Troubleshoot

A diagnostics tool, EndpointUtility.exe, is available with Privilege Management for Windows installed files. Using the tool, you can:

  • Diagnose the cause of connection problems. The tool offers actions to remedy the issue.
  • Request an immediate policy update from BeyondInsight.

The tool does not require any elevated rights to run; any authenticated user on the system can use the tool.

Use the EndpointUtility.exe Tool

Arguments

Management platform argument:

/bi: BeyondInsight

Task arguments:

/c: Test connection

/p: Force policy

Test Connection

Run the following commands to send a test message to the BeyondInsight instance. The test results are displayed in the console window.

The registry settings used to connect to BeyondInsight are displayed first, followed by the result of the test message.

If Privilege Management for Windows is installed in the default location, run the following from the command line:

"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /bi /c

PowerShell:

& "C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /bi /c

Possible Test Connection Results

Result | Remedy
Connection Successful | NA
Defendpoint BeyondInsight Adapter cannot be contacted. | Reinstall BeyondTrust Privilege Management with BIMODE=1 and correct parameters for BEYONDINSIGHTURL (and optionally BEYONDINSIGHTCERTNAME and BEYONDINSIGHTWORKGROUP).
BeyondInsight Client Certificate Name could not be found. | Check the value of BEYONDINSIGHTCERTNAME in the registry and verify that the certificate is installed in and accessible from the correct certificate store.
BeyondInsight Connection refused. | Check the value of BEYONDINSIGHTURL in the registry and that you have installed the correct BeyondInsight client certificate.
BeyondInsight URL not specified | Provide a value for BEYONDINSIGHTURL in the registry.
BeyondInsight could not be contacted | Check the value of BEYONDINSIGHTURL in the registry, and network and firewall settings.

Force Policy

Run the following commands to force a policy update on endpoints from BeyondInsight.

If Privilege Management for Windows is installed in the default location, run the following command from the Windows command prompt:

"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /bi /p

PowerShell:

& "C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /bi /p

Force Update Policy for End Users

End users can force a policy update to their computer from the system tray. This feature allows the end user to request a new policy from their desktop, significantly reducing the time it takes to update a policy.

  1. In the system tray, click the Privilege Management icon.
  2. Click Check for Policy Update.

A notification appears with Update Finished to notify the user that a policy update has been applied to the client.

A notification appears with No Updates Found if the current policy is already up to date.

A notification appears with Unable to Check for Updates if the computer is unable to reach the management platform.

Use the Capture Config Utility

In Privilege Management for Windows 22.3, we have added the ability to run the BeyondTrust Capture Config Utility from the command line, both locally and remotely. It is initiated through EndpointUtility.exe (formerly diagnosticsCli.exe).

If you are running a version of Privilege Management for Windows earlier than 22.3, follow the steps described in KB0017213.

Initiate the Capture Config Utility from the Command Line

If you are running this on a remote machine, proceed to Run Remotely and Silently Using PowerShell.

To initiate the utility:

  1. Open PowerShell as admin.
  2. Change directory (cd) to the Privilege Management for Windows install location. By default, this is C:\Program Files\Avecto\Privilege Guard Client (include the single quotation marks in your command, as below).
    cd 'C:\Program Files\Avecto\Privilege Guard Client'
  3. (Optional). Use the command below to create a new folder, or proceed to step 4 if you already have a folder created on the machine. Replace <Chosen Path> with the path you want the new folder to reside in, and replace <Chosen Name> with the preferred name for the folder. For example, the case reference number.
    $output = New-Item -Path <Chosen Path> -Name <Chosen Name> -ItemType directory
  4. Run the capture config script with the command below. Replace <Desired .zip name> with the preferred name for the logs, which will be exported to a ZIP file.

    If you opted to use a preexisting folder (or did not use the $output variable in the previous command), remove $output and type the path to the existing folder, and the desired name of the log file which will be exported to a new ZIP file with that name. See the examples below.

    .\EndpointUtility.exe /cc $output <Desired .zip name>

    OR

    .\EndpointUtility.exe /cc <Path to folder> <Desired .zip name>

    Replace <path to folder> with the path to the existing folder, and then replace <Desired .zip name> with the preferred name for the log export.

  5. A ZIP file will be output to the chosen location, with your specified reference or filename.

Run Remotely and Silently Using PowerShell

To produce the Config Capture on a remote session, use the PSSession commands as below:

  1. Launch PowerShell as admin.
  2. Run the command below (replace <machine name> with the name of the remote machine).
    Enter-PSSession -ComputerName <machine name>
  3. Change directory (cd) to the Privilege Management for Windows install location. By default, this is C:\Program Files\Avecto\Privilege Guard Client (include the single quotation marks in your command, as below).
    cd 'C:\Program Files\Avecto\Privilege Guard Client\'
  4. (Optional). Use the command below to create a new folder on the remote machine, or proceed to step 5 if you already have a folder created on the remote machine. Replace <Chosen Path> with the path you would like the new folder to reside in, and then replace <Chosen Name> with the preferred name for the folder. For example, the case reference number.
    $output = New-Item -Path <Chosen Path> -Name <Chosen Name> -ItemType directory
  5. Run the capture config script with the command below. Replace <Desired .zip name> with the preferred name for the logs, which will be exported to a ZIP file.

    If you opted to use a preexisting folder (or did not use the $output variable in the previous command), remove $output and type the path to the existing folder, and the desired name of the log file which will be exported to a new ZIP file with that name. See the examples below.

    .\EndpointUtility.exe /cc $output <Desired .zip name>

    OR

    Replace <Path to folder> with the path to the existing folder, and then replace <Desired .zip name> with the preferred name for the log export.

    .\EndpointUtility.exe /cc <Path to folder> <Desired .zip name>

    The PowerShell screen will remain with the cursor "-" for a few minutes while the command is in progress. This is normal; do not close the window.

    You will then see a success message.

  6. Open File Explorer and navigate to the remote directory you chose in steps 3 and 4, and then copy the ZIP folder to your machine.

If you run the command below without first copying the logs, you must re-do this process to collect the logs again.

  7. (Optional). To remove the logs from the remote machine once you have copied the ZIP file, run the command below.
    Remove-Item -Path $output -Force -Recurse
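
The remote procedure above, scripted end to end as an added example (not BeyondTrust's own code): it locates the ZIP by listing the newly created folder rather than assuming the output file name, and removes the remote folder only after the SHA-256 of the copied file matches. Assumptions: PowerShell remoting is enabled on the target, the default install path is in use, C:\Temp is a hypothetical staging root, and the function name Get-RemoteCaptureConfig and the sample values are illustrative.

```powershell
# Added example (not vendor code). Assumes PowerShell remoting is enabled on the
# target and that the caller has admin rights there.
function Get-RemoteCaptureConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $CaseReference,   # folder name and ZIP name
        [string] $RemoteRoot  = 'C:\Temp',                 # hypothetical staging path
        [string] $LocalFolder = (Get-Location).Path,
        [string] $InstallDir  = 'C:\Program Files\Avecto\Privilege Guard Client'
    )
    $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # Steps 3-5: cd to the install location, create a new folder, run /cc.
        $remote = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            param($InstallDir, $Root, $Name)
            Set-Location -LiteralPath $InstallDir -ErrorAction Stop
            $output = New-Item -Path $Root -Name $Name -ItemType Directory -ErrorAction Stop
            $log = .\EndpointUtility.exe /cc $output.FullName $Name 2>&1
            # The folder is new, so any ZIP in it is the capture; no file name is assumed.
            $zip = Get-ChildItem -LiteralPath $output.FullName -Filter *.zip | Select-Object -First 1
            if (-not $zip) { throw "No ZIP in $($output.FullName). Tool output: $log" }
            [pscustomobject]@{
                Folder = $output.FullName
                Zip    = $zip.FullName
                Sha256 = (Get-FileHash -LiteralPath $zip.FullName -Algorithm SHA256).Hash
            }
        } -ArgumentList $InstallDir, $RemoteRoot, $CaseReference

        # Step 6: copy over the same session instead of File Explorer, then verify.
        Copy-Item -FromSession $session -Path $remote.Zip -Destination $LocalFolder -ErrorAction Stop
        $local = Join-Path $LocalFolder (Split-Path $remote.Zip -Leaf)
        if ((Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash -ne $remote.Sha256) {
            throw "Hash mismatch for $local; remote copy kept in $($remote.Folder)"
        }
        # Step 7: remove the remote logs only after the local copy is verified.
        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            param($Folder) Remove-Item -LiteralPath $Folder -Force -Recurse
        } -ArgumentList $remote.Folder
        Get-Item -LiteralPath $local
    }
    finally { Remove-PSSession -Session $session }
}

# Constructed values for illustration:
# Get-RemoteCaptureConfig -ComputerName 'WS-0142' -CaseReference 'CASE-0001'
```

Because New-Item fails if the folder already exists, each run needs a new case reference or a different staging root.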

For more information, see KB0016797.