DocumentationAPI ReferenceRelease Notes
Log In
Documentation

ePO Troubleshooting

Suggest Edits

Check Endpoint Privilege Management is installed and functioning

Windows

If you are having problems, the first step is to check that you have installed the client and that the client is functioning.

The easiest way to determine that the client is installed and functioning is to check for the existence of the BeyondTrust Endpoint Privilege Management Management Console service. Ensure that this service is both present and started. The Endpoint Privilege Management service is installed by Endpoint Privilege Management for Windows and should start automatically.

ℹ️

Note

The Endpoint Privilege Management service requires MSXML6 to load the Endpoint Privilege Management for Windows settings, but the service runs even if MSXML6 is not present.

Windows 10 already includes MSXML6.

macOS

You can confirm whether Endpoint Privilege Management for Mac is running by checking the Activity Monitor for the following processes:

  • Defendpoint
  • defendpointd
  • dppolicyserverd

Check settings are deployed

Assuming Endpoint Privilege Management is installed and functioning, the next step is to check that you have deployed settings to the computer or user.

ePO policies are stored by Endpoint Privilege Management as an XML file in the following location:

%ProgramData%\Avecto\Privilege Guard\ePO Cache\Machine\PrivilegeGuardConfig.xml

Check that Endpoint Privilege Management is licensed

One of the most common reasons for Endpoint Privilege Management not functioning is the omission of a valid license from the Endpoint Privilege Management settings. If you create multiple policies, then you must ensure that the computer or user receives at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of Endpoint Privilege Management settings that you create.

Check Workstyle precedence

Assuming that Endpoint Privilege Management is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems. Please be aware that if you have multiple policies, these are evaluated in alphanumeric order.

Once an application matches an Application Group entry in the Application Rules or the On-Demand Application Rules, then processing does not continue for that application. Therefore, it is vital that you order your entries correctly:

  • If you create multiple Workstyles, then Workstyles higher in the list have higher precedence.
  • If you have multiple rules in the Application Rules and the On-Demand Application Rules sections of a Workstyle, then entries higher in the list have higher precedence.

Application Rules are applied to applications that are launched either directly by the user or by a running process. On-Demand Application Rules are only applied to applications that are launched from the Endpoint Privilege Management shell menu (if enabled).

Certificate error in Trellix Endpoint Security (ENS)

A certificate error is shown on the endpoint in the Event Log for Trellix Endpoint Security (ENS) if Endpoint Privilege Management was installed prior to Trellix Endpoint Security.

Add the certificate for Endpoint Privilege Management:

  1. Navigate to Policy Catalog and select Trellix Endpoint Security from the Product dropdown menu.
  2. In the Self Protection section, navigate to the Certificates section and check the Allow box. This allows BeyondTrust processes to be trusted.
  3. Click Save.

This resolves the error encountered when using BeyondTrust Endpoint Privilege Management and Trellix Endpoint Security software.

Updated 3 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.