Deploy Endpoint Privilege Management for Windows Policy

This section provides information on the ways to deploy Endpoint Privilege Management for Windows policy to your endpoints, including the following:

  • Group Policy Management Console (GPMC)
  • Standalone Policy Editor
  • PowerShell API
  • Web services

Deploy Workstyles Using GPMC

Endpoint Privilege Management for Windows is implemented as an extension to Group Policy, enabling policy settings to be managed using GPMC. GPMC is the standard tool for managing Group Policy Objects (GPOs).

Endpoint Privilege Management for Windows also supports:

  • Local Computer Policy which can be edited in the Group Policy Editor. This is only recommended for small environments or for test purposes.
  • Advanced Group Policy Management (AGPM ) from versions 2.5 to 4.0.

Create Endpoint Privilege Management for Windows Settings

You can add Endpoint Privilege Management for Windows settings to existing GPOs or create new GPOs.

When working in GPMC, the Endpoint Privilege Management Settings are available in both the Computer Configuration and the User Configuration nodes, which allow you to set either computer or user settings, respectively.

  • Computer settings are updated when a computer starts up.
  • User settings are updated when a user logs on.

By default, a background refresh occurs every 90 minutes which will update settings while the user is logged on.

To edit a GPO from the GPMC:

In the GPMC, double click Group Policy Objects in the forest and domain containing the GPO you want to edit

  1. Launch the GPMC (gpmc.msc).
  2. In the GPMC tree, double-click Group Policy Objects in the forest and domain containing the GPO you want to edit.
  3. Right-click the GPO and click Edit. The Group Policy Management Editor appears.

 

Once a client updates its Endpoint Privilege Management for Windows settings through Group Policy, the settings are applied dynamically. Any logged on users do not need to log off for the changes to take effect.

Endpoint Privilege Management Settings will either appear directly under the Computer Configuration and User Configuration nodes, or under the Policies sub-node, if it exists.

To create Endpoint Privilege Management for Windows settings for a GPO:

  1. In the Group Policy Management Editor, select the Endpoint Privilege Management Settings node for either the Computer Configuration or the User Configuration section.
  2. On the Group Policy Management Editor Action menu, click Create Endpoint Privilege Management Settings.
  3. Right-click the Workstyles node and select Create Workstyle. Choose a controlling or a blank Workstyle.
  4. Click Finish.

For information about Workstyles, please see Workstyles.

Endpoint Privilege Management Settings Scope

When deploying Endpoint Privilege Management for Windows settings with Active Directory Group Policy, there are two factors to consider:

  • The management scope of the GPO you selected.
  • The user or group accounts listed on the account filter section of a Workstyle.

When you create a Workstyle, you can apply a filter that either targets Standard users only or Everyone, including administrators.

Add account filters to refine a subset of users that the Workstyle targets. Define filters on the Filters tab of the Workstyle where you add groups and users (domain or local). A Workstyle applies to everyone if the account filters are empty.

Add multiple account filters to a Workstyle if you need to add AND logic to your filtering. For example, to target a user who is a member of GroupA AND GroupB, add two account filters to an account filter, and select the box All items below must match.

You can also use computer filters to apply the Workstyle to specific computers and connecting client devices. These can be used in combination with account filters to provide more specific targeting of user and computer combinations, if required.

For more information, please see Filters.

GPO Precedence and Inheritance Rules

Endpoint Privilege Management for Windows settings are associated with an Active Directory GPO and are distributed to all the computers and users under the management scope of the GPO. As a result, Endpoint Privilege Management for Windows settings are subject to the same Group Policy processing and precedence rules as standard Active Directory GPOs.

Order of Processing

Group Policy settings are processed in the following order:

  1. Local Group Policy Object: Each computer has exactly one GPO that is stored locally. This applies to both computer and user Group Policy processing.
  2. Site: Any GPOs that are linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  4. Organizational Units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts.

Endpoint Privilege Management for Windows merges settings so settings with a higher precedence will be processed first. Once an application matches a Workstyle, no further Workstyles will be processed for that application, so it is important to keep this in mind when multiple GPOs are applied.

Exceptions to Default Order of Processing

The default order for processing settings is subject to the following exceptions:

  • A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
  • A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
  • An organizational unit or a domain may have a Block Inheritance set. By default, Block Inheritance is not set.

For information about the above modifications to default behavior, please see Managing inheritance of Group Policy.

