
Question on starting service for posture remediation

mparthan
Cisco Employee

I had a quick question and would appreciate it if I got some insight. As part of posture remediation, the customer is looking to start a service using Windows command prompt: net start besclient. The user logged into the system has local admin rights, and we do not see a UAC prompt attempting to elevate privileges when we run this command, which I believe is expected. The only way to get it to work this way is to log into the command prompt using admin credentials, but this is not feasible. I suggested launching services.msc to start the service and that prompted the UAC, and accepting the UAC allowed the local admin to start the program; however, the customer is not agreeable to this approach.

This is his feedback: “Technically, yes but it is in no way a workable solution. Asking a user to open services and restart the services is a huge inconvenience to the user and most users wouldn’t even know what to do and would be scared to do it. Posture remediation is supposed to be smooth and easy for the user. We were hoping it would be entirely in the background. But even if it has to be in the foreground, we definitely don’t want users messing with things like system services. Beyond this, it does actually require UAC/localAdmin privileges, so looking further down the road, as we tighten our security and go towards limiting or removing localAdmin rights from users, we have no way to remediate standard system functions. We can manage services, but we also won’t be able to install applications.”

At a very high level, what the customer wants is, if a particular service is not running, to go ahead and start it as part of remediation. What's the best way to do this, assuming the user will have very little or no rights? Appreciate your inputs here.

Accepted Solutions

Craig Hyps
Level 10

ISE/AnyConnect Posture supports a "launch program" remediation which could potentially start the service. AC is installed with admin rights, and the service process for AC can provide privilege escalation to run programs that end users themselves do not have.

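
One way to write the program that a "launch program" remediation could run, as an added example that is not from the original thread or from Cisco. It assumes the posture agent launches the script in an elevated context, as the answer describes; the parameter defaults, timeout and exit codes are this example's own conventions.

```powershell
# Added example, not Cisco code. Assumed to be run by the posture agent's
# "launch program" remediation in an elevated context.
param(
    [string]$ServiceName = 'besclient',   # service name from the question
    [int]$TimeoutSeconds = 30             # assumed wait limit
)

# Exit codes are this script's own convention (assumption), not an ISE requirement.
$EXIT_OK = 0; $EXIT_NOT_ELEVATED = 1; $EXIT_NOT_INSTALLED = 2
$EXIT_DISABLED = 3; $EXIT_START_FAILED = 4

# A local admin in a non-elevated session holds a filtered token, so this check
# is $false there. That is why "net start" from a normal prompt is refused
# without any UAC prompt, as observed in the question.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    Write-Output "Not elevated; cannot start $ServiceName"
    exit $EXIT_NOT_ELEVATED
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "$ServiceName is not installed"
    exit $EXIT_NOT_INSTALLED
}
if ($svc.Status -eq 'Running') {
    Write-Output "$ServiceName is already running"
    exit $EXIT_OK
}
if ($svc.StartType -eq 'Disabled') {
    # Starting a disabled service fails; report it rather than changing policy.
    Write-Output "$ServiceName is disabled"
    exit $EXIT_DISABLED
}

try {
    Start-Service -Name $ServiceName -ErrorAction Stop
    # Block until the service reports Running, or throw on timeout.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    Write-Output "$ServiceName started"
    exit $EXIT_OK
} catch {
    Write-Output "Failed to start ${ServiceName}: $($_.Exception.Message)"
    exit $EXIT_START_FAILED
}
```

Because the elevation comes from the agent's service rather than the user's token, the same script keeps working after local admin rights are removed from users.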