Configure Privilege Management Endpoints
You need to install Privilege Management on the target operating system as well as the PMC adapter.
Install the Privilege Management client first and then the adapter. If they are installed in the other order, some of the events that PMC needs are not generated. If you do install the client and the adapter out of order, restart the adapter service (IC3Adapter) to force it to detect the client.
The adapters poll every 60 minutes by default. An additional delay is applied based on the CPU load of the node that the adapter is connected to. The minimum supported adapter poll time is 5 minutes.
For more information on the management of your endpoints using PMC, please see the PMC Administration Guide.
Install the Windows Adapter for PMC
As of version 2.4, all releases of Privilege Management are signed only with a SHA-256 code signing certificate. Previous versions were dual signed with SHA-1 and SHA-256 certificates. The decision to drop SHA-1 certificates was made to avoid weaknesses in the SHA-1 algorithm and to align to industry security standards. For more information, please see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
If you intend to deploy Privilege Management version 2.4 or later to Windows 7 or Windows Server 2008 R2 machines, you must ensure the following KBs are installed prior to installation of this product:
We strongly recommend you keep your systems up to date with the latest Windows security updates.
The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. You need to use the Windows Command Prompt to install the Windows PMC Adapter.
You can install and automatically authorize Windows machines to connect to PMC using the command line.
You must uninstall any existing PMC Windows Adapter prior to installing a new Windows adapter for PMC.
There are five parameters for the PMC Adapter, one of which is optional:
- TenantID: For Windows Directory and LDAPS, this GUID is generated for you by the deployment tool and you should already have a note of it.
- InstallationID: You get this from the PMC portal. Click Administration > Agent Installation. Copy the Installation ID for this script.
- InstallationKey: You get this from the PMC portal. Click Administration > Agent Installation. Copy the Installation Key for this script.
- ServiceURI: This is the URL for your PMC portal.
Do not include a port number or a trailing slash character at the end of this URL; a URL with either will not work.
- GroupID (Optional): If supplied, this will auto-authorize the endpoint and assign it to the specified group. If that group doesn't exist, the computer will remain in the pending state. You get this from PMC. Click the group you want to use. The Group ID is shown in the Summary page. Copy the Group ID for this script.
To install adapters (include the GroupID to group and authorize the endpoint automatically):
- Navigate to the location of the adapter installer. By default, this is the AdapterInstallers folder.
- Enter the command line with the required attributes and press Enter. The adapter installer launches. Proceed through the installation wizard as required.
msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="<TenantID_GUID>" INSTALLATIONID="<InstallationID>" INSTALLATIONKEY="<InstallationKey>" SERVICEURI="<PMC URL>" GROUPID="<PMC GroupID GUID>"
Add the following argument if you don't want the adapter service to start automatically. This option is useful when Privilege Management and the PMC Adapter are being installed into an image that will be cloned to create many individual computers. If the service is not disabled in this scenario, the PMC Adapter in the image immediately joins the PMC instance indicated.
You can start the IC3Adapter service manually later from the Services console.
msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://test.pmc.avecto.com" GROUPID="fcc4022e-12fa-4246-87w8-0de9a1483a68" SERVICE_STARTUP_TYPE=Disabled
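The following script is an added example, not BeyondTrust's own installer script. It performs the install described above unattended and enforces the checks this page calls for before running msiexec: an existing adapter must be uninstalled first, the client should already be present, and SERVICEURI must carry no port or trailing slash. The MSI file name and the IC3Adapter service name come from this page; the detection of the Privilege Management client through its Uninstall registry entry is an assumption and may need adjusting for your build, as is the choice of log path.

```powershell
<#
Added example (not vendor code): unattended install of the Windows PMC adapter.
Assumptions: MSI name and IC3Adapter service name as on this page; client detection
by Uninstall-key DisplayName is an assumption, not documented behaviour.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$TenantId,
    [Parameter(Mandatory)] [string]$InstallationId,
    [Parameter(Mandatory)] [string]$InstallationKey,
    [Parameter(Mandatory)] [string]$ServiceUri,
    [string]$GroupId,                    # optional: auto-authorize into this group
    [switch]$DisableServiceStartup,      # golden images: SERVICE_STARTUP_TYPE=Disabled
    [string]$MsiPath = '.\PrivilegeManagementConsoleAdapter_x64.msi',
    [string]$LogPath = "$env:TEMP\PMCAdapterInstall.log"   # assumed location
)
$ErrorActionPreference = 'Stop'

# SERVICEURI must be the bare https URL of the portal: no port, no trailing slash.
if ($ServiceUri -notmatch '^https://[A-Za-z0-9.-]+$') {
    throw "SERVICEURI '$ServiceUri' must look like https://host.example.com (no port, no trailing slash)"
}
# A GroupID that is not a valid GUID cannot match a group, so the computer would stay pending.
$guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
foreach ($g in (@($TenantId, $GroupId) | Where-Object { $_ })) {
    if ($g -notmatch $guidPattern) { throw "'$g' is not a GUID" }
}
$MsiPath = (Resolve-Path $MsiPath).Path   # also fails early if the MSI is missing

# An existing adapter must be uninstalled before a new one is installed.
if (Get-Service -Name IC3Adapter -ErrorAction SilentlyContinue) {
    throw 'An existing PMC adapter (IC3Adapter service) is present; uninstall it first.'
}

# Install order: the client must already be present or the adapter misses events
# PMC needs. Assumption: the client has an Uninstall entry matching this pattern.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$client = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like '*Privilege Management*' -and
                         $_.DisplayName -notlike '*Adapter*' }
if (-not $client) {
    Write-Warning 'Privilege Management client not detected. Install it first; if you continue anyway, restart the IC3Adapter service once the client is installed.'
}

# Build the msiexec command line exactly as documented, plus silent mode and a verbose log.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn',                                # silent; remove this to step through the wizard
    '/l*v', "`"$LogPath`"",
    "TENANTID=`"$TenantId`"",
    "INSTALLATIONID=`"$InstallationId`"",
    "INSTALLATIONKEY=`"$InstallationKey`"",
    "SERVICEURI=`"$ServiceUri`""
)
if ($GroupId)               { $msiArgs += "GROUPID=`"$GroupId`"" }
if ($DisableServiceStartup) { $msiArgs += 'SERVICE_STARTUP_TYPE=Disabled' }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Host 'Adapter installed.' }
    3010    { Write-Host 'Adapter installed; a reboot is required.' }
    default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
}

# Verify the service exists and has the start mode we asked for.
$svc = Get-CimInstance Win32_Service -Filter "Name='IC3Adapter'"
if (-not $svc) { throw 'IC3Adapter service not found after install' }
$expected = if ($DisableServiceStartup) { 'Disabled' } else { 'Auto' }
if ($svc.StartMode -ne $expected) {
    Write-Warning "IC3Adapter start mode is $($svc.StartMode), expected $expected"
}
"IC3Adapter: State=$($svc.State) StartMode=$($svc.StartMode) Account=$($svc.StartName)"
```

Run it elevated from the AdapterInstallers folder, for example `.\Install-PmcAdapter.ps1 -TenantId <guid> -InstallationId <id> -InstallationKey <key> -ServiceUri https://test.pmc.avecto.com -GroupId <guid>`, adding `-DisableServiceStartup` when building an image. The sample IDs on this page are placeholders, not valid GUIDs, so the GUID check rejects them by design. Treat the verbose MSI log as sensitive: verbose logging can record property values, and the Installation Key is passed as a property on the command line, so restrict the log file and do not leave it behind in an image.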
For more information on getting the GUID for Microsoft Azure authentication, please see Create the Microsoft Azure AD Tenant.
Configure the Windows PMC Adapter
The PMC Adapter communicates with the PMC portal over HTTPS. If this traffic passes through a proxy, the proxy must be configured for the PMC Adapter user, which is a separate account from the logged-on user.
The endpoint therefore needs per-machine proxy settings rather than per-user settings. Edit the following registry value to make this change:
The Data value must be 0, which selects per-machine proxy settings (1 selects per-user).
Ensure the iC3Adapter User Has the "User Can Log on as a Service" Right
When you install the PMC Adapter, it creates a local user called iC3Adapter and grants it the Log on as a service right. If a Group Policy in place revokes or redefines this right, ensure the iC3Adapter user is excluded from the revocation (or listed among the accounts the policy grants the right to), as the adapter service needs it.
For more information, please see Add the Log on as a service Right to an Account.
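The checks below are an added example, not a BeyondTrust script, covering the two post-install conditions described above plus the state of the adapter service. The page does not name the registry value behind the per-machine proxy setting; the script assumes the standard Windows policy value ProxySettingsPerUser under the Internet Settings policy key, which is what the "Make proxy settings per-machine" policy writes. The local-account format `.\iC3Adapter` for the service's log-on account is also an assumption. Run it elevated, because `secedit /export` requires administrator rights.

```powershell
<#
Added example (not vendor code): verify per-machine proxy settings, the
"Log on as a service" right for iC3Adapter, and the IC3Adapter service state.
Assumptions: ProxySettingsPerUser is the per-machine proxy policy value (the page
does not name it); the service runs as the local account '.\iC3Adapter'.
#>
$ErrorActionPreference = 'Stop'

function Test-PerMachineProxy {
    # 0 = per-machine (required here); 1 or missing = per-user, the Windows default.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = (Get-ItemProperty -Path $key -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    return ($null -ne $v -and $v -eq 0)
}

function Get-ServiceLogonPrincipals {
    # Export the effective local security policy and parse the SeServiceLogonRight line.
    # Entries are account names or SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $m = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=\s*(.+)$' | Select-Object -First 1
        if (-not $m) { return @() }
        return ($m.Matches[0].Groups[1].Value -split ',') | ForEach-Object { $_.Trim() }
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-ServiceLogonRight([string]$Account) {
    # The export may list the account by name or by SID, so check both forms.
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Account '$Account' does not exist on this machine"
        return $false
    }
    $principals = Get-ServiceLogonPrincipals
    return ($principals -contains $Account) -or ($principals -contains "*$sid")
}

$results = [ordered]@{
    'Proxy settings are per-machine'       = Test-PerMachineProxy
    'iC3Adapter has Log on as a service'   = Test-ServiceLogonRight 'iC3Adapter'
}
$svc = Get-CimInstance Win32_Service -Filter "Name='IC3Adapter'"
$results['IC3Adapter service is running']  = [bool]($svc -and $svc.State -eq 'Running')
$results['IC3Adapter runs as iC3Adapter']  = [bool]($svc -and $svc.StartName -match '(^|\\)iC3Adapter$')

$results.GetEnumerator() | ForEach-Object {
    '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run `gpupdate /force` before this script so the export reflects the right as Group Policy leaves it: if "Log on as a service" is defined in a GPO, every policy refresh rewrites the local list, so an account re-granted the right locally loses it again. The durable fix is to add iC3Adapter to the GPO's list, not to grant the right on the endpoint.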
Computers with Privilege Management and the PMC adapter installed using the Installation ID and Installation Key now appear in the Computers grid in PMC.