Agent Protection Utility
What is the Agent Protection Utility?
The Agent Protection Utility is a tool to support the agent protection feature:
- Generate unlock tokens to disable agent protection.
- Generate a private/public key-pair to enable agent protection.
The utility is available for Windows OS computers only.
For more information about agent protection, see Agent Protection Settings.
How is it useful to my organization?
The utility provides the commands to safely disable agent protection on Windows computers. There might be a legitimate need to temporarily deactivate agent protection.
Agent protection reverts to active after the Defendpoint service restarts.
Download the utility
- Log on to EPM Cloud.
- Select Configuration > Privilege Management Installation.
- Find agent protection in the list.
- Select the Download link, and choose 32-bit or 64-bit.
Usage and options
AgentProtectionUtility GENERATE | UNINSTALL | VERIFY
Command | Description |
---|---|
GENERATE /PRIVATE /PUBLIC | Generates encrypted private/public key pair stored at <path> and <path>. The private key is encrypted with a password entered at the prompt. The password requires at least 12 characters. |
UNINSTALL /EXPIRY | Generates a secure token using the private key located at <path> to drop all protection for <time> days/hours. If the key is encrypted, a password prompt is displayed. Time format: 0d | 00h | 0d00h (up to a maximum of 30 days). |
VERIFY /TOKEN /PUBLIC | Verifies a secure token stored at <path> using the public key stored at <path>. |
Generate key pairs
Generating key pairs is part of setting up agent protection. You can use the utility or the Agent Protection Settings in the Policy Editor to set up key pairs.
We recommend using the Policy Editor to generate the key pairs.
To generate the key pair using the command line (or a tool like PowerShell):
- From the command line, call AgentProtectionUtility using the command:
GENERATE /PRIVATE <path> /PUBLIC <path>
- Enter the password at the prompt.
The private and public keys are generated and saved to the designated paths. You must use the PowerShell API to insert the public key into the policy configuration.
Disable agent protection temporarily on one endpoint
In some cases, there might be a legitimate need to deactivate the agent. You can use the Endpoint Utility to disable the protection. Deactivation is temporary and reverts to active after the Defendpoint service restarts.
Disabling the protection on an endpoint is a two-part process:
- First, a support engineer with the necessary rights uses the Agent Protection Utility, as well as the correct password-protected private key for the policy, to generate a time-based token.
- The token is then passed to the end-user computer and used by the Endpoint Utility to temporarily disable the agent protection for that endpoint.
To disable the agent protection:
- Generate an uninstall token. Use the Agent Protection Utility located in Program Files\Avecto\Privilege Guard Management Consoles or downloaded from EPM. The token must be generated using administrator credentials. The token is encrypted and expires after the time you provide.
- From the command line, run:
UNINSTALL /EXPIRY <time> /PRIVATE <path> /TOKEN <path>
For example:
UNINSTALL /EXPIRY 30d /PRIVATE priv.txt /TOKEN token.txt
- Enter the password you set when generating the private key, when prompted. A token file is created at the designated path.
The token file contains a string of characters that is required to disable protection on the endpoint. The token must reside on the end-user computer where you want to disable protection. Copy the token to that computer before proceeding to step 4.
- On the end-user computer, disable protection using the Endpoint Utility located in Program Files\Avecto\Privilege Guard Client.
- Run the following command:
/ap /t <tokencharacterstring>
A confirmation message indicates agent protection is disabled. The agent protection reverts to the enabled state after the Defendpoint service restarts.
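The token-generation step above, as an added PowerShell example (not the vendor's own code): it checks the /EXPIRY value against the documented format and 30-day maximum, applies a shorter local cap, and runs VERIFY on the token before it is handed to the endpoint. Assumptions: AgentProtectionUtility is on PATH, VERIFY takes a path after /TOKEN and /PUBLIC (inferred from the table row), each time field is one or two digits, and `pub.txt` and the `$MaxHours` cap are hypothetical.

```powershell
# Added example, not vendor code: validate /EXPIRY, generate a token, then verify it.
# Assumptions: AgentProtectionUtility is on PATH; each time field is 1-2 digits;
# $MaxHours is a hypothetical local cap, tighter than the documented 30 days.
function ConvertTo-ExpiryHours {
    param([Parameter(Mandatory)][string]$Expiry)
    # Documented patterns: 0d | 00h | 0d00h
    if ($Expiry -notmatch '^(?:(?<d>\d{1,2})d)?(?:(?<h>\d{1,2})h)?$') {
        throw "Invalid expiry '$Expiry'. Expected 0d, 00h or 0d00h."
    }
    $days  = if ($Matches.ContainsKey('d')) { [int]$Matches['d'] } else { 0 }
    $hours = if ($Matches.ContainsKey('h')) { [int]$Matches['h'] } else { 0 }
    $total = $days * 24 + $hours
    if ($total -le 0)      { throw "Expiry must be greater than zero." }
    if ($total -gt 30 * 24) { throw "Expiry exceeds the documented 30-day maximum." }
    return $total
}

function New-UnlockToken {
    param(
        [Parameter(Mandatory)][string]$Expiry,
        [Parameter(Mandatory)][string]$PrivateKey,
        [Parameter(Mandatory)][string]$PublicKey,
        [Parameter(Mandatory)][string]$TokenPath,
        [int]$MaxHours = 8
    )
    $hours = ConvertTo-ExpiryHours -Expiry $Expiry
    if ($hours -gt $MaxHours) {
        throw "Expiry $Expiry ($hours h) exceeds the local cap of $MaxHours h."
    }
    if (Test-Path $TokenPath) {
        throw "Refusing to overwrite existing token file $TokenPath."
    }

    # Prompts for the private-key password, as described on the page.
    & AgentProtectionUtility UNINSTALL /EXPIRY $Expiry /PRIVATE $PrivateKey /TOKEN $TokenPath
    if (-not (Test-Path $TokenPath)) {
        throw "No token file was written to $TokenPath."
    }

    # Check the token against the policy's public key before handing it over.
    & AgentProtectionUtility VERIFY /TOKEN $TokenPath /PUBLIC $PublicKey
}

# Usage (file names are constructed):
# New-UnlockToken -Expiry 04h -PrivateKey priv.txt -PublicKey pub.txt -TokenPath token.txt
```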