requests.
    1. Note: We recommend including robust criteria such as certificate details or file hashes to ensure that weaker criteria like deceptive file names cannot bypass proper review.
Notion image
  1. Then pick the Execution Mode and the scope to which the rule will apply. Rules can be assigned to specific Users, Groups, and Endpoints to ensure controlled and automated elevation approvals.
Notion image

Creating A Manual Rule

You can also create rules by dragging-and-dropping files directly into the Evo Portal. Navigate to the Rules tab and select “Create Rule.”

Here, you can upload executable files such as .exe, .dll, .scr, or .msi, and the system will automatically extract and populate the application details. Based on the extracted information, you can select the relevant attributes for rule creation by checking the corresponding boxes.

  1. Navigate to Elevation > Rules and select Create Rule.
  1. Drag-and-drop a file into the upload box to populate the rule criteria into your rule automatically. Much as in the request-based rule creation flow, you will pick matching criteria and the scope for your rule.
Notion image
Notion image
Notion image

Import Rules via CSV

The CSV Import feature allows administrators to bulk create Elevation Rules by uploading a properly formatted .csv file.

CSV File Requirements

Your CSV must include the following header row exactly as shown:

rule

tenant

description

approved

elevation

kind

criteria_publisher_thumbprint

criteria_file_name

criteria_file_path

criteria_sha256

Each column corresponds to a configurable property of the elevation rule.

 

Note: To apply a rule across the entire environment rather than to a specific tenant, set the tenant field value to Environment instead of specifying an individual tenant name.

 

Elevation Rule Import Example

Rule Name
Tenant
Description
Approved
Elevation
Kind
Criteria_Publisher_Thumbprint
Criteria_File_Name
Criteria_File_Path
Criteria_SHA256
Environment Test
Environment
Environment rule w/ thumbprint only
true
user
windows
TP-ENV-001
env_app.exe
C:\Program Files\Env\env_app.exe
Tenant Test 1
test-1
Test rule w/ sha256 only
true
user
windows
dev_app.exe
C:\Program Files\Dev\dev_app.exe
SHA-DEV-001
Tenant Test 2
test-2
Test rule w/ Thumbprint & sha256
true
user
windows
TP-DEV2-001
dev2_app.exe
C:\Program Files\Dev2\dev2_app.exe
SHA-DEV2-001

This can be found by Navigation to your desired Tenant ( Or Global Scope ) Elevation → Rules → Then selecting the “Import Via CSV” on the top right

Notion image

Once your Rules are Imported you will be prompted to Review and finalize your staged Rules before you finalize the import.

Notion image

Once reviewed you can then Finalize the Import

Notion image

Once finalized you can then View the Results

Notion image

Clicking View Results will show how many rules were successfully created, as well as any errors that occur in the finalization process.

Notion image

Elevation Category-Based Auto Denial

Note: This is Enabled under Evo Admin → Policies in our new Policy system.

The Elevation Category-Based Auto Denial policy allows administrators to automatically deny end-user elevation requests when an application falls into specific AI-detected application categories. This helps prevent users from elevating applications that are considered risky or inappropriate for privileged execution.

How to Configure

  1. Navigate to Evo Admin → Policies.
  1. Click the + New button in the top-right corner.
  1. Select Policy, then click Continue.
  1. Click Add Setting.
  1. Locate and select Elevation Category-Based Auto Denial.
  1. Click Continue with One Setting to configure the policy.

Once configured, any application that matches the selected AI-detected categories will have its elevation request automatically denied, without requiring administrator approval.

Notion image

You will now see the Categories and sub categories you can Choose to Auto Deny under your policy.

Notion image

After this policy is in place, any automatically denied elevation requests can be viewed by navigating to:

Tenant → Elevation → Auto Denials

From this section, administrators can review applications that were automatically denied and create rules directly from the listed applications if needed.

Approvals & Notifications

Configure Permissions for Technicians

Technicians will need permissions for Elevation Requests as well as to particular Tenants in order to field EUE requests from those tenants.

We recommend adding the Elevation Requests set of permissions (or a sub-set according to your preferences and security policies) to an appropriate Role already defined for technician users who will manage elevation requests.

  1. Navigate to Evo Admin > Permissions > Roles.
  1. Either Edit an existing Role or click New and create a new Role with a name like “End User Elevation Approvers”.
  1. Add the “Elevation Requests” permission to the Role.
    1. Note: Adding the entire “Elevation Requests” permissions set will allow users to do everything related to EUE requests and rules including making changes to rules for your entire MSP Environment (i.e., all Tenants) and allowing SYSTEM-level elevation via rules.
      1. This may be desirable for small teams where a handful of people will be managing all aspects of requests and rules.
      2. For larger teams or those with more segmented security policies, just adding the Manage Elevation Requests and Mobile Technician Elevation permissions are the minimum for approving requests and using the Evo Authenticator mobile app to handle requests.
          3. Notion image
  1. Navigate to Evo Admin > Permissions > Tenant Access and verify that the relevant technicians have access to the relevant Tenants.

Configure Notifications

There are two methods of technician notification for new EUE requests: push notifications to the Evo Authenticator app and email.

Mobile Push Notifications

All technicians configured with the permissions described above who have the Evo Authenticator app running in Technician Mode will receive push notifications of new EUE requests.

Notifications can be managed or disabled from the Evo Authenticator app under Settings > Notification Settings.

Email Notifications

Email notifications are managed from the Evo Partner Portal.

  1. Navigate to Elevation > Email Notifications.
  1. Click New and enter the source Tenant(s) and destination email addresses.

Deployment

Enable Elevation Enforcement

To fully enable End User Elevation, we will just turn off Training Mode for the relevant Tenant(s). Once this is done, your users will begin to see Evo prompts to request admin actions and provide a reason for the request for your team to review.

Notion image
  1. Navigate to Elevation > Training. Select Training Setup from the top right.
  1. Find the Tenant(s) (or Users, Groups, etc. if you initially configured Training Mode differently) in the Training Mode Configuration table and uncheck the box next to them.
  1. Select Save to commit the changes.
 

Remove Local Admin Permissions

The final step in improving your MSP’s security is to remove the administrator permissions from standard user accounts.

  1. Navigate to Vault > Local Accounts in the Evo Partner Portal.
  1. Select the accounts that you would like to modify from the checkboxes at the left, then select either Demote or Delete depending on how you would like to handle them.

You have now dramatically improved the security posture of your MSP and customers - and also improved your users’ experience by providing a clean, delightful way to request permissions when needed without having to submit a ticket.

 

Recommended Registry Values to Prevent Secure Desktop Delays

To ensure seamless functionality and avoid delays when the Windows Secure Desktop is invoked during elevation workflows, the following registry entries must be configured. These values control how User Account Control (UAC) prompts behave for administrators, enhanced administrators, and standard users.

Registry Path:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Required Values:

Registry Value
Setting
Description
ConsentPromptBehaviorAdmin
5
Defines the prompt behavior for administrators in Admin Approval Mode.
ConsentPromptBehaviorEnhancedAdmin
1
Controls prompt behavior for enhanced administrators.
ConsentPromptBehaviorUser
3
Specifies how standard users are prompted for credentials.

Ensuring these values are correctly configured helps maintain a consistent elevation experience, prevents secure desktop interruptions, and supports optimal operation of Evo Secure Login and Elevation features. Note: Other Values set for these entries may cause unintended outcomes

 

Please reach out to Evo Support with any questions!

 
Did this answer your question?
😞
😐
🤩
Web Accounts Usage Guide: End User Elevation