Sign Privilege Management for Windows Settings

The Privilege Management for Windows settings may be digitally signed. Privilege Management for Windows can either enforce or audit the loading of signed settings.

Privilege Management for Windows Installation Mode Parameters

Privilege Management for Windows verifies the certificate on any signed settings that it loads, regardless of where those settings originate. The verification process includes:

  • Checking that the contents of the settings have not been altered
  • Establishing a chain of trust
  • Checking that the certificate used to sign the settings contains the Privilege Management for Windows Configuration Signing OID in its Enhanced Key Usage extension
  • Checking for revocation where network connectivity allows

Should the signature verification process fail for any reason, the course of action to take depends on the mode of operation. There are three modes of operation in Privilege Management for Windows. The mode is set via a command line option during installation:

Parameter: Description

CERT_MODE=0: Standard Mode

The loading of unsigned settings is audited as information events (event 200). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed.

Privilege Management for Windows is installed in Standard Mode by default.

CERT_MODE=1: Certificate Warning Mode

The loading of unsigned settings is audited as warning events (event 201). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed.

CERT_MODE=2: Certificate Enforcement Mode

Unsigned or incorrectly signed settings are not loaded and are audited as error events (event 202). Signed settings are audited as information events (event 200) if they are correctly signed.
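The mode table above read in reverse, as an added example that is not vendor code: given the CERT_MODE a host was installed with and the event ID it logged, it lists which signature states could have produced that event. It shows that in Standard Mode event 200 cannot distinguish unsigned from correctly signed settings. The host names, state labels, verdict names and the install inventory are assumptions constructed for illustration.

```python
# Added example (not vendor code): interpret events 200/201/202 per CERT_MODE.
STATES = ("valid", "unsigned", "invalid")  # correctly signed / unsigned / incorrectly signed

def expected_event(cert_mode, state):
    """Event ID the table above gives for settings in `state` under `cert_mode`."""
    if cert_mode not in (0, 1, 2) or state not in STATES:
        raise ValueError(f"unknown mode/state: {cert_mode!r}/{state!r}")
    if state == "valid":
        return 200                          # information event in every mode
    if cert_mode == 2:
        return 202                          # enforcement: not loaded, error event
    if state == "invalid":
        return 201                          # warning event in modes 0 and 1
    return 200 if cert_mode == 0 else 201   # unsigned: info in mode 0, warning in mode 1

def possible_states(cert_mode, event_id):
    """Inverse lookup: which signature states could have produced this event?"""
    return [s for s in STATES if expected_event(cert_mode, s) == event_id]

def verdict(cert_mode, event_id):
    """Classify one logged event for triage (verdict names are hypothetical)."""
    states = possible_states(cert_mode, event_id)
    if not states:
        return "mode-mismatch"              # event impossible for the recorded mode
    if states == ["valid"]:
        return "ok"
    if "valid" in states:
        return "ambiguous"                  # mode 0: event 200 also covers unsigned settings
    return "review"                         # unsigned or incorrectly signed settings

# Constructed sample records: (host, CERT_MODE from install inventory, event ID seen).
SAMPLE = [
    ("ws-01", 0, 200),
    ("ws-02", 0, 201),
    ("ws-03", 1, 200),
    ("ws-04", 1, 201),
    ("ws-05", 2, 202),
    ("ws-06", 0, 202),
]

def triage(records):
    """Map each host to a verdict for the event it logged."""
    return {host: verdict(mode, event) for host, mode, event in records}

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```

A "mode-mismatch" result means the event cannot occur under the recorded mode, which points at a stale inventory or a client installed with a different CERT_MODE than expected.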

To install the client MSI package silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

    MSIEXEC.exe /i PrivilegeManagementForWindows_x64.msi /qn CERT_MODE=1

or

    MSIEXEC.exe /i PrivilegeManagementForWindows_x86.msi /qn CERT_MODE=1

To install the client executable silently in Certificate Warning Mode, use the following command line (the syntax must be copied exactly):

    PrivilegeManagementForWindows_x64.exe /s /v" /qn CERT_MODE=1"

or

    PrivilegeManagementForWindows_x86.exe /s /v" /qn CERT_MODE=1"