A computer that is a member of a Workgroup processes only the local GPO.

Endpoint Privilege Management Settings Storage and Backup

Endpoint Privilege Management for Windows stores its settings within Active Directory’s SYSVOL folder, within the storage area for the relevant GPOs, which are identified by their GUIDs. The settings are stored in an XML file and Active Directory is then used as the distribution mechanism.

Endpoint Privilege Management for Windows settings can be backed up by one of the following methods:

  1. A standard System State backup which organizations should be performing as part of their standard backup routines.
  2. Manually backing up a GPO from the GPMC which backs up the GPO settings and Endpoint Privilege Management for Windows XML files.
  3. Manually exporting and saving to a location of your choice.

For more information on how to perform an export or import of policies, please see Export.

Disconnected Users

Disconnected users are fully supported by Endpoint Privilege Management for Windows. When receiving its settings from a GPO, Endpoint Privilege Management for Windows automatically caches all the information required to work offline, so the settings are still applied if the client is not connected to the corporate network. Any changes to the policy are not propagated to the disconnected computer until it reconnects to the domain and receives a Group Policy refresh. This behavior is identical to most of the standard Microsoft Group Policy settings.

Endpoint Privilege Management for Windows also supports a completely standalone configuration mode, where the settings are configured by a Local Group Policy for that machine, or deployed in a standalone XML configuration file. These settings contain all of the information required to apply these policies offline.

Deploy Workstyles Using Standalone Policy Editor

Although the Endpoint Privilege Management Policy Editor is implemented as a Group Policy extension, it also supports a standalone mode, which is independent of Group Policy.

Use the Standalone mode to deploy the Endpoint Privilege Management for Windows settings with an XML file. You need a suitable deployment mechanism to distribute the XML file to your client computers.

To run the Endpoint Privilege Management Policy Editor in standalone mode:

  1. Launch mmc.exe.
  2. Select Add/Remove Snap-in from the File menu.
  3. Select Endpoint Privilege Management Settings from the available snap-ins and click Add.
  4. Click OK.

The Endpoint Privilege Management Policy Editor is now running in standalone mode and is not connected to a Group Policy Object (GPO).

On Windows 7 onwards, the Endpoint Privilege Management for Windows settings will be saved to the following local XML file:

%ALLUSERSPROFILE%\Avecto\Privilege Guard\PrivilegeGuardConfig.xml

If you installed Endpoint Privilege Management for Windows when you installed the Endpoint Privilege Management Policy Editor, then the client will automatically apply the policies in this XML file. For this reason we strongly recommend you do not install the client if you will use the policy editor in standalone mode, unless you want the settings to be applied to your management computer. This may be the case if you are evaluating Endpoint Privilege Management for Windows.

The Endpoint Privilege Management for Windows settings are edited in the same way as when editing GPO based policies. To distribute the XML file to multiple clients, you will need to export the policies to an XML file and then deploy it to the location specified above. Endpoint Privilege Management for Windows monitors this directory and will automatically load the XML file.

You must name the settings file PrivilegeGuardConfig.xml once it is deployed, otherwise Endpoint Privilege Management for Windows will not load the settings. If you make changes to the Endpoint Privilege Management for Windows settings, redeploy the modified XML file and Endpoint Privilege Management for Windows will automatically reload the settings.

Deploy Workstyles Using PowerShell API

Use the Endpoint Privilege Management for Windows PowerShell API to configure Endpoint Privilege Management for Windows using PowerShell scripts. This enables integrations with external systems, and provides an alternative to using the BeyondTrust management consoles.

You can create and modify Endpoint Privilege Management for Windows configuration within Domain Group Policy, Local Group Policy, or any local configuration. The PowerShell API is available on any computer where the Endpoint Privilege Management Policy Editor or Endpoint Privilege Management for Windows is installed.

For more information, please see:

Windows PowerShell Execution Policy

The default PowerShell execution policy is Restricted, which stops any scripts running. To set the execution policy:

  1. Open PowerShell as an elevated application.
  2. Navigate to the Deployment folder in the EPM package.
  3. Run Set-ExecutionPolicy unrestricted -scope CurrentUser -f

For information on how to configure the setting using Group Policy, please see the Microsoft document Set-ExecutionPolicy.

