# EPM for Windows 26.2.1

## 🆕 New features

### Disable driver features on a per-process basis
You can now disable specific EPM driver features for individual processes rather than applying settings globally. This gives administrators more granular control over driver behavior without affecting all processes on the endpoint.
### Exclude applications and folders from hook loading via registry key
You can now prevent the BeyondTrust hook component from loading into specific applications or folders by configuring a single registry key. The registry key supports * and ? wildcards, so you can target multiple applications at once. This is useful for troubleshooting application crashes to determine whether EPM is involved, without needing to remove the agent.
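The release notes do not name the registry key, so the following is an added administrator check rather than BeyondTrust's own code or documented syntax. It previews which process image paths a candidate set of exclusion patterns would cover, so an exclusion can be reviewed before it is written to the registry. It assumes PowerShell's `-like` wildcard semantics (`*` matches any run of characters, `?` exactly one, case-insensitive); the product's own matching rules are an assumption here and may differ, so treat the output as a sanity check, not a guarantee.

```powershell
# Added example, not BeyondTrust code. Assumes -like wildcard semantics for the
# exclusion patterns; the EPM hook-exclusion key's exact matching rules and its
# registry location are not stated in the release notes (placeholder below).
function Test-HookExclusion {
    param(
        [Parameter(Mandatory)] [string[]] $Patterns,    # candidate exclusion patterns
        [Parameter(Mandatory)] [string[]] $ImagePaths   # full paths of process images
    )
    foreach ($path in $ImagePaths) {
        # First pattern that matches this path, or $null if none does
        $hit = $Patterns | Where-Object { $path -like $_ } | Select-Object -First 1
        [pscustomobject]@{
            ImagePath = $path
            Excluded  = [bool]$hit
            Pattern   = $hit
        }
    }
}

# Constructed sample data for a dry run
$patterns = @(
    'C:\Program Files\VendorApp\*',   # whole folder, including subfolders
    'C:\Tools\legacy??.exe'           # exactly two characters after "legacy"
)
$samplePaths = @(
    'C:\Program Files\VendorApp\bin\app.exe',   # excluded by the folder pattern
    'C:\Tools\legacy32.exe',                    # excluded by the ?? pattern
    'C:\Tools\legacy.exe',                      # NOT excluded: ?? needs two characters
    'C:\Windows\System32\notepad.exe'           # NOT excluded
)
Test-HookExclusion -Patterns $patterns -ImagePaths $samplePaths | Format-Table -AutoSize

# To check the same patterns against live processes (run elevated so every image
# path is readable), uncomment the two lines below. HKLM:\<placeholder-path> stands
# in for the hook-exclusion key named in the release notes but not specified here.
# $live = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique
# Test-HookExclusion -Patterns $patterns -ImagePaths $live | Where-Object Excluded
```

Reviewing the `Excluded` column before deploying keeps a troubleshooting exclusion from silently widening to applications you did not intend to take out of EPM's hook coverage, which matters because an excluded process is no longer subject to the hook's policy enforcement.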
## ✨ Enhancements

### Workstyle computer filters now support Active Directory computer groups
Workstyle computer filters now support Active Directory computer groups as a filter target. You can apply a policy to entire machine populations by referencing an existing AD group, rather than listing individual hostnames or IP addresses.
For more information, see:
- Workstyles > Add filters (Pathfinder)
- Workstyles > Add filters (Classic)
### Workstyle user group filters now support Okta groups
Workstyle user group filters now support Okta groups in addition to Entra ID groups, allowing you to apply policies based on group membership from either identity provider.
### Refresh Active Directory group memberships on demand from the endpoint utility
The endpoint utility now lets you refresh Active Directory group memberships on demand, so policy evaluations reflect the latest group assignments without waiting for the next scheduled sync.
### BeyondInsight Adapter now supports IPv6-only environments
The Windows BeyondInsight Adapter now registers IPv6 addresses, enabling it to function correctly in IPv6-only network environments.
## 🛠️ Issues resolved
| Description | Resolution |
|---|---|
| Memory use could grow continuously on endpoints that frequently launched processes under an "only if elevated" application rule. | Memory use no longer grows continuously on endpoints that frequently launch processes under an "only if elevated" application rule. |
| A user with elevated rights on an endpoint could cause an incorrect Workstyle to be applied when computer group Workstyle filtering was in use. | Computer group Workstyle filtering now correctly applies the expected Workstyle regardless of the rights held by the user on the endpoint. |
| Application block rules using a negated Parent Process match could trigger incorrectly when an allowed parent application appeared higher in the process chain. | Application block rules using a negated Parent Process match now evaluate the full process chain correctly and no longer trigger when an allowed parent application is present. |
| The Privilege Management service could unexpectedly stop on an endpoint when a policy update was received while applications were being launched or elevated. | The Privilege Management service no longer stops unexpectedly when a policy update is received while applications are being launched or elevated. |
| Agent Protection could cause significant system slowness on busy endpoints. | Agent Protection no longer causes significant system slowness on busy endpoints. |
| Some applications failed with a "Path not found" error when being uninstalled on endpoints with Privilege Management for Windows installed. | Applications no longer fail with a "Path not found" error when being uninstalled on endpoints with Privilege Management for Windows installed. |
| Elevating Task Manager could cause all running processes to appear as elevated. | Task Manager now correctly reflects the elevation status of each running process. |
| Buttons in Power Rules dialogs could be missing on systems where the default font size differed from the English baseline, such as Korean-language Windows. | Buttons in Power Rules dialogs now display correctly on systems with non-English default font sizes. |
| The Privilege Management for Windows service could crash when a policy containing a very long matching value was applied to an endpoint. | The Privilege Management for Windows service no longer crashes when a policy containing a very long matching value is applied to an endpoint. |
| The RADIUS shared secret could be corrupted when importing a policy as a new policy in the MMC Policy Editor. | The RADIUS shared secret is now preserved correctly when importing a policy as a new policy in the MMC Policy Editor. |
| Referral link text in end-user dialogs was cut off at a single line. | Referral link text in end-user dialogs now wraps and displays fully. |
| The endpoint utility could display an "Access denied" error after a configuration capture completed successfully. | The endpoint utility no longer displays an "Access denied" error after a configuration capture completes successfully. |
| Windows Store app rules using publisher matching could fail to match when the rule was created from an audit event. | Windows Store app rules using publisher matching now match correctly when the rule is created from an audit event. |
| PowerShell script elevation rules could fail to match a script when the command line included named parameters after the script path. | PowerShell script elevation rules now correctly match scripts when the command line includes named parameters after the script path. |
| Software installations could fail or hang when deployed as SYSTEM using tools such as PSAppDeployToolkit. | Software installations deployed as SYSTEM using tools such as PSAppDeployToolkit now complete successfully. Affected executables can be added to the DriverInjectionFallback registry key to use an alternative injection method. See KB0023067. |
| Audit events could display the executable filename in the file description field when the application had no description set. | Audit events now correctly display an empty file description when the application has no description set. |
## 📝 Requirements
- Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
- Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
- PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
- Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)
## 🔄 Compatibility
- Privilege Management Policy Editor 26.2.1.54, 24.5+
- Privilege Management ePO Extension 26.1 (recommended), 24.5+
- Privilege Management Console Windows Adapter 26.2.1 (recommended), 24.5+
- BeyondInsight/Password Safe 26.1.0.878 (recommended), 24.2+
- Trellix Agent 5.7+
- Trellix ePO Server 5.10 Service Pack 1 Update 6 (recommended), Update 4+