
Policy Editor utilities

Licensing

Endpoint Privilege Management for Windows requires a valid license code to be entered in the Policy Editor. If more than one policy is applied to a computer, you need at least one valid license code for one of those policies.

For example, you could add the Endpoint Privilege Management for Windows license to a policy that is applied to all managed endpoints, even if it does not have any Workstyles. This ensures all endpoints receive a valid license if they have Endpoint Privilege Management for Windows installed. If you are unsure, then we recommend you add a valid license when you create the policy.

To add a license:

  1. Go to the Policies page, and then select Edit & Lock Policy for the policy you want to edit.
  2. Expand the Utilities node.
  3. Click the Licenses node.
  4. Click Add.
  5. Enter the license key, and then click Add License.

Password Safe settings

Password Safe users can be included in an Application Rule or On-Demand Application Rule to help manage access to applications.

Password Safe must already be installed and configured.

Use the following procedure to set up the integration to Password Safe. After this initial setup is complete, you can edit the Application Rule or On-Demand Application Rule to allow Password Safe users.

  1. On the Policy Editor page, expand Utilities.
  2. Select Password Safe Settings.
  3. From the Password Safe connection list, select one of the following: Not Configured, Enabled, or Disabled.
  4. Set a heartbeat interval. This is the interval at which the computer polls Password Safe, unless the poll time is determined by Password Safe. For most subsequent messages, the poll time is driven by Password Safe in the messages it sends to EPM, because Password Safe knows when the next scheduled action must be performed.
  5. Click Update Settings.

Configure local account discovery

Configure a discovery scan to detect unmanaged accounts on an endpoint. The scan results are sent to Password Safe.

  1. On the Policy Editor page, expand Utilities.
  2. Select Password Safe Settings.
  3. Set an account discovery interval.
  4. Click Update Settings.

Import policy

Endpoint Privilege Management policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Endpoint Privilege Management, such as the Endpoint Privilege Management ePO Extension. Policies can be migrated and shared between different deployment mechanisms.

  1. In the Policy Editor, expand Utilities.
  2. Select Import Policy.
  3. Select one of the following:
    • Merge Policy
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Drop the file onto the box or click inside the box to navigate to the file.
  5. Click Upload File.

Import template policy

You can import a template and merge or overwrite the settings in an existing template.

  1. In the Policy Editor, expand Utilities.
  2. Select Template Policies.
  3. Select one of the following:
    • Merge Policy: Merges the configuration to the existing template.
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Select a template from the list: Discovery, QuickStart for Mac, QuickStart for Windows, Server Roles, TAP (High Flexibility), TAP (High Security).
  5. If you are merging, select Merge Template Policy to save the settings. If you are overwriting, select Overwrite Policy.

Manage audit scripts

When an application is allowed, elevated, or blocked, an event is logged to record details of the action. Actions are recorded in a third-party tracking system by using Audit Scripts.

You can write Audit Scripts in PowerShell or JavaScript and configure the scripts using the Policy Editor.

  1. In the Policy Editor, expand the Utilities node.
  2. Select Manage Audit Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Click the following menus to further configure the script:
    • Timeout Options
    • Context Options
  5. Click inside the upload box to select the script.

Manage rule scripts

You can upload, view, and delete Power Rules in the Policy Editor.

The script must be a Windows PowerShell script in JSON format.

  1. In the Policy Editor, expand Utilities.
  2. Select Manage Rule Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Select a value from the Timeout options list.
  5. Drag and drop the new script into the upload box or click to select a file.
  6. Click Upload Script to save your changes.

After a script is uploaded, you can delete or upload an updated script at any time.

Configure advanced agent settings

You can configure advanced agent settings to deploy additional registry-based settings to endpoints that are running Endpoint Privilege Management for Windows and Mac.

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add to create a new setting.
  4. Type the desired value name.
  5. Select one of the following to designate the type:
    • DWORD
    • String
    • Multi-String
  6. Click Create to confirm your changes and create the new setting, or Discard to delete your work.

Regenerate UUIDs

When importing and exporting policies from external sources, it can sometimes be necessary to regenerate the internal policy Universally Unique Identifier (UUID) so that Reporting manages the events correctly. For most normal scenarios in which this is required (policy duplication, for example), this is handled seamlessly.

However, duplication by importing an XML text file is not handled automatically, because you will not always want the UUIDs regenerated, for example when restoring a policy from a backup.

To regenerate UUIDs:

  1. In the Policy Editor, expand Utilities.
  2. Select Regenerate UUIDs.
  3. Click the Regenerate UUIDs button.

A success message displays at the bottom center of the page.

Set up agent protection

Add agent protection to your endpoints to prevent admin users from tampering with the product, including stopping its services or deleting its files from an endpoint.

The protected EPM components, grouped by the action that agent protection blocks, are listed below.

Action / EPM component
Blocks uninstalls
  • Defendpoint client
  • PMC adapter
  • AD connector
  • Package Manager
Prevents stopping services
  • Defendpoint client
  • BeyondInsight adapter
  • ePO service
Blocks DLL injections
  • Defendpoint client
  • PMC adapter
  • ePO service
  • BeyondInsight adapter
Blocks access to registry settings
  • Defendpoint client
  • ePO service
  • BeyondInsight adapter
  • Password Safe service
File protection (deleting, moving, renaming, writing security attributes, or taking ownership)
  • C:\ProgramData\Avecto
  • C:\Program Files\Avecto\Privilege Guard Client
  • C:\Windows\System32\drivers\PGDriver.sys
  • C:\Program Files (x86)\Avecto\Privilege Guard Client
  • C:\Program Files (Arm)\Avecto\Privilege Guard Client

Set up protection

The setup is a two-part process:

  • Generate public-private key pair.
    • The public key is stored in a policy and distributed to all endpoint computers. The public key is automatically inserted into the policy when using MMC to create the key pair.
    • The password-protected private key must be stored securely by the administrator. The private key and private key password are required when you want to disable agent protection.
  • Enable protection.

Generate key pairs

To generate the key pair:

  1. In the Policy Editor, expand Utilities.
  2. Select Agent Protection Settings.
  3. Click Generate Key.
  4. Enter a password to encrypt the private key.
  5. Click Generate Key.
  6. The private key is automatically downloaded to the local computer. The file name is private.pem. The public key is automatically inserted into the policy.
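Because the downloaded private.pem is the only thing that lets you later disable agent protection, it is worth confirming that the file really is password-protected before archiving it. The following is an added example, not BeyondTrust code: it inspects the PEM armour of a private key file (the PEM samples and the file name are constructed for illustration).

```python
"""Check that an exported agent-protection private key is password-protected.

Added example (not BeyondTrust code). It only reads the PEM armour lines,
so the placeholder base64 bodies below do not need to be real keys.
"""
import re

# PKCS#8 armour used for a password-encrypted key.
_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
# Legacy (PKCS#1 / SEC1) armour; encryption is signalled by a Proc-Type header.
_LEGACY_KEY = re.compile(r"-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----")
_LEGACY_ENCRYPTED = "Proc-Type: 4,ENCRYPTED"


def private_key_status(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext', or 'not-a-private-key'."""
    if _PKCS8_ENCRYPTED in pem_text:
        return "encrypted"
    if _LEGACY_KEY.search(pem_text):
        return "encrypted" if _LEGACY_ENCRYPTED in pem_text else "plaintext"
    return "not-a-private-key"


def check_private_key_file(path: str = "private.pem") -> str:
    """Read a PEM file from disk and classify it (path is an assumption)."""
    with open(path, "r", encoding="ascii") as fh:
        return private_key_status(fh.read())


# Constructed samples: the bodies are placeholders, not real key material.
SAMPLE_PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBvTBXBgkq...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "MIIEpAIBAAKC...\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAINTEXT = (
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADAN...\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in (("pkcs8", SAMPLE_PKCS8_ENCRYPTED),
                      ("legacy", SAMPLE_LEGACY_ENCRYPTED),
                      ("plain", SAMPLE_PLAINTEXT)):
        print(name, private_key_status(pem))
```

A result of "plaintext" means the key was written without a password and should be re-generated with one before it is stored.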

Enable agent protection

To enable protection:

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add.
  4. Enter AgentProtectionState in the Name box.
  5. Select 64 bit.
  6. Ensure type is DWORD.
  7. In the Decimal box, set the value to 1. The Hex value automatically populates with the same value. There are three possible states: 0 = off, 1 = enabled, 2 = disabled.

Agent protection is enabled after the policy is deployed and loaded by the Windows computers.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.