Installation Information for BeyondInsight and Privilege Management for Windows

Create and Deploy the BeyondInsight Client Certificate for Privilege Management for Windows

To establish communication between BeyondInsight and Privilege Management for Windows clients, a client certificate must be generated from BeyondInsight, and installed on every client needing to transmit information to BeyondInsight. We recommend installing the BeyondInsight client certificate prior to the Privilege Management for Windows client.

You do not need to generate a client certificate if there is already a certificate for PowerBroker for Windows Endpoint Protection Platform or BeyondInsight Network Security Scanner. You can use the existing client certificate for your Privilege Management for Windows assets.

Generate Client Certificate MSI

  1. On the BeyondInsight server, go to C:\Program Files (x86)\eEye Digital Security\Retina CS.
  2. Run REMEMConfig.exe, which opens the BeyondInsight Configuration Tool.
  3. Click on the Generate Certificate.msi link. A command prompt opens, indicating the MSI is being generated.
  4. Once the prompt closes, the MSI appears in the C:\Program Files (x86)\eEye Digital Security\Retina CS\Utilities\msi directory.

 

Deploy the Certificate MSI for Privilege Management for Windows

After you have generated the certinstaller.msi from BeyondInsight, you must deploy and install the MSI on each machine you wish to communicate with BeyondInsight, using administrator rights. You may deploy the MSI using the following methods:

Command Prompt Already Running as Administrator

  1. Add a copy of the certinstaller.msi to the machine
  2. Run cmd.exe as administrator
  3. Run the following command: msiexec /i certinstaller.msi

Group Policy

Use the Group Policy Management Console (GPMC) to deploy certificate packages to your client computers.

  1. To deploy the certificate MSI package, copy the certificate MSI package to an accessible location.
  2. Click Start > Control Panel > Administrative Tools > Group Policy Management to open the GPMC. If the GPMC is not already installed, it can be downloaded from www.microsoft.com/en-us/download.
  3. In the GPMC, click Forest > Domains > Mydomain > Group Policy Objects.
  4. To create a new GPO, right-click Group Policy Objects, and click New.
  5. Enter a name for the GPO and click OK. Alternatively, you can add configurations to an existing GPO.
  6. Right-click the GPO and click Edit to launch the Group Policy Management Editor to configure settings for the GPO.
  7. In the Group Policy Management Editor, click Computer Configuration > Policies > Software Settings.
  8. Right-click Software Installation and click New > Package.
  9. Select the certificate MSI installer package, and click Open.
  10. Select Assigned and click OK. After a brief delay, the name of the software to be installed is displayed in the Details pane of the Group Policy Management Editor.
    • If the name does not appear, right-click Software Installation and click Refresh until it does.
    • To modify installation settings, double-click the item name in the display pane.
    • To remove an item, right-click the item name and select All Tasks > Remove.

Restart each client computer to initiate the installation. This can be done manually or by using Group Policy mechanisms.

An Enterprise Software Management Tool of Your Choice, For Example, SCCM.

Be sure to consult the guides for the management tool you use.

After you have deployed the client certificate, confirm it is on the system, following the steps below.

  1. Run the Microsoft Management Console (MMC) as administrator.
  2. Go to File > Add/Remove Snap-in.
  3. From the Snap-in menu, select Certificates, and click Add >.
  4. In the Certificates snap-in dialog, select Computer account.
  5. Choose Local computer: (The computer this console is running on). Click Finish.
  6. In the MMC Console, expand Console Root > Certificates (Local Computer).
  7. Expand both the Personal > Certificates directory and the Trusted Root Certification Authorities directory to ensure the eEyeEmsClient client certificate is listed.

If the certificates are not present, it is possible they were incorrectly installed in the Certificates (Current User) store. If you find them there, delete them and uninstall certinstaller.msi from Programs & Features (appwiz.cpl) before repeating these steps.
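The same check can be scripted across many endpoints. The following PowerShell is an added example, not BeyondTrust code: it looks for the certificate in the two Local Computer stores named above and flags copies that ended up in the Current User stores. The function name is hypothetical, and matching on the Subject or friendly name is an assumption about how the certificate is labelled.

```powershell
# Added example (not BeyondTrust code). Run in an elevated PowerShell session.
function Test-BeyondInsightClientCert {
    param([string]$CertName = 'eEyeEmsClient')   # default certificate name from this page

    # Stores the page expects the certificate in, and stores it may have landed in by mistake.
    # The CurrentUser paths only cover the account running this function.
    $stores = [ordered]@{
        'Cert:\LocalMachine\My'   = 'expected'
        'Cert:\LocalMachine\Root' = 'expected'
        'Cert:\CurrentUser\My'    = 'misplaced'
        'Cert:\CurrentUser\Root'  = 'misplaced'
    }

    foreach ($path in $stores.Keys) {
        $role = $stores[$path]
        # Assumption: the name appears in the Subject or the friendly name.
        $found = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$CertName*" -or $_.FriendlyName -like "*$CertName*" })

        if ($found.Count -eq 0) {
            $status = if ($role -eq 'expected') { 'MISSING' } else { 'OK (none found)' }
            [pscustomobject]@{ Store = $path; Status = $status; Thumbprint = $null; NotAfter = $null }
            continue
        }

        foreach ($cert in $found) {
            if ($role -eq 'misplaced') {
                # Remediation from the page: delete, uninstall certinstaller.msi, redeploy.
                $status = 'MISPLACED (wrong store)'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $status = 'EXPIRED'
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{
                Store      = $path
                Status     = $status
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

Test-BeyondInsightClientCert | Format-Table -AutoSize
```

Any row with a status of MISSING or MISPLACED corresponds to the failure case described above.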

Privilege Management for Windows Installation

For BeyondInsight integration with Privilege Management for Windows, you must set the BIMODE installer variable to 1. In the majority of cases, only the URL of your BeyondInsight Event Service must be specified. For context, example installation strings are provided below.

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://example.com/EventService/Service.svc"

msiexec.exe /i PrivilegeManagementForWindows_x64.msi BIMODE=1 BEYONDINSIGHTURL="https://example.com/EventService/Service.svc"

If you are using a custom certificate or workgroup, you can specify non-default values as additional install variables, as shown in the following examples.

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://example.com/EventService/Service.svc BEYONDINSIGHTCERTNAME=CertExample BEYONDINSIGHTWORKGROUP=BeyondTrustWorkGroup"

msiexec.exe /i PrivilegeManagementForWindows_x64.msi BIMODE=1 BEYONDINSIGHTURL="https://example.com/EventService/Service.svc" BEYONDINSIGHTCERTNAME="CertExample" BEYONDINSIGHTWORKGROUP="BeyondTrustWorkGroup"

The following table details the available installer variables and their default values:

| Location | Name | Default | Installer Variable Name |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client | BeyondInsightUrl | [Empty] - You must specify this | BEYONDINSIGHTURL |
| | BeyondInsightCertName | eEyeEmsClient | BEYONDINSIGHTCERTNAME |
| | BeyondInsightWorkgroup | BeyondTrust Workgroup | BEYONDINSIGHTWORKGROUP |
| | BeyondInsightHeartbeatIntervalMins | 720 | |
| | BeyondInsightPolicyIntervalMins | 90 | |

The default values of BeyondInsightPolicyIntervalMins and BeyondInsightHeartbeatIntervalMins can be shortened for testing purposes (low numbers of machines). Be aware that decreasing these values increases load on the BeyondInsight Event Service server.

 

When updating the clients on an existing deployment of BeyondInsight and Privilege Management for Windows, the registry keys from the previous install will be removed. Any previously specified variables in the install string must be restated in an upgrade.
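Because an upgrade removes these registry values, it is worth auditing them on each endpoint after installation. The following PowerShell is an added example, not BeyondTrust code: it reads the values from the registry location in the table and compares them with the listed defaults. The function name and status wording are hypothetical, and the HTTPS check is an assumption based on the example URLs on this page.

```powershell
# Added example (not BeyondTrust code). Reads the client settings listed in the table.
function Get-BeyondInsightClientSettings {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client')

    # Defaults as listed in the table; BeyondInsightUrl has none and must be specified.
    $defaults = [ordered]@{
        BeyondInsightUrl                   = $null
        BeyondInsightCertName              = 'eEyeEmsClient'
        BeyondInsightWorkgroup             = 'BeyondTrust Workgroup'
        BeyondInsightHeartbeatIntervalMins = 720
        BeyondInsightPolicyIntervalMins    = 90
    }

    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $defaults.Keys) {
        $default = $defaults[$name]
        $value   = if ($key) { $key.$name } else { $null }
        $isEmpty = [string]::IsNullOrWhiteSpace([string]$value)

        if ($name -eq 'BeyondInsightUrl') {
            if ($isEmpty) {
                $status = 'MISSING: restate BEYONDINSIGHTURL in the install string'
            } elseif ($value -notlike 'https://*') {
                $status = 'WARNING: not an https:// URL'   # assumption, see lead-in
            } else {
                $status = 'set'
            }
        } elseif ($isEmpty) {
            $status = 'not set'
        } elseif ($default -is [int] -and $null -ne ($value -as [int]) -and ($value -as [int]) -lt $default) {
            # The page notes shorter intervals increase load on the Event Service.
            $status = 'below default: more load on the Event Service'
        } elseif ([string]$value -eq [string]$default) {
            $status = 'default'
        } else {
            $status = 'custom'
        }

        [pscustomobject]@{ Name = $name; Value = $value; Default = $default; Status = $status }
    }
}

Get-BeyondInsightClientSettings | Format-Table -AutoSize
```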

After deploying your Privilege Management for Windows endpoints, you should ensure that BeyondInsight is receiving heartbeats and information from them. Once they check in, the endpoints are shown as entries on the Assets grid in BeyondInsight as well as the Endpoint Privilege Management Agents grids.
