Upgrade Privilege Management for Windows

Before upgrading any versions of Privilege Management for Windows software or existing settings, we recommend you test your deployment in a preproduction environment. This will help mitigate any unforeseen compatibility issues, and avoid disruption to the business. In addition, you should export your policies for backup purposes prior to an upgrade.

All Privilege Management for Windows MSI and EXE installers automatically remove old versions of BeyondTrust software when installed. Therefore, it is not necessary to manually remove old versions prior to installation.

If you previously installed Privilege Management for Windows with a switch, you must ensure you upgrade Privilege Management for Windows with the same switch. If you do not use the same switch, the new installation parameters apply and any functionality relating to the previous installation is lost.

Privilege Management for Windows guarantees backward compatibility with previous versions, but does not guarantee forward compatibility. Therefore, we recommend upgrading all Privilege Management for Windows installations before rolling out new versions.

When upgrading BeyondTrust software, a reboot may be necessary to complete the installation. When installing in silent mode, a reboot will occur automatically. Therefore, we recommend that upgrades be performed outside core business hours, or during scheduled maintenance windows, to avoid loss of productivity.

Use Policy Precedence in a Migration Scenario

During any migration from one Privilege Management platform to another, you can use the POLICYPRECEDENCE parameter to provide policy redundancy. For example, you might be migrating from BeyondTrust's ePO platform to BeyondInsight or PMC and want to ensure there is zero policy downtime during the migration.

Add the POLICYPRECEDENCE parameter to the client install syntax. Existing policy continues to apply until superseded by the new platform policy.

POLICYPRECEDENCE="WEBSERVICE,GPO,LOCAL"
POLICYPRECEDENCE="WEBSERVICE,EPO,LOCAL"
POLICYPRECEDENCE="WEBSERVICE,BEYONDINSIGHT,LOCAL"
POLICYPRECEDENCE="WEBSERVICE,WEBSERVER,LOCAL"

The complete install syntax may look something like this:

Msiexec.exe /i PrivilegeManagementForWindows_x.xxx.x.msi IC3MODE=1 POLICYPRECEDENCE="WEBSERVICE,GPO,LOCAL" /qn /norestart

Recommended Steps

 

As of release 5.5, all releases of this product are signed with BeyondTrust Corporation, rather than Avecto, as the software publisher name. If prior to 5.5 you used the QuickStart Policy Template as a starting point, it is likely that your configuration will include Application Groups which target our own applications based on a publisher match to Avecto. An upgrade to 5.5 or beyond requires you to update your configuration so that it continues to match the versions of the applications and tools that you use. We recommend one of the following two options:

Option 1

Add a copy of any existing application definitions which target Avecto and update those copies to target BeyondTrust Corporation instead; the presence of both sets of application definitions ensures they continue to match both new and existing versions during the implementation of 5.5. This option has an advantage over Option 2, in that it also targets any application definitions that you may have created yourself that target the Avecto publisher.

Option 2

You may copy fragments of the QuickStart policies in version 5.5 to your existing application definitions.

For either option, it is critical that you roll out your configuration changes before you update your Privilege Management for Windows software to version 5.5 or later.
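A pre-upgrade check for Option 1, as an added example (not BeyondTrust code): it scans a configuration XML for certificate-matched definitions that still target Avecto and have no BeyondTrust Corporation copy in the same group. The Application attributes follow the clipboard fragments shown on this page; the ApplicationGroup wrapper, its Name attribute and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

OLD_PUBLISHER = "Avecto"                   # old publisher name from the page
NEW_PUBLISHER = "BeyondTrust Corporation"  # new publisher name from the page

# Constructed sample. The ApplicationGroup element, its Name attribute and
# the placeholder IDs are hypothetical; adapt them to your exported policy.
SAMPLE = """<Config>
  <ApplicationGroup Name="(Default) Privilege Management Tools">
    <Application ID="00000000-0000-0000-0000-000000000001" Type="exe"
      FileName="TraceConfig.exe" CheckCertificate="true" Certificate="Avecto"/>
    <Application ID="00000000-0000-0000-0000-000000000002" Type="exe"
      FileName="TraceConfig.exe" CheckCertificate="true"
      Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/>
    <Application ID="00000000-0000-0000-0000-000000000003" Type="exe"
      FileName="PGCaptureConfig.exe" CheckCertificate="true" Certificate="Avecto"/>
  </ApplicationGroup>
</Config>"""


def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _key(app):
    """Identity used to pair an old definition with its updated copy."""
    return (app.get("Type"), (app.get("FileName") or "").lower())


def unpaired_avecto_definitions(xml_text):
    """Return (group, Type, FileName) for every definition that checks the
    Avecto publisher and has no BeyondTrust Corporation copy beside it."""
    missing = []
    for parent in ET.fromstring(xml_text).iter():
        apps = [a for a in parent if local(a.tag) == "Application"
                and a.get("CheckCertificate", "").lower() == "true"]
        covered = {_key(a) for a in apps
                   if NEW_PUBLISHER.lower() in a.get("Certificate", "").lower()}
        for a in apps:
            old = OLD_PUBLISHER.lower() in a.get("Certificate", "").lower()
            if old and _key(a) not in covered:
                group = parent.get("Name", local(parent.tag))
                missing.append((group, a.get("Type"), a.get("FileName")))
    return missing


if __name__ == "__main__":
    for group, kind, name in unpaired_avecto_definitions(SAMPLE):
        print(f"no {NEW_PUBLISHER} copy: {group} / {kind} / {name}")
```

An empty result means every Avecto-matched definition has an updated copy, which is the state the configuration should be in before clients move to 5.5.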

Step 1: Upgrade the Privilege Management Policy Editor

For steps to upgrade the Privilege Management Policy Editor, please see Install the Privilege Management Policy Editor.

Step 2: Upgrade Application Groups to Match Publisher Name BeyondTrust Corporation (When Upgrading to Version 5.5)

  1. Locate all Avecto matches:
    • Select the Application Groups node.
    • Type Avecto into the Search applications box to filter.

Search application groups in an upgrade scenario

  2. Create a copy of all definitions in each Application Group found that contain a publisher match on Avecto:
    • Copy and paste the existing definitions.

Copy application groups in an upgrade scenario

Rename one of the copies to OLD, so it’s easy to tell which to delete after the new application definitions take effect. OLD can be deleted once the 5.5 upgrade is complete.

  3. Update the new application definitions to match publisher BeyondTrust Corporation.
  4. Test the updated configuration against the new 5.5 applications.

  1. Ensure that Hidden Groups are visible by right-clicking the Privilege Management Settings node. Enable Show Hidden Groups.
  2. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="95402cc1-3301-49ec-8108-7ee359c55018" Type="exe" Description="BeyondTrust Privilege Management ETW Trace Formatter" OpenDlgDropRights="true" CheckFileName="true" FileName="TraceFormat.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management ETW Trace Formatter" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/><Application ID="d30f3395-2f7f-4a2e-b8e5-6d3073976dc0" Type="exe" Description="Performance Log Utility" OpenDlgDropRights="true" CheckFileName="true" FileName="logman.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="Microsoft® Windows® Operating System" ProductDesc="Performance Log Utility" CheckCertificate="true" Certificate="Microsoft Windows" CertificateStringMatchType="Exact"/></ClipboardItems></ClipboardText>
  3. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  4. Create an Application Group (Default) Child Processes of TraceConfig.exe.
  5. Select the middle pane and paste what you have copied.

Select the Hidden check box on an application group Properties dialog box.

  1. Right-click the Application Group, select Properties, and check the Hidden box.

 

  1. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="511e21b7-b059-42ca-bcfe-03ca4c5ecf58" Type="exe" Description="Privilege Management Config Capture Utility" ChildrenInheritToken="true" OpenDlgDropRights="true" CheckFileName="true" FileName="PGCaptureConfig.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management Config Capture Utility" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/><Application ID="7995df95-0031-460f-a5e3-cfd2b12758d8" Type="exe" Description="Privilege Management TraceConfig" ChildrenInheritToken="true" OpenDlgDropRights="true" CheckFileName="true" FileName="TraceConfig.exe" FileStringMatchType="Contains" UseSourceFileName="true" ProductName="BeyondTrust Privilege Management" ProductDesc="BeyondTrust Privilege Management Config Capture Utility" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact" ChildApplicationGroup="a1d8ab16-5b3d-42d1-a90d-e069d741f7b1"/></ClipboardItems></ClipboardText>
  2. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  3. Select the Application Group (Default) Privilege Management Tools.
  4. Select the middle pane and paste what you have copied.
  5. Double-click the Privilege Management TraceConfig application definition.

Select the option: (Default) Child Processes of TraceConfig.exe.

  1. In the Allow child processes to match the application definition option in the Application dialog, choose (Default) Child Processes of TraceConfig.exe from the dropdown.

 

  1. Copy the following text:
    <ClipboardText><ClipboardResources><Config/></ClipboardResources><ClipboardItems><Application ID="52a1ef23-b71b-4c3b-836c-c228a7343e33" Type="msi" Description="Any Privilege Management Client Installer Package" ChildrenInheritToken="true" OpenDlgDropRights="true" FileName="*" FilePatternMatching="true" UseSourceFileName="true" CheckProductName="true" ProductName="Privilege Management" ProductNameStringMatchType="Contains" CheckCertificate="true" Certificate="BeyondTrust Corporation" CertificateStringMatchType="Exact"/></ClipboardItems></ClipboardText>
  2. Paste into a text editor and replace new lines with single spaces. Copy the text again.
  3. Select the Application Group Block - Blocked Apps.
  4. Select the middle pane and paste what you have copied.

Step 3: Upgrade Privilege Management for Windows Settings

Once the Privilege Management Policy Editor has been upgraded, the final step is to roll out new versions of the Privilege Management for Windows settings. Although Privilege Management for Windows is fully backwards compatible with older versions of Privilege Management for Windows settings, this step is required if you want to take advantage of any new features and enhancements in Privilege Management for Windows.

Privilege Management for Windows settings are automatically saved in the latest format each time a change is made. For details on editing Privilege Management for Windows settings, please see Deploy Privilege Management for Windows Policy.

Once Privilege Management for Windows settings have been upgraded, they cannot be downgraded. Therefore, we recommend that Privilege Management for Windows settings be upgraded only after all instances of Privilege Management for Windows have been upgraded.

Step 4: Upgrade Privilege Management for Windows

To upgrade Privilege Management for Windows manually, double-click the client installation media for your operating system.

For larger deployments, Privilege Management for Windows supports mixed client environments, as it is fully backwards compatible with older versions of Privilege Management for Windows settings. This allows for phased roll-outs of Privilege Management for Windows, if preferred.

For steps to upgrade Privilege Management for Windows using a deployment mechanism, please see Install Privilege Management for Windows.

Step 5: Delete Old Application Definitions (Upgrade from 5.4)

Once all machines are running version 5.5, it is safe to delete any application definitions still matching the publisher Avecto from your configuration and to deploy that configuration.