Execute PowerShell Configurations

PowerShell scripts and commands which use the Get-DefendpointSettings, Set-DefendpointSettings, and Get-DefendpointFileInformation cmdlets must be executed with admin rights on the target computer. If you are elevating scripts and commands with the Endpoint Privilege Management for Windows Remote PowerShell API, you must ensure an Add Administrator Rights Custom Token has been assigned, and includes the following Groups settings:

  • Enable anti-tamper protection box is unchecked.
  • Make sure the users is always the token owner box is checked.

When using the PowerShell API to apply changes to Endpoint Privilege Management for Windows configurations stored in Active Directory Group Policy, you require domain level write access to the Group Policy Object.

Configurations created and edited with PowerShell are not backwards compatible with older Endpoint Privilege Management for Windows versions. We recommend only configurations targeting version 4.0 Clients are managed through PowerShell scripting.

Deploy Workstyles using Web Services

For instances where Active Directory Group Policy is not suitable, such as for clients outside of the corporate network, Endpoint Privilege Management for Windows configurations may be hosted on a webserver using HTTP or HTTPS. Endpoint Privilege Management for Windows can be configured to download configurations on a schedule.

Webserver configurations should be implemented as a complement to other configuration deployment methods. Workstyle precedence can be customized so that webserver configurations are evaluated with the correct priority. For more information, please see Workstyle Precedence.

Endpoint Privilege Management for Windows may be configured to pull an XML configuration from a webserver during the installation of the Client MSI or EXE, or for existing installations, can be configured using the Windows Registry.

For information on how to create an XML configuration for deployment from a webserver, please see the following:

Webserver Enabled Client Installation

To install Endpoint Privilege Management for Windows with webserver configurations enabled, use the following command line arguments:

Argument Description
WEBSERVERMODE= Enables webserver functionality (Required, 1 = Enabled)
WSP_URL= The full URL (including XML filename) to the webserver configuration (required)
WSP_INTERVAL= Refresh interval for new configuration check in minutes (optional, default 90 minutes)
WSP_LOGON= Check for new configuration at user logon (optional, default 1 = Enabled)
WSP_CERT= The Common Name for a webserver certificate. When added, restricts webserver downloads only if the common name matches the webserver certificate, and the certificate is valid.
WSP_CERTAUTHMODE=

The type of HTTPS authentication that is used:

0 = server authentication only (default)

1= client authentication and server authentication

When client authentication is used, Endpoint Privilege Management for Windows uses the FQDN of the machine to find the client certificate in the local machine certificate store.

DOWNLOADAUDITMODE= The level of auditing for attempts to download webserver configurations; 0 = No auditing, 1 = Failures only, 2 = Successes only, 3 = audit both (default)
POLICYENABLED=

The policy deployment methods which are enabled. Add this value to allow a webserver policy to be used by the Endpoint Privilege Management for Windows: WEBSERVER.

For more information, please see Deployment Methods.

Example:

Msiexec.exe /i PrivilegeManagementForWindows_x86.msi /qn /norestart WEBSERVERMODE=1 WSP_URL="http://MyWebServer.Internal/WebConfig.xml" WSP_INTERVAL=90 POLICYPRECEDENCE="WEBSERVER,GPO,LOCAL"
PrivilegeManagementForWindows_x86.exe /s /v" WEBSERVERMODE=1 WSP_URL=\"http://MyWebServer.Internal/WebConfig.xml\" WSP_INTERVAL=90 POLICYPRECEDENCE=\"WEBSERVER,GPO,LOCAL\""

Enable Webserver Policy Download Using the Registry

At any time after Endpoint Privilege Management for Windows is installed, webserver configuration may be set using the Windows registry. The following registry entries are valid:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\

Value Data Data
WebServerPolicyUrl REG_SZ Specifies the full URL (including xml filename) to the webserver configuration (Required)
WebServerPolicyRefreshIntervalMins DWORD Refresh interval for new configuration check in minutes (Optional, default 90 minutes)
WebServerPolicyRefreshAtUserLogon DWORD Check for new configuration at user logon (Optional, default 1 = Enabled)
WebServerCertificateDisplayName REG_SZ The Common Name for a webserver certificate. When added, restricts webserver downloads only if the common name matches the webserver certificate, and the certificate is valid.
WebServerCertificateAuthMode DWORD

The type of HTTPS authentication that is used:

0 = server authentication only (default)

1= client authentication and server authentication

When client authentication is used, Endpoint Privilege Management for Windows uses the FQDN of the machine to find the client certificate in the local machine certificate store.

