Advanced Elevation Rules: File & Publisher Certificate Identification Criteria

Gain a better understanding of how to organize and manage rules effectively with expert guidance.

Written by Owen Parry

Updated at March 25th, 2025

Table of Contents

  • Elevation Rule Creation
  • Using File and Publisher Certificate Identification Criteria Combinations
  • File Identification Criteria
  • Publisher Identification Criteria
  • Verified Publisher Certificate
  • Where do we get the Publisher Identification Info?
  • Troubleshooting
  • Security Note

Elevation Rule Creation

Rules must originate from a UAC event or an elevation request. They cannot be created manually from scratch, because the AutoElevate portal depends on the information captured by Windows UAC to fill in the Rule's details.


When Elevation Rules are created as part of a Real-Time Privilege Request (from either the AutoElevate Notify mobile app or from the Admin Portal), the identification criterion used is always the file's MD5 hash. Advanced Rules can be developed by selecting additional File and Publisher Certificate Identification Criteria, either when editing an existing MD5 rule or when creating a new Rule from an Event.

  • Edit an Existing Rule from the Elevation Rules screen (in the Admin Portal - https://msp.autoelevate.com) by clicking the Edit (pencil icon) next to the Rule.
  • Create a New Rule from the Elevation Events screen (in the Admin Portal - https://msp.autoelevate.com) by checking the box next to an Event and selecting Convert to Rule from the Actions menu.

Using File and Publisher Certificate Identification Criteria Combinations


Advanced Rules can be set up to match any combination of the File and/or Publisher Certificate identification criteria by selecting the checkboxes next to the elements from the Event that you would like the Rule to match. If a match is found when a UAC Event takes place, the AutoElevate Agent carries out the defined action: Approved, Denied, or Ignored. For the Rule to be applied to an event, the event must match ALL of the selected identification criteria; a mismatch on any one selected criterion means the Rule does not apply.


File Identification Criteria


File Identification Criteria can be selected in any combination of 5 options: Product Name, File Path, File Name, Original File Name, and MD5 Hash. The default values of these criteria are set to what was read from the actual file on the local computer where the original Event happened. Wildcard characters (* ? [a-z]) can be used to express dynamic elements.

  • Product Name: A value specified by the software publisher and embedded in the file's binary. It can be blank if the file does not contain version information.
  • File Path: The full path of the file's location on the local machine, including the file's name. The agent expands any Windows environment variables when processing the File Path.
    • Currently, the agent cannot process environment variables that refer to the local user (e.g., %LOCALAPPDATA%, %USERPROFILE%).
  • File Name: The file name extracted from the path.
  • Original File Name: The name the file was created with. It can be blank if the file does not contain version information.
  • MD5 Hash: The MD5 hash of the file.

Publisher Identification Criteria


Publisher Identification Criteria can be set to one of two options: Subject Elements or Certificate Hash.

  • Subject Elements: These are the individual parts of the Subject distinguished name found in the publisher certificate. Any combination of elements can be selected. Note, however, that a software publisher can use many certificates, so targeting fewer subject elements widens the range of software that matches the selected identification criteria.
  • Certificate Hash: This is the thumbprint of the certificate used to sign the file. It is specific to that one certificate. Publisher certificates typically expire after a year or two, so publishers need to obtain new certificates with new thumbprints frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued.

Verified Publisher Certificate

Be advised that advanced rules using any aspect of the Publisher Identification Criteria will only apply to a Verified publisher certificate.


Where do we get the Publisher Identification Info?

You will see an expandable section of information about the publisher certificate along with the publisher options. This data is generated from the file examined on the local machine that the Event originated from.

Whether the file is marked as Verified or not depends on whether the certificate chain was verified on the local machine. A certificate is Verified when the certificate and/or its issuer is present in the local certificate authority (CA) store on that machine and the Signing Time falls between the Valid From and Valid To time stamps.
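To make the matching rules above concrete (ALL selected File criteria must match, wildcards and %VAR% expansion in the File Path, Publisher criteria that only apply to a Verified certificate, and the Verified test itself), here is an added model of that evaluation. It is illustrative code written for this article, not the AutoElevate agent's implementation; the environment, CA store, Event and Rule values are constructed stand-ins.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed stand-ins for the agent's environment; none of these values come from the product.
ENV = {"PROGRAMFILES": r"C:\Program Files"}
USER_SCOPED = {"LOCALAPPDATA", "USERPROFILE"}   # the article says the agent cannot expand these
LOCAL_CA_STORE = {"Example Root CA"}            # issuer names this machine trusts

def expand_env(pattern):
    # %VAR% expansion as the agent does; None flags a user-scoped var it cannot process
    if {n.upper() for n in re.findall(r"%([^%]+)%", pattern)} & USER_SCOPED:
        return None
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), pattern)

def criterion_matches(pattern, value):
    # wildcards * ? [a-z] as on the page; Windows names compare case-insensitively
    pattern = expand_env(pattern)
    return pattern is not None and fnmatchcase(value.lower(), pattern.lower())

def publisher_verified(pub):
    # the page's Verified test: issuer in the local CA store and signing time inside validity
    return pub["issuer"] in LOCAL_CA_STORE and pub["valid_from"] <= pub["signing_time"] <= pub["valid_to"]

def evaluate(rule, event):
    # return the action only when EVERY selected criterion matches; None leaves the UAC prompt up
    if any(not criterion_matches(p, event[k]) for k, p in rule.get("file", {}).items()):
        return None
    pub_rule, pub = rule.get("publisher"), event["publisher"]
    if pub_rule:
        if not publisher_verified(pub):   # publisher criteria only ever apply to Verified certs
            return None
        if "cert_hash" in pub_rule and pub_rule["cert_hash"].lower() != pub["cert_hash"].lower():
            return None
        if any(pub["subject"].get(e) != v for e, v in pub_rule.get("subject", {}).items()):
            return None
    return rule["action"]

# Constructed sample Event (as the agent would report it) and a Rule edited from it.
EVENT = {"product_name": "Example Setup", "file_path": r"C:\Program Files\Example\setup-2.4.1.exe",
         "file_name": "setup-2.4.1.exe", "original_file_name": "setup.exe",
         "md5": "0123456789abcdef0123456789abcdef",
         "publisher": {"subject": {"CN": "Example Corp", "O": "Example Corp", "C": "US"},
                       "cert_hash": "abcdef0123456789abcdef0123456789abcdef01", "issuer": "Example Root CA",
                       "signing_time": datetime(2025, 1, 10), "valid_from": datetime(2024, 6, 1),
                       "valid_to": datetime(2025, 6, 1)}}
RULE = {"action": "Approved",
        "file": {"file_path": r"%ProgramFiles%\Example\setup-[0-9].*.exe", "original_file_name": "setup.exe"},
        "publisher": {"subject": {"CN": "Example Corp", "C": "US"}}}
```

Calling `evaluate(RULE, EVENT)` returns "Approved"; changing any one selected criterion, pointing the path at a user-scoped variable, or moving the signing time outside the certificate's validity makes it return None, which is the case where the UAC prompt is left in place.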


The defined rules are encrypted and stored in a secure registry area at each check-in and will continue to work with or without connectivity to the Internet and/or our services.

We default to a secure position: the UAC prompt is shown for anything that does not have a rule.

We also recommend creating a break-the-glass local admin on each system (perhaps only management can access the credentials) for rare cases like these.

Troubleshooting


  • Make sure your agents are at v2.4+. Only events generated from a machine running agent v2.4+ can be used to define a rule with publisher certificate and file criteria, because previous Agent versions did not capture the additional information those rules require. Likewise, only Agent versions 2.4+ can interpret and process the identification criteria set on these new Rules.
  • If you see agents still stuck on v2.3.8, check that the machines have at least .NET v4.7, which is required. If a machine does not have version 4.7, the Agent will not install and will remain at the previous version.
  • PowerShell v3.0+ is also required to process any rules with wildcard characters.
  • Only users in the Administrators and Technician (Level 3) roles have permission to edit and set the identification criteria on Rules.


Security Note

Publisher certificate verification has been built into agent v2.4+ to ensure the safety and security of making rules based on publisher certificate criteria. 

The AutoElevate rules engine performs this verification, as most security tools do, using the local certificate authority (CA) store on each machine, which Microsoft keeps updated. Protecting the local certificate store on each machine from tampering therefore depends strongly on users having only standard user privileges.
