Policy Editor utilities

Policy Assistant (beta)

Use the Policy Assistant to learn more about your policy configuration. The assistant detects configuration errors and provides remediation details, for example duplicate Application Rules that potentially contradict each other, or duplicated user accounts in a Workstyle account filter.

The Policy Assistant validates the following areas of the policy:

  • Accounts filters
  • Application rules
  • Licensing
  • On-demand rules
  • Trusted application protection settings
  • Workstyles

If the Policy Assistant reports no issues, this means only that the current set of checks has not detected any; the policy may still contain issues that the checks currently running do not cover.

Policy checks can run without saving the policy; any unsaved changes are checked when you access the Policy Assistant.

To access the assistant:


  1. In the Policy Editor, expand Utilities.
  2. Click the Policy Assistant tab.
  3. Click the suggested action link to remediate the potential policy issue identified.



Policy Editor licensing

Endpoint Privilege Management for Windows requires a valid license code to be entered in the Policy Editor. If more than one policy is applied to a computer, you need at least one valid license code for one of those policies.

For example, you could add the Endpoint Privilege Management for Windows license to an Endpoint Privilege Management policy that is applied to all managed endpoints, even if it does not have any Workstyles. This ensures all endpoints receive a valid license if they have Endpoint Privilege Management for Windows installed. If you are unsure, then we recommend you add a valid license when you create the Endpoint Privilege Management policy.

To add a license:

  1. In the Policy Editor, expand Utilities.
  2. Click the Licenses tab.
  3. Click Add.
  4. Enter the license key, and then click Add License.

Import policy

Policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Endpoint Privilege Management, such as the Endpoint Privilege Management ePO Extension. Policies can be migrated and shared between different deployment mechanisms.

  1. In the Policy Editor, expand Utilities.
  2. Select Import Policy.
  3. Select one of the following:
    • Merge Policy
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Drop the file onto the box or click inside the box to navigate to the file.
  5. Click Upload File.


Import template policies

You can import a template and merge or overwrite the settings in an existing template.

  1. In the Policy Editor, expand Utilities.
  2. Select Template Policies.
  3. Select one of the following:
    • Merge Policy: Merges the configuration to the existing template.
    • Overwrite Policy: If you select to overwrite, you can optionally select Export Existing Policy to save a copy before overwriting the policy.
  4. Select a template from the list: Discovery, QuickStart for Mac, QuickStart for Windows, Server Roles, TAP (High Flexibility), TAP (High Security).
  5. If you are merging, select Merge Template Policy to save the settings. If you are overwriting, select Overwrite Policy.


Manage audit scripts

When an application is allowed, elevated, or blocked, an event is logged to record details of the action. Actions are recorded in a third-party tracking system by using audit scripts. You can write audit scripts in PowerShell or JavaScript and configure these scripts through the web policy editor.

  1. In the Policy Editor, expand Utilities.
  2. Select Manage Audit Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Click the following menus to further configure the script:
    • Timeout Options
    • Context Options
  5. Click inside the upload box to select the script.

Manage rule scripts

You can upload, view, and delete Power Rules in the Policy Editor.

The script must be a Windows PowerShell script in JSON format.

  1. In the Policy Editor, expand Utilities.
  2. Select Manage Rule Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Select a value from the Timeout options list.
  5. Drag and drop the new script into the upload box or click to select a file.
  6. Click Upload Script to save your changes.

After a script is uploaded, you can delete or upload an updated script at any time.

For more information, see Apply Power Rules Scripts to Your Application Rules.

Advanced Agent Settings

You can configure the Advanced Agent Settings utility through the Policy Editor to deploy additional registry-based settings to endpoints that are running EPM-W.

Back up your Windows registry before making any changes. BeyondTrust Technical Support will not provide support for any issues that might occur when you change registry settings.

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add to create a new setting.
  4. Type the desired value name.
  5. Select one of the following to designate the type:
    • DWORD
    • String
    • Multi-String
  6. Click Create to confirm your changes and create the new setting.

Set up agent protection

Add agent protection to your endpoints to prevent admin users from tampering with the product, including stopping its services or deleting its files from an endpoint.

The protected EPM components and the type of protection applied to each are listed below, grouped by protection action.

Action: EPM Component
Blocks uninstalls
  • Defendpoint client
  • PMC adapter
  • AD connector
  • Package Manager
Prevents stopping services
  • Defendpoint client
  • BeyondInsight adapter
  • ePO service
Blocks DLL injections
  • Defendpoint client
  • PMC adapter
  • ePO service
  • BeyondInsight adapter
Blocks access to registry settings
  • Defendpoint client
  • ePO service
  • BeyondInsight adapter
  • Password Safe service
File protection (deleting, moving, renaming, writing security attributes, or taking ownership)
  • C:\ProgramData\Avecto
  • C:\Program Files\Avecto\Privilege Guard Client\
  • C:\Windows\System32\drivers\PGDriver.sys
  • C:\Program Files (x86)\Avecto\Privilege Guard Client
  • C:\Program Files (Arm)\Avecto\Privilege Guard Client

Set up protection

The setup is a two-part process:

  • Generate public-private key pair.
    • The public key is stored in a policy and distributed to all computers. The public key is automatically inserted into the policy.
    • The password-protected private key must be stored securely by the administrator. The private key and private key password are required when you want to disable agent protection.
  • Enable protection.

Generate key pairs

To generate the key pair:

  1. In the Policy Editor, expand Utilities.
  2. Select Agent Protection Settings.
  3. Click Generate Key.
  4. Enter a password to encrypt the private key.
  5. Click Generate Key.
  6. The private key is automatically downloaded to the local computer. The file name is private.pem. The public key is automatically inserted into the policy.
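Before filing the downloaded private key away as the only means of disabling agent protection, it is worth confirming that the file really is password-protected, that the password you recorded unlocks it, and which public key it corresponds to. The following script is an added example, not BeyondTrust code; it assumes OpenSSL is installed, and because the key type and size of the real private.pem are not documented here, it constructs an RSA-2048 sample key in place of the downloaded file.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): sanity-check a password-protected
# private key such as the private.pem downloaded by "Generate Key".
# Assumes OpenSSL is on PATH. RSA-2048 is an assumption used only for the
# constructed sample; the real file's key type is not documented here.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for the downloaded private.pem: an encrypted PKCS#8 key.
# $1 = output path, $2 = passphrase
make_sample_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}

# Check 1: the PEM must be encrypted. An unencrypted escrow copy would let
# anyone who reads the file disable agent protection without the password.
# $1 = key path
is_encrypted_pem() {
  grep -q 'ENCRYPTED' "$1"
}

# Check 2: the recorded passphrase actually unlocks the key (exit 0), and a
# wrong one does not (exit 1). $1 = key path, $2 = passphrase
passphrase_unlocks() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Check 3: derive the public key and print its SHA-256 fingerprint (hex), so
# it can be compared with the public key inserted into the policy.
# $1 = key path, $2 = passphrase
pubkey_fingerprint() {
  openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Stand-alone run against the constructed sample key.
SAMPLE="$WORK/private.pem"
make_sample_key "$SAMPLE" 'example-passphrase'
is_encrypted_pem "$SAMPLE" && echo "private.pem is encrypted"
passphrase_unlocks "$SAMPLE" 'example-passphrase' && echo "passphrase unlocks the key"
! passphrase_unlocks "$SAMPLE" 'wrong-passphrase' && echo "wrong passphrase is rejected"
echo "public key SHA-256: $(pubkey_fingerprint "$SAMPLE" 'example-passphrase')"
```

Point the three check functions at the real private.pem and the password you set in step 4 to verify your own escrow copy.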

Enable agent protection

To enable protection:

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add.
  4. Enter AgentProtectionState in the Name box.
  5. Select 64 bit.
  6. Ensure type is DWORD.
  7. In the Decimal box, set the value to 1. The Hex value automatically populates with the same value. There are three possible states: 0 = off, 1 = enabled, 2 = disabled.

Agent protection is enabled after the policy is deployed and loaded by the Windows computers.

For more information about using agent protection, see Set up Agent Protection.

Regenerate UUIDs

When importing and exporting policies from external sources, it can sometimes be necessary to regenerate the internal policy Universally Unique Identifier (UUID), so that Reporting manages the events correctly. For most normal scenarios in which this is required (policy duplication, for example), this is handled seamlessly.

However, duplication by importing an XML file is not handled automatically, because in some cases you will not want the UUIDs regenerated, such as when restoring a policy from a backup.

To regenerate UUIDs:

  1. In the Policy Editor, expand Utilities.
  2. Select Regenerate UUIDs.
  3. Click the Regenerate UUIDs button.

A success message displays at the bottom center of the page.