Configure Privilege Management Endpoints

You need to install Privilege Management on the target operating system as well as the PMC adapter.


Install Privilege Management first and then the adapter. If they are installed in the wrong order, specific events that PMC needs are not generated. Should you happen to install the client and the adapter out of order, you can restart the adapter service to force it to detect the client.

The adapters poll every 60 minutes by default. An additional delay is applied, based on the CPU load of the node that the adapter is connected to. The minimum supported adapter poll time is 5 minutes.

For more information on endpoint management, please see the PMC Administration Guide at https://www.beyondtrust.com/docs/privilege-management/windows/index.htm.

Privilege Management Clients

You need to choose your Privilege Management client as described below.

  • For 32-bit (x86) systems, run PrivilegeManagementForWindows_x86.exe.
  • For 64-bit (x64) systems, run PrivilegeManagementForWindows_x64.exe.

You can also install the Privilege Management for Windows MSI in silent mode with the PMC switch enabled:

Msiexec.exe /i PrivilegeManagementForWindows_x.xxx.x.msi IC3MODE=1 /qn /norestart

This installs the Windows client in silent mode with the PMC switch (IC3MODE=1) enabled.

  • For macOS, run PrivilegeManagementConsoleMacOSAdapter.dmg.

For compatible versions, please see the Release Notes.

Privilege Management Adapters

You can choose to automatically assign endpoints to groups and authorize them in one step using the GroupID parameter for the Windows adapters. PMC computer groups should be created in PMC prior to installing agents on a large scale. You should work with your implementation consultant to determine the best computer grouping approach for your needs.

The Privilege Management adapters are installed using the command prompt in Windows or the terminal for Mac.


As of version 2.4, all releases of Privilege Management are signed only with a SHA-256 code signing certificate. Previous versions were dual signed with SHA-1 and SHA-256 certificates. The decision to drop SHA-1 certificates was made to avoid weaknesses in the SHA-1 algorithm and to align to industry security standards. For more information, please see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

If you intend to deploy Privilege Management version 2.4 or later to Windows 7 or Windows Server 2008 R2 machines, you must ensure the following KBs are installed prior to installation of this product:

We strongly recommend you keep your systems up to date with the latest Windows security updates.

For more information, please see Install the Windows Adapter for PMC.

Install the Windows Adapter for PMC

The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. You need to use the Windows Command Prompt to install the Windows PMC Adapter.

You can install and automatically authorize Windows machines to connect to PMC using the command line.

You must uninstall any existing PMC Windows adapter prior to installing a new Windows adapter for PMC.

There are five parameters for the PMC adapter, one of which is optional:

  • TenantID: For Windows Directory and LDAPS, this GUID is generated for you by the deployment tool and you should already have a note of it.
  • InstallationID: You get this from the PMC portal. Click Administration > Agent Installation. Copy the Installation ID for this script.
  • InstallationKey: You get this from the PMC portal. Click Administration > Agent Installation. Copy the Installation Key for this script.
  • ServiceURI: This is the URL for your PMC portal.

There is no port number or slash character at the end of this URL. For example, neither https://test.pmc.example.com/ nor https://test.pmc.example.com:8080/ will work.

  • GroupID (Optional): If supplied, this will auto-authorize the endpoint and assign it to the specified group. If that group doesn't exist, the computer will remain in the pending state. You get this from PMC. Click the group you want to use. The Group ID is shown in the Summary page. Copy the Group ID for this script.

To install adapters:

Include the GroupID to automatically group and authorize the endpoint.

  1. Navigate to the location of the adapter installer. By default, this is the AdapterInstallers folder.
  2. Enter the command line with the required attributes and press Enter. The adapter installer launches. Proceed through the installation wizard as required.

Below is an example command line; enter it as a single line.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="<TenantID_GUID>" INSTALLATIONID="<InstallationID>" INSTALLATIONKEY="<InstallationKey>" SERVICEURI="<PMC URL>" GROUPID="<PMC GroupID GUID>"

Add the following argument if you don't want the adapter service to start automatically. This option is useful when Privilege Management and the PMC Adapter are being installed to an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the PMC Adapter will immediately join the PMC instance indicated.

SERVICE_STARTUP_TYPE=Disabled

You can start the IC3Adapter service manually later from the Services console.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://test.pmc.avecto.com" GROUPID="fcc4022e-12fa-4246-87w8-0de9a1483a68" SERVICE_STARTUP_TYPE=Disabled
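The following script is an added example, not BeyondTrust's own tooling: it wraps the documented adapter install command and checks the constraints stated above (no existing adapter, a well-formed SERVICEURI, a verifiable installer signature) before msiexec runs. It assumes it is run from the AdapterInstallers folder; the /qn, /norestart and /l* switches are standard msiexec options and not part of the page's adapter command.

```powershell
# Added example, not BeyondTrust's own tooling: wraps the documented adapter
# install command and enforces the constraints stated above before msiexec runs.
# Assumes it runs from the AdapterInstallers folder; /qn, /norestart and /l* are
# standard msiexec switches, not part of the page's adapter command.
param(
    [Parameter(Mandatory)][guid]$TenantId,         # [guid] rejects malformed values
    [Parameter(Mandatory)][guid]$InstallationId,
    [Parameter(Mandatory)][string]$InstallationKey,
    [Parameter(Mandatory)][string]$ServiceUri,
    [guid]$GroupId,                                # optional: auto-authorize and group
    [switch]$ForImage,                             # image build: SERVICE_STARTUP_TYPE=Disabled
    [string]$Msi = 'PrivilegeManagementConsoleAdapter_x64.msi'
)

# The page requires removing any existing adapter before installing a new one.
if (Get-Service -Name 'IC3Adapter' -ErrorAction SilentlyContinue) {
    throw 'An IC3Adapter service already exists; uninstall the existing adapter first.'
}

# SERVICEURI: https, host only, no port, no path and no trailing slash.
if ($ServiceUri -notmatch '^https://[A-Za-z0-9.-]+$') {
    throw "SERVICEURI must be of the form https://host.example.com, got '$ServiceUri'"
}

# Only run an installer whose Authenticode signature verifies (2.4+ is SHA-256 signed only).
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Signature check on $Msi returned $($sig.Status); not installing."
}

$msiArgs = @('/i', "`"$Msi`"",
    "TENANTID=`"$TenantId`"", "INSTALLATIONID=`"$InstallationId`"",
    "INSTALLATIONKEY=`"$InstallationKey`"", "SERVICEURI=`"$ServiceUri`"")
if ($PSBoundParameters.ContainsKey('GroupId')) { $msiArgs += "GROUPID=`"$GroupId`"" }
if ($ForImage) { $msiArgs += 'SERVICE_STARTUP_TYPE=Disabled' }
# /l* rather than /l*v: verbose MSI logs dump property values, INSTALLATIONKEY included.
$log = Join-Path $env:TEMP 'PMCAdapterInstall.log'
$msiArgs += '/qn', '/norestart', '/l*', "`"$log`""

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {             # 3010 = success, reboot required
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}
"Adapter installed (msiexec exit $($proc.ExitCode)); log: $log"
```

Run it from an elevated prompt; pass -ForImage when building a reusable image so the adapter does not join the PMC instance until the service is started on each cloned computer.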

For instructions on getting this GUID for Microsoft Azure authentication, please see Directory ID.

Configure the Windows PMC Adapter

When the PMC Adapter communicates with the PMC portal, it uses HTTPS. If this communication goes through a proxy, the proxy must be configured for the PMC Adapter user, which is separate from the logged-on user account.

The endpoint needs to be configured to use proxy settings for the whole machine rather than the individual user. The following registry key needs to be edited to make this change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

Name                  Type       Data
ProxySettingsPerUser  REG_DWORD  0

The Data value must be 0, which applies the proxy settings to the whole machine (1 applies them per user).

Ensure the iC3Adapter User Has the "User Can Log on as a Service" Right

When you install the PMC Adapter it creates a user called iC3Adapter as part of the installation process. The iC3Adapter user is granted the rights to Log on as a Service by the installation process. If you have a Group Policy in place that revokes this permission, you need to ensure the iC3Adapter user is excluded, as it needs the Log on as a Service right.

For more information, please see Add the Log on as a service Right to an Account.
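As an added example (not BeyondTrust's own tooling), the script below applies the machine-wide proxy policy from the previous section and then verifies both prerequisites the adapter depends on: ProxySettingsPerUser set to 0 and the iC3Adapter account holding the Log on as a Service right (SeServiceLogonRight). The registry path, service name and account name are taken from the page; the secedit export is the assumed way to read the current user-rights assignment.

```powershell
# Added example, not BeyondTrust's own tooling. Run from an elevated prompt.
# Registry path, IC3Adapter service and iC3Adapter account come from the page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-MachineWideProxyPolicy {
    # The policy key may not exist if Group Policy never populated it; 0 = whole machine.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ProxySettingsPerUser' -Value 0 -Type DWord
}

function Test-MachineWideProxyPolicy {
    $v = Get-ItemProperty -Path $PolicyKey -Name 'ProxySettingsPerUser' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ProxySettingsPerUser -eq 0)
}

function Test-ServiceLogonRight {
    param([string]$Account = 'iC3Adapter')
    # secedit exports the effective policy as an INI; SeServiceLogonRight lists
    # its holders as account names or *SID entries, so both forms are matched.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # account does not exist: the adapter install never ran
    return [bool]($holders | Where-Object {
        $_ -eq $Account -or $_ -eq "*$sid" -or $_ -like "*\$Account" })
}

Set-MachineWideProxyPolicy
[pscustomobject]@{
    ProxySettingsPerUser_Is0     = Test-MachineWideProxyPolicy
    iC3Adapter_CanLogOnAsService = Test-ServiceLogonRight
    IC3Adapter_ServiceStatus     = (Get-Service -Name 'IC3Adapter' -ErrorAction SilentlyContinue).Status
}
```

A False in iC3Adapter_CanLogOnAsService after the adapter is installed points at a Group Policy that revokes the right, which is the case the section above describes.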

The computers with Privilege Management and the PMC adapter installed with the Installation ID and Installation Key will now appear in the Computers grid in PMC.