Elevation Control Module

4 min. read | Last update: 05.29.2024


The ThreatLocker Elevation Control module is where users with Elevation Control enabled can manage the local Windows and MacOS administrators on all endpoints with ThreatLocker installed. There are two distinct methods to manage local administrators, allowing the flexibility to choose the method that suits your business needs.

Method one will be available with Windows Agent 8.8 and Mac Agent 3.0.

The first method, Remove Selected, will show all local administrators on your endpoints.

Along with the Computer Name, the main grid includes User Name and Last Login.

To remove any one user from the local Administrator group, select that row and select the 'trash can' icon. 

To remove several users from the local Administrator group, select multiple rows and select the red 'Remove X Users from the Local Administrator group' button. 


The second method works with the logic "Remove All Except."

On this page, create a list of permitted administrators by adding them to the exclusions list. ThreatLocker will then check for members of the local Administrator group on every endpoint. Any users in the local administrator group who are not listed in the exclusions will be removed from the group, returning them to standard user privileges.

This setting will not DELETE local administrators. Rather, on Windows, it removes users from the local Administrators group on any specified endpoint. For MacOS, it removes users' ability to administer the computer.

Please Note: On a Domain Controller, administrators in the built-in Administrator group will be removed with the 'Remove All Except' option unless the members of this group are listed as exclusions.


Before Enabling Remove All Except: 

Timothy Two is a Local Administrator

After enabling Remove All Except:

After deploying policies, Timothy Two is now a standard Local user

This setting is off by default.


Permissions/Products required for Manage Local Administrator Settings

To use this setting:

  • Add the 'Manage Local Admin Settings' permission 
  • The Elevation product must be enabled on an organizational level
  • Windows endpoints must be running agent version 8.7.1 or later
  • MacOS endpoints must be running agent 2.8 or later


Initial Setup

To configure this setting:

  1. Navigate to the Elevation Control Module
  2. Choose the method by which to remove the elevated privileges throughout your environment
  3. The default landing page is 'Remove Selected'.
    1. From here, review all local administrators in your environment.
    2. Using the 'trash can' icon, remove any users from the local administrator group.
    3. Click the 'Deploy Policies' button to apply these changes to the endpoints.
  4. To create policies that prevent new local administrator users, navigate to the 'Remove All Except' tab in the upper right corner.
  5. In the upper left, select 'New Exception'
    1. Choose the "Applies To" location for your permitted local administrator.
    2. Enable the setting.
    3. Add the name, or names, of approved local administrators.
    4. Select 'Create'. The new exception will populate on the main grid. 
    5. Deploy Policies. At that point, all members of the local Administrators group who are not listed under exclusions will be removed and returned to standard user permissions.

Caution: If NO local Administrators are listed and this setting is enabled, ALL current local Administrators will be removed. 

Note: Once Enabled and Saved, this will not immediately begin removing local Administrators from your endpoints. Policies must be deployed for this setting to begin removing administrators from the local Administrators group.


Edit or Stop Removing Local Administrators

  • To stop removing ALL local administrators with exclusions, disable the setting at all levels, save, and deploy policies. 
  • To permit a new local administrator, add them to the enabled setting, save, and deploy policies.


Exceptions to this setting

This setting will not remove the following:

  • The primary/first administrator created on a Windows machine. Windows does not allow this administrator to be removed. 
  • Windows Domain Administrators who are also in the local Administrators groups.
  • System users (Unix-style users) will not be removed on Mac endpoints.
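
Before enabling 'Remove All Except', it helps to see which members of a Windows endpoint's local Administrators group the exclusions list would leave in place. The script below is an added example, not ThreatLocker code, and it changes nothing on the endpoint. Its assumptions: exclusions are matched by name (the page does not say how ThreatLocker matches them), RID 500 stands in for the primary/first administrator, RID 512 (the Domain Admins group) stands in for Windows Domain Administrators, and all account names are constructed.

```powershell
# Added example: read-only preview of 'Remove All Except' for one Windows endpoint.
# Constructed placeholder names; replace with the names in your exclusions list.
$Exclusions = @('CONTOSO\svc-deploy', 'localadmin')

function Get-RemoveAllExceptPreview {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # objects with Name and SID
        [string[]] $Exclusions = @()
    )
    foreach ($m in $Members) {
        $sid   = [string]$m.SID
        $short = ($m.Name -split '\\')[-1]           # drop COMPUTER\ or DOMAIN\ prefix
        # Assumption: RID 500 approximates the "primary/first administrator",
        # RID 512 (Domain Admins group) approximates "Windows Domain Administrators".
        $outcome = if ($sid -match '^S-1-5-21-.+-500$') { 'Kept: primary administrator' }
            elseif ($sid -match '^S-1-5-21-.+-512$') { 'Kept: Domain Admins' }
            elseif ($Exclusions -contains $m.Name -or $Exclusions -contains $short) { 'Kept: exclusion' }
            else { 'WOULD BE REMOVED' }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Outcome = $outcome }
    }
}

$members = if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    Get-LocalGroupMember -SID 'S-1-5-32-544'
} else {
    # Constructed sample rows so the logic can be tried where the cmdlet is unavailable.
    @(
        [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-1111-2222-3333-500' }
        [pscustomobject]@{ Name = 'PC01\localadmin';    SID = 'S-1-5-21-1111-2222-3333-1001' }
        [pscustomobject]@{ Name = 'PC01\Timothy Two';   SID = 'S-1-5-21-1111-2222-3333-1002' }
        [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; SID = 'S-1-5-21-4444-5555-6666-512' }
    )
}

$preview = Get-RemoveAllExceptPreview -Members $members -Exclusions $Exclusions
$preview | Format-Table -AutoSize

# Mirrors the Caution on this page: an enabled setting with no names removes every administrator.
if (-not $Exclusions) { Write-Warning 'Exclusions list is empty: every removable administrator would be removed.' }
$toRemove = @($preview | Where-Object Outcome -eq 'WOULD BE REMOVED')
'{0} account(s) would lose local administrator rights.' -f $toRemove.Count
```

Domain administrator accounts that were added to the group individually cannot be recognised from the endpoint alone, so treat a 'WOULD BE REMOVED' result for a domain account as something to verify.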


Frequency of Local Administrator Removal

  • When policies are deployed. 
  • Once every sixty minutes. This hour is determined by when the service was last started/restarted.
  • On Windows, if a user is newly added to the Administrators Group, ThreatLocker will verify that this is an approved local Administrator. If it is not, the user will be removed from the local Administrators group.

