TechIDManager Guide: TechIDElevate

How to Set Up and Use TechIDElevate

TechIDElevate gives MSPs a controlled way to manage UAC elevation requests from end-user machines. Instead of giving users standing local admin rights, technicians can approve or deny elevation requests when users need to run an application, installer, command prompt, PowerShell, QuickBooks update, or another task as administrator. This feature is available in public beta with TechIDAgent version 6.600 and newer.

What TechIDElevate Does

TechIDElevate allows a technician to remotely control whether an end user’s UAC prompt should be approved or denied.

When an end user tries to run something as administrator, they are prompted to request permission through TechIDManager. A technician can then review the request, confirm the details, and approve or deny the action.

Once approved, TechIDElevate temporarily satisfies the UAC requirement using a just-in-time managed user. After the elevated task is complete, that temporary access is removed and the account is disabled.

This means users can get the elevation they need without being granted permanent local admin rights.


Before You Begin

To use TechIDElevate, you will need:

  • TechIDAgent version 6.600 or newer

  • TechIDElevate enabled for your tenant

  • TechIDAgent installed on the end-user machine

  • Technician permissions to approve Elevate requests

  • Elevate scopes configured for the appropriate technician and agent groups

For partners joining the public beta, TechIDManager recommends scheduling a support meeting (support@techidmanager.com) so the team can enable the feature in your tenant and walk through the initial setup.


Step 1: Enable TechIDElevate on the End-User Machine

On the end-user computer where the TechIDAgent is installed, enable TechIDElevate using the TechIDAgent.exe command line.

Let’s start with this command line to set everything up:

TechIDAgent.exe TechIDElevate

TechIDAgent.exe – The executable to run.

TechIDElevate – Tells the TechIDAgent to enable TechIDElevate.

After TechIDElevate is enabled, you can run the agent’s show command to confirm the new Elevate options are visible.

You should see a new section showing TechID Elevate settings, including:

  • UAC Elevate management

  • Removal of local admin from users on the computer

  • Host information

  • Whether the Elevate provider is registered

These commands can be run locally, remotely, or in bulk across multiple machines.


Step 2: Have the End User Request Elevation

Once TechIDElevate is enabled, the end user can attempt to run something as administrator.

For example, they may try to run:

  • Command Prompt

  • PowerShell

  • An installer

  • QuickBooks

  • A line-of-business application

  • Another executable that requires admin rights

Instead of receiving a normal UAC prompt, the user will see a TechIDElevate permission request.

The prompt asks why the application needs to run as administrator. The user can enter a reason or submit the request without additional detail.

Once submitted, the request waits for a technician response.


Step 3: Review the Elevate Request in TechIDManager

The technician will see the Elevate request in the TechIDClient.

The request includes details such as:

  • The user making the request

  • The machine where the request originated

  • The executable being run

  • The file path

  • The trusted certificate status

  • How long ago the request was submitted

The technician can review the request and decide whether to approve or deny it.

Before approving, the technician may choose to contact the user, confirm the reason for the request, or verify whether the application should be allowed to run as administrator.


Step 4: Approve or Deny the Request

If the request is legitimate, the technician can approve it.

Once approved, the UAC prompt is satisfied automatically and the requested application runs as administrator for the user.

TechIDElevate uses a Just-In-Time managed user to complete the elevation. That user is granted the permissions needed to run the approved task. Once the task is complete, the user is disabled and the rights are removed.

If the request should not be allowed, the technician can deny it.

This gives the MSP control over elevation without giving the end user permanent admin access.


Step 5: Manage Requests from the TechIDPortal

Elevate requests also appear in the TechIDPortal under the Elevate Requests section.

From the portal, technicians and managers can view request details such as:

  • User

  • Machine

  • IP address

  • Agent name

  • Executable path

  • Certificate information

  • Whether the certificate is trusted

  • User-provided reason

Managers can approve requests from the portal. Once processed, approved or denied requests move into the processed request list.

If a user submitted a request but did not wait for a technician response, the request can still be reviewed and approved later.

When approval is granted after the user has stopped waiting, the user will receive a notification within about 60 seconds. The notification explains that their request has been approved and that the approval is valid for one elevation.

The user can then choose to run the application immediately or later.


Step 6: Understand One-Time Approval Behavior

TechIDElevate approvals are valid for one use.

If the user chooses “Run it now,” the approved application launches as administrator.

If the user chooses to run it later, the next time they attempt to run that same approved item, the elevation will proceed without requiring another technician response.

After that one-time use, the approval is consumed.

This helps keep elevation controlled, temporary, and auditable.


Step 7: Create Auto Responses for Trusted Requests

TechIDElevate also supports auto responses.

Auto responses allow specific elevation requests to be automatically approved based on criteria you define.

For example, you could create an auto response that allows a specific version of PowerShell or a trusted application to run as administrator from a specific machine.

Auto responses can be based on details such as:

  • File path

  • File hash

  • Certificate

  • Certificate trust status

  • Username

  • Machine name

  • IP address

  • Agent name

You can make rules as specific or as broad as needed.

For example, you could automatically approve:

  • A specific executable for a specific user

  • A specific application on a specific machine

  • Applications with trusted certificates from selected certificate providers

  • A known installer with a matching hash

The goal is to reduce repeated technician approvals for known-safe actions while still keeping elevation controlled.
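
To see why rule breadth matters, here is an added example (not TechIDManager code and not its rule format) that models auto-response matching in Python. The field names, the sample values, and the assumption that every criterion set on a rule must match the request are hypothetical.

```python
from dataclasses import dataclass, fields
from typing import Optional

@dataclass(frozen=True)
class Request:
    # Constructed model of the request details listed in this guide.
    file_path: str
    file_hash: str
    cert_subject: Optional[str]
    cert_trusted: bool
    username: str
    machine: str

@dataclass(frozen=True)
class Rule:
    # None means "match anything" for that criterion (assumption).
    file_path: Optional[str] = None
    file_hash: Optional[str] = None
    cert_subject: Optional[str] = None
    cert_trusted: Optional[bool] = None
    username: Optional[str] = None
    machine: Optional[str] = None

def matches(rule: Rule, req: Request) -> bool:
    """Assumed semantics: every criterion the rule sets must equal the request's value."""
    for f in fields(rule):
        want = getattr(rule, f.name)
        if want is not None and want != getattr(req, f.name):
            return False
    return True

def review(rule: Rule) -> list[str]:
    """Return findings for rules that are too broad to auto-approve safely."""
    findings = []
    pinned_hash = rule.file_hash is not None
    pinned_cert = rule.cert_subject is not None and rule.cert_trusted is True
    if not (pinned_hash or pinned_cert):
        findings.append("binary identity not pinned: add a file hash or a trusted certificate")
    if rule.username is None and rule.machine is None:
        findings.append("applies to any user on any machine")
    return findings

# Constructed sample data: same path, but the second request is a different binary.
GOOD = Request(r"C:\Tools\setup.exe", "aa11", "CN=Example Vendor", True, "alice", "PC-01")
SWAPPED = Request(r"C:\Tools\setup.exe", "ff99", None, False, "alice", "PC-01")
PATH_ONLY = Rule(file_path=r"C:\Tools\setup.exe")
HASH_PINNED = Rule(file_path=r"C:\Tools\setup.exe", file_hash="aa11", machine="PC-01")
```

The path-only rule approves both requests even though the second binary has a different hash and no trusted certificate, while the hash-pinned rule approves only the known installer.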


Step 8: Convert History into Auto Responses

TechIDElevate keeps a history of past elevation activity.

From the Elevate History section, previously approved requests can be converted into auto responses.

This makes it easier to build rules from real-world usage.

For example, if technicians regularly approve the same trusted application for the same user or device, that historical request can be converted into an auto response and then edited as needed.

You can adjust the rule to apply to:

  • The same user

  • Any user

  • The same machine

  • Any machine

  • The same executable

  • A specific file hash

  • A trusted certificate

  • Other matching criteria

This allows MSPs to start with manual approval, observe real usage patterns, and then safely automate repeat requests.


Step 9: Configure Elevate Scopes

Elevate scopes determine which technicians can approve Elevate requests for which agents.

These scopes work similarly to TechIDManager triplets, which define which technicians receive which rights for which accounts on which agents.

An Elevate scope combines:

  • A technician group

  • An agent group

Scopes are additive, which means you can create multiple scopes to match your operational structure.

For example, you may allow:

  • All technicians to approve requests for all agents

  • A specific technician group to approve requests for a specific client

  • A manager group to approve requests across all clients

By default, managers can respond to any request from the portal.


Best Practices for Using TechIDElevate

Use TechIDElevate to reduce standing local admin access while still allowing users to complete legitimate work.

Recommended practices include:

  • Remove local admin rights from end users where possible

  • Require users to provide a reason for elevation requests

  • Train technicians to verify unusual requests before approval

  • Use auto responses only for known, trusted, repeatable actions

  • Review Elevate History regularly

  • Keep auto response rules specific enough to avoid unnecessary risk

  • Use Elevate scopes to limit which technicians can approve requests for each environment

  • Treat one-time approvals as the default and automation as the exception


TechIDElevate gives MSPs a practical way to manage UAC elevation without handing out permanent local admin rights.

End users can request elevation when needed. Technicians can review and approve or deny the request. Approved actions run through a temporary just-in-time managed user, and access is removed when the task is complete.

With Elevate requests, history, auto responses, and technician scopes, TechIDElevate helps MSPs balance usability, security, and accountability.

To get started with TechIDElevate during the public beta, schedule a TechIDManager support meeting so the feature can be enabled for your tenant and configured correctly.


Support

Contact our team at support@techidmanager.com