Launch the Privilege Management Policy Editor

The Privilege Management Policy Editor is accessed as a snap-in to the Microsoft Management Console.

From your administrator account, launch the Microsoft Management Console (MMC.exe). Type MMC into the Search Box from the Start Menu and press the Enter key.

You cannot edit policy in the Privilege Management Policy Editor and Privilege Management Cloud Policy Editor at the same time.

To add Privilege Management for Windows as a snap-in to the console:

  1. Select File from the menu bar and select Add/Remove Snap-in.
  2. Scroll down the list and select the Privilege Management Settings snap-in. Click Add and then click OK.
  3. Optionally, select File > Save as and save a shortcut for the snap-in to the desktop as Privilege Management.
  4. Select the Privilege Management Settings node in the left pane and select the operating system node to display the main screen in the details pane.

Navigate the Policy Editor

Navigate the Privilege Management for Windows Policy Editor

The left pane containing the Privilege Management Settings item is referred to as the Tree pane. The folders beneath Privilege Management Settings in the tree pane are referred to as Nodes. The middle pane, which displays content relevant to the selected node, is referred to as the Details pane.


When you expand the Privilege Management Settings node, three nodes display:

  1. Windows: Create Privilege Management policy for Windows endpoints.
  2. OS X: Create Privilege Management policy for macOS endpoints.
  3. Licensing: Manage Privilege Management licenses.

When you expand the Windows node, you see five nodes:

  1. Workstyles: Assign privileges to applications.
  2. Application Groups: Define logical groupings of applications.
  3. Content Groups: Define specific file content.
  4. Messages: Define end user messages.
  5. Custom Tokens: Define custom access tokens.

Once a Workstyle is created and selected in the tree pane, the Workstyle tabs are displayed in the details pane.

Automatic Save

By default, the Privilege Management Settings editor automatically saves any changes back to the appropriate GPO (or local XML file, if you are using the standalone console).

Automatic saving can be disabled, by deselecting the Auto Commit Settings menu option on the Privilege Management Settings node, but we do not recommend it unless you have performance issues. If you deselect the Auto Commit Settings option, then you must select the Commit Settings menu option to manually save any changes back to the GPO. The Auto Commit Settings option is persisted to your user profile, so it is set for all future editing of Privilege Management for Windows settings.