When Elevation Rules are created as part of a Real-Time Privilege Request (from either the AutoElevate Notify mobile app or from the Admin Portal), the identification criteria used is always the file's MD5 hash. Advanced Rules can be developed by selecting additional File and Publisher Certificate Identification Criteria when editing an existing MD5 rule or creating a new one from an Event. 

• Edit an Existing Rule from the Elevation Rules screen (in the Admin Portal - https://msp.autoelevate.com) by clicking the Edit (pencil icon) next to the Rule.
   
• Create a New Rule from the Elevation Events screen (in the Admin Portal - https://msp.autoelevate.com) by checking the box next to an Event and selecting Convert to Rule from the Actions menu.
   

Using File and Publisher Certificate Identification Criteria Combinations

Advanced Rules can be set up to match as many combinations of the File and/or Publisher Certificate identification criteria as you desire by selecting the checkboxes next to the elements from the Event that you would like the Rule to match. If a match is found when a UAC Event takes place, the AutoElevate Agent then carries out the defined action of either Approved, Denied, or Ignored. For the Rule to be applied to an event, it must match ALL of the selected identification criteria. 

File Identification Criteria

File Identification Criteria can be selected in any combination of 5 options: Product Name, File Path, File Name, Original File Name, MD5 Hash. The default values of these criteria are set to what was read from the actual file from the local computer where the original Event happened. Wildcard characters can specify dynamic elements (* ? [a-z]).

• Product Name: A value specified by the software publisher and embedded in the file's binary. It can be blank if the file does not contain version information.
   
• File Path: The full path of the file's location on the local machine, including the file's name. The agent will expand any Windows environment variables when processing the File Path. Click HERE for more information on Windows env vars.
  • Currently, the agent cannot process env vars that include local user information (i.e., %LOCALAPPDATA%). This will be adjusted in a future update.
     
• File Name: The file name extracted from the path.
   
• Original File Name: The name the file was created with. It can be blank if the file does not contain version information.
   
• MD5 Hash: The MD5 hash of the file.
   

Publisher Identification Criteria

Publisher Identification Criteria can be set to 1 of 2 options: Subject Elements or Certificate Hash.

• Subject Elements: These are the different parts of the Subject distinguished name found in the publisher certificate. Any combination of elements can be selected. However, it's good to note that each software publisher can use many certificates. Targeting fewer subject elements will allow for a wider range of software matching the identification criteria selected.
   
• Certificate Hash: This is the thumbprint of the certificate used to sign the file. It is very specific to that certificate only. Typically, publisher certificates expire after a year or 2. This means publishers need to get new certificates with new thumbprints frequently. Targeting the certificate hash may mean that you will need to create new Rules to account for these new certificates when they are issued. 
   

The defined rules are encrypted and stored in a secure registry area at each check-in and will continue to work with or without connectivity to the Internet and/or our services.

We default to a security position and allow the UAC to come up for anything that doesn't have a rule.

We also recommend creating a break-the-glass local admin on each system (perhaps only management can access the credentials) for rare cases like these.
 

Troubleshooting:

• Make sure your agents are at v2.4+. Only events generated from a machine running version agent v2.4+ will be able to define a rule using publisher certificate & file info. Additional information is required to make publisher certificate rules that the previous Agent versions did not capture. Only Agent versions 2.4+  can interpret and process the identification criteria set on these new Rules.
   
• If you see agents still stuck on v2.3.8, check that they have at least .NET v4.7, which is required. If the machine does not have version 4.7, the Agent will not install and should remain at the previous version.
   
• Powershell v3.0+ is also required to process any rules with wildcard characters.
   
• Only users in the Administrators and Technician (Level 3) roles have permission to edit & set the identification criteria on Rules.