Privilege Elevation.
Controlled. Audited.

Remove local admin rights without killing productivity. Users request elevation, you approve in seconds. Full audit trail, automatic rules, zero friction.


How It Works

1. User Needs Admin

End user right-clicks the ElevateGuard tray icon, browses to the application they need to run elevated, and adds a justification.

2. Request Submitted

The agent captures the file hash, publisher signature, and user details, then sends the request to the cloud. Auto-approve rules are checked instantly.

3. Admin Reviews

Pending requests appear in your web console in real time. You see the app name, publisher, hash, user, machine, and justification. One click to approve or deny.

4. Process Launches Elevated

On approval, the agent receives the decision via MQTT in under a second and launches the process with admin privileges in the user's session. No passwords shared, no persistent admin rights.

Everything You Need

Real-Time Approve/Deny

Requests arrive in your console instantly via MQTT push. Approve or deny with one click and the agent acts within a second. No polling delays.

Auto-Approve Rules

Create rules by SHA256 hash, publisher certificate, file path, or path prefix. Known-good apps get elevated automatically without admin intervention.

Full Audit Trail

Every request, approval, denial, and execution is logged with timestamps, user identity, machine name, and file details. Complete compliance-ready history.

Authenticode Verification

The agent extracts the digital publisher signature from executables so you can verify the software source before approving elevation.

Multi-Company Support

Built for MSPs. Manage elevation policies across all your client companies from a single console with per-company rules and settings.

Lightweight Agent

Single Windows executable runs as a SYSTEM service. Under 5MB, no dependencies, no PowerShell, no shell execution. Elevation only.

Learning Mode

Deploy with confidence using Learning Mode. Capture all UAC elevation attempts without blocking users, then review and whitelist apps before switching to enforcement. Zero-disruption rollout.

Multi-Scope Rules

Create whitelisting rules at machine, company, or tenant level. Machine rules for individual PCs, company rules for all endpoints in an org, tenant rules across your entire portfolio.

Team & Role Management

Invite team members with granular roles. Admins get full access, approvers handle specific companies with configurable permissions. Owner, admin, approver, and viewer roles built in.

Simple, Transparent Pricing

Starter

$1/endpoint/mo
Up to 100 endpoints
  • Web console
  • Real-time approve/deny
  • Auto-approve rules
  • Learning Mode
  • Audit log
  • 30-day history

Enterprise

$2/endpoint/mo
Unlimited endpoints
  • Everything in Pro
  • Team Management
  • Multi-scope rules
  • SSO (SAML)
  • SIEM integration
  • Unlimited history
  • Priority support

Start with a 14-day free trial. No credit card required. Full access to all features.

Frequently Asked Questions

How does privilege elevation work without giving users admin rights?

ElevateGuard installs a Windows service that runs as SYSTEM. When an elevation request is approved, the service launches the specified application with elevated privileges in the user's desktop session using Windows API calls (CreateProcessAsUser). The user never receives admin credentials or persistent admin rights — only the specific approved application runs elevated.

What if the agent loses internet connectivity?

Without connectivity, new elevation requests cannot be submitted or approved. The agent will queue the request locally and submit it when connectivity returns. Previously approved auto-approve rules are cached locally, so matching applications can still be elevated offline.

Can users run anything elevated once approved?

No. Each approval is for a specific application identified by its SHA256 hash, file path, and publisher signature. The agent verifies the file hash before launching. If the file has been modified or replaced, the elevation will not proceed. Approvals are single-use by default.
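
The launch-time check this answer describes (hash, path, publisher, single use), shown as an added Python example that is not ElevateGuard's code. The `Approval` record, its field names and `check_before_launch` are assumptions, and the publisher is passed in as a plain string rather than extracted from an Authenticode signature.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass
class Approval:
    """Hypothetical record of one approved request (field names are assumptions)."""
    sha256: str
    path: str
    publisher: str
    used: bool = False

def sha256_file(path):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_before_launch(approval, path, publisher):
    """Return (allowed, reason); a successful check consumes the approval."""
    if approval.used:
        return False, "approval already used"
    if os.path.normcase(os.path.abspath(path)) != os.path.normcase(os.path.abspath(approval.path)):
        return False, "path mismatch"
    if publisher != approval.publisher:
        return False, "publisher mismatch"
    # Re-hash at launch time: the file may have changed since the request was made.
    if sha256_file(path) != approval.sha256.lower():
        return False, "hash mismatch"
    approval.used = True
    return True, "ok"

def demo():
    """Constructed scenario: approve a file, launch once, retry, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "setup.exe")  # constructed sample, not a real binary
        with open(exe, "wb") as fh:
            fh.write(b"constructed installer bytes")
        first = Approval(sha256_file(exe), exe, "Example Publisher")
        results = [check_before_launch(first, exe, "Example Publisher"),
                   check_before_launch(first, exe, "Example Publisher")]
        second = Approval(sha256_file(exe), exe, "Example Publisher")
        with open(exe, "ab") as fh:
            fh.write(b"appended after approval")  # simulate modification after approval
        results.append(check_before_launch(second, exe, "Example Publisher"))
        return results
```

In general, a check like this only holds if the file cannot change between hashing and process creation, so an implementation would also need to keep the file from being written in that window.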

How is this different from UAC or just making users admins?

UAC prompts can be clicked through by any local admin. Making users admins gives them permanent, unrestricted access. ElevateGuard provides just-in-time, just-enough privilege: specific apps, specific times, with approval, audit trail, and automatic rules. You maintain least-privilege while keeping users productive.

Does it work with RMM tools like NinjaOne or ConnectWise?

Yes. ElevateGuard is a standalone agent that works alongside any RMM tool. It doesn't conflict with existing management agents and can be deployed via your RMM's software deployment feature.

What is Learning Mode?

Learning Mode lets you deploy ElevateGuard without enforcing any policies. The agent captures all UAC elevation attempts and reports them to the console, but doesn't block or prompt users. Once you've reviewed the captures and created whitelist rules for known-good apps, you switch to Elevation Mode with confidence that legitimate software won't be disrupted.

Can I control who can approve elevation requests?

Yes. ElevateGuard has four roles: Owner, Admin, Approver, and Viewer. Approvers can be assigned to specific companies and given granular permissions like approve-once, create machine rules, or create company rules. This lets you delegate approval authority while maintaining control.