Installation Information for BeyondInsight and Privilege Management for Windows
Create and Deploy the BeyondInsight Client Certificate for Privilege Management for Windows
To establish communication between BeyondInsight and Privilege Management for Windows clients, a client certificate must be generated from BeyondInsight, and installed on every client needing to transmit information to BeyondInsight. We recommend installing the BeyondInsight client certificate prior to the Privilege Management for Windows client.
You do not need to generate a client certificate if there is already a certificate for PowerBroker for Windows Endpoint Protection Platform or BeyondInsight Network Security Scanner. You can use the existing client certificate for your Privilege Management for Windows assets.
Generate Client Certificate MSI
- On the BeyondInsight server, go to C:\Program Files (x86)\eEye Digital Security\Retina CS.
- Run REMEMConfig.exe, which opens the BeyondInsight Configuration Tool.
- Click on the Generate Certificate.msi link. A command prompt opens, indicating the MSI is being generated.
- Once the prompt closes, the MSI appears in the C:\Program Files (x86)\eEye Digital Security\Retina CS\Utilities\msi directory.
Deploy the Certificate MSI for Privilege Management for Windows
After you have generated the certinstaller.msi from BeyondInsight, you must deploy and install the MSI on each machine you wish to communicate with BeyondInsight, using administrator rights. You may deploy the MSI using the following methods:
Command Prompt Already Running as Administrator
- Add a copy of the certinstaller.msi to the machine
- Run cmd.exe as administrator
- Run the following command: msiexec /i certinstaller.msi
Use the Group Policy Management Console (GPMC) to deploy certificate packages to your client computers.
- To deploy the certificate MSI package, copy the certificate MSI package to an accessible location.
- Click Start > Control Panel > Administrative Tools > Group Policy Management to open the GPMC. If the GPMC is not already installed, it can be downloaded from www.microsoft.com/en-us/download.
- In the GPMC, click Forest > Domains > Mydomain > Group Policy Objects.
- To create a new GPO, right-click Group Policy Objects, and click New.
- Enter a name for the GPO and click OK. Alternatively, you can add configurations to an existing GPO.
- Right-click the GPO and click Edit to launch the Group Policy Management Editor to configure settings for the GPO.
- In the Group Policy Management Editor, click Computer Configuration > Policies > Software Settings.
- Right-click Software Installation and click New > Package.
- Select the certificate MSI installer package, and click Open.
- Select Assigned and click OK. After a brief delay, the name of the software to be installed is displayed in the Details pane of the Group Policy Management Editor.
- If the name does not appear, right-click Software Installation and click Refresh until it does.
- To modify installation settings, double-click the item name in the display pane.
- To remove an item, right-click the item name and select All Tasks > Remove.
Restart each client computer to initiate the installation. This can be done manually or by using Group Policy mechanisms.
An Enterprise Software Management Tool of Your Choice, For Example, SCCM.
Be sure to consult the guides for the management tool you use.
After you have deployed the client certificate, confirm it is on the system, following the steps below.
- Run the Microsoft Management Console (MMC) as administrator.
- Go to File > Add/Remove Snap-in.
- From the Snap-in menu, select Certificates, and click Add >.
- In the Certificates snap-in dialog, select Computer account.
- Choose Local computer: (The computer this console is running on). Click Finish.
- In the MMC Console, expand Console Root > Certificates (Local Computer).
- Expand both the Personal > Certificates directory and the Trusted Root Certification Authorities directory to ensure the eEyeEmsClient client certificate is listed.
If the certificates are not present, it is possible they were incorrectly installed in the Certificates (Current User) store. If you find them there, delete them and uninstall certinstaller.msi from Programs & Features (appwiz.cpl) before repeating these steps.
Privilege Management for Windows Installation
For BeyondInsight integration with Privilege Management for Windows, you must set the BIMODE installer variable to 1. In the majority of cases, only the URL of your BeyondInsight Event Service must be specified. For context, example installation strings are provided below.
PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://example.com/EventService/Service.svc"
msiexec.exe /i PrivilegeManagementForWindows_x64.msi BIMODE=1 BEYONDINSIGHTURL="https://example.com/EventService/Service.svc"
If you are using a custom certificate or workgroup, you can specify non-default values as additional install variables, as shown in the following examples.
PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://example.com/EventService/Service.svc BEYONDINSIGHTCERTNAME=CertExample BEYONDINSIGHTWORKGROUP=BeyondTrustWorkGroup"
msiexec.exe /i PrivilegeManagementForWindows_x64.msi BIMODE=1 BEYONDINSIGHTURL="https://example.com/EventService/Service.svc" BEYONDINSIGHTCERTNAME="CertExample" BEYONDINSIGHTWORKGROUP="BeyondTrustWorkGroup"
The following table details the available installer variables and their default values:
|Location||Name||Default||Installer Variable Name|
|HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client||BeyondInsightUrl||[Empty] - You must specify this||BEYONDINSIGHTURL|
The default values of BeyondInsightPolicyIntervalMins and BeyondInsightHeartbeatIntervalMins can be shortened for testing purposes (low numbers of machines). Be aware that decreasing these values increases load on the BeyondInsight Event Service server.
When updating the clients on an existing deployment of BeyondInsight and Privilege Management for Windows, the registry keys from the previous install will be removed. Any previously specified variables in the install string must be restated in an upgrade.
Ensure that Endpoints are Registered in BeyondInsight
After deploying your Privilege Management for Windows endpoints, ensure that BeyondInsight is receiving heartbeats and information from them. Once they check in, the endpoints are shown as entries on the Assets grid in BeyondInsight, as well as the Endpoint Privilege Management Agents grids.