Behavior when Policy Certificate Verification Fails

When Endpoint Privilege Management for Windows settings are signed, you may want certificate revocation to be enforced promptly. This scenario is most common for clients that cannot reach the CRL source because they are off the corporate network for extended periods of time.

By default, Endpoint Privilege Management for Windows accepts certificates whose revocation status cannot be confirmed through the Microsoft Crypto APIs, either from cached information or directly from the CRL source.

If agent protection is configured, you must first disable agent protection on the machine before you can change settings in the Registry Editor.

The following registry configuration may be used to change the default behavior:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client\

DWORD "CRLNetworkErrorFailOpen" = 0

Failure to retrieve the CRL is treated as an error and the policy is not loaded.

DWORD "CRLNetworkErrorFailOpen" = 1

Failure to retrieve the CRL is treated as a warning and the policy is still loaded. This is the default behavior if the registry value has not been configured.
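The following PowerShell script is an added example, not part of the BeyondTrust documentation or product. It audits the CRLNetworkErrorFailOpen value, reports the effective behavior (treating an absent value as the documented default of 1), and switches the endpoint to fail-closed. It assumes an elevated PowerShell session and that agent protection, if configured, has already been disabled as described above; the function names are the example's own.

```powershell
# Added example (not BeyondTrust code): audit and set CRLNetworkErrorFailOpen.
# Assumes an elevated session and that agent protection has been disabled first.

$KeyPath   = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'   # documented key
$ValueName = 'CRLNetworkErrorFailOpen'                          # documented value

function Get-CrlFailOpenState {
    # Report the effective behaviour. An absent value means the documented
    # default applies: fail open (1), so policy still loads on CRL errors.
    $value = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $value) {
        return [pscustomobject]@{
            Configured = $false
            Value      = 1
            Behaviour  = 'Fail open (default): CRL retrieval failure is a warning, policy still loads'
        }
    }
    switch ($value) {
        0       { $behaviour = 'Fail closed: CRL retrieval failure is an error, policy is not loaded' }
        1       { $behaviour = 'Fail open: CRL retrieval failure is a warning, policy still loads' }
        default { $behaviour = "Unexpected value $value; only 0 and 1 are documented" }
    }
    return [pscustomobject]@{ Configured = $true; Value = $value; Behaviour = $behaviour }
}

function Set-CrlFailOpenState {
    # Write the DWORD (creating the key if needed) and return the new state.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$FailOpen)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $FailOpen -Force | Out-Null
    Get-CrlFailOpenState
}

# Usage: show the current state, enforce fail-closed, then confirm the change.
Get-CrlFailOpenState | Format-List
Set-CrlFailOpenState -FailOpen 0 | Format-List
```

Before rolling out the fail-closed value (0) fleet-wide, confirm from the audit output which endpoints are still on the default and verify that they can reach the CRL distribution point, since a client that cannot fetch the CRL will refuse to load newly delivered signed settings.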

The CRL is cached when downloaded and honored until its Time To Live (TTL) has expired (standard Microsoft CryptoAPI behavior). The TTL is determined by the configuration of the issuing Certificate Authority, which may be set according to your requirements. Microsoft Group Policy provides centralized configuration in this area. Security and usability need to be balanced according to your organization's risk tolerance.

Prior settings from the same source type (GPO, HTTP, etc.) are deleted before the newly acquired settings are verified. If invalid settings are delivered and no valid settings from other sources are in place, this can leave the endpoint with no policy in effect.