Agentless privilege elevation on Windows endpoints.
Motivation
Privilege elevation on Windows endpoints allows users to obtain temporary, tightly controlled access to higher-level permissions when needed to perform administrative tasks. While Unix and Linux systems provide native mechanisms such as sudo to run specific commands with elevated privileges, Windows platforms lack a comparable built-in capability that allows granular, policy-driven elevation without exposing privileged credentials.
Privileged Access Management (PAM) solutions close this gap by enabling controlled privilege elevation on Windows systems. Instead of sharing administrator passwords or requiring users to log in with separate privileged accounts, PAM platforms allow authorized users to temporarily elevate privileges within their existing session. This approach preserves the user’s session context while ensuring that privileged credentials remain protected and never disclosed.
Beyond enabling elevation itself, a modern PAM platform introduces centralized governance over privileged activity. Security teams can define policies, enforce role-based access controls, integrate with enterprise directories, and capture detailed audit trails. Full session recording, event logging, and AI-driven monitoring provide the visibility and accountability needed to detect misuse, investigate incidents, and meet compliance requirements. Rather than relying on fragmented local configurations, organizations gain consistent policy enforcement and oversight across all Windows endpoints.
An agentless approach to privilege elevation delivers these capabilities without installing or maintaining software agents on every endpoint. By eliminating the need for third-party packages or persistent agents, organizations significantly simplify deployment and reduce operational overhead. Systems remain cleaner and easier to manage, while security teams can rapidly extend privileged access controls across new devices, environments, and remote users.
The result is a modern privilege elevation model that combines strong security controls, centralized governance, and rapid deployment—empowering organizations to protect privileged access on Windows endpoints without the complexity traditionally associated with endpoint agents.
Use Cases
Privilege elevation allows authorized users to temporarily run commands as the Administrator or another user, providing a secure, audited way to perform administrative tasks without logging in as Administrator. It enhances system security by preventing accidental damage from typos, limiting exposure to malware, and creating logs of privileged commands.
The option also allows non-privileged users to perform selected maintenance tasks that require elevated privileges. Examples include updating client-side applications chosen by the administrator, switching the user profile for client-side applications, or attaching network resources.
12Port Solution
The 12Port PAM PowerShell Proxy with credential injection is a core capability that enables system owners to grant secure, policy-driven access to Windows endpoints at precisely defined privilege levels using the native PowerShell client.
Users working within a standard, unprivileged PowerShell session can initiate a privileged command or open an elevated session when authorized. The connection is transparently routed through the 12Port PAM server, which brokers the request and re-establishes the session to the same endpoint using privileged credentials securely stored in the PAM vault.
These credentials are injected into the privileged session dynamically without ever being exposed to the user or even sent to the endpoint over the user's own connection. This approach allows administrators to perform necessary elevated tasks while maintaining strict control over privileged accounts.
By brokering the session through the PAM platform, organizations gain centralized policy enforcement, full session visibility, and complete auditability. Every privileged action can be recorded, monitored, and analyzed, ensuring accountability and helping security teams detect misuse or anomalous activity.
The result is seamless privilege elevation for administrators and operators, combined with the governance, security, and oversight required to protect critical Windows infrastructure.
Architecture of the agentless privilege elevation
The diagram below illustrates the architecture of agentless privilege elevation.
The diagram shows the following components:
- 12Port PAM Server.
- Web RDP Client.
- Native PowerShell Client.
- Native RDP Client.
- Destination Windows endpoint.
- Non-Privileged Asset stored in the PAM Vault.
- Privileged Asset stored in the PAM Vault.
Step 1: Accessing unprivileged session
First, the user establishes an unprivileged session on the remote Windows endpoint through one of the following access paths:
- Route 1a: via the PAM Web RDP session, using the Non-Privileged Asset.
- Route 1b: via the PAM PowerShell Proxy from a native PowerShell client, using the Non-Privileged Asset.
- Route 1c: direct access to the endpoint using a PowerShell or RDP client.
This initial connection operates with regular user privileges before any controlled privilege elevation is requested.
Step 2: Privilege elevation
Inside the unprivileged shell on the remote endpoint, the user launches the native PowerShell client to establish a new connection routed through the PAM Server. The PAM Server then brokers the session back to the same endpoint using credentials stored in a designated Privileged Asset, securely injecting the vaulted credentials into the elevated session.
This process enables controlled privilege elevation without exposing high-privilege credentials to the user.
Route 2 on the diagram above highlights the network traffic during privilege elevation.
When elevating privileges on the remote endpoint, the user may either establish an interactive privileged shell (Route 2a) or execute a single command with elevated rights (Route 2b). In both scenarios, the PAM server can optionally enforce command filtering within the privileged session, restricting access to specific commands or resources according to defined policies.
This ensures that privilege elevation remains controlled, auditable, and aligned with least-privilege principles.
Examples of privilege elevation commands
Below is an example of launching an interactive privileged PowerShell session:
Enter-PSSession -ComputerName pam.company.com -Port 5990 -Credential $cred
Below is an example of running a single privileged PowerShell command:
Invoke-Command -ComputerName pam.company.com -Port 5990 -Credential $cred -ScriptBlock {
    Privileged-Command
}
In both examples:
- pam.company.com is the PAM host.
- 5990 is the PowerShell proxy port allocated for the PAM tenant.
- $cred is a PSCredential object collected for the user name user#asset, where user is a PAM user and asset is the asset ID, name, or part of the asset description used for the search.
- Privileged-Command is the privileged command to execute.
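As an added example (not code from the 12Port documentation), the following PowerShell wraps the single-command form above in a function that builds the user#asset credential, runs a command through the proxy, and returns the identity it ran as and the host it ran on, so an operator can confirm the session was brokered back to the same endpoint under the privileged account. The host pam.company.com, port 5990 and the user#asset naming come from the page; the PAM user jdoe and asset WS-FINANCE-01 are placeholders.

```powershell
# Added example: run one command through the 12Port PowerShell proxy and record
# where and as whom it executed. pam.company.com, port 5990 and the user#asset
# naming are from the page; 'jdoe' and 'WS-FINANCE-01' are placeholder values.
function Invoke-ElevatedCommand {
    param(
        [Parameter(Mandatory)] [string]      $PamUser,      # PAM user name
        [Parameter(Mandatory)] [string]      $Asset,        # privileged asset ID, name or description fragment
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,  # the privileged command to run
        [string] $PamHost = 'pam.company.com',
        [int]    $PamPort = 5990
    )

    # The proxy resolves the vaulted asset from the "user#asset" user name. The password
    # prompted for here is the PAM user's own password, never the privileged account's.
    $cred = Get-Credential -UserName "$PamUser#$Asset" -Message "12Port PAM credentials for $Asset"

    # Script blocks do not survive remoting as code, so pass the text and rebuild it remotely.
    $result = Invoke-Command -ComputerName $PamHost -Port $PamPort -Credential $cred -ScriptBlock {
        param([string]$InnerText)
        $inner = [scriptblock]::Create($InnerText)
        [pscustomobject]@{
            RanAs  = [Security.Principal.WindowsIdentity]::GetCurrent().Name  # expected: the vaulted privileged account
            RanOn  = $env:COMPUTERNAME                                        # expected: this same endpoint
            Output = & $inner
        }
    } -ArgumentList $ScriptBlock.ToString()

    # Step 2 brokers the session back to the endpoint the user is already on; flag anything else.
    if ($result.RanOn -ne $env:COMPUTERNAME) {
        Write-Warning "Command ran on $($result.RanOn), not on this endpoint ($env:COMPUTERNAME)."
    }
    return $result
}

# Usage from the unprivileged shell: list a few stopped services as the privileged account.
Invoke-ElevatedCommand -PamUser 'jdoe' -Asset 'WS-FINANCE-01' -ScriptBlock {
    Get-Service | Where-Object Status -eq 'Stopped' | Select-Object -First 5 Name
}
```

The RanAs and RanOn fields give the operator (and the session log) a direct check that the elevation landed on the intended host under the intended account.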
12Port Advantage
In addition to controlled privilege elevation on remote Windows devices, 12Port delivers a set of powerful extended capabilities designed to strengthen overall security posture and operational governance:
- Granular access control enables administrators to precisely grant or revoke permission for selected users to elevate privileges on specific servers and devices, as well as control file upload, download, and clipboard usage.
- Access approval workflows support multi-level, interactive, or automated approvals for privilege elevation—configurable by policy, time of day, or day of the week.
- Comprehensive event logging provides detailed reporting of access requests, approvals, and all activity performed within privileged sessions.
