How to deploy AutoElevate via Azure/Intune

What is AutoElevate?
AutoElevate is a Privileged Access Management (PAM) system designed for MSPs to manage administrative rights.

Why use AutoElevate?
By removing local Admin rights and employing endpoint privilege management you will immediately enhance all your cybersecurity efforts. Privileged Access Management (PAM) is one of the best ways to help stop malware and thwart attackers. Some estimates say that having users run with Standard privileges can help mitigate 94% or more of Microsoft vulnerabilities.

How to deploy AutoElevate?

Step 1. - Go to https://msp.autoelevate.com/settings and download the Agent MSI and make a note of your License Key.

Step 2. - Go to Endpoint Manager in O365, located here: https://endpoint.microsoft.com/?ref=AdminCenter#home

Step 3. - Click Apps > All Apps > Add

Step 4. - Select Line-of-business app

Step 5. - Click Select App Package File > Select the AutoElevate file you downloaded earlier from AutoElevate’s portal.

Step 6. - Click OK > Fill in as much of the information as you want. Select Ignore app version as we can update the app from the portal.

Step 7. - Command-Line Arguments MUST BE ADDED.
Please use the following information to tailor them to your organization.

Common MSIEXEC commands.
/uninstall = sets the MSI to uninstall. Uninstall should be done from add/remove applications but can also be done from the MSI file directly. When done from the MSI, the other AutoElevate specific options below such as “LICENSE_KEY” do not need to be specified.
/quiet = silent installation with no user interaction.
/lv = log file with verbose output – specify the log file name that should be created.

The following AutoElevate specific options must be set for successful installation (with the exception of the optional "COMPANY_INITIALS"). Use values specific to your needs and practice:

LICENSE_KEY="123456789ABCDEFGYOURLICENSEKEYHERE" – Supplied to you upon sign-up and/or purchase
COMPANY_NAME="Contoso, Inc." – Setting this value categorizes the workstation in the Web Admin Portal by this company name. For best results match the Company Name to an existing Company Name or reference in your RMM or Ticketing system.
COMPANY_INITIALS="CI" – (Optional) Short initials that will serve as a quick reference in the Mobile Notification app.
LOCATION_NAME="Main Office" – This should match the Location Name or reference in your RMM or Ticketing system.
AGENT_MODE="live" – This can be set to "live", "policy", "audit", or "technician" so that the Agent installer can override the current mode or be set to automatically install in the mode of your choice. (*** these mode options are case sensitive and should be in lowercase; otherwise this part of the command will fail and the agent will default to audit mode ***)

Here is an example of what the installation command might look like for a silent, unattended installation that writes a log file called AEInstallLog:

C:\Downloads\AESetup.msi /quiet /lv AEInstallLog.log LICENSE_KEY="123456789ABCDEFGYOURLICENSEKEYHERE" COMPANY_NAME="Contoso, Inc." COMPANY_INITIALS="CI" LOCATION_NAME="Main Office" AGENT_MODE="audit"

My command-line arguments are:

/quiet /lv C:\ENTERLOGLOCATION\AEInstallLog.log LICENSE_KEY="Enteryourlicensekey" COMPANY_NAME="Contoso, Inc." COMPANY_INITIALS="el" LOCATION_NAME="enterlocationname" AGENT_MODE="audit"

Step 8. - Add the Group or Users you would like it to apply to.

Step 9. - Click Next > Then click Create

You’re done!
It normally takes about 30 minutes for the apps to be deployed to your machine. You can check the progress by going to
https://endpoint.microsoft.com/?ref=AdminCenter#home > Apps > All Apps > AutoElevate
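
The Step 7 arguments can fail quietly, most notably when AGENT_MODE is not lowercase and the agent falls back to audit mode. The PowerShell below is an added example, not code from the original post or from AutoElevate: it builds the Intune command-line string and rejects a bad mode or a stray double quote before you paste it in. The function name New-AEInstallArguments and its parameter names are assumptions; the sample values are the placeholders used on this page.

```powershell
# Added example. New-AEInstallArguments is a hypothetical helper, not an
# AutoElevate or Intune cmdlet; property names are the ones listed in Step 7.
function New-AEInstallArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LicenseKey,
        [Parameter(Mandatory)][string]$CompanyName,
        [Parameter(Mandatory)][string]$LocationName,
        [Parameter(Mandatory)][string]$AgentMode,
        [string]$CompanyInitials,   # optional, as in Step 7
        [string]$LogPath            # optional verbose log file for /lv
    )

    # -cnotcontains compares case-sensitively, so 'Live' or 'AUDIT' is rejected
    # here rather than the agent quietly defaulting to audit mode.
    $validModes = 'live', 'policy', 'audit', 'technician'
    if ($validModes -cnotcontains $AgentMode) {
        throw "AGENT_MODE '$AgentMode' is invalid. Use one of: $($validModes -join ', ')."
    }

    $props = [ordered]@{
        LICENSE_KEY   = $LicenseKey
        COMPANY_NAME  = $CompanyName
        LOCATION_NAME = $LocationName
        AGENT_MODE    = $AgentMode
    }
    if ($CompanyInitials) { $props['COMPANY_INITIALS'] = $CompanyInitials }

    $parts = @('/quiet')
    if ($LogPath) { $parts += "/lv `"$LogPath`"" }
    foreach ($name in $props.Keys) {
        # A double quote inside a value would close the quoted property early.
        if ($props[$name] -match '"') { throw "$name must not contain a double quote." }
        $parts += "$name=`"$($props[$name])`""
    }
    $parts -join ' '
}

# Constructed sample values (the placeholders used on this page).
$common = @{
    LicenseKey   = 'Enteryourlicensekey'
    CompanyName  = 'Contoso, Inc.'
    LocationName = 'Main Office'
    LogPath      = 'C:\ENTERLOGLOCATION\AEInstallLog.log'
}
New-AEInstallArguments @common -AgentMode 'audit'

# A capitalised mode is caught before it reaches Intune.
try { New-AEInstallArguments @common -AgentMode 'Live' } catch { "Rejected: $_" }
```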
