Endpoint Privilege Management for Windows 25.2.40 release notes

April 10, 2025

Requirements

  • Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
  • Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)

📘

The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.

📘

The Assistive Technology fixes in this release depend on policy changes described in the following Knowledge Base articles. Each KB links to the Accessibility policy XML, which you can use to apply the required policy changes automatically.

KB0022206: NVDA screen reader does not correctly activate on Secure Desktop

KB0022207: JAWS screen reader does not narrate 'Select Reason' drop-down

KB0022209: JAWS and NVDA screen reader compatibility with EPM-W

KB0022210: Use of .NET COR_PROFILER with EPM-W and suggested actions

KB0021703: Changes to the EPM-W QuickStart policy to address Microsoft Narrator behavior

❗️

Removal Notice - Post 25.4 Release

As per the deprecation notice in the 5.5 admin guide (BeyondTrust End User Utilities section), we plan to remove the following tools in the next version of EPM-W, released after 25.4:

  • PGProgramsUtil.exe
  • PGNetworkAdapterUtil.exe
  • PGPrinterUtil.exe

If you or your team rely on any of these executables or have concerns about their removal, contact us as soon as possible so we can ensure a smooth transition.

New features and enhancements

Support Microsoft method for COM hijacking via hooking

We’ve improved compatibility for installers that require COM registration by refining our COM protection mechanism. COM hijacking works because the per-user hive (HKCU\Software\Classes\CLSID) takes precedence over HKLM\Software\Classes\CLSID when HKCR is resolved, so a CLSID a standard user can write is the one an elevated process in the same session loads; the protection therefore blocks elevated processes from reading or writing that per-user CLSID hive. The refinement ensures legitimate elevated processes, such as an installer calling DllRegisterServer through regsvr32 (see Issues resolved), can still register COM objects, while protection against COM hijacking remains in place.

Assistive Tech - NVDA & JAWS fixes

We have concentrated on critical fixes for NVDA and JAWS screen readers, addressing significant issues to improve user experience and accessibility.

Key improvements include resolving navigation bugs, such as ensuring all fields have appropriate alt-text and fixing issues that prevented users from activating certain features.

Additionally, we have corrected the reading order of message contents to ensure that all elements are read in the correct sequence, providing a more intuitive and seamless experience for users relying on assistive technologies.

These enhancements are designed to make our messages more accessible and user-friendly for everyone.

Auditing for COM hijacking

When a process is blocked from reading or writing to the HKU\Software\Classes\CLSID part of the registry (the per-user hive, which appears as HKCU\Software\Classes\CLSID from within the user's session), a local auditing event is generated. The typical symptom on the application side is a COM registration or instantiation that fails with E_ACCESSDENIED (0x80070005); the audit event tells administrators that the COM protection, not the application, caused the unexpected behaviour.
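The two passages above describe the protection and its audit event from EPM's side. The script below is an added example, not BeyondTrust or EPM code, that shows the registry condition the protection exists for: it enumerates per-user CLSID registrations and flags the two classic hijack shapes, a user-hive entry that shadows a machine-wide CLSID with a different server, and a user-hive entry whose server file does not exist (a phantom-DLL hijack waiting for a drop). It assumes it is run from the user's own session (so HKCU is the hive the release note calls HKU\Software\Classes\CLSID), inspects only the 64-bit view of HKLM, and uses only built-in cmdlets available from PowerShell 3.0.

```powershell
# Added example, not BeyondTrust/EPM code. COM resolves HKCR by overlaying
# HKCU\Software\Classes on HKLM\Software\Classes, so a user-hive CLSID entry
# wins whenever a process in that session (including an elevated one)
# instantiates the CLSID. Add Wow6432Node under HKLM if you also care about
# 32-bit servers.
function Get-UserHiveComRegistrations {
    [CmdletBinding()]
    param(
        # Server subkeys to inspect; InprocServer32 (a DLL) is the usual target.
        [string[]]$ServerKeys = @('InprocServer32', 'LocalServer32')
    )

    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($server in $ServerKeys) {
            $userPath = Join-Path -Path $clsidKey.PSPath -ChildPath $server
            if (-not (Test-Path -Path $userPath)) { continue }

            # The '(default)' value is the DLL or EXE the COM runtime will load.
            $userTarget = (Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue).'(default)'

            $machinePath   = Join-Path -Path (Join-Path -Path $machineRoot -ChildPath $clsid) -ChildPath $server
            $machineTarget = $null
            if (Test-Path -Path $machinePath) {
                $machineTarget = (Get-ItemProperty -Path $machinePath -ErrorAction SilentlyContinue).'(default)'
            }

            # Reduce the value to a file path: keep only the quoted part if the
            # value is quoted, then expand %VARS% so Test-Path sees the real file.
            $file = $null
            if ($userTarget) {
                $file = if ($userTarget -match '^"([^"]+)"') { $Matches[1] } else { $userTarget }
                $file = [Environment]::ExpandEnvironmentVariables($file)
            }

            [pscustomobject]@{
                CLSID         = $clsid
                ServerKey     = $server
                UserTarget    = $userTarget
                MachineTarget = $machineTarget
                # A user-hive entry shadowing a machine-wide CLSID with a different target is the classic hijack.
                ShadowsHKLM   = [bool]$machineTarget -and ($machineTarget -ne $userTarget)
                # A user-hive entry whose file does not exist is a phantom-DLL hijack waiting to be armed.
                TargetMissing = [bool]$file -and -not (Test-Path -LiteralPath $file)
            }
        }
    }
}

Get-UserHiveComRegistrations |
    Where-Object { $_.ShadowsHKLM -or $_.TargetMissing } |
    Sort-Object CLSID | Format-Table -AutoSize
```

Unquoted LocalServer32 values that carry command-line arguments will show as TargetMissing because the whole value is tested as a path; check those by hand. Per-user COM registration is also legitimate for per-user application installs (Teams, OneDrive and similar), so a hit is a lead to investigate, not a verdict; the EPM audit event described above tells you whether an elevated process actually touched one of these keys.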

Issues resolved

Issue: Smartcard PIN alt-text is incorrect on messages with User Principal Name (UPN) included
Resolution: Fixed an accessibility issue where the Smartcard PIN field had incorrect alt-text on messages that include the User Principal Name (UPN).

Details:
What: The Smartcard PIN field was picking up the alt-text of the domain name field on messages configured for Smartcard logon. This affected both secure and non-secure desktops.

Why: Improves accessibility for users relying on screen readers by ensuring accurate narration of the Smartcard fields.

What’s changed:
  • Added the missing alt-text to the Smartcard PIN and Smartcard Hint fields.
  • The Smartcard PIN field is now narrated as "Smartcard PIN - Edit Blank".
  • The Smartcard Hint field is now narrated as "Smartcard Hint - Edit Blank".
  • No other fields or functionality are affected.

Issue: Microsoft Teams add-in no longer working in Outlook.exe when EPM is ON
Resolution: Fixed an issue where a specific Outlook add-in did not function while certain services were running, so its options did not appear in Outlook.

Issue: Regsvr32 elevation not working correctly since 25.2; the call to DllRegisterServer failed with error code 0x80070005
Resolution: Improved compatibility for installers that require COM registration by refining the COM protection mechanism, so that legitimate elevated processes can register COM objects while protection against COM hijacking is maintained. 0x80070005 is E_ACCESSDENIED, consistent with the COM protection denying the registry write that DllRegisterServer performs.
A local auditing event is also generated whenever a process is blocked from reading or writing the HKU\Software\Classes\CLSID part of the registry, which helps administrators understand why an application behaved unexpectedly.

Issue: PGMessageHost crash on non-secure desktop smartcard messages when CAPS Lock is enabled
Resolution: Fixed an issue causing PGMessageHost to crash on non-secure desktop smartcard messages when CAPS Lock is enabled.

Details:
What: PGMessageHost crashed when a non-secure desktop message configured with smartcard-only authentication was launched while CAPS Lock was enabled. Observed on both Windows 10 and Windows 11.

Why: Ensures stability and prevents crashes when CAPS Lock is enabled during smartcard authentication.

What’s changed:
  • Added: Handling to prevent PGMessageHost from crashing when CAPS Lock is enabled.
  • Updated: The logon bar cleanup code, to avoid deadlocks caused by CAPS Lock warnings.

Issue: Delayed file save times on network paths when Agent Protection is enabled
Resolution: Fixed the delay in file save times on network paths when Agent Protection is enabled.

Details:
What: With Advanced Agent Protection enabled, saving a file to a network path took on average 30 seconds longer than with it disabled or than saving the same file locally. The delay grew with the depth of the directory path.

Why: The latency was caused by calls to the Filter Manager routine FltGetFileNameInformation in the Agent Protection filter driver, which became more expensive for deeper directory paths.

What’s changed:
  • Added: Handling to bypass calls to FltGetFileNameInformation for network paths.
  • Updated: The driver filter setup to exclude the Agent Protection filter from network drives, preventing unnecessary processing.
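A practitioner validating this fix wants a repeatable measurement rather than a stopwatch. The script below is an added example, not BeyondTrust or EPM code: it writes a small file at increasing directory depth under a given root and reports the mean save time per depth, so the "delay grows with depth" symptom can be compared across a local root, a network root, and Agent Protection on versus off. The UNC path in the commented usage line is a placeholder; it creates and removes its own temporary directory tree and uses only built-in cmdlets.

```powershell
# Added example, not BeyondTrust/EPM code: measure file-save latency by
# directory depth. Run once locally and once against a network share, before
# and after toggling Agent Protection; the symptom is a network-only MeanMs
# that climbs with Depth.
function Measure-SaveLatencyByDepth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,   # $env:TEMP or a UNC path (placeholder in the usage below)
        [int]$MaxDepth = 8,                    # how deep to nest before stopping
        [int]$Samples  = 3                     # writes per depth, averaged
    )

    # Unique base directory so repeated runs never collide or reuse cached names.
    $base = Join-Path -Path $Root -ChildPath ('epm-latency-' + [guid]::NewGuid().ToString('N'))
    $path = $base
    $results = foreach ($depth in 1..$MaxDepth) {
        $path = Join-Path -Path $path -ChildPath ('d{0}' -f $depth)
        New-Item -ItemType Directory -Path $path -Force | Out-Null

        $ms = foreach ($i in 1..$Samples) {
            $file = Join-Path -Path $path -ChildPath ('sample{0}.txt' -f $i)
            # Measure only the save itself; 4 KiB is enough to force a real write.
            (Measure-Command { Set-Content -LiteralPath $file -Value ('x' * 4096) }).TotalMilliseconds
        }

        [pscustomobject]@{
            Depth  = $depth
            MeanMs = [math]::Round(($ms | Measure-Object -Average).Average, 1)
            Path   = $path
        }
    }

    Remove-Item -LiteralPath $base -Recurse -Force -ErrorAction SilentlyContinue
    return $results
}

# Local baseline first, then the network root you care about.
Measure-SaveLatencyByDepth -Root $env:TEMP | Format-Table -AutoSize
# Measure-SaveLatencyByDepth -Root '\\fileserver\share\epm-test' | Format-Table -AutoSize   # placeholder UNC path
```

Keep the sample count small on a slow share: with the pre-fix behaviour described above each write at depth 8 could take tens of seconds, so eight depths times three samples is already a multi-minute run.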

Security Updates

Issue: Use of non-cryptographic Pseudo Random Number Generators (PRNGs) for cryptographic operations
Resolution: Improves the security of policy encryption by generating the GUID used as a policy's Configuration ID from a cryptographically secure random number generator instead of a non-cryptographic PRNG.
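The release note states the fix but not what "cryptographically secure GUID" means in practice. The script below is an added example, not BeyondTrust or EPM code and not a description of how EPM generates Configuration IDs: it builds an RFC 4122 version-4 GUID directly from the .NET CSPRNG, verifies the version and variant bits, and shows why a seeded System.Random cannot play that role. It assumes PowerShell 3.0 on .NET Framework 4.6.2 or later, the minimums listed under Requirements, and uses only types from mscorlib.

```powershell
# Added example, not BeyondTrust/EPM code: a version-4 GUID from the .NET
# CSPRNG beside a demonstration of why a seeded PRNG is unfit for identifiers
# that feed into encryption.
function New-CsprngGuid {
    $bytes = New-Object -TypeName 'byte[]' -ArgumentList 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }

    # RFC 4122 section 4.4: version nibble 0100 in time_hi_and_version,
    # variant bits 10xx in clock_seq_hi_and_reserved. System.Guid stores its
    # first three fields little-endian, so the version byte is index 7, not 6.
    $bytes[7] = ($bytes[7] -band 0x0F) -bor 0x40
    $bytes[8] = ($bytes[8] -band 0x3F) -bor 0x80
    return New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-GuidIsVersion4 {
    param([Parameter(Mandatory)][guid]$Guid)
    $s = $Guid.ToString('D')             # xxxxxxxx-xxxx-Vxxx-Nxxx-xxxxxxxxxxxx
    return ($s[14] -eq '4') -and ('89ab'.IndexOf($s[19]) -ge 0)
}

# System.Random is a deterministic generator seeded from a 32-bit value
# (Environment.TickCount on .NET Framework when no seed is given). Anyone who
# can guess the seed can regenerate every "random" identifier it produced,
# and two instances created in the same millisecond produce identical output.
function Test-SeededPrngRepeats {
    $a = New-Object -TypeName System.Random -ArgumentList 1234
    $b = New-Object -TypeName System.Random -ArgumentList 1234
    $x = 1..4 | ForEach-Object { $a.Next() }
    $y = 1..4 | ForEach-Object { $b.Next() }
    # Compare-Object returns nothing when the sequences are identical.
    return -not (Compare-Object -ReferenceObject $x -DifferenceObject $y)
}

$g = New-CsprngGuid
'{0}  version4={1}' -f $g, (Test-GuidIsVersion4 -Guid $g)
'Same seed, same sequence: {0}' -f (Test-SeededPrngRepeats)
```

The version and variant bits cost 6 of the 128 bits, leaving 122 bits of CSPRNG output, which is what makes such an identifier unguessable; a GUID whose bytes come from System.Random has at most 32 bits of entropy (the seed) regardless of how it is formatted.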

Compatibility

  • Privilege Management Policy Editor 25.2 (recommended), 22.1+
  • Privilege Management ePO Extension 25.2 (recommended), 22.7+
  • Privilege Management Console Windows Adapter 25.2 (recommended), 22.1+
  • BeyondInsight/Password Safe 24.2.1 (recommended)
  • Trellix Agent 5.7+

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.