Install the Windows Adapter

Setup Information is available for the Windows adapter on the Access Settings page. On the dashboard page, click the Access Settings tile to view the details.

The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. Use the Windows Command Prompt to install the Windows PMC Adapter.

The adapters poll every 60 minutes by default. An additional delay is applied based on the CPU load of the node that the adapter is connected to. The minimum supported value for the adapter poll time is 5 minutes.

You must install the Privilege Management adapters using this process. You can optionally choose to automatically assign endpoints to groups and authorize them in one step using the GroupID parameter for the adapters. This is detailed in the following sections.

When Privilege Management agents are managed by the operating system, the PMC adapter is responsible for delivering policies and events between the endpoint and PMC servers.

If not using the GroupID to automatically assign and authorize computer groups, you can assign and authorize endpoints in PMC.

You can install and automatically authorize Windows machines to connect to PMC using the command line.

There are five parameters for the PMC Adapter:

  • TenantID: Obtain this value from PMC. Click Administration > Access Settings. Copy the Tenant ID for this script.
  • InstallationID: Obtain this value from PMC. Click Administration > Access Settings. Copy the Installation ID for this script.
  • InstallationKey: Obtain this value from PMC. Click Administration > Access Settings. Copy the Installation Key for this script.
  • ServerURI: This is the URL for PMC. For example, https://<customerhost>-services.pm.beyondtrust.cloud.com, where customerhost is the DNS name for PMC.

Do not include a port number or slash character on the end of the ServerURI.

For example, neither https://test.pm.beyondtrustcloud.com/ nor https://test.pm.beyondtrustcloud.com:8080/ will work.

  • GroupID: (Optional). If supplied, this automatically authorizes the endpoint and assigns it to the specified group. If that group does not exist, the computer remains in the pending state. Obtain this value from PMC. Click the group you want to use. The Group ID is shown in the Details page for the script. Copy the Group ID for this script.

Prerequisite

.NET 4.6.2

To install adapters:

Include the GroupID to automatically group and authorize the endpoint.

  1. Navigate to the location of the adapter installer. By default this is the AdapterInstallers folder.
  2. Enter the command line with the required attributes and press Enter. The adapter installer launches. Proceed through the installation wizard as required.
The line breaks must be removed before you run the script.
msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" 
TENANTID="<TenantID_GUID>" INSTALLATIONID="<InstallationID>" INSTALLATIONKEY="<InstallationKey>" SERVICEURI="<PMC URL>" GROUPID="<PMC GroupID GUID>"

Add the following argument if you don't want the adapter service to start automatically. This option is useful when Privilege Management for Windows and the PMC adapter are being installed on an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the PMC adapter will immediately join the PMC instance indicated.

SERVICE_STARTUP_TYPE=Disabled 

You can start the IC3Adapter service manually later from the Services console.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://CUSTOMERHOST-services.pm.beyondtrustcloud.com" GROUPID="e531374a-55b9-4516-g156-68f5s32f5e57"
SERVICE_STARTUP_TYPE=Disabled 

CUSTOMERHOST = the hostname. For example, if the hostname were test, the desired input would be:

https://test-services.pm.beyondtrustcloud.com

For information on how to automatically assign and authorize computer groups, please see Privilege Management Console Computers.
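The install command above, wrapped as an added PowerShell example (not BeyondTrust's own code) that checks the parameters against the rules on this page before calling msiexec and keeps the installation key out of verbose output. The function name, parameter names and default MSI path are assumptions; the MSI property names are those shown in the command above.

```powershell
# Added example, not vendor code. Function and parameter names are hypothetical;
# the MSI property names are the ones shown in the command on this page.
function Install-PmcAdapter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$InstallationId,
        [Parameter(Mandatory)][string]$InstallationKey,
        [Parameter(Mandatory)][string]$ServiceUri,
        [string]$GroupId,
        [switch]$DisableService,
        [string]$MsiPath = '.\PrivilegeManagementConsoleAdapter_x64.msi'
    )
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) { throw 'TenantID is not a valid GUID.' }
    if ($GroupId -and -not [guid]::TryParse($GroupId, [ref]$guid)) {
        throw 'GroupID is not a valid GUID.'
    }
    # Page rule: HTTPS host only, with no port number and no trailing slash.
    if ($ServiceUri -notmatch '^https://[A-Za-z0-9.-]+$') {
        throw 'ServiceUri must be https://<host> with no port, path or trailing slash.'
    }
    $msi = (Resolve-Path -LiteralPath $MsiPath -ErrorAction Stop).Path

    # Build the whole command as one argument list, so no line breaks can creep in.
    $msiArgs = @(
        '/i', "`"$msi`"",
        "TENANTID=`"$TenantId`"",
        "INSTALLATIONID=`"$InstallationId`"",
        "INSTALLATIONKEY=`"$InstallationKey`"",
        "SERVICEURI=`"$ServiceUri`""
    )
    if ($GroupId) { $msiArgs += "GROUPID=`"$GroupId`"" }
    if ($DisableService) { $msiArgs += 'SERVICE_STARTUP_TYPE=Disabled' }

    # Mask the installation key before writing the command to verbose output.
    $shown = ($msiArgs -join ' ') -replace 'INSTALLATIONKEY="[^"]*"', 'INSTALLATIONKEY="***"'
    Write-Verbose "msiexec.exe $shown"

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Install PMC adapter')) {
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        # 3010 is the Windows Installer code for "success, reboot required".
        if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($proc.ExitCode)" }
        return $proc.ExitCode
    }
}
```

Run it with -WhatIf -Verbose first to see the masked command line without installing anything.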

Configure the Windows PMC Adapter

When the PMC Adapter communicates with the PMC portal, it uses HTTPS. If there is a proxy in place that this communication goes through, it must be configured for the PMC Adapter user account, which is separate from the logged on user account.

The endpoint must be configured to use proxy settings for the machine rather than the individual user. The following registry key needs to be edited to make this change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

The Data value must be 0, which applies the proxy settings per machine (1 applies them per user).

Name                   Type        Data
ProxySettingsPerUser   REG_DWORD   0

Ensure the iC3Adapter User Has the "User Can Log on as a Service" Right

When you install the PMC Adapter, a user account called iC3Adapter is created. The iC3Adapter user is granted the right to Log on as a Service by the installation process. If you have a group policy in place that revokes this permission, ensure the iC3Adapter user is excluded, as it requires the Log on as a Service right.

For more information, please see the Microsoft Knowledgebase article Add the Log on as a service Right to an Account.
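A read-only check for the two settings described in this section, as an added PowerShell example (not BeyondTrust's own code). The function name is hypothetical, the service name IC3Adapter is taken from the wording on this page, and the script assumes an elevated prompt because secedit needs one.

```powershell
# Added example, not vendor code. Read-only: reports state and changes nothing.
# Run elevated; secedit.exe cannot export user rights otherwise.
function Test-PmcAdapterPrereqs {
    $result = [ordered]@{}

    # 1. Proxy settings must be per machine: ProxySettingsPerUser = 0.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $val = (Get-ItemProperty -Path $key -Name ProxySettingsPerUser `
            -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $result.ProxySettingsPerUser = if ($null -eq $val) { 'NotSet' } else { $val }
    $result.ProxyPerMachine      = ($val -eq 0)

    # 2. iC3Adapter must hold "Log on as a service" (SeServiceLogonRight).
    #    Only a direct assignment is detected, not one inherited through a group.
    $sid = $null
    try {
        $acct = [System.Security.Principal.NTAccount]'iC3Adapter'
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { }   # account missing: adapter not installed yet

    $cfg = Join-Path $env:TEMP "userrights-$PID.inf"
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
            Select-Object -First 1
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

    # The exported line lists SIDs as *S-1-5-... and some accounts by name.
    $holders = @()
    if ($line) {
        $holders = ($line.Line -split '=', 2)[1].Split(',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $result.AccountSid     = $sid
    $result.LogonAsService = [bool](($sid -and $holders -contains $sid) -or
                                    ($holders -contains 'iC3Adapter'))

    # 3. Service state, useful after an install with SERVICE_STARTUP_TYPE=Disabled.
    $svc = Get-Service -Name 'IC3Adapter' -ErrorAction SilentlyContinue
    $result.Service = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'NotInstalled' }

    [pscustomobject]$result
}

Test-PmcAdapterPrereqs | Format-List
```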
