Install the Windows Adapter

The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. You need to use the Windows Command Prompt to install the Windows PMC Adapter.

The adapters poll every 60 minutes by default. An additional delay is applied based on the CPU load of the node that the adapter is connected to. The minimum supported value for the adapter poll time is 5 minutes.

You must install the Privilege Management adapters using this process. You can optionally choose to automatically assign endpoints to groups and authorize them in one step using the GroupID parameter for the adapters. This is detailed in the following sections.

When Privilege Management agents are managed by the operating system, the PMC adapter is responsible for delivering policies and events between the endpoint and PMC servers.

If you are not using the GroupID to automatically assign and authorize computer groups, you can assign and authorize endpoints in PMC.

For more information, please see Privilege Management Console Computers.

You can install and automatically authorize Windows machines to connect to PMC using the command line.

There are five parameters for the PMC Adapter:

  • TenantID: You get this from PMC. Click Administration > Diagnostics. Copy the Tenant ID for this script.
  • InstallationID: You get this from PMC. Click Administration > Agent Installation. Copy the Installation ID for this script.
  • InstallationKey: You get this from PMC. Click Administration > Agent Installation. Copy the Installation Key for this script.
  • ServerURI: This is the URL for PMC. For example, https://<customerhost>-services.pm.beyondtrust.cloud.com, where customerhost is the DNS name for PMC.

Do not include a port number or slash character on the end of the ServerURI.

For example, https://test.pm.beyondtrustcloud.com/ and https://test.pm.beyondtrustcloud.com:8080/ will not work.

  • GroupID (Optional): If supplied, this will auto-authorize the endpoint and assign it to the specified group. If that group does not exist, the computer will remain in the pending state. You get this from PMC. Click the group you want to use. The Group ID is shown in the Details page for the script. Copy the Group ID for this script.

To install adapters:

Include the GroupID to automatically group and authorize the endpoint.

  1. Navigate to the location of the Adapter installer. By default this is the AdapterInstallers folder.
  2. Enter the command line with the required attributes and press Enter. The Adapter installer launches. Proceed through the installation wizard as required.

The line breaks must be removed before you run the script.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" 
TENANTID="<TenantID_GUID>" INSTALLATIONID="<InstallationID>" INSTALLATIONKEY="<InstallationKey>" SERVICEURI="<PMC URL>" GROUPID="<PMC GroupID GUID>"

Add the following argument if you don't want the Adapter service to start automatically. This option is useful when Privilege Management for Windows and the PMC adapter are being installed to an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the PMC adapter will immediately join the PMC instance indicated.

SERVICE_STARTUP_TYPE=Disabled 

You can start the IC3Adapter service manually later from Services.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://CUSTOMERHOST-services.pm.beyondtrustcloud.com" GROUPID="e531374a-55b9-4516-g156-68f5s32f5e57"
SERVICE_STARTUP_TYPE=Disabled 

CUSTOMERHOST = the hostname. For example, if the hostname were "test", the desired input would be https://test-services.pm.beyondtrustcloud.com.
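
The following PowerShell sketch is an added example, not part of the original BeyondTrust documentation. It checks the parameters against the rules above (GUID-format TenantID and GroupID, no port or trailing slash on the service URL) and assembles the msiexec arguments on a single line. The function names are hypothetical and the sample values are constructed placeholders.

```powershell
# Added example: function names are hypothetical; the MSI property names are the ones shown on this page.
function Test-PmcServiceUri {
    param([Parameter(Mandatory)][string]$Uri)
    # https scheme plus a bare host name: a colon (port) or a slash after the host fails the match.
    return $Uri -match '^https://[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

function New-PmcAdapterArgs {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$InstallationId,
        [Parameter(Mandatory)][string]$InstallationKey,
        [Parameter(Mandatory)][string]$ServiceUri,
        [string]$GroupId,          # optional: auto-authorizes and assigns the endpoint to this group
        [switch]$DisableService    # adds SERVICE_STARTUP_TYPE=Disabled for reusable images
    )
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$parsed)) { throw "TENANTID is not a GUID: $TenantId" }
    if ($GroupId -and -not [guid]::TryParse($GroupId, [ref]$parsed)) { throw "GROUPID is not a GUID: $GroupId" }
    if (-not (Test-PmcServiceUri $ServiceUri)) {
        throw "SERVICEURI must be https://<host> with no port or trailing slash: $ServiceUri"
    }
    # A double quote inside a value would break the quoting of the MSI property.
    foreach ($value in $MsiPath, $InstallationId, $InstallationKey) {
        if ($value.Contains('"')) { throw 'Values must not contain a double quote.' }
    }
    $parts = @('/i', "`"$MsiPath`"", "TENANTID=`"$TenantId`"", "INSTALLATIONID=`"$InstallationId`"",
               "INSTALLATIONKEY=`"$InstallationKey`"", "SERVICEURI=`"$ServiceUri`"")
    if ($GroupId) { $parts += "GROUPID=`"$GroupId`"" }
    if ($DisableService) { $parts += 'SERVICE_STARTUP_TYPE=Disabled' }
    return $parts -join ' '    # one line, no line breaks
}

# Constructed placeholder values; substitute the ones copied from PMC.
$argLine = New-PmcAdapterArgs -MsiPath 'PrivilegeManagementConsoleAdapter_x64.msi' `
    -TenantId '11111111-2222-3333-4444-555555555555' `
    -InstallationId 'INSTALLATION-ID-PLACEHOLDER' `
    -InstallationKey 'INSTALLATION-KEY-PLACEHOLDER' `
    -ServiceUri 'https://test-services.pm.beyondtrustcloud.com' -DisableService
$argLine
# Start-Process -FilePath msiexec.exe -ArgumentList $argLine -Wait   # uncomment to install
```

The installation key is passed to msiexec as a command-line property, so supply it at run time rather than saving it in a script file.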

Configure the Windows PMC Adapter

When the PMC Adapter communicates with the PMC Portal, it uses HTTPS. If this communication goes through a proxy, the proxy must be configured for the PMC Adapter user, which is separate from the logged-on user account.

The endpoint needs to be configured to use proxy settings for the machine rather than the individual user. The following registry key needs to be edited to make this change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

The Data value must read 0. This specifies the machine (1 specifies per user).

Name                  Type       Data
ProxySettingsPerUser  REG_DWORD  0

Ensure the iC3Adapter User Has the "User Can Log on as a Service" Right

When you install the PMC Adapter, a user account is created called iC3Adapter. The iC3Adapter user is granted the right to Log on as a Service by the installation process. If you have a group policy in place that revokes this permission, you need to ensure the iC3Adapter user is excluded, as it needs the Log on as a Service right.

For more information, please see the Microsoft Knowledgebase article Add the Log on as a service Right to an Account.
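
The following PowerShell sketch is an added example, not part of the original BeyondTrust documentation. It verifies the two settings described in this section: that ProxySettingsPerUser is 0 under the policy key above, and that the iC3Adapter account still holds the Log on as a Service right (SeServiceLogonRight) in the effective local security policy. The function names are hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: function names are hypothetical. Run from an elevated PowerShell prompt.
$ProxyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-MachineProxyScope {
    # True only when ProxySettingsPerUser exists and is 0 (machine-wide proxy settings).
    $item = Get-ItemProperty -Path $ProxyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ProxySettingsPerUser -eq 0)
}

function Set-MachineProxyScope {
    # Create the policy key if it is missing, then write the DWORD value 0.
    if (-not (Test-Path $ProxyKey)) { New-Item -Path $ProxyKey -Force | Out-Null }
    New-ItemProperty -Path $ProxyKey -Name ProxySettingsPerUser -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ServiceLogonRight {
    param([string]$Account = 'iC3Adapter')
    # secedit lists holders of a right as *SID or by name, so compare against both.
    # Only direct grants are checked, not grants inherited through group membership.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=\s*(.*)$' |
            Select-Object -First 1
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return $false }
    $holders = $line.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $sid) -or ($holders -contains $Account)
}

if (-not (Test-MachineProxyScope)) { Set-MachineProxyScope }
"ProxySettingsPerUser is 0: $(Test-MachineProxyScope)"
"iC3Adapter holds SeServiceLogonRight: $(Test-ServiceLogonRight)"
```

If the second check reports False after a group policy refresh, a policy is overriding the right granted by the installer and the iC3Adapter user needs to be excluded from it.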
