Troubleshoot

Troubleshoot on macOS

Check Endpoint Privilege Management for Mac is installed and functioning

If you are having problems, the first step is to verify you have installed the client and the client is functioning.

  • Endpoint Privilege Management for Mac: The graphical interface of Endpoint Privilege Management for Mac on the toolbar for messages and end user interaction
  • defendpointd: The Endpoint Privilege Management for Mac daemon that manages interaction with Endpoint Privilege Management for Mac
  • dppolicyserverd: Manages policy and communicates with defendpointd
  • Custodian: Manages authentication as required by Endpoint Privilege Management for Mac

Check settings are deployed

Assuming Endpoint Privilege Management for Mac is installed and functioning, the next step is to verify you have deployed settings to the computer or user.

Check Endpoint Privilege Management for Mac is licensed

One of the most common reasons for Endpoint Privilege Management for Mac not functioning is the omission of a valid license from the Endpoint Privilege Management for Mac settings. If you create multiple policies, then you must ensure the computer or user receives at least one policy containing a valid license. To avoid problems, it is simpler to add a valid license to every set of Endpoint Privilege Management for Mac settings that you create.

Check Workstyle precedence

Assuming Endpoint Privilege Management for Mac is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems.

Once an application matches an Application Group entry in the Application Rules, then processing will not continue for that application. Therefore, it is vital you order your entries correctly:

  • If you create multiple Workstyles, Workstyles higher in the list have a higher precedence.
  • If you have multiple rules in the Application Rules section of a Workstyle, entries higher in the list have a higher precedence.

Application Rules are applied to applications launched either directly by the user or by a running process.

If you have multiple policies applying to a user, computer, or both, then you should ensure policy precedence rules are not causing the problem. If multiple policies are applied to a computer or user, then Endpoint Privilege Management for Mac will apply the policies based on alphanumeric order with the precedence list in defendpoint.plist.

Troubleshoot on Windows

Resultant set of policy

Endpoint Privilege Management for Windows provides support for Resultant Set of Policy (RSoP). RSoP is usually accessed through the Group Policy Management Console (GPMC).

The GPMC supports the following mode of operation for RSoP: Group Policy Results (RSoP logging mode)

RSoP can be used to establish which policy applies to a particular user or computer to aid troubleshooting. Detailed HTML reports are generated, which may also be exported to aid policy documentation.

Group Policy results

To run a Group Policy Results query (RSoP logging), perform the following steps from the GPMC:

  1. Double-click the forest in which you want to create a Group Policy Results query.
  2. Right-click Group Policy Results and click Group Policy Results wizard.
  3. In the Group Policy Results wizard click Next and enter the appropriate information.
  4. After completing the wizard, click Finish.
  5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
  6. Select the Endpoint Privilege Management Settings node under the Computer Configuration node or the User Configuration node to view the RSoP HTML report for Endpoint Privilege Management for Windows.

Endpoint Privilege Management also appears in the Summary tab of the Group Policy Results node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Endpoint Privilege Management for Windows.

Endpoint Privilege Management does not appear in the Settings tab of the Group Policy Results node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Endpoint Privilege Management for Windows Workstyles for an RSoP query.

Check Endpoint Privilege Management for Windows is installed and functioning

If you are having problems, the first step is to check that you installed the client and the client is working.

  • BeyondTrust Endpoint Privilege Management System Tray: The UI of Endpoint Privilege Management for Windows on the system tray for messages and end user interaction.
  • Avecto Defendpoint Service: The Endpoint Privilege Management for Windows service that manages interaction with PGDriver.
  • PGDriver: A kernel driver that communicates with Avecto Defendpoint Service.

The easiest way to determine the client is installed and working is to check for the existence of the Avecto Defendpoint Service in the Services app provided by Windows. Ensure this service is both present and started. The Avecto Defendpoint Service is installed by Endpoint Privilege Management for Windows and should start automatically.

Note: The Endpoint Privilege Management for Windows service requires MSXML6 to load the Endpoint Privilege Management for Windows settings, but the service still runs even if MSXML6 is not present.

Check settings are deployed

Assuming Endpoint Privilege Management for Windows is installed and functioning, the next step is to check that you deployed settings to the computer or user.

You can use RSoP logging mode to determine whether the computer has received settings. Assuming the RSoP query shows that Endpoint Privilege Management for Windows settings are applied, you should check the contents of the settings (including licensing and Workstyle precedence).

Check Endpoint Privilege Management for Windows is licensed

One of the most common reasons for Endpoint Privilege Management for Windows not functioning is the omission of a valid license from the Endpoint Privilege Management for Windows settings. If you are creating multiple GPOs, then you must ensure the computer or user receives at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of Endpoint Privilege Management for Windows settings that you create.

Check Workstyle precedence

Assuming Endpoint Privilege Management for Windows is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems.

Once an application matches an Application Group entry in the Application Rules or the On-Demand Application Rules, processing does not continue for that application. Therefore, it is vital you order your entries correctly:

  • If you create multiple Workstyles, Workstyles higher in the list have a higher precedence.
  • If you have multiple rules in the Application Rules and the On-Demand Application Rules sections of a Workstyle, entries higher in the list have a higher precedence.

Application Rules are applied to applications that are launched either directly by the user or by a running process. On-Demand Application Rules are only applied to applications that are launched from the Endpoint Privilege Management for Windows shell menu (if enabled).

If you have multiple GPOs applying to a user and/or computer, you should ensure GPO precedence rules are not causing the problem. If multiple GPOs are applied to a computer or user, Endpoint Privilege Management for Windows merges the computer GPOs and user GPOs by following Group Policy precedence rules. Once merged, the user Workstyles take precedence over the computer Workstyles. In other words, the computer Workstyles are only processed if an application does not match an entry in the user Workstyles.

For this reason, we strongly recommend you do not create over-complex rules that rely on the merging of many GPOs, as this can become difficult to troubleshoot. If, however, it makes sense to split rules over multiple GPOs, you should make use of RSoP to ensure Workstyles are combined correctly. You must also remember that computer and user Workstyles are processed separately, with user Workstyles always processed ahead of computer Workstyles, if both exist.
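The first-match behavior described above can be modeled to see which rule decides an application and which later rules are never reached. This is an added example, not BeyondTrust code: the glob-on-path matching, the action labels, and the sample policy are simplifying assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    app_group: str  # Application Group name (constructed)
    pattern: str    # glob on the executable path; real matching criteria are richer (assumption)
    action: str     # "allow" / "elevate" / "block" are assumed labels

@dataclass(frozen=True)
class Workstyle:
    name: str
    scope: str      # "user" or "computer"
    rules: tuple    # ordered: entries higher in the list have higher precedence

def processing_order(workstyles):
    """User Workstyles are processed ahead of computer Workstyles;
    list order is preserved within each scope."""
    ordered = [w for w in workstyles if w.scope == "user"]
    ordered += [w for w in workstyles if w.scope == "computer"]
    return [(w.name, r) for w in ordered for r in w.rules]

def explain(workstyles, app_path):
    """Return (winner, shadowed): the first matching rule, plus the later
    rules that also match but are never reached for this application."""
    hits = [(name, r.app_group, r.action)
            for name, r in processing_order(workstyles)
            if fnmatchcase(app_path.lower(), r.pattern.lower())]
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample policy: a broad user rule sits above a narrow one,
# and a computer Workstyle tries to block the same folder.
POLICY = [
    Workstyle("Computer baseline", "computer", (
        Rule("Blocked tools", r"c:\tools\legacy\*", "block"),
    )),
    Workstyle("Helpdesk users", "user", (
        Rule("All tools", r"c:\tools\*", "elevate"),
        Rule("Legacy installer", r"c:\tools\legacy\setup.exe", "allow"),
    )),
]

if __name__ == "__main__":
    winner, shadowed = explain(POLICY, r"C:\Tools\Legacy\setup.exe")
    print("decided by:", winner)
    for s in shadowed:
        print("never reached:", s)
```

In this constructed policy the broad "All tools" rule decides the application, so neither the narrower user rule nor the computer-level block is ever evaluated, which is the kind of ordering problem an RSoP review should catch.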

