Troubleshoot

Resultant Set of Policy

Endpoint Privilege Management for Windows provides support for Resultant Set of Policy (RSoP). RSoP is usually accessed through the Group Policy Management Console (GPMC).

Endpoint Privilege Management supports one GPMC mode of operation for RSoP: Group Policy Results (RSoP logging mode), which reports the policy a computer or user has actually received.

RSoP can be used to establish which policy applies to a particular user or computer to aid troubleshooting. Detailed HTML reports are generated, which may also be exported to aid policy documentation.

Group Policy Results

To run a Group Policy Results query (RSoP logging), perform the following steps from the GPMC:

  1. Double-click the forest in which you want to create a Group Policy Results query.
  2. Right-click Group Policy Results and click Group Policy Results wizard.
  3. In the Group Policy Results wizard click Next and enter the appropriate information.
  4. After completing the wizard, click Finish.
  5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
  6. Select the Endpoint Privilege Management Settings node under the Computer Configuration node or the User Configuration node to view the RSoP HTML report for Endpoint Privilege Management for Windows.

Endpoint Privilege Management also appears in the Summary tab of the Group Policy Results node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Endpoint Privilege Management for Windows.

Endpoint Privilege Management does not appear in the Settings tab of the Group Policy Results node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Endpoint Privilege Management for Windows Workstyles for an RSoP query.
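The wizard steps above have a scriptable equivalent. The following is an added example, not part of the BeyondTrust documentation: it generates the same RSoP logging-mode report with the GroupPolicy RSAT module and reads the Component Status information (the ExtensionStatus elements of the XML report) instead of clicking through the GPMC. It assumes the GroupPolicy module is installed, that the caller has the rights RSoP logging requires, and that the extension's name in the report contains "Privilege Management" or "Defendpoint"; that name pattern is an assumption and should be adjusted to whatever the Summary tab shows in your environment.

```powershell
# Added example: command-line RSoP logging-mode query and Component Status check.
# Not BeyondTrust code. See the lead-in for the assumptions made here.

Import-Module GroupPolicy

$XmlPath  = Join-Path $env:TEMP 'epm-rsop.xml'
$HtmlPath = Join-Path $env:TEMP 'epm-rsop.html'

# XML for machine inspection, HTML for the report you attach to a case.
# Without -Computer/-User the query targets the local machine and current user.
Get-GPResultantSetOfPolicy -ReportType Xml  -Path $XmlPath  | Out-Null
Get-GPResultantSetOfPolicy -ReportType Html -Path $HtmlPath | Out-Null

[xml]$Rsop = Get-Content -Path $XmlPath -Raw

# ASSUMPTION: how the Endpoint Privilege Management client-side extension is
# named in the report. Adjust to match the Summary tab's Component Status list.
$NamePattern = 'Privilege Management|Defendpoint'

foreach ($Scope in 'ComputerResults', 'UserResults') {
    $Results = $Rsop.Rsop.$Scope
    if (-not $Results) {
        Write-Warning "$Scope is missing from the report (scope not queried or not applied)"
        continue
    }

    # One ExtensionStatus element per client-side extension that ran; this is
    # what the Summary tab renders as Component Status.
    $Matches = @($Results.ExtensionStatus) | Where-Object { $_.Name -match $NamePattern }
    if (-not $Matches) {
        Write-Warning "$Scope : no Endpoint Privilege Management extension status recorded - the CSE did not run for this scope"
        continue
    }

    foreach ($Ext in $Matches) {
        # LoggingStatus tells you whether RSoP data was collected; a non-zero
        # Error value is the first thing to chase before looking at settings.
        [pscustomobject]@{
            Scope         = $Scope
            Extension     = $Ext.Name
            Identifier    = $Ext.Identifier
            LoggingStatus = $Ext.LoggingStatus
            Error         = $Ext.Error
            EndTime       = $Ext.EndTime
        }
    }
}

Write-Host "HTML report for the Advanced View equivalent: $HtmlPath"
```

A missing ExtensionStatus entry for one scope is itself diagnostic: it means the extension was never invoked for that scope, which usually points at GPO linking or filtering rather than at the Endpoint Privilege Management settings themselves. The Workstyle contents still have to be read through the Advanced View, as the text above explains, because third-party extension settings are not rendered in the Settings tab or the HTML report.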

Check Endpoint Privilege Management for Windows is Installed and Functioning

If you are having problems, the first step is to check that you installed the client and the client is working.

  • BeyondTrust Endpoint Privilege Management System Tray: The system tray user interface of Endpoint Privilege Management for Windows, used for messages and end user interaction.
  • Avecto Defendpoint Service: The Endpoint Privilege Management for Windows service that manages interaction with PGDriver.
  • PGDriver: A kernel driver that communicates with Avecto Defendpoint Service.

The easiest way to determine whether the client is installed and working is to check for the existence of the Avecto Defendpoint Service in the Services app provided by Windows. Ensure this service is both present and started. The Avecto Defendpoint Service is installed by Endpoint Privilege Management for Windows and should start automatically.

The Endpoint Privilege Management for Windows service requires MSXML6 to load the Endpoint Privilege Management for Windows settings, but the service still runs even if MSXML6 is not present. A running service therefore does not by itself prove that settings were loaded; check that MSXML6 is installed as well.
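The three checks above (service present and started, kernel driver loaded, MSXML6 available) can be run in one go. The following is an added example, not BeyondTrust code. It assumes the service is found by the display name "Avecto Defendpoint Service" given above, that the kernel driver is registered under the service name "PGDriver" (an assumption taken from the component name; confirm it on a known-good machine), and that MSXML6 is detected by the presence of msxml6.dll in System32.

```powershell
# Added example: local health check for the Endpoint Privilege Management client.
# Not BeyondTrust code. Driver name and MSXML6 detection method are assumptions.

function Test-EpmClientHealth {
    [CmdletBinding()]
    param()

    $Result = [ordered]@{}

    # 1. User-mode service, located by the display name the documentation gives.
    $Svc = Get-Service | Where-Object { $_.DisplayName -eq 'Avecto Defendpoint Service' }
    $Result.ServicePresent = [bool]$Svc
    $Result.ServiceRunning = [bool]($Svc -and $Svc.Status -eq 'Running')
    $Result.ServiceStartMode = if ($Svc) {
        # Should be Auto; anything else explains a client that "works until reboot".
        (Get-CimInstance Win32_Service -Filter "Name='$($Svc.Name)'").StartMode
    } else { $null }

    # 2. Kernel driver. Get-Service does not list kernel drivers, so query
    #    Win32_SystemDriver instead. ASSUMPTION: registered as 'PGDriver'.
    $Drv = Get-CimInstance Win32_SystemDriver -Filter "Name='PGDriver'"
    $Result.DriverPresent = [bool]$Drv
    $Result.DriverRunning = [bool]($Drv -and $Drv.State -eq 'Running')

    # 3. MSXML6. The service starts without it but cannot load its settings,
    #    so a green service with no MSXML6 is a broken client.
    $Result.Msxml6Present = Test-Path (Join-Path $env:SystemRoot 'System32\msxml6.dll')

    # Overall verdict: everything the text says must be present and running.
    $Result.Healthy = $Result.ServiceRunning -and $Result.DriverRunning -and $Result.Msxml6Present

    if ($Result.ServiceRunning -and -not $Result.Msxml6Present) {
        Write-Warning 'Service is running but MSXML6 is missing: settings cannot be loaded.'
    }

    [pscustomobject]$Result
}

Test-EpmClientHealth
```

Run it in an elevated session on the affected endpoint; if Healthy is false, the individual fields tell you which of the three components to look at before moving on to the settings and licensing checks that follow.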

Check Settings are Deployed

Assuming Endpoint Privilege Management for Windows is installed and functioning, the next step is to check that you deployed settings to the computer or user.

You can use RSoP logging mode to determine whether the computer has received settings. Assuming the RSoP query shows that Endpoint Privilege Management for Windows settings are applied, you should check the contents of the settings (including licensing and Workstyle precedence).

Check Endpoint Privilege Management for Windows is Licensed

One of the most common reasons for Endpoint Privilege Management for Windows not functioning is the omission of a valid license from the Endpoint Privilege Management for Windows settings. If you are creating multiple GPOs, then you must ensure the computer or user receives at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of Endpoint Privilege Management for Windows settings that you create.

Check Workstyle Precedence

Assuming Endpoint Privilege Management for Windows is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems.

Once an application matches an Application Group entry in the Application Rules or the On-Demand Application Rules, processing does not continue for that application. Therefore, it is vital you order your entries correctly:

  • If you create multiple Workstyles, Workstyles higher in the list have a higher precedence.
  • If you have multiple rules in the Application Rules and the On-Demand Application Rules sections of a Workstyle, entries higher in the list have a higher precedence.

Application Rules are applied to applications that are launched either directly by the user or by a running process. On-Demand Application Rules are only applied to applications that are launched from the Endpoint Privilege Management for Windows shell menu (if enabled).

If you have multiple GPOs applying to a user and/or computer, you should ensure GPO precedence rules are not causing the problem. If multiple GPOs are applied to a computer or user, Endpoint Privilege Management for Windows merges the computer GPOs and user GPOs by following Group Policy precedence rules. Once merged, the user Workstyles take precedence over the computer Workstyles. In other words, the computer Workstyles are only processed if an application does not match an entry in the user Workstyles.

For this reason, we strongly recommend that you do not create over-complex rules that rely on the merging of many GPOs, as this can become difficult to troubleshoot. If, however, it makes sense to split rules over multiple GPOs, you should make use of RSoP to ensure Workstyles are combined correctly. You must also remember that computer and user Workstyles are processed separately, with user Workstyles always processed ahead of computer Workstyles, if both exist.
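The matching order described in this section (user Workstyles before computer Workstyles, Workstyles and rules consulted top-down, first match ends processing, On-Demand Application Rules consulted only for shell-menu launches) is easier to reason about when written down as a procedure. The following is an added example, not BeyondTrust code and not the product's matching engine: a small model of that order that you can feed an executable path and your own Workstyle lists to see which rule would win. The Workstyle names, Application Groups, path patterns and actions are constructed for the example, and the model simplifies by treating a shell-menu launch as consulting only the On-Demand Application Rules.

```powershell
# Added example: a model of Workstyle and rule precedence as described in the
# text. Not BeyondTrust code; all Workstyles and rules below are constructed.

function New-Rule ([string]$Group, [string]$PathLike, [string]$Action) {
    # A rule is an Application Group entry: a wildcard path match and an action.
    [pscustomobject]@{ Group = $Group; PathLike = $PathLike; Action = $Action }
}

function Resolve-Workstyle {
    param(
        [string]  $ExePath,
        [object[]]$UserWorkstyles,      # already merged by GPO precedence, highest first
        [object[]]$ComputerWorkstyles,  # likewise
        [switch]  $OnDemand             # launched from the shell menu?
    )
    # User Workstyles are processed first; computer Workstyles are consulted
    # only if no user Workstyle matched the application.
    $Scopes = @(
        @{ Scope = 'User';     Set = $UserWorkstyles }
        @{ Scope = 'Computer'; Set = $ComputerWorkstyles }
    )
    foreach ($Source in $Scopes) {
        foreach ($Ws in $Source.Set) {
            $Rules = if ($OnDemand) { $Ws.OnDemandRules } else { $Ws.ApplicationRules }
            foreach ($Rule in $Rules) {
                if ($ExePath -like $Rule.PathLike) {
                    # First match wins: nothing lower in this Workstyle, in any
                    # later Workstyle, or in the other scope is consulted.
                    return [pscustomobject]@{
                        Scope = $Source.Scope; Workstyle = $Ws.Name
                        Group = $Rule.Group;   Action    = $Rule.Action
                    }
                }
            }
        }
    }
    return $null   # no rule matched; default behaviour applies
}

# Constructed Workstyles. Note the computer Workstyle blocks mmc.exe while a
# user Workstyle elevates it, and that the block rule sits above a broader rule.
$ComputerWorkstyles = @(
    [pscustomobject]@{
        Name = 'Developers'
        ApplicationRules = @(
            New-Rule 'Block Admin Tools' '*\System32\mmc.exe'        'Block'
            New-Rule 'Dev Tools'         '*\Program Files\DevTools\*' 'Elevate'
        )
        OnDemandRules = @( New-Rule 'Installers' '*.msi' 'Elevate' )
    }
)
$UserWorkstyles = @(
    [pscustomobject]@{
        Name = 'Help Desk'
        ApplicationRules = @( New-Rule 'Admin Tools' '*\System32\mmc.exe' 'Elevate' )
        OnDemandRules = @()
    }
)

Resolve-Workstyle -ExePath 'C:\Windows\System32\mmc.exe' -UserWorkstyles $UserWorkstyles -ComputerWorkstyles $ComputerWorkstyles
Resolve-Workstyle -ExePath 'C:\Windows\System32\mmc.exe' -UserWorkstyles @()             -ComputerWorkstyles $ComputerWorkstyles
Resolve-Workstyle -ExePath 'C:\Temp\setup.msi'           -UserWorkstyles $UserWorkstyles -ComputerWorkstyles $ComputerWorkstyles -OnDemand
Resolve-Workstyle -ExePath 'C:\Temp\setup.msi'           -UserWorkstyles $UserWorkstyles -ComputerWorkstyles $ComputerWorkstyles
```

The four calls illustrate the points in the text: with a user Workstyle present, mmc.exe is elevated by Help Desk and the computer block rule is never reached; with no user Workstyles, the same launch is blocked by Developers; the installer is elevated only when launched on demand from the shell menu; and launched directly it matches nothing, because On-Demand Application Rules are not consulted for direct launches. When a real endpoint disagrees with what you expect, compare the merged order RSoP shows you against the order you assumed when writing the rules.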