CSIS / EnrollmentStation

Enrollment Station for enrolling Yubico smart cards in a Windows PKI

Using a Computer Agent Certificate requires administrative rights #9

Closed mike-csis closed 8 years ago

mike-csis commented 8 years ago

We have observed that when using a Computer certificate, the ES must be run using Admin rights.

The ES should present a notification that it should be run as admin if it detects a computer certificate, if it doesn't have the necessary rights.

ian-csis commented 8 years ago

Rights are given on a private key basis. Everyone has access to public keys in the computer store, but private keys require additional privileges. By default, the administrators group (and SYSTEM) has full control access to the private keys in the computer store. The Users group should have read access to the private keys (this is not the same as exporting the private key).

Best practice is to remove all access to the private keys and add the specific users that need access. Since we don't have an installer, which would be the optimal place to require elevation, and then add the user to the private key group, we could probably work around it by detecting computer store usage, require elevation, add the user and then drop the extended rights.
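
The check discussed above, as an added example that is not part of the original thread or of EnrollmentStation's code: it tests whether the current process can open the private key of a certificate in the computer store, reports whether the process is elevated, and lists the ACL on the key file. The thumbprint is a placeholder, and the script assumes an RSA key stored in software in the default machine key directories.

```powershell
# Added example. Placeholder: replace with the agent certificate's thumbprint.
$thumbprint = '<AGENT-CERT-THUMBPRINT>'
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-PrivateKeyAccess($Cert) {
    # The public certificate is readable by everyone; opening the key is not.
    if (-not $Cert.HasPrivateKey) { return $false }
    try { return ($null -ne $ext::GetRSAPrivateKey($Cert)) }
    catch { return $false }   # access denied or keyset not found
}

function Get-PrivateKeyAcl($Cert) {
    $key = $ext::GetRSAPrivateKey($Cert)
    # CNG and legacy CSP keys expose the key file name differently.
    $name = if ($key -is [System.Security.Cryptography.RSACng]) { $key.Key.UniqueName } else { $key.CspKeyContainerInfo.UniqueKeyContainerName }
    $dirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
            "$env:ProgramData\Microsoft\Crypto\Keys"
    $file = $dirs | ForEach-Object { Join-Path $_ $name } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { Write-Warning 'Key file not found (hardware-backed key?)'; return }
    (Get-Acl $file).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

if (Test-PrivateKeyAccess $cert) {
    # Review this list: broad groups with Read can use the key to sign.
    Get-PrivateKeyAcl $cert | Format-Table -AutoSize
} elseif (Test-IsElevated) {
    Write-Warning 'Elevated, but the private key is still not accessible.'
} else {
    Write-Warning 'No access to the computer certificate private key; run elevated or have an admin grant this account Read on the key.'
}
```

Read on the key file is enough to sign with the key, so any entry for a broad group in the output should be replaced with the specific enrollment accounts.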

LordMike commented 8 years ago

Perhaps as an option? (Yes, No, Don't remind me)

The intended use case is for "secure" installations, where none but the intended admins should have access anyways. But in case a rogue user stumbles across, it would be bad that they could use the key (especially if we went ahead and allowed it by default).