Privileged Access Management for Windows

Local admin power, without standing local admin.

ZKE lets your technicians elevate on any Windows endpoint using their corporate identity, with no permanent admin accounts and no shared passwords. Every elevation uses a freshly rotated one-time local admin password and is recorded in a cryptographically tamper-evident audit trail.

  • Zero-Knowledge
  • Entra ID native
  • Per-tenant HSM
  • Tamper-evident audit

Local admin is a standing liability

Permanent admin rights

Every standing local admin account is an open door for ransomware and lateral movement.

Shared passwords

A reused local admin password across the fleet means one leak compromises everything.

No real audit

When elevation isn't tied to identity, you can't prove who did what, when — or detect tampering.

How it works

No new habits for your technicians. ZKE plugs into the native Windows UAC dialog.

  1. Trigger native UAC

     The technician right-clicks "Run as administrator": the same Windows flow they already know.

  2. Authenticate with corporate identity

     They pick the ZKE tile and sign in with their Entra ID credentials. The password is validated locally and never leaves the endpoint.

  3. Elevate with a one-time admin

     If policy allows, the ZKE agent rotates the local admin password to a fresh single-use value, elevates, then re-seals the account with a new random password the technician never sees. Every step is audited.

See it in action

From the UAC tile to the audit trail — the whole flow in one place.

  • The ZKE tile in the native Windows UAC dialog
  • Endpoint fleet and live status in the admin portal
  • Tamper-evident audit trail of every elevation

Architecture, in brief

A lightweight agent, native UAC and per-tenant key isolation. No on-prem servers to run.

Endpoint agent

A lightweight Windows service on each device. Polls for policy; rotates and re-seals the local admin account.

Credential Provider

A ZKE tile in the native UAC dialog. Verifies the technician's password locally with the OS and asserts only the identity.

Multi-tenant backend

Evaluates policy and issues a freshly rotated, single-use local admin credential. Every query is tenant-scoped.

Per-tenant HSM

Each customer's credentials are encrypted with their own key in a managed HSM. Keys never leave it.

How a credential flows

  1. The technician authenticates in the UAC tile. The Credential Provider validates the password locally; it never leaves the device.

  2. Only the verified identity is sent to the backend, which checks policy and returns a one-time local admin credential.

  3. The agent applies it, elevation proceeds, and the account is re-sealed with a fresh random password that the technician never sees. The whole flow is audited.
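The three steps above as a runnable model. This is an added illustration, not ZKE's own code: a salted PBKDF2 hash on the endpoint stands in for the OS validating the Entra ID password locally, the backend's policy is a constructed allowlist of (tenant, user) pairs, and the CRED_TTL, single-use bookkeeping and message shapes are assumptions. It makes three properties checkable: the password never appears in anything sent to the backend, an issued credential can be redeemed once and only by the tenant it was issued to, and the value the account is re-sealed with is never the one that was handed out.

```python
"""Model of the credential flow: local password check, identity-only request,
single-use local admin credential, re-seal. Added illustration, not ZKE code.
Assumptions (constructed): PBKDF2 hash stands in for OS validation; policy is
an allowlist of (tenant, user); credentials expire after CRED_TTL seconds."""
import hashlib
import hmac
import secrets
import time

CRED_TTL = 60           # assumed lifetime of a one-time credential, in seconds
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


class Backend:
    """Multi-tenant backend: evaluates policy, issues single-use credentials."""

    def __init__(self, policy):
        self.policy = set(policy)   # allowed (tenant, user) pairs
        self.outstanding = {}       # (tenant, cred_id) -> expiry timestamp

    def issue(self, request):
        """Return a one-time local admin credential, or None if policy denies."""
        if (request["tenant"], request["user"]) not in self.policy:
            return None
        cred_id = secrets.token_hex(8)
        self.outstanding[(request["tenant"], cred_id)] = time.time() + CRED_TTL
        return {"id": cred_id, "password": secrets.token_urlsafe(24)}

    def consume(self, tenant, cred):
        """Single use: the entry is removed on first redemption, and the lookup
        is keyed by tenant so another tenant cannot redeem it."""
        expiry = self.outstanding.pop((tenant, cred["id"]), None)
        return expiry is not None and time.time() < expiry


class Endpoint:
    """Credential Provider plus agent on one device."""

    def __init__(self, tenant, user, password):
        self.tenant, self.user = tenant, user
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)
        self.admin_password = secrets.token_urlsafe(24)  # sealed local admin password
        self.sent = []                                   # every message sent to the backend

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def verify_local(self, password):
        """Step 1: the password is checked on the device and goes no further."""
        return hmac.compare_digest(self._derive(password), self._pw_hash)

    def request_elevation(self, backend, password):
        """Step 2: on success only the identity is sent; no password in the request."""
        if not self.verify_local(password):
            return None
        request = {"tenant": self.tenant, "user": self.user}
        self.sent.append(request)
        return backend.issue(request)

    def elevate(self, backend, cred):
        """Step 3: apply the one-time password, elevate, then re-seal."""
        if cred is None or not backend.consume(self.tenant, cred):
            return False
        self.admin_password = cred["password"]           # agent rotates to the issued value
        # ... the elevated process would run here ...
        self.admin_password = secrets.token_urlsafe(24)  # re-seal: fresh value nobody is shown
        return True


def demo():
    """Run the flow for an allowed and a denied identity; return what was observed."""
    backend = Backend(policy=[("contoso", "alice.tech")])
    alice = Endpoint("contoso", "alice.tech", "correct horse battery")
    cred = alice.request_elevation(backend, "correct horse battery")
    first = alice.elevate(backend, cred)
    replay = alice.elevate(backend, cred)                # same credential presented again

    mallory = Endpoint("fabrikam", "mallory", "hunter2")
    denied = mallory.request_elevation(backend, "hunter2")

    second_cred = alice.request_elevation(backend, "correct horse battery")
    cross_tenant = mallory.elevate(backend, second_cred)  # other tenant redeems alice's credential

    wrong_pw = alice.request_elevation(backend, "not her password")
    leaked = any("correct horse battery" in str(m) for m in alice.sent)
    return {
        "issued": cred is not None,
        "first_use": first,
        "replay": replay,
        "denied_by_policy": denied is None,
        "cross_tenant": cross_tenant,
        "wrong_password_issued": wrong_pw is not None,
        "password_in_backend_traffic": leaked,
        "sealed_value_returned": alice.admin_password == (cred or {}).get("password"),
    }
```

In this model the backend simply trusts the identity the endpoint asserts; in a real deployment that request has to be authenticated as coming from an enrolled agent on a known device, which the page does not describe. Single use and expiry are enforced server-side, so a captured credential cannot be replayed even on the same endpoint.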

Built security-first

Zero-Knowledge

The technician's password is verified on the device and never transmitted to the backend. ZKE stores no primary credentials.

Per-tenant HSM encryption

Each customer's admin credentials are encrypted with their own key in a managed HSM. Strict tenant isolation throughout.

Tamper-evident audit

Every action is recorded in a per-tenant HMAC hash chain — altering or deleting a record is cryptographically detectable.

No mobile app, no heavy workflows

No approval ping-pong, no second device. ZKE focuses on fast, policy-driven, fully audited elevation.

Why ZKE

The security of removing local admin, without the operational pain.

Capability                          Standing admin   Password rotation (LAPS)   ZKE
No permanent local admin            No               No                         Yes
Tied to corporate identity          No               No                         Yes
Rotated on every use                No               Partial                    Yes
Password never shared               No               No                         Yes
Tamper-evident audit                No               No                         Yes
Native UAC, lightweight footprint   Yes              Partial                    Yes

Use cases

Technician elevation

Authorized technicians elevate on any managed endpoint with their own identity.

Delegated user elevation

Grant a user a single, time-boxed elevation from the portal — no technician on site.

Permanent delegation

Trusted users elevate on their own machine under a reviewed, audited standing grant.

Recovery elevation

Endpoint offline? Authorized technicians recover access under reinforced audit and notifications.

Who it's for

MSPs & IT service providers

Give technicians per-endpoint elevation across many client tenants, each fully isolated and audited.

Internal IT teams

Remove standing local admin from the fleet without drowning the help desk in tickets.

Regulated industries

Prove who elevated, where and when, with a cryptographically tamper-evident trail.

Requirements

  • Windows 10 / 11 endpoints
  • Microsoft Entra ID
  • A lightweight agent — no second device, no mobile app
  • No on-prem servers — ZKE runs as a SaaS backend

On the roadmap

What we're building next, driven by what enterprises ask for.

Technician session recording (coming soon)

A full record of the actions performed during each elevated session, for forensics and compliance.

Admin request, just-in-time (coming soon)

Users request elevation on demand; an administrator approves it just-in-time, fully audited.

Remote disconnect from the portal (coming soon)

Instantly disable an endpoint from the portal, blocking elevation and re-enrollment in one click.

Frequently asked questions

Does the technician's password ever leave the device?

No. The Credential Provider validates it locally against the OS; only the verified identity is sent to the backend. ZKE stores no primary credentials.

What happens if the backend is unreachable?

Authorized technicians can recover access through Recovery Elevation, under reinforced audit and notifications. When the endpoint reconnects, the local admin password is rotated automatically.

How is this different from LAPS?

LAPS rotates and stores a local admin password. ZKE ties each elevation to corporate identity, issues a single-use credential per elevation, never shares the password, and records everything in a tamper-evident audit chain.

Which identity providers are supported?

Microsoft Entra ID. Technicians and users authenticate with the corporate identity you already manage.

Where are admin credentials stored?

Encrypted per tenant with the customer's own key in a managed HSM (Azure Key Vault Managed HSM). The key never leaves the HSM, and tenants are strictly isolated.

Does it replace Intune or SCCM?

No. ZKE handles interactive privileged elevation, not mass software deployment. It complements your existing management tooling.

Is every action audited?

Yes. Every elevation and administrative action is recorded in a per-tenant HMAC hash chain, so altering or deleting a record is cryptographically detectable.
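The per-tenant HMAC hash chain described here and under "Tamper-evident audit" above, as an added example that is not ZKE's own code. Assumptions: one 32-byte HMAC key per tenant held server-side, and a link tag computed as HMAC(key, previous tag || index || canonical JSON payload); the sample events are constructed. Alongside alteration and deletion of a middle record it also exercises the case a chain alone does not catch, removal of the newest records, which needs the latest tag anchored somewhere the log store cannot rewrite.

```python
"""Per-tenant HMAC hash chain for a tamper-evident audit log.
Added illustration, not ZKE code. Assumptions: 32-byte per-tenant key;
tag = HMAC-SHA256(key, prev_tag || index || canonical_json(payload))."""
import copy
import hashlib
import hmac
import json
import secrets

GENESIS = b"\x00" * 32   # stands in for the tag "before" the first record


def canonical(payload):
    """Deterministic encoding so the same event always yields the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def link_tag(key, prev_tag, index, payload):
    msg = prev_tag + index.to_bytes(8, "big") + canonical(payload)
    return hmac.new(key, msg, hashlib.sha256).digest()


def append(chain, key, payload):
    """Append one audit event to the tenant's chain and return the stored record."""
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    index = len(chain)
    record = {"index": index, "payload": payload,
              "tag": link_tag(key, prev_tag, index, payload).hex()}
    chain.append(record)
    return record


def verify(chain, key, anchored_head=None):
    """Recompute every link; return (ok, reason).

    anchored_head is the latest tag as recorded outside the log (for example in
    a ticket or a customer-held store). Without it, dropping the newest records
    leaves a shorter chain that still verifies."""
    prev_tag = GENESIS
    for position, record in enumerate(chain):
        if record["index"] != position:
            return False, f"index gap at position {position}"
        expected = link_tag(key, prev_tag, position, record["payload"])
        if not hmac.compare_digest(expected.hex(), record["tag"]):
            return False, f"tag mismatch at index {position}"
        prev_tag = expected
    if anchored_head is not None and not hmac.compare_digest(prev_tag.hex(), anchored_head):
        return False, "head differs from the anchored head (tail truncated?)"
    return True, "ok"


def demo():
    """Build a chain from constructed events, then try four manipulations."""
    key = secrets.token_bytes(32)   # per-tenant key; the page keeps these in a managed HSM
    chain = []
    for event in [  # constructed sample events
        {"ts": "2024-05-01T09:00:00Z", "user": "alice.tech", "host": "WS-0412", "action": "elevation.issued"},
        {"ts": "2024-05-01T09:00:03Z", "user": "alice.tech", "host": "WS-0412", "action": "elevation.applied"},
        {"ts": "2024-05-01T09:07:41Z", "user": "alice.tech", "host": "WS-0412", "action": "account.resealed"},
        {"ts": "2024-05-01T10:15:00Z", "user": "bob.admin", "host": "portal", "action": "policy.changed"},
    ]:
        append(chain, key, event)
    head = chain[-1]["tag"]

    altered = copy.deepcopy(chain)
    altered[1]["payload"]["user"] = "someone.else"   # rewrite who elevated
    deleted = copy.deepcopy(chain)
    del deleted[2]                                   # remove a middle record
    truncated = chain[:-1]                           # silently drop the newest record

    return {
        "intact": verify(chain, key, head)[0],
        "altered": verify(altered, key, head)[0],
        "deleted_middle": verify(deleted, key, head)[0],
        "truncated_unanchored": verify(truncated, key)[0],
        "truncated_anchored": verify(truncated, key, head)[0],
    }
```

One further caveat worth keeping in mind when reading the claim: an HMAC chain is tamper-evident against anyone who does not hold the tenant key. Whoever can use that key can recompute a consistent chain, so if the log operator itself is in the threat model, the head must be anchored outside its control or the links signed with a key it cannot exercise freely.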

How heavy is the agent?

It's a lightweight Windows service that plugs into the native UAC dialog. No second device, no mobile app, no approval ping-pong.

See ZKE on your own endpoints

Tell us about your environment and we'll set up a tailored demo. No commitment.

Request a demo

Or email us at [email protected]