Privilege Elevation

With privilege elevation, administrators can now allow end users to run certain applications as administrators, as well as install their own applications if they meet the specified criteria. IT administrators can create rules that elevate privileges based on a file hash, a software publisher, or a path to a file or folder.

Overview

  • User Environment Manager administrators pre-define applications to run or install using elevated privileges.
  • Standard user accounts can run these applications as if they were a member of the local Administrators group.
  • This improves security by removing local administrator privilege from domain users, while enabling elevation for specific applications.

Use cases for Privilege Elevation

  1. Elevated Application
    • Use to elevate applications that are already installed
    • Used for legacy apps requiring local admin rights to run
  2. User Installed Applications
    • Use this to elevate application installers
    • Used for application installers requiring local admin rights to install
    • Create a repository from where users can install approved software

Privilege Elevation Overview

Privilege Elevation is disabled by default.  You must enable it manually, configure conditions to control the elevated applications, and define an elevation message.

Argument-Based Privilege Elevation

Configure executables to be elevated only if they are invoked with specific arguments. Elevation options now available:

  • Argument-based
  • Hash-based
  • Path-based
  • Publisher-based

The benefit is improved security when elevating certain EXEs: users can execute only specific scripts in the context of a local administrator.

With Argument-based Privilege Elevation, if the EXE is run with a matching argument, the EXE is elevated. If the EXE is run with any other arguments (or none), the EXE runs in the context of the user.

Preparing for the Demo

We will be using some scripts to show Argument-based Privilege Elevation.

  • PEdemo.vbs : This will be the Argument and refers to a VBScript located in the UEMScripts folder. This script invokes a second executable (legacyapp.exe).
  • legacyapp.exe : This executable is designed to show whether it is running as a user or as an administrator.
  • legacyapp.exe.config : Config file for the executable.

We need to move the scripts into place in order to use them for Privilege Elevation.

Copy the PEdemo.vbs Script

First we will copy the PEdemo.vbs script to the Scripts directory of UEMProd.

  1. Open the Windows File Explorer from the taskbar
  2. Navigate to C:\Tools\UEM-Lab
  3. Right-click the file PEdemo.vbs
  4. Select Copy.

We are copying this file to be pasted in the script folder in the next step.

Put file in the Scripts Folder

We will create a Scripts folder in C:\UEMProd\general\FlexRepository and copy our script into this folder for use later.

  1. Go to the C:\UEMProd\general\FlexRepository folder and right-click.
  2. Select New and Folder.
  3. Type Scripts and press Enter.
  4. Copy the PEdemo.vbs file into this folder by right-clicking the newly created Scripts folder and selecting Paste.

We are putting the script we will be using into the UEM Scripts folder so that we can use it later.

Copy the Legacy App Files

We also need to copy the legacyapp.exe and legacyapp.exe.config files into UEM custom files and folders so they can be shared to the Desktop.

We will copy the two files here and will be pasting them in the next few steps from within the UEM Manager.

  1. Go into the C:\Tools\UEM-Lab folder on the Main Console
  2. Select both files: LegacyApp.exe and LegacyApp.exe.config.
  3. Right-click and select Copy

Open up the UEM Management Console

From the Main Console, double-click the Management Console shortcut on the desktop.  This will open up the User Environment Manager Management Console.

If you have UEM still open from the previous lesson, then you can proceed to the next step.

You may need to minimize the Windows Explorer windows or the Chrome Browser so you can see the desktop.

Set up Files and Folders to Share Script to Desktop

We are going to add custom files to the user environment. We will set up the files to be shared to the User's Desktop upon login.

  1. Click on the User Environment
  2. Click on Files and Folders
  3. Click Create
  4. Enter PE Demo for the Name and Label
  5. Click on Create under Files and Folders Settings

UEM will place those files on the User's Desktop when the user logs into the Windows 10 Instant Clone desktop.

Add Files for Windows 10

The window will pop up for the VMware UEM Profile Archive Settings.

Right-click over the Desktop in the middle pane and select Paste to copy those files into the Desktop folder.

Complete Adding Custom File to Desktop

  1. Click X to close the Desktop window inside VMware UEM Profile Archive Settings
  2. Back in the Files and Folders box, click Done.
  3. Click Save.

We have copied those two files to the User's Desktop through UEM for when you log in as a user.

Privilege Elevation

We are going to enable Privilege Elevation.  It is disabled by default.

  1. On the User Environment tab
  2. Select Privilege Elevation.
  3. Click Global Configuration.

Enable Privilege Elevation Overview

  1. Select Enable Privilege Elevation.  It is disabled by default.
  2. Select Also elevate all child processes to elevate child processes on a global level. If you select this option, all processes of a user-installed application run elevated.
  3. Click OK.

In this section you also have the ability to configure conditions to control the elevated applications. We are not going to configure any conditions in this lab. You also can add a Message to display with User-installed apps.  You would select Ask user to elevate in the Message section to display a message when a user launches an application that is configured for elevation. The user is presented with the option to run the application elevated or with the normal privileges of the user. We will not be doing that in this lab.

Warning for Privilege Elevation

The Privilege Elevation feature grants temporary administrator privileges to a user. The feature must be used only for specific use cases by administrators. It is not intended as a security feature. Use additional security measures to prevent malicious use.

Click OK.

Configure Argument-based Privilege Elevation

We are going to configure Argument-based Privilege Elevation.

  1. On the User Environment tab, select Privilege Elevation.
  2. Click Create.
  3. Enter a name for the setting definition: PE Demo
  4. Enter Label: PE Demo
  5. Click on Also elevate child processes
  6. Select the privilege elevation type from the Type drop-down under Privilege Elevation Settings: Argument-based elevated application
    • You can only use folders for user-installed applications.
    • If you are configuring path-based settings that reference network paths, specify UNC paths instead of drive letters. When users launch these applications, they should access them from the UNC path.
  7. Click Add in the Elevate section

Select Executable and Arguments to elevate

You can use the selection tool to highlight any text below and drag it with the hand tool into the lab to paste text instead of typing it in the demo environment.

  1. Select the folders or applications to add to the list:  (Use Click & Drag)
    • Executable: C:\Windows\System32\wscript.exe
    • We have to put in the entire path for the executable.
    • Argument: %UEMScripts%\PEdemo.vbs
    • This Argument refers to a VBScript located in the UEMScripts folder. The script invokes a second executable that is designed to show whether it is running as a user or as an administrator.
  2. Verify that Case-sensitive arguments is enabled. We will demonstrate how the case of the argument determines whether the application runs with elevated privileges or not.
  3. Click OK in the Select executable and arguments to elevate box
  4. Click Save for the Privilege Elevation box

Minimize the UEM Management Console

Minimize the UEM Management Console so we can launch a desktop.

Horizon HTML Access

If you still have the Instant Clone Desktop open from the previous lesson, you can use it; otherwise open the Instant Clone Desktop from the Chrome Browser as User2Mod1 and enter the password: VMware1!

  1. Open Chrome Browser
  2. Select the VMware Horizon bookmark
  3. Select VMware Horizon HTML Access

Login to VMware Horizon

Login to Horizon HTML Access:

  1. Change username to: user2mod1
  2. Password: VMware1!
  3. Click Login


Launch the Instant Clone Desktop

Double-click the Instant Clone Pool to launch the desktop.  It will automatically log the user2mod1 user into the desktop.

Confirm the Files are on the Users Desktop

The files we added to the UEM share are present on the user's desktop upon login.

Notice LegacyApp.exe and LegacyApp.exe.config are on the desktop.

Note:  The files may not be together on the desktop.

Open Run

  1. Right-click the Windows icon in the bottom left corner
  2. Select Run from the menu

Run wscript.exe with the correct argument

For this first test we will run the wscript.exe executable with the argument formatted properly.

Make sure to type the argument with the correct case, paying particular attention to the case of PEdemo.vbs.

You can click on the text in step one below and drag it with the hand tool to the desktop instead of typing out the text.

In the Run window, type in the Open box: (Use Click & Drag)

  1. C:\windows\system32\wscript.exe %UEMScripts%\PEdemo.vbs
  2. Click OK

Invoke Remote Executable message

A Windows Script Host box pops up saying the VBScript will invoke a remote executable.

Click OK

Notice running as Admin

Observe that Privilege Elevation executed wscript.exe and the secondary application with administrative privileges.

Click X in the top right corner of the Demo Tool window to close the box.

Run wscript.exe with the incorrect argument

For this test we will run the wscript.exe executable with the argument improperly formatted.

Right-click the Windows icon and click Run.

In the Run box, type the command with the argument pedemo.vbs in lowercase letters. (Use Click & Drag)

  1. c:\windows\system32\wscript.exe %UEMScripts%\pedemo.vbs
  2. Click OK

Windows Script Host Box

Click OK to continue to the secondary script.

Notice runs as user

The second app now runs in the context of the user, not as an administrator. wscript.exe was not elevated because the case of the argument did not match that of the privilege elevation rule.
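To make the matching behaviour of the two tests concrete, here is an added Python model of an argument-based elevation rule (this is example code, not UEM's own implementation). The rule fields follow the PE Demo definition above; the value of %UEMScripts% is a constructed assumption, and the model compares the executable path case-insensitively (as the tests show: a lowercase path still matched) while honouring the Case-sensitive arguments option for the argument.

```python
# Constructed model of an argument-based Privilege Elevation rule.
# Field names mirror the PE Demo definition created in the UEM console.
RULE = {
    "executable": r"C:\Windows\System32\wscript.exe",
    "argument": r"%UEMScripts%\PEdemo.vbs",
    "case_sensitive_arguments": True,
    "elevate_child_processes": True,
}

# Constructed value for %UEMScripts% (assumption: it points at the Scripts
# folder created under the FlexRepository earlier in the lab).
ENV = {"UEMScripts": r"C:\UEMProd\general\FlexRepository\Scripts"}


def expand(text, env):
    """Expand %NAME% references using the supplied environment mapping."""
    for name, value in env.items():
        text = text.replace(f"%{name}%", value)
    return text


def norm_path(path):
    """Windows paths are case-insensitive, so compare them in one case."""
    return path.lower().replace("/", "\\")


def evaluate(cmdline, rule, env):
    """Return (elevated, children_elevated) for a command line.

    The command line is split on its first space; the lab's executable path
    and argument contain no spaces, so this simplification is sufficient here.
    """
    exe, _, arg = cmdline.partition(" ")
    if norm_path(exe) != norm_path(rule["executable"]):
        return False, False          # a different executable: rule never applies
    want = expand(rule["argument"], env)
    got = expand(arg.strip(), env)
    if not rule["case_sensitive_arguments"]:
        want, got = want.lower(), got.lower()
    if got != want:
        return False, False          # any other argument (or none) runs as the user
    # Exact match: wscript.exe is elevated, and legacyapp.exe launched by the
    # script is elevated too only when child-process elevation is enabled.
    return True, rule["elevate_child_processes"]


if __name__ == "__main__":
    for cmd in (r"C:\windows\system32\wscript.exe %UEMScripts%\PEdemo.vbs",
                r"c:\windows\system32\wscript.exe %UEMScripts%\pedemo.vbs"):
        print(cmd, "->", evaluate(cmd, RULE, ENV))
```

Disabling Case-sensitive arguments in the model makes the second command elevate as well, which is why the lab leaves the option enabled.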

Click the X in the top right corner of the Demo Tool to close the window.

Lock the Desktop

  1. Click the Windows icon in the bottom left corner
  2. Click the Person icon
  3. Click Lock
  4. Close the Chrome Browser

Close UEM Management Console

Click the X in the top right corner of the UEM Management Console window.

This is the conclusion of this exercise.  In this lesson, we set up Argument-based Privilege Elevation where we configured executables to be elevated only if they are invoked with specific arguments.  We also customized the user desktop by adding custom files to the user environment to be on the desktop at login.