WebServerClientCertificateIssuers REG_MULTI_SZ List of Common Names of certificates that issued a client authentication certificate. When added, the issuer is also checked when retrieving the client certificate in the local machine certificate store against the given Common Names, ordered top to bottom.
DownloadAuditMode DWORD The level of auditing for attempts to download webserver configurations (0 = No auditing, 1 = Failures only, 2 = Successes only, 3 = audit both (default))
PolicyEnabled REG_SZ

The policy deployment methods which are enabled. Add this value to allow a webserver policy to be used by the Endpoint Privilege Management for Windows: WEBSERVER.

For more information, please see Deployment Methods.

Configuration Precedence

Endpoint Privilege Management for Windows can accept multiple simultaneous configurations from any combination of the supported deployment methods:

  • Group Policy: Configurations that are stored in Group Policy Objects, configured with GPMC (Active Directory Group Policy) and GPEdit (Local Group Policy). Group Policy based configurations are evaluated according to GPO precedence rules.
  • Local Policy: A standalone configuration, which is stored locally, configured with MMC.
  • Webserver Policy: A configuration located on a web server, accessible using HTTP, HTTPS, or FTP.
  • Trellis ePO Policy: A configuration that is stored within Trellis ePO, configured with the ePO policy catalog.
  • BeyondInsight: A web-based console where you configure and launch vulnerability assessment scans. As a scan completes, a report is automatically generated. Results can be navigated interactively in the console.

Endpoint Privilege Management for Windows uses a logical precedence to evaluate each configuration for matching rules. By default, the client applies the following precedence:

ePO Policy > BeyondInsight > Webserver Policy > Group Policy > Local Policy.

Configuration precedence settings can be configured either as part of the client installation or with the Windows Registry, once the client is installed.

To modify configuration precedence at client installation, use one of the following command lines to install Endpoint Privilege Management for Windows with a specific configuration precedence:

msiexec /i PrivilegeManagementForWindows_x(XX).msi POLICYPRECEDENCE="EPO,WEBSERVER,GPO,LOCAL"
PrivilegeManagementForWindows_x(XX).exe /s /v" POLICYPRECEDENCE=\"EPO,WEBSERVER,GPO,LOCAL\"" 

In the command line arguments above, (XX) represents 86 or 64 in relation to the 32-bit or 64-bit installation respectively.

To modify configuration using the Registry, run regedit.exe with elevated privileges (ensuring you are using an Endpoint Privilege Management for Windows token with anti-tamper disabled) and navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyPrecedence = "EPO,WEBSERVER,GPO,LOCAL"

Deployment Methods

Certain types of deployment methods may be enabled or disabled. By default, all deployment types are enabled.

To include or exclude a deployment method from evaluation, edit the entries in the registry value below. If this key does not already exist, the default behavior is to include all methods:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyEnabled = "EPO,BeyondInsight,WEBSERVER,GPO,LOCAL"

In the entry above, EPO,BeyondInsight,WEBSERVER,GPO,LOCAL are the available deployment methods.

For more information, please see:

  • Advanced Agent Settings to deploy Registry settings using the Advanced Agent Settings feature.
  • Configuration Precedence to apply a configuration deployment method using Advanced Agent Settings, the setting must be applied to a type of configuration that is already part of the configuration precedence order.

Automate the Update of Multiple GPOs

Use the PGUpdateGPO.exe command line utility to automate updates to Endpoint Privilege Management for Windows settings in multiple computer or user GPOs.

PGUpdateGPO.exe COMPUTER GPODSPath [SourceXMLFile]
PGUpdateGPO.exe USER GPODSPath [SourceXMLFile]

Where:

  • GPODSPath is the LDAP path to the GPO
  • SourceXMLFile is the location of the Endpoint Privilege Management for Windows settings XML file on disk

The following command shows how to copy an XML file from the current directory to the computer section of a GPO stored in BeyondTrust.test:

PGUpdateGPO.exe COMPUTER "LDAP://BeyondTrust.test/cn={97B1DB2E-D68B-45EA-98FF-D71F9971F44C},cn=policies,cn=system,DC=BeyondTrust,DC=test" PrivilegeGuardConfig.xml

Where:

  • {97B1DB2E-D68B-45EA-98FF-D71F9971F44C} is the GUID of the GPO.