Concept
When End Users have permissions to install applications and modify system settings on Local Machines (Local Administrator), and you want to implement the CyberQP End User Elevation, the Audit Mode capability will allow you to capture the existing actions that an End User may perform, that required those additional Elevated Permissions, without interfering with their operations. You can then use the Audit Mode to build Elevation Policy rules, which will allow you to easily transition the End Users away from permanently having Administrator level permissions on the system. You can also use this process to build Elevation Policies for Customers that use similar programs or applications, or need access to change system configurations.
Intent
This KB Article is designed to provide Best Practice guidance for implementation of End User Elevation Audit and then transitioning the End Users away from those permissions.
Recommended Phases
- Initial Collection Phase (Week 1–2): Enable Audit Mode to begin capturing elevation events without disrupting users.
- Monitor Activity & Identify Patterns (Week 1–2): Review captured events to understand which actions require elevated permissions.
- Build Elevation Policies (Week 2+): Convert audit data into reusable Policy Rules tailored to users, roles, and applications.
- Prepare Customers for Elevation Rollout (Week 2+): Communicate upcoming changes with customers and prepare End Users for new workflows.
- Remove Admin Permissions for Sample Users (Week 3+): Start enforcing Elevation Policies for a small group and validate user experience.
- Expand Policy Enforcement (Ongoing): Apply refined Policies to broader user groups and additional customers.
- Complete Audit Mode Transition: Move all users to managed elevation, disable Audit Mode, and remove admin rights.
- Continuous Monitoring & Improvement: Regularly update Policies as applications evolve and new elevation needs arise.
Initial Collection Phase (1-2 weeks)
Enabling End User Elevation Audit Mode
- Start by selecting a few Customers that currently have over-provisioned permissions, where End Users run as Administrators on their systems.
- Focus on Customers that have both common and unique needs. This will give you a full picture of the types of actions your Customers need elevated credentials for.
- Review the Audit Mode Enable and Configuration KB.
- Enable Audit Mode for the Customer(s) you selected.
  - Ensure the Agent is deployed to the Workstations/Servers where the End Users have Administrator Permissions enabled.
  - Ensure that the End Users are imported from Active Directory or M365/Azure/Entra.
Note: Enabling Audit Mode will not disrupt any workflows. It runs silently in the background and captures privileged actions without affecting the user experience.
Learn more about how CyberQP captures audit events: https://support.getquickpass.com/hc/en-us/articles/33205685514391-How-CyberQP-Captures-Privileged-Events-in-Audit-Mode-for-End-user-Elevation
Monitor Activity
- Allow 1 to 2 weeks for collection of the Audit Mode events. Monitoring activity during this collection period is advised, so that you fully understand the processes and actions you may want to build Policy Rules for.
- Using the Audit Events page (https://admin.getquickpass.com/elevation/elevation-events), you can begin to see what types of activity your Customer's End Users are performing that require elevation.
- You can see common Programs, Publishers, and Matching Elevation Policies for the actions performed, as well as patterns showing which End Users are using elevated permissions.
Begin Building Elevation Policies (Week 2 onwards)
Once you begin to see usage trends at your Customers, you can begin building Policies for these actions. You can transform an existing Audit Event into a Policy Rule, manually create a Policy that would apply, or decide that specific actions should NOT be allowed for End Users at all.
Converting an Audit Event to an Elevation Policy Rule
- The process for this is identical to creating an Elevation Policy from Elevation Requests.
- Create a Policy:
  - Expand Elevation on the Main Dashboard page.
  - Click Policies.
  - Click New Policy in the upper right corner.
  - Give it an applicable name and description; some suggested naming schemes:
    - Customer Name - use this to build Policy Rules that will apply to a specific Customer.
    - Common Applications - use this to build Policy Rules that will apply to multiple Customers that use similar applications or require access to similar administrative functions.
    - Specific Application - use this to build Policy Rules for specific applications (e.g. QuickBooks, SolidWorks, AutoCAD).
    - Job Function/Role - use this to build Policy Rules based upon the Customer's Employee Job Function (e.g. Developer, Reception, Co-Managed Support, Executives/C-Suite).
  - Depending on the use case, set the Audience Scope as desired:
    - Target Select Customers - use this for Customer-specific policies, or generic policies that would apply to multiple Customers.
    - Target Select End-Users - use this for End User-specific policies (e.g. End Users that use the application, Co-Managed Admins, Users that have specific permission to help others).
  - Save the Policy as a Draft (the Policy can only be set to "Live/Active" once at least one Rule has been added to it).
- Open the Audit Events page and click on the Audit Event row that you wish to turn into an Elevation Policy Rule:
  - Above the Details section on the right side is a "Create Rule" button.
  - Give the Rule a name (e.g. the Application name or the Action name).
  - Using the Rule Conditions, modify the populated boxes to remove any restrictions you don't want to enforce for the Policy (remember: MORE boxes populated equals MORE restrictive, fewer boxes populated equals broader). For example:
    - Publisher - allows all applications from a specific software vendor (NOT recommended, because names can be spoofed, especially if you use WildCard values here).
    - Publisher, Certificate Hash - allows all application versions signed with a specific certificate from a specific software vendor.
    - Publisher, Certificate Hash, File Hash - allows only a specific application to be installed.
    - Publisher, Certificate Hash, File Hash, Program Path - allows only a specific application from a specific path/folder to be installed.
  - Determine the Scope of the Elevation:
    - User-scoped - Grants the process administrative privileges within the user's context. This is the recommended setting for most applications and processes. It allows the application to perform administrative tasks but does not grant full system-level control.
    - System-scoped - Grants the process a higher level of privileges, allowing it to interact with the operating system and make local system changes. Use this option only when necessary, as it grants significant power and should be reserved for specific scenarios where user context is not sufficient (e.g. installing system drivers, or modifying critical system settings such as the date or firewall rules).
  - Click Continue.
  - You will be shown the list of Policies that are currently in your Policy List.
  - Select the Policy you wish to have the Rule added to.
  - Click Add and Save.
- Repeat the process for each Application or Administrative Action that has been recorded in Audit Mode and that you WANT to allow the End Users to perform.
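To make the "more boxes populated equals more restrictive" point concrete, here is an added Python example (not CyberQP code; the vendor name, hashes and paths are constructed placeholders) that evaluates three Rules of increasing specificity against a genuine event and against an event where only the Publisher name matches:

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class AuditEvent:
    """One captured Audit Mode event (fields mirror the Rule Condition boxes)."""
    publisher: str
    cert_hash: str
    file_hash: str
    program_path: str

@dataclass(frozen=True)
class Rule:
    """A Policy Rule; None means the box was left empty and does not constrain."""
    name: str
    publisher: Optional[str] = None     # text box, wildcard '*' allowed
    cert_hash: Optional[str] = None     # exact match only
    file_hash: Optional[str] = None     # exact match only
    program_path: Optional[str] = None  # text box, wildcard '*' allowed

    def conditions(self) -> dict:
        return {k: v for k, v in vars(self).items() if k != "name" and v is not None}

    def matches(self, ev: AuditEvent) -> bool:
        # Every populated box is AND-ed: more boxes populated, more restrictive.
        for cond, want in self.conditions().items():
            have, want = getattr(ev, cond).lower(), want.lower()
            ok = have == want if cond.endswith("hash") else fnmatchcase(have, want)
            if not ok:
                return False
        return True

def matching_rules(rules, ev):
    """Names of rules that would elevate this event, most restrictive first."""
    hits = [r for r in rules if r.matches(ev)]
    return [r.name for r in sorted(hits, key=lambda r: -len(r.conditions()))]

# Constructed sample data: placeholder vendor, hashes and paths, not real values.
GENUINE = AuditEvent("Example Vendor Inc.", "CERT-AAA", "FILE-111",
                     r"C:\Program Files\ExampleApp\setup.exe")
# Same Publisher string, but a different certificate, file and location.
LOOKALIKE = AuditEvent("Example Vendor Inc.", "CERT-ZZZ", "FILE-999",
                       r"C:\Users\alice\Downloads\setup.exe")
RULES = [
    Rule("Vendor wildcard", publisher="Example Vendor*"),
    Rule("Vendor signed builds", publisher="Example Vendor Inc.", cert_hash="CERT-AAA"),
    Rule("Pinned installer", publisher="Example Vendor Inc.", cert_hash="CERT-AAA",
         file_hash="FILE-111", program_path=r"C:\Program Files\ExampleApp\*"),
]
```

Running `matching_rules(RULES, LOOKALIKE)` returns only the Publisher-only rule, which is exactly why the page recommends adding the Certificate Hash (and, where practical, File Hash and Program Path) rather than relying on the Publisher box alone.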
Manually Creating a Policy Rule
This process is detailed in the KB article "Creating an Elevation Auto-Approval Policy".
Preparing Customers for Elevation Policies
In this phase, you will want to start informing your Customer's End Users about how their permissions will change.
It is suggested to start with a small group of End Users or Applications (if assigning to multiple customers) to ensure potential impact is minimized and easily mitigated.
Explain that you will be removing their existing Local Administrator permissions, and that the Elevation Policy should handle future execution of the application or elevated action. Explain what the screen will look like if no Policy applies (e.g. applications that have not yet been converted to Rules, or applications that Audit Mode did not capture), and how they can submit a request for manual approval (see this KB for instructions).
Remove Admin Permissions for a Sample Customer (Week 3+)
Begin with a small subset of your Customer's End Users (leaving some users with Administrative Permissions still).
- Save the Policy you have created and added Rules to as "Active":
  - Expand Elevation on the Main Dashboard page.
  - Click Policies.
  - Find the Policy(ies) you used to convert an Audit Entry to a Policy Rule.
  - Click the Pencil Icon to edit the Policy.
  - Modify the Audience Scope (if it was not initially defined, or if you need to change it). You may have discovered that certain Policies are going to apply to multiple Customers, or that an application should only be allowed for specific End Users.
  - Click SAVE -> Save & Publish.
- Switch the Elevation Settings for the Customer(s) you now want to start enforcing Elevation for:
  - Settings -> Elevations -> Manage Access.
  - Find the Customer(s) you are ready to start using the Policies for.
  - Either bulk-select the check boxes and then click Edit Elevation Mode in the Header Bar, or select the Pencil icon on the far right side of the individual Customer.
  - Change to Enabled and save.
- Remove Administrator permissions from the End User systems:
  - NOTE: CyberQP Agent Permissions Remediation will soon be released (as of July 1, 2025) to assist you with this.
  - Modify the GPO, Intune Policy, or Local Security Groups to remove the Admin permissions for the End User(s) you want to do the initial set of Policy testing with.
- Have the End Users perform their daily tasks:
  - The Enabled/Active Policy should elevate permissions for actions/applications that require Administrative permissions.
  - Have the End Users submit Elevation Requests for any actions/applications that they now see the UAC prompt for.
- Use those additional Elevation Requests to fine-tune the Policy Rules:
  - Perhaps the Elevation Policy Rules were too restrictive: compare the Request against the Policy to find any values in the Policy that need to be adjusted (e.g. version number, folder path, etc.).
  - Verify that the Policy Rule file name, folder path, etc. match the observed behaviour, and update the Rule or add additional Policy Rules as needed.
  - Build new Policy Rules from any previously uncaptured Elevation Requests: https://support.getquickpass.com/hc/en-us/articles/31075585709847-Create-a-Rule-from-an-Elevation-Request-and-Add-to-a-Policy
- Once you are receiving very few Elevation Requests that should have been handled by the Elevation Policy Rules, expand the scope to additional End Users at the same Customer and/or to additional Customers.
Completing the Audit Mode
Once a comprehensive set of Policies and Rules has been created to handle the majority of cases where Elevated Permissions are required, you can expand the scope of the implementation to additional Customers or End Users.
- Change the Customer Elevation Mode to Active for any customer that was previously in Audit Mode.
- Change the Policy(ies) you have created to Active when you have added rules that cover the majority of cases.
- Remove Admin permissions for End Users on Local Workstations and Servers
- Ensure the End Users know how to submit new Elevation Requests and continue to improve/modify/create Policy rules to handle new cases.
Continued Monitoring and Improvement
Continued monitoring of patterns in Elevation Requests is important. Making the transition from having Administrator permissions to using Elevation to handle those cases is an ongoing process. New applications may be implemented by your Customers. Changes to a Vendor or Software, or even something as simple as an updated digital signature, can require updates to the Policy Rules.
Communication between team members/technicians will be integral to finding usage patterns that may indicate that a Policy needs to be updated. Empowering your team to determine what existing policies are working, which are not (and need refinement), and even cases where Elevation should NOT be automatically approved will help ensure the long term success of the Elevation solution.
Ensuring Continued Success with Elevation
To ensure continued success with the effort to remove Administrative permissions from your Customer's End Users and use the CyberQP Elevation solution, please remember these key points.
Communication
- Communicate with your Customer's End Users frequently to determine if the steps taken are having the desired results:
  - What are the goals for the Customer?
  - Are those goals being met?
  - Can additional training be provided to minimize support requests after Administrative Permissions are removed?
- Communicate with your Team to ensure that you are covering the desired use cases and keeping your Customer as secure as possible.
- Establish clear processes for both your Team and your Customers:
  - How do you handle new Elevation Requests?
  - How does your Customer's End User ensure their Elevation Requests are handled quickly?
  - Should repeated Requests be converted to Policy Rules to minimize Requests?
Time
- Don't rush Audit Mode for the Customers you are implementing this for.
- Allowing Audit Mode to monitor for a sufficient period of time will give you more detail on where Elevation will be most effective.
- Enabling Audit Mode for multiple Customers will ensure you get a broad measurement of the applications and processes that require additional permissions. You can reuse these findings across multiple Customers and Policy Rules.
- Removing permissions for one small group of End Users at a Customer at a time will reduce frustration if you missed a use case.
- Grow the list of End Users that no longer have Administrative permissions slowly, across different divisions/departments of your Customer.