Install Privilege Management for Windows

Privilege Management for Windows requires that Windows short file name creation be enabled.

Client Packages

To install Privilege Management for Windows, run the appropriate installation package:

  • For 32-bit (x86) systems, run PrivilegeManagementForWindows_x86.exe.
  • For 64-bit (x64) systems, run PrivilegeManagementForWindows_x64.exe.

The installation prompts you to install missing prerequisites.

Privilege Management for Windows may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.

There is no license to add during the client installation, as this is deployed with the Privilege Management for Windows Workstyles, so the client may be installed silently.


As of version 5.5, all releases of Privilege Management for Windows are signed only with a SHA-256 code signing certificate. Previous versions were dual signed with SHA-1 and SHA-256 certificates. The decision to drop SHA-1 certificates was made to avoid weaknesses in the SHA-1 algorithm and to align to industry security standards. For more information, please see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

If you intend to deploy Privilege Management for Windows 5.5 to Windows 7 or Windows Server 2008 R2 machines, you must ensure the following KBs are installed prior to installation of this product:

We strongly recommend you keep your systems up to date with the latest Windows security updates.

Bad Image exception

Installing this release on a system which does not support SHA-256 code signing verification results in "Bad Image" exceptions referring to PGHook.dll.


Unattended Client Deployment

When deploying Privilege Management for Windows with automated deployment technologies, such as System Center Configuration Manager (SCCM), you can deploy the client silently and postpone the computer from restarting.

To install the client executable silently, without a reboot, use the following command line (the double quotes are required and the syntax must be copied exactly):

PrivilegeManagementForWindows_x86.exe /s /v" /qn /norestart"

To install the client MSI package silently, without a reboot, use the following command line:

Msiexec.exe /i PrivilegeManagementForWindows_x86.msi /qn /norestart

Privilege Management for Windows will not be fully operational until a reboot. To perform an unattended deployment with a reboot, omit the /norestart switch.

Configure an Alternate Event Log Location

You can configure an alternate event log location in the following ways:

  • From the client installer (initial installation or upgrade)
  • In Windows registry after installation

Privilege Management for Windows event log locations in the Event Viewer

The default location is Windows Logs\Application. The alternate location is Application and Services Logs\BeyondTrust Privilege Management.


Set the Event Log Location Using the Installer

When running the installer, enter the parameter and value as shown:

msiexec.exe /i PrivilegeManagementForWindows_x64.msi APPEVENTLOGTYPE=1


PrivilegeManagementForWindows_x64.exe /v"APPEVENTLOGTYPE=1"

Change the Event Log Location in Windows Registry

If the client is already installed, set the value in the registry.

Run regedit.exe with elevated privileges and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client



0: Windows Logs\Application

1: Application and Services Logs\BeyondTrust Privilege Management

You must restart the service after changing the value.