
Policy Editor utilities

Policy Assistant

Use the Policy Assistant to learn more about your policy configuration. The assistant detects configuration errors and provides remediation details, for example duplicate Application Rules that potentially contradict each other, or the same user account listed twice in a Workstyle account filter.

The Policy Assistant validates the following areas of the policy:

  • Accounts filters
  • Application
  • Application rules
  • Audit script
  • Content
  • License
  • On-demand rules
  • Trusted application protection settings
  • Workstyles

If the Policy Assistant reports no issues, that means only that the current set of checks found none; a policy can still contain problems that the checks do not cover.

Policy checks can run without saving the policy; any unsaved changes are checked when you access the Policy Assistant.
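The two checks named above (contradictory Application Rules within a Workstyle, and an account listed twice in an account filter) are simple enough to run offline against an exported policy. The following is an added example, not the product's own code: the dict-based policy model is a constructed stand-in for the real policy, and the High/Low severity labels are assumed, not the assistant's actual output.

```python
"""Offline duplicate-and-contradiction checks of the kind the Policy Assistant
runs. Added example; the dict-based policy model is a constructed stand-in and
the severity labels are assumptions, not the product's schema or output."""
from collections import defaultdict

# Constructed sample policy (not a real export). "Standard Users" lists the
# same account twice with different casing and has two pairs of Application
# Rules that target the same executable.
SAMPLE_POLICY = {
    "workstyles": [
        {
            "name": "Standard Users",
            "account_filter": ["CORP\\alice", "CORP\\bob", "corp\\Alice"],
            "application_rules": [
                {"target": "C:\\Tools\\admin.exe", "action": "Allow"},
                {"target": "c:\\tools\\ADMIN.EXE", "action": "Block"},
                {"target": "C:\\Tools\\backup.exe", "action": "Elevate"},
                {"target": "C:\\Tools\\backup.exe", "action": "Elevate"},
            ],
        },
        {
            "name": "Admins",
            "account_filter": ["CORP\\Domain Admins"],
            "application_rules": [
                {"target": "C:\\Tools\\admin.exe", "action": "Elevate"},
            ],
        },
    ]
}

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # assumed labels


def _norm(value):
    """Windows account names and file paths compare case-insensitively."""
    return value.strip().casefold()


def check_account_filters(policy):
    """Flag an account that appears more than once in one Workstyle's filter."""
    issues = []
    for ws in policy["workstyles"]:
        seen = {}
        for account in ws["account_filter"]:
            key = _norm(account)
            if key in seen:
                issues.append({
                    "severity": "Low",
                    "workstyle": ws["name"],
                    "check": "duplicate account",
                    "detail": f"{account!r} duplicates {seen[key]!r}",
                })
            else:
                seen[key] = account
    return issues


def check_application_rules(policy):
    """Flag Application Rules in one Workstyle that match the same target.
    Identical actions are merely redundant; different actions contradict
    each other, and the effective outcome then depends on rule order."""
    issues = []
    for ws in policy["workstyles"]:
        by_target = defaultdict(list)
        for index, rule in enumerate(ws["application_rules"]):
            by_target[_norm(rule["target"])].append((index, rule["action"]))
        for target, hits in by_target.items():
            if len(hits) < 2:
                continue
            actions = sorted({action for _, action in hits})
            contradiction = len(actions) > 1
            issues.append({
                "severity": "High" if contradiction else "Low",
                "workstyle": ws["name"],
                "check": "contradictory rules" if contradiction else "duplicate rules",
                "detail": f"rules {[i for i, _ in hits]} target {target!r} "
                          f"with actions {actions}",
            })
    return issues


def run_policy_checks(policy):
    """Run every check and return the issues sorted by severity, highest
    first, mirroring the sort-by-severity triage the assistant offers."""
    issues = check_account_filters(policy) + check_application_rules(policy)
    return sorted(issues, key=lambda issue: SEVERITY_ORDER[issue["severity"]])


if __name__ == "__main__":
    for issue in run_policy_checks(SAMPLE_POLICY):
        print(f"[{issue['severity']}] {issue['workstyle']}: "
              f"{issue['check']}: {issue['detail']}")
```

Note that the same target appearing in two different Workstyles (admin.exe in both sample Workstyles) is deliberately not reported: the Workstyles apply to different account filters, so those rules are not in conflict. The contradiction worth a High rating is two rules for one target inside one Workstyle, where rule order alone decides whether the application is allowed or blocked.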

Access the assistant

  1. In the Policy Editor, expand Utilities.
  2. Click the Policy Assistant tab.
  3. Click the suggested action link to remediate the potential policy issue identified.
  4. Sort the issues by severity level to prioritize the issues to resolve.

View issues

When you select Save & Unlock after changing a policy, the Policy Assistant runs checks to detect any policy configuration issues.

  • If no issues are detected, a confirmation displays in the Save & Unlock panel.
  • If issues are detected, the number of conflicts and a link to view more detail displays on the Save & Unlock panel.

Licensing

Endpoint Privilege Management for Windows requires a valid license code to be entered in the Policy Creator. If more than one policy is applied to a computer, you need at least one valid license code for one of those policies.

For example, you could add the Endpoint Privilege Management for Windows license to a policy that is applied to all managed endpoints, even if it does not have any Workstyles. This ensures all endpoints receive a valid license if they have Endpoint Privilege Management for Windows installed. If you are unsure, then we recommend you add a valid license when you create the policy.

  1. Go to the Policies page, and then select Edit & Lock Policy for the policy you want to edit.
  2. Expand the Utilities node.
  3. Click the Licenses node.
  4. Click Add.
  5. Enter the license key, and then click Add License.

Import policy

Endpoint Privilege Management policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Endpoint Privilege Management, such as the Endpoint Privilege Management ePO Extension. Policies can be migrated and shared between different deployment mechanisms.

  1. In the Policy Editor, expand Utilities.
  2. Select Import Policy.
  3. Select one of the following:
    • Merge Policy
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Drop the file onto the box or click inside the box to navigate to the file.
  5. Click Upload File.

Import template policy

You can import a template policy and either merge its settings into the existing policy or overwrite the policy with it.

  1. In the Policy Editor, expand Utilities.
  2. Select Template Policies.
  3. Select one of the following:
    • Merge Policy: Merges the template's configuration into the existing policy.
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Select a template from the list: Discovery, QuickStart for Mac, QuickStart for Windows, Server Roles, TAP (High Flexibility), TAP (High Security).
  5. If you are merging, select Merge Template Policy to save the settings. If you are overwriting, select Overwrite Policy.

Manage audit scripts

When an application is allowed, elevated, or blocked, an event is logged to record details of the action. Audit scripts let you record these actions in a third-party tracking system as well.

You can write audit scripts in PowerShell or JavaScript and configure them in the Policy Creator.

  1. In the Policy Editor, expand the Utilities node.
  2. Select Manage Audit Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Click the following menus to further configure the script:
    • Timeout Options
    • Context Options
  5. Click inside the upload box to select the script.

Manage rule scripts

You can upload, view, and delete Power Rules in the Policy Creator.

The script must be a Windows PowerShell script in JSON format.

  1. In the Policy Editor, expand Utilities.
  2. Select Manage Rule Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Select a value from the Timeout options list.
  5. Drag and drop the new script into the upload box or click to select a file.
  6. Click Upload Script to save your changes.

After a script is uploaded, you can delete or upload an updated script at any time.

Advanced agent settings

You can configure advanced agent settings to deploy additional registry based settings to endpoints that are running Endpoint Privilege Management for Windows and Mac.

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add to create a new setting.
  4. Type the desired value name.
  5. Select one of the following to designate the type:
    • DWORD
    • String
    • Multi-String
  6. Click Create to confirm your changes and create the new setting, or Discard to delete your work.

Agent protection settings

Add agent protection to your endpoints to prevent admin users from tampering with the product, including stopping the services running or deleting its files from an endpoint.

The table lists the protected EPM components and the protection applied to each.

Blocks uninstalls
  • Defendpoint client
  • PMC adapter
  • AD connector
  • Package Manager

Prevents stopping services
  • Defendpoint client
  • BeyondInsight adapter
  • ePO service

Blocks DLL injections
  • Defendpoint client
  • PMC adapter
  • ePO service
  • BeyondInsight adapter

Blocks access to registry settings
  • Defendpoint client
  • ePO service
  • BeyondInsight adapter
  • Password Safe service

File protection (deleting, moving, renaming, writing security attributes, or taking ownership)
  • C:\ProgramData\Avecto
  • C:\Program Files\Avecto\Privilege Guard Client
  • C:\Windows\System32\drivers\PGDriver.sys
  • C:\Program Files (x86)\Avecto\Privilege Guard Client
  • C:\Program Files (Arm)\Avecto\Privilege Guard Client

Set up protection

The setup is a two-part process:

  • Generate public-private key pair.
    • The public key is stored in the policy and distributed to all endpoint computers. When the key pair is generated in the MMC, the public key is inserted into the policy automatically.
    • The password-protected private key must be stored securely by the administrator. Keep both the private key and its password: they are required when you later want to disable agent protection.
  • Enable protection.

Generate key pairs

To generate the key pair:

  1. In the Policy Editor, expand Utilities.
  2. Select Agent Protection Settings.
  3. Click Generate Key.
  4. Enter a password to encrypt the private key.
  5. Click Generate Key.
  6. The private key is automatically downloaded to the local computer. The file name is private.pem. The public key is automatically inserted into the policy.

Enable agent protection

Agent protection is enabled after the policy is deployed and loaded by the Windows computers.

To enable protection:

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add.
  4. Enter AgentProtectionState in the Name box.
  5. Select 64 bit.
  6. Ensure type is DWORD.
  7. In the Decimal box, set the value to 1. The Hex value automatically populates with the same value. There are three possible states: 0 = off, 1 = enabled, 2 = disabled.

Regenerate UUIDs

When importing and exporting policies from external sources, it can be necessary to regenerate the policy's internal Universally Unique Identifier (UUID) so that Reporting attributes events to the right policy. In most scenarios where this is required, such as duplicating a policy in the editor, it is handled automatically.

Duplicating a policy by importing an XML file is the exception: the imported UUIDs are kept, because you do not always want new ones, for example when restoring a policy from a backup. When you do want new ones, regenerate them manually:

  1. In the Policy Editor, expand Utilities.
  2. Select Regenerate UUIDs.
  3. Click the Regenerate UUIDs button.

A success message displays at the bottom center of the page.
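The distinction above, fresh identifiers for a duplicate but unchanged identifiers for a restored backup, is the whole point of making regeneration a manual step. The following added example shows what a consistent regeneration has to do when you perform it yourself on an exported file: every occurrence of an old UUID must map to the same new one, or references inside the policy break. This is illustrative code, not the product's own; the XML and its element and attribute names are a constructed stand-in, not the real export schema.

```python
"""Regenerating the UUIDs in an exported policy while keeping internal references
consistent. Added example; the XML below is a constructed stand-in, and its
element and attribute names are assumptions, not the product's export schema."""
import re
import uuid
import xml.etree.ElementTree as ET

UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)

# Constructed sample: the Application Rule refers to the Application Group by
# the group's UUID, so both occurrences must be rewritten to the same new value.
SAMPLE_POLICY_XML = """<Policy ID="6f1c0d2e-5b8a-4c3d-9e7f-0a1b2c3d4e5f" Name="Example">
  <ApplicationGroup ID="a0b1c2d3-e4f5-4a6b-8c7d-9e0f1a2b3c4d" Name="Admin Tools"/>
  <Workstyle ID="11111111-2222-4333-8444-555555555555" Name="Standard Users">
    <ApplicationRule ID="0f0e0d0c-0b0a-4908-8706-050403020100"
                     ApplicationGroup="a0b1c2d3-e4f5-4a6b-8c7d-9e0f1a2b3c4d"
                     Action="Elevate"/>
  </Workstyle>
</Policy>
"""


def regenerate_uuids(xml_text, new_uuid=uuid.uuid4):
    """Return (rewritten XML, old->new mapping). Every occurrence of one old
    UUID maps to the same new UUID, so cross-references inside the policy
    still resolve after the rewrite."""
    mapping = {}

    def replace(match):
        old = match.group(0).lower()
        if old not in mapping:
            mapping[old] = str(new_uuid())
        return mapping[old]

    return UUID_RE.sub(replace, xml_text), mapping


def verify_regeneration(old_xml, new_xml, mapping):
    """Sanity checks a duplicated policy should pass: same number of UUID
    occurrences, no old value left behind, new values all distinct, and each
    occurrence rewritten according to the mapping."""
    old_ids = [i.lower() for i in UUID_RE.findall(old_xml)]
    new_ids = [i.lower() for i in UUID_RE.findall(new_xml)]
    if len(old_ids) != len(new_ids):
        return False
    if set(new_ids) & set(old_ids):
        return False
    if len(set(mapping.values())) != len(mapping):
        return False
    return all(mapping[o] == n for o, n in zip(old_ids, new_ids))


def references_resolve(xml_text):
    """For the constructed schema: every ApplicationRule must point at an
    ApplicationGroup that exists in the same policy."""
    root = ET.fromstring(xml_text)
    groups = {g.get("ID") for g in root.iter("ApplicationGroup")}
    rules = list(root.iter("ApplicationRule"))
    return bool(rules) and all(r.get("ApplicationGroup") in groups for r in rules)


if __name__ == "__main__":
    rewritten, mapping = regenerate_uuids(SAMPLE_POLICY_XML)
    print(rewritten)
    print("consistent:", verify_regeneration(SAMPLE_POLICY_XML, rewritten, mapping))
    print("references resolve:", references_resolve(rewritten))
```

The returned mapping is worth keeping alongside the duplicate: it records which identifiers changed, which is what you need if Reporting later shows events under an identifier you no longer recognise. For a restore from backup, skip the rewrite entirely so the restored policy keeps the identifiers Reporting already knows.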


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.