
Install, Uninstall, Upgrade PM for Windows

Frequently asked questions

Can I install the 32-bit client on a 64-bit endpoint?

No. The 32-bit client can only be installed on 32-bit endpoints.

Can I install the 32-bit Endpoint Privilege Management Policy Editor on a 64-bit endpoint?

Yes. The 32-bit Endpoint Privilege Management Policy Editor can be installed on 64-bit endpoints if required.

Do I need to install the Endpoint Privilege Management for Windows and the Endpoint Privilege Management Policy Editor together?

For standalone installations, you must install both Endpoint Privilege Management for Windows and the Endpoint Privilege Management Policy Editor. We also recommend that Endpoint Privilege Management for Windows and the Endpoint Privilege Management Policy Editor be installed together during evaluation, to simplify the evaluation process.

For larger deployments, there is no requirement to install the Endpoint Privilege Management Policy Editor on endpoints.

What distribution mechanisms do you support?

Endpoint Privilege Management for Windows can be deployed using any third party software which supports the deployment of MSI and/or Executable files, such as Microsoft Active Directory, Microsoft SMS/SCCM, and McAfee ePolicy Orchestrator (ePO).

For silent installations and advanced installations (such as CERT_MODE and EPOMODE), the third party deployment software must also support the use of command line options.

What is the update priority for Endpoint Privilege Management GPO edition?

The update priority for Endpoint Privilege Management GPO edition is as follows:

  1. Event Collector
  2. Reporting Database
  3. Client
  4. Management Console
  5. Policy

Can different versions of the agent coexist?

Yes. In some estates, a range of different agent versions can exist together. Here are a couple of scenarios where this might occur:

  • An older version of the agent might be needed for an older OS. For example, agent version 22.5 does not support Windows 7, so an earlier version is required.
  • A company might create a pilot group to run a newer version for agent testing while the rest of the estate runs the older version.

We always retain backwards compatibility for the policies when adding new features. This allows you to configure and use new features in your policies and use them with newer agents. On any older agents in your estate the new features will be ignored and will not affect the function of the agents.

Install Endpoint Privilege Management for Windows

ℹ️

Note

Endpoint Privilege Management for Windows requires that Windows short file name creation be enabled.

Client packages

To install Endpoint Privilege Management for Windows, run the appropriate installation package:

  • For 32-bit (x86) systems, run PrivilegeManagementForWindows_x86.exe.
  • For 64-bit (x64) systems, run PrivilegeManagementForWindows_x64.exe.

The installation prompts you to install missing prerequisites.

Endpoint Privilege Management for Windows may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.

ℹ️

Note

There is no license to add during the client installation, as this is deployed with the Endpoint Privilege Management for Windows Workstyles, so the client may be installed silently.

⚠️

Important

As of version 5.5, all releases of Endpoint Privilege Management for Windows are signed only with a SHA-256 code signing certificate. Previous versions were dual signed with SHA-1 and SHA-256 certificates. The decision to drop SHA-1 certificates was made to avoid weaknesses in the SHA-1 algorithm and to align to industry security standards. For more information, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

If you intend to deploy Endpoint Privilege Management for Windows 5.5 to Windows 7 or Windows Server 2008 R2 machines, you must ensure the following KBs are installed prior to installation of this product:

We strongly recommend you keep your systems up to date with the latest Windows security updates.

Installing this release on a system which does not support SHA-256 code signing verification results in Bad Image exceptions referring to PGHook.dll.

Unattended client deployment

When deploying Endpoint Privilege Management for Windows with automated deployment technologies, such as System Center Configuration Manager (SCCM), you can deploy the client silently and postpone the computer from restarting.

To install the client executable silently, without a reboot, use the following command line (the double quotes are required and the syntax must be copied exactly):

PrivilegeManagementForWindows_x86.exe /s /v" /qn /norestart"

To install the client MSI package silently, without a reboot, use the following command line:

Msiexec.exe /i PrivilegeManagementForWindows_x86.msi /qn /norestart

ℹ️

Note

Endpoint Privilege Management for Windows will not be fully operational until a reboot. To perform an unattended deployment with a reboot, omit the /norestart switch.
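An added example, not part of the BeyondTrust documentation, that wraps the silent MSI command line above with the pre-flight checks this page implies: the short file name requirement, and the SHA-256 BeyondTrust Corporation code signature. The MSI path, log path and exit-code messages are assumptions; the msiexec switches are the page's own plus `/l*v` for a verbose log.

```powershell
# Added example (not from the BeyondTrust documentation): pre-flight checks and an
# unattended MSI install of Endpoint Privilege Management for Windows, for use from a
# deployment tool. Assumes an elevated session; $Msi and $LogPath are placeholder paths.
param(
    [string]$Msi     = 'C:\Deploy\PrivilegeManagementForWindows_x64.msi',  # placeholder
    [string]$LogPath = 'C:\Deploy\EPM-install.log'                         # placeholder
)

function Test-InstallerSignature {
    # Releases from 5.5 onward are signed with a SHA-256 certificate issued to
    # "BeyondTrust Corporation"; refuse to run an installer that fails that check.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'CN=BeyondTrust Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $sig.SignerCertificate.Thumbprint
}

function Test-ShortNameCreation {
    # EPM for Windows requires 8.3 short file name creation. NtfsDisable8dot3NameCreation:
    # 0 = enabled on all volumes, 1 = disabled, 2 = per-volume (default), 3 = system volume only.
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $state = [int]$fs.NtfsDisable8dot3NameCreation
    if ($state -eq 1) {
        throw 'Short file name creation is disabled; run "fsutil 8dot3name set 0" before installing.'
    }
    return $state
}

function Install-EpmClient {
    param([string]$Path, [string]$Log)
    # /qn = no UI, /norestart = postpone the reboot (the page's switches);
    # /l*v writes a verbose MSI log for troubleshooting.
    $msiArgs = "/i `"$Path`" /qn /norestart /l*v `"$Log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed; client is not fully operational until the next reboot.' }
        3010    { return 'Installed; reboot required (postponed by /norestart).' }
        1641    { return 'Installed; the installer initiated a reboot.' }
        default { throw "msiexec exited with $($proc.ExitCode); see $Log" }
    }
}

Test-ShortNameCreation | Out-Null
Test-InstallerSignature -Path $Msi | Out-Null
$result = Install-EpmClient -Path $Msi -Log $LogPath
# The client registry key named on this page should exist after a successful install.
if (-not (Test-Path 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client')) {
    Write-Warning 'Client registry key not found after install; check the MSI log.'
}
Write-Host $result
```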

Configure an alternate event log location

You can configure an alternate event log location in the following ways:

  • From the client installer (initial installation or upgrade)
  • In Windows registry after installation

The default location is Windows Logs\Application. The alternate location is Application and Services Logs\BeyondTrust Privilege Management.

Set the event log location using the installer

When running the installer, enter the parameter and value as shown:

msiexec.exe /i PrivilegeManagementForWindows_x64.msi APPEVENTLOGTYPE=1

or

PrivilegeManagementForWindows_x64.exe /v"APPEVENTLOGTYPE=1"

Change the event log location in Windows Registry

If the client is already installed, set the value in the registry.

ℹ️

Note

If agent protection is configured, you must first disable agent protection on the machine before you can change settings in the Registry Editor.

Run regedit.exe with elevated privileges and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client

Set the DWORD value ApplicationEventLogType to the required location, for example:

ApplicationEventLogType=1

where:

0: Windows Logs\Application

1: Application and Services Logs\BeyondTrust Privilege Management

You must restart the service after changing the value.
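An added example, not from the BeyondTrust documentation, that performs the registry change above on an installed client, restarts the service, and reads recent events back from whichever log is now active. It assumes agent protection has already been disabled on the machine, that the service display name contains "Defendpoint" (taken from the mention of the Defendpoint service later on this page), and that the alternate log is named "BeyondTrust Privilege Management"; the event provider filter is also an assumption.

```powershell
# Added example (not from the BeyondTrust documentation): switch the EPM for Windows
# event log location on an installed client and confirm where events are being written.
# Assumes an elevated session and that agent protection is already disabled.
$KeyPath   = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'   # key named on this page
$ValueName = 'ApplicationEventLogType'
$Locations = @{
    0 = 'Application'                       # Windows Logs\Application (default)
    1 = 'BeyondTrust Privilege Management'  # Application and Services Logs\... (assumed log name)
}

function Get-EpmEventLogType {
    # A missing value means the default location (0).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-EpmEventLogType {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Type)
    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found; is Endpoint Privilege Management for Windows installed?"
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Type -Type DWord
    # The page requires a service restart before the new value takes effect.
    # Service display name is an assumption; adjust if yours differs.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Defendpoint*' } | Select-Object -First 1
    if ($null -eq $svc) { throw 'EPM service not found; restart it manually.' }
    Restart-Service -Name $svc.Name -Force
    return (Get-EpmEventLogType)
}

function Get-RecentEpmEvents {
    param([int]$Count = 20)
    $logName = $Locations[(Get-EpmEventLogType)]
    # Provider-name filter is an assumption; remove it if your events use another provider.
    Get-WinEvent -LogName $logName -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Privilege|Avecto|BeyondTrust' } |
        Select-Object -First $Count
}

$before = Get-EpmEventLogType
Write-Host "Current ApplicationEventLogType: $before ($($Locations[$before]))"
$after = Set-EpmEventLogType -Type 1
Write-Host "Now: $after ($($Locations[$after]))"
Get-RecentEpmEvents | Format-Table TimeCreated, Id, ProviderName -AutoSize
```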

Set up agent protection

Add agent protection to your endpoints to prevent admin users from tampering with the product, including stopping the services running or deleting its files from the endpoint.

The setup is a two-part process:

  • Generate public-private key pair.
    • The public key is stored in a policy and distributed to all endpoints. The public key is automatically inserted into the policy when using the Policy Editor to create the key pair.
    • The password-protected private key must be stored securely by the administrator. The private key and private key password are required when you want to disable agent protection.
  • Enable protection.

Generate key pairs

The key pair can be generated using either Policy Editor or command line.

To generate the key pair in Policy Editor:

  1. In a Policy Editor:
    • Web Policy Editor: Policies > Edit Policy > Utilities > Agent Protection Settings > Generate Key
    • MMC Policy Editor: Right-click the Privilege Management Settings node, and then select Generate Agent Protection Keys.
  2. Enter a password to encrypt the private key.
  3. Click Generate.
  4. Navigate to a location to save the private key, and then click Save. The public key is automatically inserted into the policy.

To generate the key pair using the command line (or a tool like PowerShell):

  1. From the command line, call AgentProtectionUtility using the command:
    GENERATE /PRIVATE <path> /PUBLIC <path>
  2. Enter the password at the prompt.

The private and public keys are generated and saved to the designated paths. You must use the PowerShell API to insert the public key into the policy configuration.

📘

For more information about AgentProtectionUtility, see Agent protection utility usage and options.

Enable agent protection

To enable protection:

  1. Expand the Endpoint Privilege Management Settings node.
  2. Select the Windows node, and then select Advanced Agent Settings.
  3. Click Add Value.
  4. Select 64-bit Agent Values from the Edit dropdown.
  5. Type AgentProtectionState in the Value Name box.
  6. Ensure type is DWORD.
  7. In the Value Data column, set the value to 1. There are three possible states: 0 = off, 1 = enabled, 2 = disabled.

Agent protection is enabled after the policy is deployed and loaded by the endpoints.

Disable agent protection temporarily on one endpoint

In some cases, there might be a legitimate need to uninstall the agent. You can use the Endpoint Utility to disable the protection.

Disabling the protection on an endpoint is a two-part process:

  1. First, a support engineer with the necessary rights uses the Agent Protection Utility, as well as the correct password-protected private key for the policy, to generate a time-based token.
  2. The token is then passed to the end-user computer and used by the Endpoint Utility to temporarily disable the agent protection for that endpoint.

To disable the agent protection:

  1. Generate an uninstall token. Use the Agent Protection Utility located in Program Files\Avecto\Privilege Guard Management Consoles or downloaded from EPM. The token must be generated using administrator credentials. The token is encrypted and expires after the time you provide elapses.
  2. From the command line, run the following:
    UNINSTALL /EXPIRY <time> /PRIVATE <path> /TOKEN <path>

    For example:

    UNINSTALL /EXPIRY 30d /PRIVATE priv.pem /TOKEN token.txt
  3. Enter the password you set when generating the private key, when prompted. A token file is created at the designated path.

ℹ️

Note

The token file contains a string of characters that is required to disable the endpoint. The token must reside on the end-user computer where you want to disable protection. Copy the token to that computer before proceeding to step 4.

  4. On the end-user computer, disable protection using the Endpoint Utility located in Program Files\Avecto\Privilege Guard Client.
  5. Run the following command:
    /ap /t <tokencharacterstring>

A confirmation message indicates agent protection is disabled. The agent protection reverts to the enabled state after the Defendpoint service restarts.

📘

For more information about Agent Protection Utility, see Agent protection utility usage and options.

Disable agent protection on all endpoints

ℹ️

Note

This procedure permanently disables agent protection on all endpoints on which the policy is deployed. Agent protection is also temporarily disabled for all in-progress admin access sessions.

  1. Expand the Privilege Management Settings node.
  2. Select the Windows node, and then select Advanced Agent Settings.
  3. In the Value Name column, enter AgentProtectionState.
  4. In the Value Data column, set the value to 0.

Agent protection utility usage and options

Usage

AgentProtectionUtility GENERATE | UNINSTALL | VERIFY <options>

Command: GENERATE /PRIVATE <path> /PUBLIC <path>
Description: Generates an encrypted private/public key pair stored at the two <path> locations. The private key is encrypted with a password entered at the prompt. The password requires at least 12 characters.

Command: UNINSTALL /EXPIRY <time> /PRIVATE <path> /TOKEN <path>
Description: Generates a secure token, using the private key located at <path>, that drops all protection for <time>. The token file is written to the /TOKEN <path>.

Command: VERIFY /TOKEN <path> /PUBLIC <path>
Description: Verifies a secure token stored at <path> using the public key stored at <path>.

Upgrade PM for Windows

Before upgrading any versions of Endpoint Privilege Management for Windows software or existing settings, we recommend you test your deployment in a preproduction environment. This will help mitigate any unforeseen compatibility issues, and avoid disruption to the business. In addition, you should export your policies for backup purposes prior to an upgrade.

All Endpoint Privilege Management for Windows MSI and EXE installers automatically remove old versions of BeyondTrust software when installed. Therefore, it is not necessary to manually remove old versions prior to installation.

If you previously installed Endpoint Privilege Management for Windows with a switch, you must ensure you upgrade Endpoint Privilege Management for Windows with the same switch. If you do not use the same switch, the new installation parameters apply and any functionality relating to the previous installation is lost.

Endpoint Privilege Management for Windows guarantees backward compatibility with previous versions, but does not guarantee forward compatibility.

If you are running Endpoint Privilege Management for Windows 22.7 or higher, and are upgrading to a newer version, then a reboot is not mandatory and all existing functions will continue to work. New features may require a reboot, so it is still recommended to reboot at your earliest convenience after an upgrade.

ℹ️

Note

When installing in silent mode, a reboot occurs automatically unless the /norestart flag is also used. Therefore, we recommend that upgrades be performed outside of core business hours, or during scheduled maintenance windows, to avoid loss of productivity.

Use policy precedence in a migration scenario

During any migration from one Endpoint Privilege Management platform to another, you can use the POLICYPRECEDENCE parameter to provide policy redundancy. For example, you are migrating from BeyondTrust's ePO platform to BeyondInsight or EPM, and want to ensure there is zero policy downtime during the migration.

Add the POLICYPRECEDENCE parameter to the client install syntax. Existing policy continues to apply until superseded by the new platform policy.

GPO clients

POLICYPRECEDENCE="WEBSERVICE,GPO,LOCAL"

ePO clients

POLICYPRECEDENCE="WEBSERVICE,EPO,LOCAL"

BeyondInsight

POLICYPRECEDENCE="WEBSERVICE,BEYONDINSIGHT,LOCAL"

WebServer

POLICYPRECEDENCE="WEBSERVICE,WEBSERVER,LOCAL"

Example

The complete install syntax may look something like this:

Msiexec.exe /i PrivilegeManagementForWindows_x.xxx.x.msi IC3MODE=1 POLICYPRECEDENCE="WEBSERVICE,GPO,LOCAL" /qn /norestart

Recommended steps

⚠️

Important

As of release 5.5, all releases of this product are signed with BeyondTrust Corporation, rather than Avecto, as the software publisher name. If prior to 5.5 you used the QuickStart Policy Template as a starting point, it is likely that your configuration will include Application Groups which target our own applications based on a publisher match to Avecto. An upgrade to 5.5 or beyond requires you to update your configuration so that it continues to match the versions of the applications and tools that you use. We recommend one of the following two options:

Option 1

Add a copy of any existing application definitions which target Avecto and update those copies to target BeyondTrust Corporation instead; the presence of both sets of application definitions ensures they continue to match both new and existing versions during the implementation of 5.5. This option has an advantage over Option 2, in that it also covers any application definitions that you may have created yourself that target the Avecto publisher.

Option 2

You may copy fragments of the QuickStart policies in version 5.5 to your existing application definitions.

For either option, it is critical that you roll out your configuration changes before you update your Endpoint Privilege Management for Windows software to version 5.5 or later.

Step 1: Upgrade the Endpoint Privilege Management Policy Editor

📘

For steps to upgrade the Endpoint Privilege Management Policy Editor, see Install the Policy Editor.

Step 2: Upgrade application groups to match publisher name BeyondTrust Corporation (when upgrading to version 5.5)

Option 1 - duplicate application definitions matching Avecto publisher and update to target BeyondTrust Corporation

  1. Locate all Avecto matches:
    • Select the Application Groups node.
    • Type Avecto into the Search applications box to filter.
  2. Create a copy of all definitions in each Application Group found that contain a publisher match on Avecto:
    • Copy and paste the existing definitions.

ℹ️

Note

Rename one of the copies to OLD, so it’s easy to tell which to delete after the new application definitions take effect. OLD can be deleted once the 5.5 upgrade is complete.

  3. Update the new application definitions to match publisher BeyondTrust Corporation.
  4. Test the updated configuration against the new 5.5 applications.

Option 2 - insert policy fragments into existing application definitions

  1. Ensure that Hidden Groups are visible by right-clicking the Endpoint Privilege Management Settings node. Enable Show Hidden Groups.
  2. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="95402cc1-3301-49ec-8108-7ee359c55018" Type="exe" Description="BeyondTrust Privilege Management ETW Trace Formatter" OpenDlgDropRights="true" CheckFileName="true" FileName="TraceFormat.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management ETW Trace Formatter" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/><Application ID="d30f3395-2f7f-4a2e-b8e5-6d3073976dc0" Type="exe" Description="Performance Log Utility" OpenDlgDropRights="true" CheckFileName="true" FileName="logman.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="Microsoft® Windows® Operating System" ProductDesc="Performance Log Utility" CheckCertificate="true" Certificate="Microsoft Windows" CertificateStringMatchType="Exact"/></ClipboardItems></ClipboardText>
    
  3. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  4. Create an Application Group (Default) Child Processes of TraceConfig.exe.
  5. Select the middle pane and paste what you have copied.
  6. Right-click the Application Group, select Properties, and check the Hidden box.
  7. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="511e21b7-b059-42ca-bcfe-03ca4c5ecf58" Type="exe" Description="Privilege Management Config Capture Utility" ChildrenInheritToken="true" OpenDlgDropRights="true" CheckFileName="true" FileName="PGCaptureConfig.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management Config Capture Utility" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/><Application ID="7995df95-0031-460f-a5e3-cfd2b12758d8" Type="exe" Description="Privilege Management TraceConfig" ChildrenInheritToken="true" OpenDlgDropRights="true" CheckFileName="true" FileName="TraceConfig.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management Config Capture Utility" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact" ChildApplicationGroup="a1d8ab16-5b3d-42d1-a90d-e069d741f7b1"/></ClipboardItems></ClipboardText>
    
  8. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  9. Select the Application Group (Default) Privilege Management Tools.
  10. Select the middle pane and paste what you have copied.
  11. Double-click the Privilege Management TraceConfig application definition.
  12. In the Allow child processes to match the application definition option in the Application dialog, choose (Default) Child Processes of TraceConfig.exe from the dropdown.
  13. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="52a1ef23-b71b-4c3b-836c-c228a7343e33" Type="msi" Description="Any Privilege Management Client Installer Package" ChildrenInheritToken="true" OpenDlgDropRights="true" FileName="*" FilePatternMatching="true" UseSourceFileName="true" CheckProductName="true" ProductName="Privilege Management" ProductNameStringMatchType="Contains" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/></ClipboardItems></ClipboardText>
    
  14. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  15. Select the Application Group Block - Blocked Apps.
  16. Select the middle pane and paste what you have copied.

Step 3: upgrade Endpoint Privilege Management for Windows settings

Once the Endpoint Privilege Management Policy Editor has been upgraded, the final step is to roll out new versions of the Endpoint Privilege Management for Windows settings.

Although Endpoint Privilege Management for Windows is fully backwards compatible with older versions of Endpoint Privilege Management for Windows settings, this step is required if you want to take advantage of any new features and enhancements in Endpoint Privilege Management for Windows.

📘

Endpoint Privilege Management for Windows settings are automatically saved in the latest format each time a change is made. For details on editing settings, see Deploy Endpoint Privilege Management for Windows policy.

After an upgrade, settings cannot be downgraded. We recommend an upgrade of Endpoint Privilege Management for Windows settings is performed only after all instances of Endpoint Privilege Management for Windows are upgraded.

Step 4: upgrade Endpoint Privilege Management for Windows

To upgrade Endpoint Privilege Management for Windows manually, double-click the client installation media for your operating system.

For larger deployments, Endpoint Privilege Management for Windows supports mixed client environments, as it is fully backwards compatible with older versions of Endpoint Privilege Management for Windows settings. This allows for phased roll-outs of Endpoint Privilege Management for Windows, if preferred.

📘

For steps to upgrade Endpoint Privilege Management for Windows using a deployment mechanism, see Install Endpoint Privilege Management for Windows.

Step 5: delete old application definitions (upgrade from 5.4)

Once all machines are running version 5.5, it is safe to delete any application definitions still matching the publisher Avecto from your configuration and to deploy that configuration.

Reporting console

The Reporting Console is an MMC snap-in and may connect to the local computer or a remote computer. The Reporting Console enables you to view Endpoint Privilege Management for Windows events and privilege monitoring logs for the relevant computer.

To run the Endpoint Privilege Management Reporting Console:

  1. Launch mmc.exe.

  2. Select Add/Remove Snap-in from the File menu.

  3. Select Endpoint Privilege Management Reporting from the available snap-ins and click Add.

    Before the snap-in is added, you are prompted to select a computer to manage. The local computer is selected by default. To connect to a remote computer, click the Another computer option button and enter the name of the remote computer or click the Browse button to browse for a computer. Endpoint Privilege Management for Windows supports a connection to a central event collector if you are using event forwarding to centralize events to a server.

    You may also select an alternative location for the privilege monitoring logs, if you have a scripted solution in place to centralize the privilege monitoring logs to a server. Enter the network location or click the Browse button to browse to the location.

  4. Click Finish.

  5. Click OK.

ℹ️

Note

You can add multiple instances of the Endpoint Privilege Management Reporting snap-in and connect them to different computers.

Auditing report

The Auditing Report lists all the Endpoint Privilege Management for Windows events logged on that computer.

For each event the following information is available:

  • Date
  • Event ID
  • Filename (Codebase for ActiveX controls)
  • Command Line
  • Event Description
  • Username
  • Computer Name
  • Policy
  • Application Group
  • Reason
  • Custom Token
  • Hash (CLSID for ActiveX controls)
  • Certificate
  • PID
  • Parent PID
  • Trusted Application Name
  • Trusted Application Version

By default, the report shows all Endpoint Privilege Management for Windows events from the event log, but you can filter the report on date, event number, username, and computer name. Click Update Report to reload the report.

The application definitions contained within each event may be copied and then pasted into Application Groups in the Endpoint Privilege Management Policy Editor. Select one or more events, and then select Copy from the context menu. You can now paste the applications into an Application Group.

Privilege monitoring report

Application view

The application view shows a list of all applications that have been monitored. Applications are identified by their file hash.

For each application, the following information is available:

  • Filename/Codebase
  • Type
  • Instances
  • Description
  • Certificate
  • Hash (CLSID for ActiveX controls)
  • Version (ActiveX controls only)

The instances column shows the number of times the application has run. To view the individual instances for an application, double-click the entry in the list or select Show Details from the context menu. The Process View appears.

By default, the report shows all the monitored applications, but you may filter the report on date, username, and computer name. Click Update Report to reload the report.

Process view

The process view shows a list of the individual processes that have been monitored for an application.

For each process the following information is available:

  • Date
  • PID
  • Command Line
  • Filename

To view the activity for a process, double-click the entry in the list or select Show Details from the context menu. The Activity View appears.

Activity view

The activity view shows a list of all the privileged activity carried out by a process. Privileged activity is any activity that would fail under a standard user account.

For each activity entry the following information is available:

  • Date
  • Operation
  • Object
  • Parameters

To go back to the process view, double-click the back up entry in the list or select Back Up from the context menu. The Process View appears.

Diagnose connection problems

The Endpoint Privilege Management Reporting Console must connect to the registry and the administrative file shares when connecting to a remote computer.

If the Reporting Console fails to connect or fails to retrieve data, the most common causes are:

  1. The Remote Registry service needs to be started on the remote machine. On Windows 7, this service is not set to start automatically, so you should ensure it has been started.
  2. The Windows Firewall may be blocking the incoming requests. Enabling the File and Printer Sharing exception in the Windows Firewall Settings should resolve this problem.
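An added example, not from the BeyondTrust documentation, that checks the two causes listed above from an administrator's workstation before opening the Reporting Console against a remote computer, and offers the matching remediation. It assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`), WinRM access and admin rights on the target; the host name is a placeholder.

```powershell
# Added example (not from the BeyondTrust documentation): test the prerequisites the
# Reporting Console needs on a remote computer (Remote Registry running, File and
# Printer Sharing allowed through Windows Firewall, admin shares reachable).
param([string]$Computer = 'ENDPOINT01')   # placeholder host name

function Test-ReportingConsolePrereqs {
    param([string]$Target)
    $results = [ordered]@{}

    # SMB (TCP 445) carries both remote registry and administrative share traffic.
    $tcp = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
    $results['SMB port 445 reachable'] = $tcp.TcpTestSucceeded

    # Cause 1: the Remote Registry service must be running on the remote machine.
    try {
        $svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
        $results['RemoteRegistry running']    = ($svc.Status -eq 'Running')
        $results['RemoteRegistry start type'] = $svc.StartType
    } catch {
        $results['RemoteRegistry running'] = $false
        $results['RemoteRegistry error']   = $_.Exception.Message
    }

    # The console also needs the administrative file shares.
    $results['ADMIN$ share reachable'] = Test-Path "\\$Target\ADMIN`$"

    # Cause 2: count enabled inbound rules in the "File and Printer Sharing" group,
    # which is the Windows Firewall exception the page says to enable.
    try {
        $enabled = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
            Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
                Where-Object { $_.Enabled -eq 'True' } |
                Measure-Object | Select-Object -ExpandProperty Count
        }
        $results['Inbound File and Printer Sharing rules enabled'] = $enabled
    } catch {
        $results['Firewall check error'] = $_.Exception.Message
    }
    return [pscustomobject]$results
}

function Repair-ReportingConsolePrereqs {
    # Remediation for the two causes on this page; run only after reviewing the checks.
    param([string]$Target)
    Set-Service -ComputerName $Target -Name RemoteRegistry -StartupType Automatic
    Get-Service -ComputerName $Target -Name RemoteRegistry | Start-Service
    Invoke-Command -ComputerName $Target -ScriptBlock {
        Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    }
}

Test-ReportingConsolePrereqs -Target $Computer | Format-List
```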
