Create and Edit Signed Settings

To digitally sign Endpoint Privilege Management for Windows settings, a PFX file containing an appropriate certificate and private key must be supplied, alongside the corresponding password for the PFX file.

For settings to be correctly signed, the certificate must have an OID that is specific to BeyondTrust Endpoint Privilege Management for Windows. The chain of trust and revocation status are also checked by Endpoint Privilege Management for Windows. If the settings have been tampered with since signing, the settings also fail the signing check.
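The following PowerShell script is an added example, not BeyondTrust code. It approximates the certificate checks described above so that a PFX can be vetted before it is used for signing. It assumes the product-specific OID is carried in the Enhanced Key Usage extension; the `$RequiredOid` default is a placeholder, and the parameter names are hypothetical.

```powershell
# Added example (not BeyondTrust code): pre-flight check of a signing PFX.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    # Placeholder: substitute the OID given in the vendor's PFX creation guide.
    [string] $RequiredOid = '<EPM-for-Windows-OID>'
)

$x509     = 'System.Security.Cryptography.X509Certificates'
$fullPath = (Resolve-Path $PfxPath).Path
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Opening the PFX confirms the password and exposes the signing certificate.
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $fullPath, $password

try {
    # Assumption: the product OID appears in the Enhanced Key Usage extension.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain of trust with online revocation checking.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chainOk = $chain.Build($cert)

    # One summary object: every field should be acceptable before signing.
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        HasRequiredOid = $ekuOids -contains $RequiredOid
        ChainValid     = $chainOk
        ChainProblems  = ($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation)" }) -join '; '
    }
}
finally {
    # Release the private key handle loaded from the PFX.
    $cert.Dispose()
}
```

The chain is built against the certificate stores of the machine running the script, so run it on a host whose trusted roots match those of the managed endpoints.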

To digitally sign the Endpoint Privilege Management for Windows settings:

  1. Select the BeyondTrust Settings node.
  2. Right-click and select Digitally Sign.
  3. The Digitally sign your BeyondTrust Settings wizard appears.
  4. Check the Sign the settings with the following private key option.
  5. Click the Select key button and browse for the PFX file that contains the digital certificate.
  6. Enter the password for the PFX file.
  7. Click Finish.

To remove the digital signature from the Endpoint Privilege Management for Windows settings:

  1. Select the Endpoint Privilege Management Settings node.
  2. Right-click and click Digitally Sign.
  3. The Digitally sign your Endpoint Privilege Management Settings wizard appears.
  4. Select the Do not sign the settings option.
  5. Click Finish.

Once the Endpoint Privilege Management for Windows settings are digitally signed, the Endpoint Privilege Management Policy Editor prompts the administrator for the corresponding PFX password when the settings are opened.

Signed Endpoint Privilege Management Settings dialog box

To modify the signed settings, you must enter a valid password for the PFX. Alternatively, you can choose to remove the certificate from the settings, or open the settings in Read Only mode. Canceling this prompt automatically opens the settings in Read Only mode.

For more information about creating certificates suitable for use with Endpoint Privilege Management for Windows, see Create a PFX File for Use With Endpoint Privilege Management for Windows.