Privilege elevation for Windows users with Self Service
Organizations often prefer that employees operate with standard accounts on corporate-owned devices. However, standard users often lack the privileges needed to carry out essential tasks such as installing approved applications or updating drivers.
To address this challenge, Hexnode offers a Self Service feature that allows IT administrators to grant temporary administrator privileges to standard users. This document helps you define a Self Service policy for Windows devices from the Hexnode UEM console.
Deploy Self Service policy
The Self Service policy must be defined by the IT administrators from the Hexnode console and then associated with the devices on which the privilege elevation should be allowed. Only standard user accounts on those targeted devices can elevate their privileges temporarily as defined by the policy, thereby ensuring administrative access is granted in a secure manner.
Steps to configure the policy:
- Log in to the Hexnode UEM.
- Navigate to Policies > New Policy.
- Choose the platform as Windows and click Next.
- Choose Enterprise and then click Next.
- Provide a policy name and description.
- Go to Configurations > Self Service.
- Click on Configure. Then, check the required boxes:
  - Allow user to elevate standard account to administrator: Enabling this option allows the standard user on the device to temporarily elevate their privilege to administrator.
  - Set the time period for administrator privileges: You can set how long a standard user account keeps administrator privileges after elevation. For example, if the time limit is set as 3 minutes, then the user can be an admin for only 3 minutes and will be automatically reverted to standard user once the specified duration has passed.
  - Set a limit for the maximum number of times the user account can be elevated in a day: Once you enable this setting, it limits the number of times any standard account can elevate its privileges within a 24-hour period.
  - Maximum limit: By setting a number, you can control how many times a user can switch their standard account to administrator privileges. For example, if the limit is set as 2, then the user will be restricted to a maximum of 2 elevations within a day.
- Move to Policy Targets.
- Add your target device/device groups/users/user groups/domains/OUs with the policy. Then click OK.
- Click Save.
How can Standard users elevate their privileges from Windows devices?
While the initial Self Service settings are configured by the administrator through the policies in the Hexnode UEM console, the user initiates the actual request for elevation of privileges. The process of elevation is started by the end-user directly on their Windows device using a locally installed Hexnode UEM application.
Once the policy is applied:
- Open the Hexnode UEM app on the user device.
- From the left side menu, select Self Service.
- Click Elevate to gain admin privileges.
- A notification will appear if the elevation is successful, showing a confirmation message and the duration of elevated access.
- Admin privileges will be automatically revoked after the configured time.
Frequently Asked Questions
1. What are all the possible causes for the ‘Elevate’ button to be greyed out in the Hexnode UEM app?
The ‘Elevate’ button will be greyed out under the following cases:
- If the user is already an administrator.
- If the maximum account elevation limit has been exhausted for the day.
2. Should the user authenticate for privilege elevation with Self Service?
No, the privilege elevation process doesn’t require user authentication.
3. Can any user on the device utilize privilege elevation with Self Service?
Yes. All standard users on the same device can use this feature independently. The time limit and daily elevation limit configured are tracked and applied separately for each user account on that device.
4. What should the user do if they can’t see the Self Service tab in the Hexnode UEM app?
The user should ensure that the Hexnode UEM app installed on the device is updated to its latest available version.
Troubleshooting
1. Error: The ‘Elevate’ action is reported as successful in the UEM app, but the user account remains a Standard User.
Probable Cause:
The Hexnode Service (Agent) App is inactive, or its communication channel has been severed. While the Hexnode UEM app provides the user interface, the Service App is responsible for executing the underlying local group membership changes. If the service is not running, the command cannot be finalized at the system level.
Solution:
The admin should verify the status of the Hexnode Service App in the Device Summary page of the portal. If it is marked as inactive, the admin should instruct the user to ensure the device has a stable internet connection and then initiate a manual Sync from the Hexnode UEM app.
2. The user account remains in the “Administrators” group even after the configured time period has elapsed.
Probable Cause:
The endpoint entered a sleep or hibernation state, or lost network connectivity, before the Hexnode Service could execute the automatic reversion command.
Solution:
The admin can remotely demote the user by executing a custom PowerShell script containing the following command, with Username replaced by the account to demote:
Remove-LocalGroupMember -Group "Administrators" -Member "Username"
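The script below is an added example, not a script supplied by Hexnode: it lists accounts that are still in the local Administrators group longer than the configured time period after they were added, which is the condition described in troubleshooting item 2. It assumes success auditing for Security Group Management is enabled so that event 4732 is logged for each elevation; the parameter names and the PermanentAdmins allowlist are hypothetical.

```powershell
# Added example: report accounts still in the local Administrators group after
# the Self Service time period should have expired. Run elevated on the endpoint.
param(
    [int]$MaxMinutes = 3,                 # assumed: set to the policy's time period
    [int]$LookbackHours = 24,             # how far back to read the Security log
    [string[]]$PermanentAdmins = @('Administrator'),  # hypothetical allowlist
    [switch]$Remove                       # demote stale accounts, not just report
)

$adminsSid = 'S-1-5-32-544'               # well-known SID; the group name is localized
$now = Get-Date

# Event 4732 = a member was added to a security-enabled local group.
# Assumption: "Audit Security Group Management" success auditing is enabled.
$filter = @{ LogName = 'Security'; Id = 4732; StartTime = $now.AddHours(-$LookbackHours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Keep the most recent add per member SID, for the Administrators group only.
$lastAdd = @{}
foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['TargetSid'] -ne $adminsSid) { continue }
    $sid = $data['MemberSid']
    if (-not $lastAdd.ContainsKey($sid) -or $e.TimeCreated -gt $lastAdd[$sid]) {
        $lastAdd[$sid] = $e.TimeCreated
    }
}

# Compare the logged additions with who is in the group right now.
foreach ($m in Get-LocalGroupMember -SID $adminsSid) {
    $sid = $m.SID.Value
    $shortName = ($m.Name -split '\\')[-1]
    # Skip allowlisted admins and members with no add event in the lookback window.
    if ($PermanentAdmins -contains $shortName -or -not $lastAdd.ContainsKey($sid)) { continue }
    $age = [int]($now - $lastAdd[$sid]).TotalMinutes
    if ($age -le $MaxMinutes) { continue }    # still inside the allowed window
    [pscustomobject]@{ Account = $m.Name; AddedAt = $lastAdd[$sid]; MinutesElevated = $age }
    if ($Remove) { Remove-LocalGroupMember -SID $adminsSid -Member $sid }
}
```

Without -Remove the script only reports; review the output and the allowlist before running it with -Remove across a device group.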
Best Practices
- Pilot Group Validation: The admin should initially deploy Self Service to a small pilot group to identify potential conflicts with installed software or EDR policies before a global rollout.
- Mandate Application Allowlisting: The admin should deploy an Application Allowlisting policy alongside Self Service. This ensures that even with admin rights, users can only execute or install software pre-approved by the organization.

