System Overview – System Agent
Discover the key functions and roles of the System Agent!
The AutoElevate software is referred to as the "AutoElevate System Agent" and is installed on each computer. It monitors, reports on, and responds to all UAC privilege events and living-off-the-land (LOTL) attacks. The Agent runs in one of three Elevation modes (Audit, Policy or Live) and, independently, in one of three Blocker modes (Disabled, Audit or Live). On installation, Agents default to Audit for Elevation mode and Disabled for Blocker mode; these defaults can be overridden in the deployment script.
How to Change Elevation Modes
In the Admin Portal (https://msp.autoelevate.com), open the Computers tab, select the check box next to the computer(s) you want to change, then from the Actions menu choose Set Elevation Mode and pick Live, Audit, or Policy. The new mode takes effect once the Agent checks in and picks up the setting (check-in happens every 10 minutes); you are ready to test at that point. Click the "Refresh Data" button in the top right-hand corner to refresh your view, then look at the 'Agent Mode' column to confirm the Agents have picked up the new Elevation mode setting. See the image below from the Actions menu:
Elevation Modes Defined
- Audit - All UAC events are logged, but the Agent does not respond to them or apply defined rules, so there is no change to the user experience.
- Policy - Policy mode applies and processes any defined rules. For any event with no corresponding rule, it does NOT invoke the Real-Time evaluation process but instead lets the normal UAC prompt appear to the user. Policy mode lets you make and apply rules for critical applications for an immediate benefit, but it will not prompt the user or a technician to evaluate anything unknown.
- Live - All UAC events are intercepted, and rules that have been defined are applied (to either elevate with privilege or block). For any event with no corresponding rule, the end user is given the choice to proceed with a privilege request. The privilege request notifies every technician with access to the company and opens a ticket (if you have an integrated PSA ticketing system). The technician is presented with who is making the request, what they are requesting, the basic security disposition of the machine, and whether the application or action is safe, along with the ability to respond to the user's request in real time.
How to Change Blocker Modes
In the Admin Portal (https://msp.autoelevate.com), open the Computers tab, select the check box next to the computer(s) you want to change, then from the Actions menu choose Set Blocker Mode and pick Live, Audit, or Disabled. The new mode takes effect once the Agent checks in and picks up the setting (check-in happens every 10 minutes); you are ready to test at that point. Click the "Refresh Data" button in the top right-hand corner to refresh your view, then look at the 'Blocker Mode' column to confirm the Agents have picked up the new Blocker mode setting. See the image below from the Actions menu:
Note: These modes are found in the Actions menu of the Computers screen. More on Blocker here.
Blocker Modes Defined
- Disabled - The Agent's filter driver is not installed, or is uninstalled if it was previously installed. As a result, no Windows process is monitored in this state and no existing Blocker Rule is applied. Since Blocker is disabled, there is no change in the user experience.
- Audit - The Agent's filter driver is installed. Windows processes for binaries used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent does not apply any defined Blocker Rules, so there is no change in the user experience.
- Live - The Agent's filter driver is installed. Windows processes for binaries used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent blocks or allows Windows processes according to any defined Blocker Rules.
Technician Mode
This is a special mode that lets onsite Technicians interact with the computer's UAC prompts. See the Technician Mode documentation on our support site for a more in-depth explanation. The setting is shown below in the Computers screen Actions menu:
The AutoElevate Agent Components
The System Agent consists of the AutoElevate Agent service, which is set to start automatically at Windows startup and then spawns the AEAlert and AEUACAgent applications once a user is logged in. When the AutoElevate Agent service is stopped, the computer reverts to standard UAC behaviour and UAC events are no longer tracked, so the service's running state is worth monitoring.
See the System Agent Installation document for more detailed instructions on Agent deployment options.
The AutoElevate Blocker Component
The Blocker consists of the AEAutoBlocker application, which runs once Blocker is enabled in either Audit or Live mode. The filter driver is likewise not installed until Blocker is enabled. See Managing Blocker for more.
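The following PowerShell script is an added example, not part of the AutoElevate documentation or the vendor's tooling. It inventories the components named in the two sections above (the AutoElevate Agent service, the AEAlert and AEUACAgent user-session applications, and the AEAutoBlocker application) on a single endpoint and warns when the service is not running with Automatic start, since that is the state in which UAC events are no longer tracked. It assumes the service's name or display name contains "AutoElevate", that the process image names are AEAlert.exe, AEUACAgent.exe and AEAutoBlocker.exe, and that the filter driver's minifilter name is supplied by you via the -FilterDriverName parameter (the page does not give it; confirm it with `fltmc filters` on a machine known to have Blocker enabled).

```powershell
# Added example (not AutoElevate's own code): report the state of the System Agent
# and Blocker components on this endpoint.
# Assumptions, labelled as such:
#   - the Windows service name or display name contains "AutoElevate"
#   - the processes are named AEAlert.exe, AEUACAgent.exe and AEAutoBlocker.exe
#   - -FilterDriverName is a placeholder you must fill in; it is not given in the docs
[CmdletBinding()]
param(
    [string]$ServicePattern   = 'AutoElevate',
    [string]$FilterDriverName = ''
)

function Get-AEAgentStatus {
    param([string]$ServicePattern, [string]$FilterDriverName)

    # Locate the Agent service by name/display name pattern (assumed pattern).
    $svc = Get-Service |
        Where-Object { $_.Name -like "*$ServicePattern*" -or $_.DisplayName -like "*$ServicePattern*" } |
        Select-Object -First 1

    $svcName   = $null
    $svcStatus = 'NotFound'
    $startMode = $null
    if ($svc) {
        $svcName   = $svc.Name
        $svcStatus = $svc.Status.ToString()
        # Win32_Service.StartMode is 'Auto' for services set to start automatically.
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartMode
    }

    # AEAlert and AEUACAgent only exist after an interactive logon; AEAutoBlocker only
    # when Blocker is in Audit or Live mode. Process names are assumed (see lead-in).
    $running = @{}
    foreach ($p in 'AEAlert', 'AEUACAgent', 'AEAutoBlocker') {
        $running[$p] = [bool](Get-Process -Name $p -ErrorAction SilentlyContinue)
    }

    # Optional: check whether the Blocker minifilter is loaded. fltmc needs elevation
    # and prints one filter per line, beginning with the filter name.
    $filterLoaded = $null
    if ($FilterDriverName) {
        $pattern      = '^\s*' + [regex]::Escape($FilterDriverName) + '\b'
        $filterLoaded = [bool]((& fltmc.exe filters 2>$null) | Select-String -Pattern $pattern)
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceName       = $svcName
        ServiceStatus     = $svcStatus
        ServiceStartMode  = $startMode
        AEAlertRunning    = $running['AEAlert']
        AEUACAgentRunning = $running['AEUACAgent']
        BlockerRunning    = $running['AEAutoBlocker']
        FilterLoaded      = $filterLoaded
    }
}

$status = Get-AEAgentStatus -ServicePattern $ServicePattern -FilterDriverName $FilterDriverName
$status | Format-List

# Per the component descriptions: a stopped service means stock UAC behaviour and no tracking.
if ($status.ServiceStatus -ne 'Running' -or $status.ServiceStartMode -ne 'Auto') {
    Write-Warning 'AutoElevate Agent service is not running with Automatic start; UAC events are not being tracked.'
}
# BlockerRunning = $false while the service is running is consistent with Blocker mode = Disabled.
if ($status.ServiceStatus -eq 'Running' -and -not $status.BlockerRunning) {
    Write-Verbose 'AEAutoBlocker not running: Blocker mode is likely Disabled on this computer.'
}
```

Run it in an interactive user session (otherwise AEAlert and AEUACAgent will legitimately be absent) and from an elevated prompt if you pass -FilterDriverName, since fltmc requires administrative rights. After changing a mode in the Admin Portal, wait for the Agent's 10-minute check-in before re-running it, or the result will still reflect the previous mode.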
How to Update the Agent
Updates are rolled out automatically depending on the state of your tenant. To update the Agent manually, use the Actions menu on the Computers screen, shown below: