In 2022, PolicyPak introduced a new feature that enables users to elevate the native printers’ dialog, known as elevating NTPRINT.EXE, and also the native Windows "SETTINGS" control (SystemSettingsAdminFlows.exe).
You can review examples of these changes in these two videos:
https://kb.policypak.com/kb/article/1223-policypak-least-privilege-manager-install-printers-via-native-ntprint-dialog/
https://kb.policypak.com/kb/article/1224-policypak-least-privilege-manager-edit-ip-settings-edit-via-win-gui/
When we added this functionality, we also had to also change the behavior for any explicit elevation request normally handled by “Run As Administrator” requests.
Starting in PolicyPak CSE 3425 you can modify the “Run As Administrator” behavior depending on the goal you would like to accomplish. Use PolicyPak ADMX settings to control. Use this reference to get familiar with the PolicyPak ADMX first: https://kb.policypak.com/kb/article/505-troubleshooting-with-admx-files/
Note these ADMX settings are also built into PolicyPak Cloud and you are welcome to use those as well. The policy screenshots below in this article were all taken from PolicyPak Cloud. In the Cloud editor these policy settings can be found under Microsoft & PolicyPak Admin Templates Manager.
The corresponding Registry location for this setting is:
HKLM\SOFTWARE\Policies\PolicyPak\Client-Side Extensions\{58DE0268-6384-49E0-A333-20EC46654B82}\Explicit Elevate
In this case, keep the defaults as-is with Not Configured. You may optionally also set it to Disabled. You can also optionally set it to “Enabled + Enable and use the default context menu Run as administrator.” All three of these methods will perform default PolicyPak behavior.
Three screenshots showing this (using PolicyPak Cloud are seen here.)
OR
You might find that the default PolicyPak behavior is interfering with the way your users normally interact with “Run as administrator” commands. Here’s an example you might encounter (there are others, but this one is easy to see.)
An example of possible issues with shortcuts and Run as administrator might be when right-clicking an executable and selecting ‘Run as administrator' you receive the following error:
“There are no more endpoints available from the endpoint mapper.”
If you want to work around this concern, you could specify Configure processing Explicit-Elevation requests for processes: Enabled + Disable intercept Explicit-Elevation.
This will turn off the new Intercept Explicit-Elevation behavior in LPM and revert the Run as administrator to Windows default behavior. Therefore, ”Run as administrator” requests will be handled by Windows OS and not PolicyPak.
Note: Because this method will ALSO turn off NTPRINT.EXE elevations, you can still use the legacy Printer elevation method within “PolicyPak Helper Tools” to perform Printer operations in this mode, because it doesn’t rely on the updated functionality to perform elevation directly upon NTPRINT.EXE. To see the PolicyPak Helper Tools in action to add printers, please refer to these videos: https://kb.policypak.com/kb/section/313/
In this case, use Enabled + “Enable and use alternative context menu ‘Run as administrator' with Netwrix PolicyPak’”
On the one hand, you’ll be able to elevate NTPRINT.EXE operations.
However, when a user selects the original "Run as administrator" menu option it will be intercepted by the PPLPM.
As a workaround, in this mode, users will see and should use "Run as administrator with Netwrix PolicyPak" menu to ensure UAC works.
Here’s an example RESULT when this option is selected.
Now users can perform the same “Run as administrator” type of operation, but they will need to use the PolicyPak-supplied “Run as administrator with Netwrix PolicyPak.”