ThreatLocker Elevation – Quick Start Guide
Note: ThreatLocker Elevation requires Agent Version 6.0 or above
To get started with ThreatLocker Elevation:
- Navigate to Computer Groups in the ThreatLocker Portal.
- Select the group(s) you want upgraded to use Elevation.
- Select update ThreatLocker Version > 6.0 (or higher).
After the computers check in:
- Navigate to the Computers Page in the ThreatLocker Portal.
- Select the computer(s) you want to elevate > Select Restart Service.
ThreatLocker Elevation requires a new tray. Due to this, to use ThreatLocker Elevation, you will need to either:
- Log out of your machine
- Reboot your machine
- Kill the ThreatLockerTray process and manually reopen it.
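The third option, scripted in PowerShell as an added example (not ThreatLocker's own code). Only the process name ThreatLockerTray comes from this guide; the function name is hypothetical, and the executable path is read from the running process rather than assumed.

```powershell
# Added example: restart the ThreatLocker tray in the current user session.
# Run it as the logged-on user, not from an elevated or remote session,
# so the tray is reopened in that user's context.
function Restart-ThreatLockerTray {
    [CmdletBinding()]
    param([string]$ProcessName = 'ThreatLockerTray')

    # Limit the search to this logon session so other users' trays are untouched.
    $session = (Get-Process -Id $PID).SessionId
    $trays = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $session })

    if ($trays.Count -eq 0) {
        Write-Warning "$ProcessName is not running in this session; log out or reboot instead."
        return
    }

    # Record the executable path BEFORE stopping the process; it cannot be
    # recovered from the process object once the process has exited.
    $path = $trays[0].Path
    if (-not $path) {
        Write-Warning "Could not read the path of $ProcessName; log out or reboot instead."
        return
    }

    $trays | Stop-Process -Force
    # Wait for the old tray to exit so the old and new copies do not overlap.
    $trays | Wait-Process -Timeout 15 -ErrorAction SilentlyContinue

    Start-Process -FilePath $path
    Write-Output "Restarted $ProcessName from $path"
}

Restart-ThreatLockerTray
```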
Once your machines are checking in with version 6.0 as displayed in the Computers Page:
- Select the Organizations tab.
- Ensure you have Elevation enabled in the Product drop-down list.
If checked, ThreatLocker Elevation is now enabled.
Note: We audit all elevation in the Unified Audit. All elevation events will have the action type 'elevate'.
How to Use ThreatLocker Elevation:
Elevation integrates with our Application Control, meaning that if an application is not currently allowed, you may approve and elevate it simultaneously.
A user may request access to an application through the use of our new Tray Application.
This request may be viewed from the Approval Center, and it will indicate that this is an Application Request as shown here:
Now you will have the opportunity to:
- Approve the application
- Approve with Ringfence. This is highly important, as you may not want the elevated application to interact with Command Prompt or PowerShell, for example.
- Set an expiration date for the policy
- Allow the application to elevate as an administrator
- Apply the policy to the specified level
After configurations have been made and Save has been selected, you may now run this application as a normal user as expected. If the application is run as an administrator, you will receive confirmation through the Tray Application that the application has been elevated.
Note: If Ringfencing was enabled, the elevated application cannot be used to bypass elevation for other applications. As an example, if we attempt to run PowerShell as an administrator from PuTTY, we will receive a block, as one would expect.
If you would like to allow elevation for an application that is already permitted, there are two ways of achieving this.
- Navigate to Application Control > Policies.
- Select the pencil icon that corresponds to the desired policy.
- Enable the Elevation checkbox.
- Save and Deploy Policies.
Alternatively, open the desired application as an administrator. In this example we are running PowerShell, which we have already permitted.
This will bring forth a notification allowing you to request elevation for this application.
This request may be viewed from the Approval Center, and it will indicate that this is an Elevation Request as shown here:
Within the request:
- Configure the policy settings as desired.
- Select Save.
This will create a policy and, if elevation was selected, the application will be able to run as an administrator within 60 seconds.