Workstyles

Policy Editor Workstyles are used to assign Application Groups to a specific user or group of users.

Create a Workstyle

A Workstyle can include the following components: Application Rules, On-Demand Application Rules, Trusted Application Protection (DLL), content rules, general rules, and filters.

Trusted Application Protection (DLL), content rules, and general rules are not currently available in the web Policy Editor. You can use the MMC Policy Editor to manage these components.

Workstyle Summary

The Workstyle Summary pane provides a high-level overview of the Workstyle properties.

Create the Workstyle

  1. Select the Policies tile, and then select a policy.
  2. From the Actions menu, select Edit & Lock or Edit (if the policy is already locked by you).
  3. On the Policy Editor page, expand Windows.
  4. Select Workstyles.
  5. Click Create New Workstyle.
  6. Enter a name and description. By default, the Workstyle is enabled.
  7. Click Create Workstyle.
  8. Select the Workstyle in the navigation pane to expand the properties.
  9. Configure the Workstyle properties: Application Rules, On-Demand Application Rules, Trusted Application Protection (DLL), Content Rules, General Rules, and Filters.

Workstyle Precedence

Workstyles are evaluated in the order they are listed. When an application matches on a Workstyle, no further Workstyles are processed for that application. Ensure the order of the Workstyles is correct because it is possible for an application to match more than one Workstyle.

Select a Workstyle in the list to change the order. Changes are automatically saved.

Workstyle precedence in the web Policy Editor

Application Rules

Application Rules are applied to Application Groups. They can be used to enforce allow listing, monitoring, and the assignment of privileges for the applications listed in the target Application Group.

Create an Application Rule

  1. On the Policy Editor page, expand Windows.
  2. Expand the Workstyles node, and expand a Workstyle.
  3. Click Application Rules, and then click Create New.
  4. Set the following:
    • Target Application Group: Select an Application Group.
    • Run Rule Script: Assign a rule script that is run before the Application Rule triggers. Select a rule script from the list.
    • Action: Select Allow or Block. This is the action that occurs when an application in the targeted Application Group is launched by the end user.
    • End User Message: Select a message from the list.
    • Access Token: Select the type of token to pass to the target Application Group. You can select from:
      • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
      • Enforce User's default rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administrator rights to the token being used, so if the user launches an application that triggers UAC, the user cannot progress past the UAC prompt.
      • Drop Admin Rights: Removes administration rights from the user's token.
      • Add Admin Rights: Adds administration rights to the user's token.
    • Raise An Event: Off, On, Anonymous. Select whether an event is raised when this Application Rule is triggered. When on, an event is written to the local event log. Anonymous removes the user name and host name from events so the user and host are not identifiable.
    • Run an Audit Script: Select an audit script from the list.
    • Privilege Monitoring: Off, On, Anonymous. Select On to raise a Privilege Monitoring event.
    • Reporting Events: On by default, click to turn off. When the setting is on, events are raised for viewing in PMC Reporting.
  5. Click Create Application Rule.

Application Rule Precedence

If you add more than one Application Rule to a Workstyle, entries higher in the list have precedence. When an application matches an Application Rule, no further rules or Workstyles are processed. If an application could match more than one Workstyle or rule, then it is important that you order both your Workstyles and rules correctly.

Select an Application Rule in the list to change the order. Changes are automatically saved.

On Demand Application Rules

The On-Demand Application Rules node of the Workstyle allows you to create rules to launch applications with specific privileges (usually admin rights), on-demand from a right-click Windows context menu.

Windows Modern UI

If Apply the On-Demand Application Rule to the "Run as administrator" option is enabled and an On-Demand Application Rule is triggered, Privilege Management for Windows intercepts the Run as administrator option in the right-click context menu and overrides it. The labeling of the option doesn’t change in this instance. If the option is not selected, Privilege Management for Windows does not intercept the option to Run as Administrator.

If Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu is selected, these options, where present, are hidden from the right-click context menu. Privilege Management for Windows does not continue to process additional Application Rules.

Windows Classic Shell

If Apply custom on-demand option to the Classic Shell context menu (this won’t affect the "Run as administrator" option) is selected, and an On-Demand Application Rule is triggered, Privilege Management for Windows adds a new option to the right-click context menu that you configured in the Classic Shell Context Menu Option section, for example, Run with Privilege Management for Windows.

If Hide "Run as" and "Run as administrator" commands in the Classic Shell context menu is selected, these options, where present, are hidden from the right-click context menu. Privilege Management for Windows does not continue to process additional Application Rules.

Unlike Application Rules, an On-Demand Application Rule only assigns its privileges when the user launches a matching application from the context menu; launching the same application normally is not affected by the on-demand rule.

To create an On-Demand Application Rule:

  1. Expand Workstyles, and then expand a Workstyle.
  2. Select On Demand Application Rules.
  3. Select Create New.
  4. Set the following:
    • Target Application Group: Select an Application Group.
    • Run Rule Script: Assign a rule script that is run before the Application Rule triggers. Select a rule script from the list.
    • Action: Select Allow or Block. This is the action that occurs when an application in the targeted Application Group is launched by the end user.
    • End User Message: Select a message from the list.
    • Access Token: Select the type of token to pass to the target Application Group. You can select from:
      • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
      • Enforce User's default rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administrator rights to the token being used, so if the user launches an application that triggers UAC, the user cannot progress past the UAC prompt.
      • Drop Admin Rights: Removes administration rights from the user's token.
      • Add Admin Rights: Adds administration rights to the user's token.
    • Raise An Event: Off, On, Anonymous. Select whether an event is raised when this On-Demand Application Rule is triggered. When on, an event is written to the local event log. Anonymous removes the user name and host name from events so the user and host are not identifiable.
    • Run an Audit Script: Select an audit script from the list.
    • Privilege Monitoring: Off, On, Anonymous. Select On to raise a Privilege Monitoring event.
    • Reporting Events: On by default, click to turn off. When the setting is on, events are raised for viewing in PMC Reporting.
  5. Click Create On-Demand Rule.


Filters

A Workstyle filter refines when a Workstyle is applied.

By default, a Workstyle applies to all users and computers who receive it. However, you can add one or more filters that restrict the application of the Workstyle:

  • Account Filter: Restrict the Workstyle to specific users or groups of users.

The following conditions can be applied to a filter:

  • ALL filters must match: The Workstyle is applied only if all filters match.
  • ANY filter can match: The Workstyle is applied when any filter matches.
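The following is an added example, not BeyondTrust's code and not the product's evaluation engine: a small model of the ordering rules described under Workstyle Precedence and Application Rule Precedence, together with the ALL/ANY filter conditions above. It shows why the order of Workstyles and of Application Rules decides the outcome. The class and function names, the SIDs, the Application Group names and the users are all constructed for the illustration; how an executable is matched to its Application Groups is outside this model and is simply passed in as a set.

```python
# Added example, not BeyondTrust's code: a model of the evaluation order this page
# describes (Workstyles in list order, Application Rules in list order, first match wins,
# account filters combined with ALL or ANY). Class and function names, the SIDs, the
# Application Group names and the users below are all constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class AppRule:
    group: str   # Target Application Group
    action: str  # "Allow" or "Block"
    token: str   # "Passive", "EnforceDefault", "DropAdmin" or "AddAdmin"


@dataclass
class Workstyle:
    name: str
    rules: list                                  # Application Rules, highest precedence first
    filters: list = field(default_factory=list)  # each account filter: a set of SIDs
    match_mode: str = "ALL"                      # "ALL" filters must match, or "ANY" filter can match
    enabled: bool = True


def filter_matches(ws, user_sids):
    """No filters: the Workstyle applies to everyone who receives it.
    Otherwise each account filter matches if the user holds any SID in it,
    and the per-filter results are combined with ALL or ANY."""
    if not ws.filters:
        return True
    hits = [bool(f & user_sids) for f in ws.filters]
    return all(hits) if ws.match_mode == "ALL" else any(hits)


def evaluate(workstyles, user_sids, app_groups):
    """Return (workstyle, group, action, token) for the first matching rule, or None.
    Once a rule matches, no further rules or Workstyles are processed."""
    for ws in workstyles:
        if not ws.enabled or not filter_matches(ws, user_sids):
            continue
        for rule in ws.rules:
            if rule.group in app_groups:
                return (ws.name, rule.group, rule.action, rule.token)
    return None


# Constructed policy: a filtered admin Workstyle first, an unfiltered catch-all second.
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"   # made-up domain SID, RID 512
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"    # made-up domain SID, RID 513
ADMIN_WS = Workstyle("Domain Admins", [AppRule("Installers", "Allow", "AddAdmin")],
                     filters=[{DOMAIN_ADMINS}])
STANDARD_WS = Workstyle("Standard Users", [
    AppRule("Blocked Tools", "Block", "Passive"),
    AppRule("All Applications", "Allow", "Passive"),
])
POLICY = [ADMIN_WS, STANDARD_WS]
ADMIN_USER = {DOMAIN_ADMINS, DOMAIN_USERS}
STANDARD_USER = {DOMAIN_USERS}


def demo():
    """Show how ordering decides the outcome. app_groups is the set of Application
    Groups the launched executable belongs to."""
    installer = {"Installers", "All Applications"}
    tool = {"Blocked Tools", "All Applications"}
    swapped_rules = Workstyle("Standard Users", list(reversed(STANDARD_WS.rules)))
    both_filters = Workstyle("Two filters", [AppRule("All Applications", "Allow", "Passive")],
                             filters=[{DOMAIN_ADMINS}, {"S-1-5-32-544"}])  # BUILTIN\Administrators
    return {
        "admin_installer": evaluate(POLICY, ADMIN_USER, installer),
        "std_installer": evaluate(POLICY, STANDARD_USER, installer),
        "std_tool": evaluate(POLICY, STANDARD_USER, tool),
        # Allow-all listed above Block: the Block rule is never reached.
        "std_tool_rules_swapped": evaluate([swapped_rules], STANDARD_USER, tool),
        # Catch-all Workstyle listed first: the admin never reaches Add Admin Rights.
        "admin_installer_ws_swapped": evaluate(list(reversed(POLICY)), ADMIN_USER, installer),
        # ALL vs ANY for a user who holds only one of the two filtered SIDs.
        "all_mode": filter_matches(both_filters, ADMIN_USER),
        "any_mode": filter_matches(Workstyle("Two filters", [], both_filters.filters, "ANY"), ADMIN_USER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two swapped cases are the ones to watch for in a real policy: an unfiltered catch-all Workstyle placed above a filtered one silently shadows it, and an Allow rule for a broad Application Group placed above a Block rule means the Block never fires.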

Account Filters

An account filter restricts a Workstyle to specific users or groups of users.

You can add local or domain users and groups and Azure Active Directory groups.

To create an account filter:

  1. Expand a Workstyle, and then select Filters.
  2. Select Create New Filter, and then select Account Filter.
  3. Select the new filter in the list, and then select Go To from the menu.
  4. Select the following to add users:
    • Add From Local/Domain AD: Add an account name and SID details. Click Add Account.
    • Add From Azure AD: Add the group name. Click Add Account. If the account is valid and found in Azure AD, then the GUID is retrieved from Azure and populated in the Value column.
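The Add From Local/Domain AD step takes a SID typed by hand, so it is worth checking the string before it goes into the filter. The following is an added example, not BeyondTrust's code: it validates the SID syntax, names well-known SIDs and RIDs from Microsoft's published list, and warns when an account filter would apply a Workstyle that grants Add Admin Rights to a very broad group such as Everyone, Authenticated Users or Domain Users. The function names and the example domain SID (S-1-5-21-1000-2000-3000-...) are constructed.

```python
# Added example, not BeyondTrust's code: a check to run on the SID you are about to paste
# into an Account Filter via "Add From Local/Domain AD". It validates the SID string,
# names well-known SIDs and RIDs (per Microsoft's published list), and warns when the
# filter would apply a Workstyle that grants Add Admin Rights to a very broad group.
# Function names and the example domain SID (S-1-5-21-1000-2000-3000-...) are constructed.
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# RIDs that are the same in every domain.
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins",
                          513: "Domain Users", 519: "Enterprise Admins"}
# Groups that cover (almost) every user: combined with Add Admin Rights, everyone is admin.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "BUILTIN\\Users", "Domain Users"}


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]); raise ValueError if malformed."""
    sid = sid.strip()
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def describe_sid(sid):
    """Human-readable name for well-known SIDs and well-known domain RIDs."""
    sid = sid.strip()
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    # Domain and local-machine accounts: S-1-5-21-<three 32-bit sub-authorities>-<RID>
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        return WELL_KNOWN_DOMAIN_RIDS.get(subs[4], f"domain/local account, RID {subs[4]}")
    return "other SID"


def check_account_filter(sids, token):
    """Return warnings for an Account Filter whose Workstyle assigns `token`
    ("AddAdmin", "DropAdmin", "EnforceDefault" or "Passive")."""
    warnings = []
    for sid in sids:
        name = describe_sid(sid)  # also validates the string
        if token == "AddAdmin" and name in BROAD_GROUPS:
            warnings.append(f"{sid.strip()} ({name}) would receive Add Admin Rights; "
                            "narrow the filter to a dedicated group")
    return warnings


if __name__ == "__main__":
    # Constructed input: a deliberately over-broad filter on an Add Admin Rights Workstyle.
    for line in check_account_filter(["S-1-1-0", "S-1-5-21-1000-2000-3000-513"], "AddAdmin"):
        print("WARNING:", line)
```

The check is deliberately conservative: it only knows the well-known identifiers, so a custom group that happens to contain every user will not be flagged. Treat its silence as "no obvious problem", not as approval of the filter.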