Endpoint Privilege Management for Windows 24.5 release notes

August 13, 2024

Requirements:

  • Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
  • Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)

Note: The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.
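
A pre-install check for MSI or ZIP deployments, as an added example that is not BeyondTrust's code. The function name Test-EpmPrerequisite is hypothetical, the .NET thresholds are Microsoft's documented minimum Release registry values, and the Endpoint App check assumes build 17763 (Windows 10 1809) as the floor implied by the unsupported-OS list in these notes; the Trellix Agent requirement is not checked.

```powershell
# Added example: verify the 24.5 prerequisites listed in these release notes
# before installing from the MSI or ZIP package.
# Written to run on PowerShell 2.0 as well, so an outdated host reports a
# failure instead of a syntax error.
function Test-EpmPrerequisite {
    # .NET Framework 4.x records its version as a DWORD named 'Release'.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = 0
    $ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
    if ($ndp -and $ndp.Release) { $release = [int]$ndp.Release }

    $psVersion = $PSVersionTable.PSVersion
    $osBuild   = [Environment]::OSVersion.Version.Build

    $checks = @(
        @{ Name      = '.NET Framework 4.6.2+'
           NeededFor = 'Power Rules, PowerShell audit scripts, PowerShell API, Agent Protection'
           Found     = "Release $release"
           Pass      = ($release -ge 394802) },   # minimum Release value for 4.6.2
        @{ Name      = '.NET Framework 4.8+'
           NeededFor = 'Multifactor Authentication with an OIDC provider'
           Found     = "Release $release"
           Pass      = ($release -ge 528040) },   # minimum Release value for 4.8
        @{ Name      = 'PowerShell 3.0+'
           NeededFor = 'Power Rules, PowerShell audit scripts, PowerShell API'
           Found     = "$psVersion"
           Pass      = ($psVersion.Major -ge 3) },
        # Assumption: builds below 17763 cover every OS these notes exclude for
        # the Endpoint App (Server 2012 R2 = 9600, Server 2016 = 14393,
        # Windows 10 earlier than 1809).
        @{ Name      = 'OS build 17763+'
           NeededFor = 'Endpoint App (JIT request viewer)'
           Found     = "Build $osBuild"
           Pass      = ($osBuild -ge 17763) }
    )

    foreach ($c in $checks) {
        New-Object PSObject -Property $c |
            Select-Object Name, Found, Pass, NeededFor
    }
}

# Show every check, then list only the failures for the deployment log.
$results = @(Test-EpmPrerequisite)
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass } |
    ForEach-Object { Write-Warning "Missing: $($_.Name) (needed for $($_.NeededFor))" }
```

A failed row only matters if the feature in its NeededFor column is in use; for example, the 4.8 check is relevant only when MFA with an OIDC provider is configured.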

New features and enhancements:

JIT application access

To smooth rollout and decrease your time to value with EPM, we've brought the popular exception management capability Just-in-time (JIT) application access into EPM SaaS workflow.

In policy, specify the application groups for which your end users can request the ability to run or elevate by specifying the Request action in the message.

Your end users can view requests and their status using a new endpoint application installed with EPM, accessed via the System Tray or Menu bar.

Your EPM SaaS administrators (or those with the specific role of Request Approver) action the requests within the EPM SaaS Console, choosing whether to deny or allow the application and for how long that application can be used.

All requests and decisions made are audited.

Incorporate the applications most requested and approved into your policy via a new analytics dashboard tile.

Granular filtering on application rules

Add account filters at an application rule level, either Application Rule or On-Demand Application Rule. Use this filtering to add certain users and groups to a specific rule. This granular filtering ensures that applications will only be accessed by those employees that require it. Search and add users and groups to the application account filters via Entra ID or Local AD for Windows.

Supported on clients:

  • EPM-W from 23.5
  • EPM-M from 23.7

Additional updates

  • Rebrand URM Requests to JIT Application Requests in the EndpointUtility.
  • JIT request durations that are less than an hour are shown in minutes in EPM Windows messages.
  • Refresh JIT decisions using the Endpoint App and Endpoint Utility.
  • When upgrading to 24.5, existing URM requests can be viewed in the Endpoint App.
  • Endpoint App will not install on Windows Server 2012 R2, Windows Server 2016, or Windows 10 versions earlier than 1809.
  • Added /requests and /requests /refresh commands to EndpointUtility to query the state of JIT decisions/force a refresh.
  • A proxy configuration setting is available when adding an Identity Provider in Policy Editor messages. The Windows endpoint client now uses this setting when triggering MFA messages, ensuring that HTTPS calls for authentication are routed correctly according to the customer's network configuration and security policies.
  • Added a new event field called UserRequestManagementId that contains the ticket ID of JIT requests. This helps to identify events raised from JIT user requests when viewing analytics.

Issues resolved:

  • Resolved an issue with JIT Application Access request data for Store Apps and Uninstallers.
  • Resolved an issue where messages closed immediately when displayed on the secure desktop with JAWS running.
  • Resolved an issue when creating URM requests for rules matching on a hosted file. The correct details are now sent when matching on the hosted EXE.
  • Due to the absence of alt-text, screen readers previously narrated the contents of text-based controls incorrectly. This issue has now been resolved, ensuring correct narration order for text-based controls. For non-text controls, the provided alt-text, such as "Branding icon," "Program icon," and "Horizontal divider," is now properly narrated.
  • Enhanced performance when using SourceURL matching criteria. Decreased the time to download large files via a browser.
  • Fixed an issue where Content Blocking using Content Control did not work with the “Drive Match” criteria for removable media.
  • Fixed an issue with Policy Editor snapin which was causing ID duplication issues when importing policies in multiple policy setups.
  • Fixed packaged desktop apps failing to launch if the parent process matched a rule but the packaged app did not.
  • Fixed an issue where an EPM-W message would appear behind the Start menu if a user typed the full path into the search bar.

Security Updates:

  • Fixed anti-tamper not covering certain file types/registry keys.
  • Fixed an issue where JIT requests could be marked as approved by a third party application running on the system.
  • Fixed an issue where processes run via ShellExecute with the 'RunAs' verb failed to match parent-child matching criteria correctly.
  • Bouncy Castle dependency version updated to version 2.4.0.
  • Fixed an issue where certain parent matching rules would not match if the parent was launched via a shortcut which required elevation.
  • Fixed an issue with Policy Editor snapin which was causing ID duplication issues when importing policies in multiple policy setups.

Compatibility:

  • Endpoint Privilege Management Policy Editor 24.1 (recommended), 22.1+
  • Endpoint Privilege Management ePO Extension 23.10 (recommended), 22.7+
  • Endpoint Privilege Management Console Windows Adapter 24.1 (recommended), 22.1+
  • BeyondInsight/Password Safe 23.3 (recommended), 7.2+
  • Trellix Agent 5.7+
  • Trellix ePO Server 5.10 Service Pack 1 Update 1 (recommended), Update 13+

Supported Operating Systems:

  • Windows 11

    • 23H2
    • 22H2
    • 21H2
  • Windows 10

    • 22H2
    • 21H2
    • LTSB 2015*
    • LTSB 2016
    • LTSC 2019
    • LTSC 2021

    * The introduction of the OAuth connection to the BeyondInsight management platform in 24.3 requires .NET Framework 4.8+, which cannot be installed on Windows 10 1507 (LTSB 2015). Therefore, LTSB 2015 is no longer supported for EPM-W managed via BeyondInsight.

  • Server

    • 2022
    • 2019
    • 2016
    • 2012R2
    • Core 2016
    • Core 2019
    • Core 2022

Note: For more information, see Supported platforms.

Notes:

None.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.