Description
Background & Problem Statement
The original issue (#4889) highlighted that re-enrolling an Elastic Agent installed as an unprivileged user could break the agent if the re-enroll was performed by a privileged user (root/admin).
PR #6144 addressed this by disallowing re-enrollment by privileged users when the agent was installed unprivileged, with actionable error messages. This approach worked for Linux and Darwin, but was too strict for Windows, where impersonation is not feasible.
PR #8503 relaxed the restriction for Windows, allowing any admin to re-enroll, but this reintroduced the risk of breaking the agent.
Desired Outcome
- Root or admin users should be able to safely execute a re-enroll on an agent that was installed unprivileged, on all supported platforms (Linux, Darwin, Windows), without requiring user impersonation.
- The underlying cause that leads to agent breakage when a privileged user re-enrolls an unprivileged install should be identified and fixed for all platforms.