Manual vs Automatic Elevation

Run as administrator

Elevating the customer client enables switching user accounts, deploying Jump Clients in service mode, and controlling protected windows and UAC dialog boxes. Elevation does not change the user context of the active user and is not the same as logging out the active user and logging back in as an administrator. Once you have elevated a session, you can log out of the existing user and back in with an administrative account, or use Run as administrator to run commands or programs within the admin user context.


Manual Elevation

Automatic behavior prompt to elevate setting

To elevate the customer client to have administrative privileges, click the Elevate button at the top of the session window.

Golden shield that represents the session elevation button.

A prompt for administrative credentials appears. A prompt to elevate will also appear if the representative attempts to perform an action which requires administrative rights in an unelevated session.

You may also configure settings in the representative console so that the user at the remote device is automatically prompted if their secure desktop is enabled. This setting can be found by navigating to File > Settings > Support Sessions > Automatic Behavior. This setting can also be globally configured in the /login interface on the Rep Console > Rep Console Settings page under Manage Rep Console Settings.


Automatic Elevation

BeyondTrust Automatic Elevation Service

In special cases, you may need a session to start with the customer client already in elevated mode, or you may need to elevate the customer client without providing credentials. To securely elevate the customer client without the prompt, download the Automatic Elevation Service from /login > My Account and install it beforehand on the remote Windows systems to which you need credential-less elevation access. You must install the elevation service using an account that has administrative privileges to the local machine.

When the elevation service runs, it adds to the registry a hash unique to your BeyondTrust site. Then, when the remote system begins a session through that site, the elevation service matches the registry hash against the hash in the client. If they match, the client attempts automatic elevation.

Elevation occurs following the rules set in /login > Public Portals > Customer Client > Other Options. If the rules set for the customer client do not allow it to elevate automatically, a matching hash will still make the elevation service the means for elevation when the representative clicks the Elevate button in the representative console. When the elevation service is used, neither the representative nor the customer is prompted for credentials.

After a BeyondTrust software update, your site hash changes. Download and run the elevation service registry file to update the registry hash on systems which already have the elevation service installed. You must run the elevation service registry file using an account that has administrative privileges to the local machine.

For more information on elevation, please see the following articles: