Sign Endpoint Privilege Management for Windows Settings

The Endpoint Privilege Management for Windows settings may be digitally signed. Endpoint Privilege Management for Windows can either enforce or audit the loading of signed settings.

Endpoint Privilege Management for Windows Installation Mode Parameters

Endpoint Privilege Management for Windows verifies the certificate on any signed settings that it loads, regardless of where those settings originate. The verification process includes:

Checking that the contents of the settings have not been altered
Establishing a chain of trust
Checking the certificate used to sign the settings contains the Endpoint Privilege Management for Windows configuration Signing OID in its Enhanced Key Usage extension
Checking for revocation where network connectivity allows

Should the signature verification process fail for any reason, the course of action to take depends on the mode of operation. There are three modes of operation in Endpoint Privilege Management for Windows. The mode is set via a command line option during installation:

Parameter	Description
CERT_MODE=0	Standard Mode The loading of unsigned settings is audited as information events (event 200). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed. Endpoint Privilege Management for Windows is installed in Standard Mode by default.
CERT_MODE=1	Certificate Warning Mode The loading of unsigned settings is audited as warning events (event 201). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed.
CERT_MODE=2	Certificate Enforcement Mode Unsigned or incorrectly signed settings are not loaded and audited as error events (event 202). Signed settings are audited as information events (event 200) if they are correctly signed.

Parameter

Description

CERT_MODE=0

Standard Mode

The loading of unsigned settings is audited as information events (event 200). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed.

Endpoint Privilege Management for Windows is installed in Standard Mode by default.

CERT_MODE=1

Certificate Warning Mode

The loading of unsigned settings is audited as warning events (event 201). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed.

CERT_MODE=2

Certificate Enforcement Mode

Unsigned or incorrectly signed settings are not loaded and audited as error events (event 202). Signed settings are audited as information events (event 200) if they are correctly signed.

To install the client MSI package silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

MSIEXEC.exe /i PrivilegeManagementForWindows_x64.msi /qn CERT_MODE=1

MSIEXEC.exe /i PrivilegeManagementForWindows_x86.msi /qn CERT_MODE=1

To install the client executable silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

PrivilegeManagementForWindows_x64.exe /s /v" /qn CERT_MODE=1"

PrivilegeManagementForWindows_x86.exe /s /v" /qn CERT_MODE=1"