Just-in-Time Admin Login
AutoElevate's Just-in-Time Admin Login feature lets technicians sign in to a computer as an Admin user by scanning a QR code to authenticate, making it easy and secure to perform critical tasks. Note that when the Agent creates an account, or takes control of an existing one, access to that account is granted only through the Agent. This feature is designed and supported for 64-bit Windows workstations running Windows 10 and 11.
Your agents must be on v2.5+ for this feature to be available.
Important Notice: Just-in-Time Admin Login Limitations and Upcoming Fix
JIT Admin Login does not currently work within an RDC (Remote Desktop Connection) session or on a Windows 365 cloud computer. A fix for this issue is in progress.
Just-in-Time Admin Login with Windows Authentication Products
Certain Windows authentication products can prevent the JIT Admin Login button from appearing on the Windows login screen, because they stop our credential provider from loading. This is known to be the case with DUO and WatchGuard AuthPoint.
For instructions on how to whitelist AutoElevate with DUO, please refer to the following article: DUO with Admin Login.
- From the Settings screen select Global > Agent Customizations & Behavior > Just-in-Time Admin Login > Edit (Pencil icon), or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon at the top of the grid.
- Check the "Enabled" box, set a custom username, then SAVE.
- Then select Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon), or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon at the top of the grid.
- Select the Role or Users you wish to allow to use this feature and SAVE.
Enabling - Additional Options & Info
From the Settings screen, select either Global > Agent Security > Just-in-Time Admin Login > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
Enabled: Check to enable.
Username: Set the name of the account the Agent will use. If an account with this name already exists on the machine, the Agent takes it over and its password is overwritten. This can be useful for re-using an existing admin account on the end user's computer, but it also means a mistyped name here silently resets the password of an account the technician never intended to touch. Always verify the username before saving.
Delete User After Every Log Off: Check to enable. With this option the Agent creates a temporary admin user that is removed automatically when the technician logs off. Without it the user persists; persistent users are not deleted during uninstallation or when the Admin Login setting is disabled, so they remain on the machine after the feature is turned off.
Avoid using Administrator or ~0000AEAdmin as the username. These accounts cannot be deleted, so with Delete User After Every Log Off enabled the clean-up step fails and Admin Login access is blocked.
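Because the Username setting overwrites the password of any existing account with that name, it is worth checking the target machine before saving it. The following PowerShell pre-check is an added example, not AutoElevate's code: it reports whether the candidate name already exists locally, whether it is the built-in Administrator (RID 500, which cannot be deleted even if renamed), whether it is one of the two names the page advises against, and whether it already sits in the local Administrators group. The name `ae-jit-admin` is a hypothetical value for the Username setting.

```powershell
# Added example (not AutoElevate's code): pre-check a candidate JIT Admin Login
# username on a Windows 10/11 workstation before saving it in the setting.
# Run in an elevated PowerShell session on the target computer.
function Test-JitAdminUsername {
    param(
        [Parameter(Mandatory)]
        [string]$Username
    )

    $result = [ordered]@{
        Username       = $Username
        Exists         = $false
        IsBuiltinAdmin = $false
        IsReservedName = $false
        IsLocalAdmin   = $false
        Recommendation = ''
    }

    # The page advises against 'Administrator' and '~0000AEAdmin': neither can be
    # deleted, which breaks "Delete User After Every Log Off". -in is case-insensitive.
    if ($Username -in @('Administrator', '~0000AEAdmin')) {
        $result.IsReservedName = $true
    }

    $user = Get-LocalUser -Name $Username -ErrorAction SilentlyContinue
    if ($user) {
        $result.Exists = $true
        # RID 500 is the built-in Administrator regardless of what it has been renamed to.
        $result.IsBuiltinAdmin = ($user.SID.Value -like '*-500')
        $result.IsLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Where-Object { $_.SID -eq $user.SID })
    }

    $result.Recommendation = if ($result.IsReservedName -or $result.IsBuiltinAdmin) {
        'Do not use: this account cannot be deleted, so Delete User After Every Log Off will fail.'
    } elseif ($result.Exists) {
        'Existing account: enabling the feature will overwrite its password. Confirm this is intended.'
    } else {
        'Name is free: the Agent will create this account.'
    }

    [pscustomobject]$result
}

# 'ae-jit-admin' is a hypothetical username chosen for this example.
Test-JitAdminUsername -Username 'ae-jit-admin'
```

If `Exists` is true and `IsLocalAdmin` is false, the Agent will be taking over an ordinary user's account; that is the case the warning above is about, so confirm the name before saving.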
Next, select either Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
- Select the Role or Users you wish to allow access to this feature.
Finally, select either Global > Agent Customizations & Behavior > Logo (Square) > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
- Upload an image to be used as the User icon on the Windows Lock Screen.
- The image cannot be larger than 1MB.
- ".webp" images are not supported.
- Transparent images are not rendered with transparency; the transparent area is replaced with a white background.
How it works
Enabling the "Just-in-Time Admin Login" setting registers a "Credential Provider" on the system, which appears as a tile on the Windows Lock Screen. It gives the technician access to an admin account without the technician needing a password.
Because no password is required to log in to the admin account, the technician is authenticated by a QR code displayed on the lock screen instead. The code expires after 10 minutes. If the technician, or the technician's role, has been authorized in the Just-in-Time Admin Login Authorization setting, they scan the QR code with the AutoElevate Notify app to grant access.
Upon logging in, the session is automatically entered into Technician mode.
The Credential Provider has a built-in self-recovery feature: if it detects a problem, it disables itself to avoid causing further issues. In that case, restarting the AutoElevate Agent service or the computer resets the Credential Provider and restores its functionality.
The Credential Provider is designed not to load in Safe Mode. This provides an alternative recovery path if the provider fails and ensures it does not interfere with system-level changes that need to be made in Safe Mode. If the provider fails, boot the computer into Safe Mode and then disable or reset the Credential Provider to restore normal operation.
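When troubleshooting whether the provider has loaded or disabled itself, it helps to see what Windows actually has registered. The following PowerShell listing is an added example, not AutoElevate's code: it enumerates the credential providers registered under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`, resolves each CLSID to its DLL path, and reports whether the provider key carries the `Disabled` value that Windows honours for skipping a provider. The page does not state AutoElevate's CLSID or DLL name, so the entry belonging to the Agent has to be identified by its DLL path.

```powershell
# Added example (not AutoElevate's code): list registered credential providers so the
# one added by the Agent can be identified by its DLL path, and show whether Windows
# has been told to skip it (a DWORD named Disabled set to 1 under the provider's key).
# Run in an elevated PowerShell session. 64-bit providers live under HKLM:\SOFTWARE\Classes,
# which is the right hive for the 64-bit Windows 10/11 workstations this feature supports.
function Get-RegisteredCredentialProvider {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

    Get-ChildItem -Path $base | ForEach-Object {
        $clsid  = $_.PSChildName                       # e.g. {xxxxxxxx-xxxx-...}
        $props  = Get-ItemProperty -Path $_.PSPath     # default value = provider display name
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                      -ErrorAction SilentlyContinue    # default value = DLL path

        [pscustomobject]@{
            Clsid    = $clsid
            Name     = $props.'(default)'
            Dll      = $server.'(default)'
            Disabled = [bool]$props.Disabled           # $null (missing) becomes $false
        }
    }
}

# Sort by DLL path so third-party providers outside System32 stand out.
Get-RegisteredCredentialProvider | Sort-Object Dll | Format-Table -AutoSize
```

A provider whose DLL path is missing (the CLSID has no InprocServer32 entry) or whose `Disabled` flag is set will not appear on the lock screen; either condition explains a missing JIT Admin Login tile independently of the self-recovery behaviour described above.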
To see whether a computer has been accessed using JIT Admin Login, open the computer's View screen (eye icon) from the Computer grid. This screen shows detailed information about the computer's activity and login history.
You can also expand the dropdown menu to view the computer's General Information and State Information, a quick overview of its status and anything relevant to its security.
To track JIT Admin Login attempts, open the JIT Admin Logins section. It lists when each attempt was made (Date Created), whether or not it succeeded (Date Updated), and the technician who authenticated it (Authenticated By).
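The console's JIT Admin Logins record can be corroborated from the workstation itself, since each use of the feature leaves ordinary Windows Security log entries against the configured account: creation (4720) or password reset (4724) when the Agent creates or takes over the account, an interactive logon (4624), a logoff (4634), and, with Delete User After Every Log Off enabled, a deletion (4726). The following PowerShell query is an added example, not AutoElevate's code. It assumes the "Audit User Account Management" and "Audit Logon/Logoff" subcategories are enabled, and `ae-jit-admin` is a hypothetical value for the Username setting.

```powershell
# Added example (not AutoElevate's code): pull the Security log entries that a JIT
# Admin Login leaves behind for the configured account, to cross-check the console's
# JIT Admin Logins section from the endpoint. Run in an elevated PowerShell session.
function Get-JitAdminAuditTrail {
    param(
        [Parameter(Mandatory)]
        [string]$JitUsername,   # the value of the Username setting
        [int]$Days = 7
    )

    $labels = @{
        4720 = 'Account created'
        4724 = 'Password reset'
        4726 = 'Account deleted'
        4624 = 'Logon'
        4634 = 'Logoff'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = @($labels.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the affected account for 4720/4724/4726 and the
        # logged-on account for 4624/4634. 'return' skips this event only.
        if ($data['TargetUserName'] -ne $JitUsername) { return }

        # Keep interactive (2) and RDP (10) logons. The page says JIT Admin Login does
        # not currently work over RDC, so a type-10 hit for this account is worth a look.
        if ($_.Id -eq 4624 -and $data['LogonType'] -notin @('2', '10')) { return }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $labels[$_.Id]
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
            Actor     = $data['SubjectUserName']   # who made the change, e.g. the Agent service account
        }
    } | Sort-Object Time
}

# 'ae-jit-admin' is a hypothetical username chosen for this example.
Get-JitAdminAuditTrail -JitUsername 'ae-jit-admin' -Days 7 | Format-Table -AutoSize
```

Each successful entry in the JIT Admin Logins section should pair with a 4624 for the account within the QR code's 10-minute window; a 4724 or 4720 with no matching console entry, or a 4624 with no 4726 on a computer where Delete User After Every Log Off is enabled, is worth investigating.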