Endpoint Privilege Management for Windows 25.2 release notes
about 2 months ago
February 25, 2025
Requirements
- VBScript to run the client installer. Microsoft has made VBScript a Feature on Demand (FOD) to allow the use of VBScript when required. See our Knowledgebase article for more information.
- Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
- Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
- PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
- Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)
Note
The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.
Enhancements
JIT Application access
We've introduced several improvements to the JIT application Access view in the Endpoint Privilege Management app and Endpoint Utility command line tool.
Improvements include:
- The ticket number as a hyperlink to the ServiceNow ticket (when configured to integrate with ServiceNow).
- Request creation time. The duration of approved requests that have not yet been run.
- The expired request state when unused approvals have timed out.
JIT Admin and JIT Application access
Added a field to show the latest approval or denial note for JIT requests in the Endpoint App, when configured to do so in the EPM.
Smart Card integration
Improved Smart Card integration to allow authentication with Smart Card hints over RDP connections.
Issues resolved
Issues
| Description | Resolution |
|---|---|
| An audit event is not raised for child processes when Allow child processes to criterion was enabled. | In legacy auditing, the parameter is no longer passing a null value. |
| When users selected Request Admin Access, not all options displayed. | Added scrolling to the Create JIT Admin Request" dialog box, to ensure all fields are editable on low resolution / high scaling monitors. |
| Challenge response/JIT Application access not working for packaged desktop applications | Fixed issue with JIT Application Access messages failing for packaged desktop applications (a sub-set of the Windows Store App application type) when they use an AppExecution Alias, and ran on demand. |
| In rare scenarios, a BSOD can occur in PGDriver. | Updated PGDriver processing when file information caching feature is enabled. |
| Windows Hello can fail to authenticate users in some scenarios, for example, a user entering an incorrect PIN. | A message displays indicating Windows Hello is unavailable. |
| When selecting the JIT Application Access link on message dialog box opens Admin Requests page. | For EPM JIT application access requests, clicking the ticket ID in the message now correctly navigates to the Application Access page, and expands the details for that request. |
| The Endpoint Utility cannot print BeyondInsight policy names. | The EndpointUtility can now correctly parse BeyondInsight policy names containing unicode characters on a force policy request. |
| With EPM installed, System file handles seem to cause resource issues. | Resolved handle leak in the System process. |
| Smart Card readers not detected in EPM messages on some VDI environments. | Smart Card readers now detected in EPM messages on VDI environments. |
| Unable to authenticate through RDP session when using Smart Card authentication. | Can now authenticate with Smart Card using hints over RDP session. |
| MMC not correctly importing matching criteria for Windows Terminal. | Fixed missing matching criteria data for Windows Store Apps in event import. |
| Word wrapping not occurring on Challenge Response message headers causing longer messages to cut off. | Updated Challenge Response header field to ensure text wraps over multiple lines. |
| Issues restoring items from recycle bin with defendpointservice on. | Defendpoint service no longer locking files in certain scenarios when using content control. |
| Creating a block rule on accessing Windows Store app from removable media was not working. | Windows Store Application matching now correctly applies the drive type matching criteria. |
| During an RDP session and authenticating using Smart Card, an error occurs after entering the hint and selecting OK. | Can now authenticate using Smart Card during an RDP session. |
| Elevation messages can appear on the lock screen when messages applied on Secure Desktop. | Fixed messages no longer appear over the pre-logon dialog box. |
| UAC not displaying during launch of certain packaged desktop apps. | UAC now displaying as expected. |
| Cannot authenticate with a Smart Card, some COM/store apps require hint. | COM classes and Windows Store applications can authenticate using a Smart Card with a hint. |
Security updates
Security updates
| Description | Resolution |
|---|---|
| Standard users can Hijack COM objects that EPM-Elevated processes might load. | EPM-W elevated processes no longer access HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\ registry. This change aligns EPM-W with Windows behavior. We recommend that you update EPM-W to this version at your earliest opportunity. |
| Specially crafted messages can crash Defendpoint Service. | Resolved an issue where specially crafted messages can crash the EPM service. |
| Standard users can abuse content control to move files matching a content rule. | EPM-W rules matching behavior for Content Control will now require that the file being moved matches the same rule on both its source and destination path for file move operations, regardless of user’s access rights to each individual path. |
| It is possible to bypass QuickStart Low Flex MSI rules via modified file extensions or providing no extension to msiexec. | Can no longer bypass Windows installer rules. |
Compatibility
- Privilege Management Policy Editor 25.2 (recommended), 22.1+
- Privilege Management ePO Extension 25.2 (recommended), 22.7+
- Privilege Management Console Windows Adapter 25.2 (recommended), 22.1+
- BeyondInsight/Password Safe 24.2.1 (recommended)
- Trellix Agent 5.7+
- Trellix ePO Server 5.10 Service Pack 1 Update 4 (recommended), Update 13+
- For 5.10 SP1 Update 2 see BeyondTrust Compatibility with Trellix ePO