Policy: Privilege Elevation Allow Policy for Notepad++

This example shows a Privilege Elevation policy that targets one specific application (Notepad++) and explicitly allows it to run with elevated privileges on the targeted endpoint. It is useful for demonstrating how to allowlist a known, trusted application so users can elevate it without approval or MFA prompts.


What This Policy Does

  • Applies a Privilege Elevation rule in enforce mode.

  • Targets:

    • Any user (*)

    • A specific application (one App ID, representing Notepad++)

    • One specific endpoint (one Machine ID)

  • On a match, it applies an ALLOW control for elevation (OnSuccess: ALLOW).

  • Does not require the user to acknowledge the notification.


Why It Behaves This Way

  • Application-Scoped Allowlist: Because the application targeting is a single App ID (not *), only Notepad++ (as identified by that App ID) is covered.

  • Broad User Scope: The wildcard user targeting means any user on the targeted endpoint can benefit from the allow rule.

  • Enforced Allow: The policy is set to enforce and the success control is ALLOW, so matching elevation requests are permitted.

  • Standard Checks With No Extra Constraints: The Date, Time, Day, and Certificate restrictions are empty, so whether the rule applies depends only on whether the user, machine, and application all match.


What The User Experiences

  • When users attempt to run Notepad++ as an administrator on an in-scope endpoint, the elevation should succeed without requiring approval or MFA (because the policy explicitly allows it).

  • The policy includes a notification message, but acknowledgement is not required, so it should not add an extra “click to continue” step.


Important Notes And Common Adjustments

  • Fix The Notification Message: The current notification text references “monitor mode” and says MFA/justification/request will be required when enabled, but this policy is enforced and uses ALLOW. Update or remove the message so it matches actual behavior.

  • Narrow The User Scope If Needed: Replace * with specific users/groups if only certain users should be able to elevate Notepad++.

  • Consider Certificate Constraints: If supported in your environment, add signer/publisher/certificate constraints so the allow applies only to trusted builds of Notepad++, not to any binary that happens to match the same identifier. Also check how the App ID is derived in your deployment: if it is keyed on a file name or path rather than a hash or signature, any executable placed at that path inherits the elevation, and a user who can write to that location could use it to run arbitrary code as an administrator.
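The matching rules described under What This Policy Does and Why It Behaves This Way, together with the checks in the adjustments list above, as an added example that is not part of this page or of the product's own code. The field names (user_targets, app_ids, machine_ids, constraints, on_success, notification, require_ack), the App ID and Machine ID values, the notification text, and the match semantics (every targeting dimension must match; an empty constraint imposes nothing) are assumptions chosen to mirror the page, not the product's export schema.

```python
"""Toy evaluator and linter for the Notepad++ Privilege Elevation allow policy.

Added example, not the product's code or export schema: the field names and the
match semantics (every targeting dimension must match, an empty constraint never
blocks a match) are assumptions chosen to mirror the page.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    mode: str                 # "enforce" or "monitor"
    user_targets: List[str]   # principals (users or groups); "*" matches anyone
    app_ids: List[str]
    machine_ids: List[str]
    on_success: str           # control applied on a match, e.g. "ALLOW"
    constraints: dict = field(default_factory=dict)  # days / hours / certificate
    notification: str = ""
    require_ack: bool = False


@dataclass
class ElevationRequest:
    user: str
    app_id: str
    machine_id: str
    signer: Optional[str] = None   # publisher certificate of the binary, if signed
    weekday: str = "Mon"
    hour: int = 12


@dataclass
class Decision:
    matched: bool
    control: Optional[str]   # None when this policy did not match
    enforced: bool           # False in monitor mode: the control is only logged


def _target_matches(targets: List[str], value: str) -> bool:
    return "*" in targets or value in targets


def _constraints_satisfied(c: dict, req: ElevationRequest) -> bool:
    # Each constraint is optional; an empty or missing one never blocks a match.
    if c.get("days") and req.weekday not in c["days"]:
        return False
    hours: Optional[Tuple[int, int]] = c.get("hours")
    if hours and not (hours[0] <= req.hour < hours[1]):
        return False
    if c.get("certificate") and req.signer not in c["certificate"]:
        return False
    return True


def evaluate(policy: Policy, req: ElevationRequest) -> Decision:
    """Return the control the policy yields for req under the assumed semantics."""
    matched = (
        _target_matches(policy.user_targets, req.user)
        and _target_matches(policy.app_ids, req.app_id)
        and _target_matches(policy.machine_ids, req.machine_id)
        and _constraints_satisfied(policy.constraints, req)
    )
    if not matched:
        return Decision(False, None, False)
    return Decision(True, policy.on_success, policy.mode == "enforce")


def lint(policy: Policy) -> List[str]:
    """Flag the mismatches the page calls out; returns one finding per problem."""
    findings = []
    text = policy.notification.lower()
    if policy.mode == "enforce" and "monitor" in text:
        findings.append("stale-notification: text mentions monitor mode but policy enforces")
    if policy.on_success == "ALLOW" and ("mfa" in text or "justification" in text):
        findings.append("stale-notification: promises MFA/justification but control is ALLOW")
    if "*" in policy.user_targets:
        findings.append("broad-scope: any user on the target machine can elevate")
    if not policy.constraints.get("certificate"):
        findings.append("no-signer-check: allow applies to any binary matching the App ID")
    return findings


def harden(policy: Policy, principals: List[str], signers: List[str]) -> Policy:
    """Apply the page's common adjustments and return a corrected copy."""
    return replace(
        policy,
        user_targets=principals,
        constraints={**policy.constraints, "certificate": signers},
        notification="Notepad++ will run elevated on this device; no approval is required.",
    )


# Constructed sample mirroring the page; IDs, signer name and message are placeholders.
NOTEPADPP_POLICY = Policy(
    name="Privilege Elevation Allow Policy for Notepad++",
    mode="enforce",
    user_targets=["*"],
    app_ids=["app-notepadpp"],
    machine_ids=["machine-0001"],
    on_success="ALLOW",
    constraints={"days": [], "hours": None, "certificate": []},
    notification="Monitor mode: MFA, justification or a request will be required when enabled.",
)
MONITOR_COPY = replace(NOTEPADPP_POLICY, mode="monitor")
HARDENED = harden(NOTEPADPP_POLICY, ["helpdesk-admins"], ["Notepad++ publisher cert"])

if __name__ == "__main__":
    req = ElevationRequest("alice", "app-notepadpp", "machine-0001")
    print(evaluate(NOTEPADPP_POLICY, req))   # matched=True, control='ALLOW', enforced=True
    for f in lint(NOTEPADPP_POLICY):
        print("finding:", f)
    print(lint(HARDENED))                    # []
```

Running the linter over the policy as exported reproduces the four points in the adjustments list; after `harden` the same request is only allowed when the binary carries the expected signer and the requesting principal is in the narrowed list, and the monitor-mode copy still matches but reports `enforced=False`.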

Example JSON
