Privilege Management for Windows Application Templates

Privilege Management for Windows ships with some standard application templates to simplify the definition of applications that are part of the operating system, common ActiveX controls, and software updaters.

The standard application templates are split into categories:

  • Privilege Management for Windows Utilities
  • Browsers
  • COM Classes for 3rd Party Software
  • Com Classes for file, folder and drive operations
  • COM Classes for general Windows operations
  • COM Classes for security features and configurations
  • COM Classes for software installation, uninstallation and updates
  • COM Classes for network device settings, sharing options and configurations
  • Common ActiveX controls
  • Content Handler Untrusted
  • Content Handlers
  • Installers for common printer driver manufacturers
  • Software updaters
  • Tools and utilities for administrators and developers
  • Windows 10 Default Apps
  • Windows 7/8 and Windows Server 2008 R2 / 2012 / 2012 R2
  • Windows 8.0 Default Apps
  • Windows 8.1 Default Apps
  • Windows Server 2008 R2

Each category then has a list of applications for that category. Picking an application causes the application or ActiveX control dialog boxes to be prepopulated with the appropriate information.

Creating Custom Application Templates

On other Windows versions the application templates are stored in:

%ALLUSERSPROFILE%\Avecto\Privilege Guard Templates\

The standard application templates are stored in a single file named OSXTemplates.xmlWindowsTasks.xml, and we strongly recommend that you do not change these templates.

Instead, you should create your own XML template files. Application templates are a set of Application Groups that have been exported from the Privilege Management Policy Editor as an XML file.

We recommend that you create templates on a computer that is not running Privilege Management for Windows, as you will rely on Privilege Management for Windows’ standalone Policy Editor to create the application templates.

To run the Privilege Management Policy Editor in standalone mode:

  1. Launch mmc.exe.
  2. Select File > Add/Remove Snap-in > Privilege Management Settings and click Add, then OK.

The Privilege Management Policy Editor is now running in standalone mode and is not connected to a Group Policy Object (GPO). However, it saves any settings locally, and these are picked up by the client, if it has been installed.

To create a set of application templates, create some Application Groups and populate the Application Groups with applications. The Application Groups become the categories, and the applications in each Application Group are the list of applications for that category.

Once you have defined your application templates, export the settings to an XML file:

  1. Select the Privilege Management Settings node.
  2. Right-click and select Export.

The XML file that you export must be saved with a prefix of OSX, for example, OSX_My_Templates.xml or Windows, for example, Windows*.xml.

To import an application template file back into the Policy Editor for editing:

  1. Select the Privilege Management Settings node.
  2. Right-click and click Import.
  3. When prompted click No to overwrite the current Workstyles.

Remember to re-export your application templates once you’ve modified them.

The final step is to copy your application templates to the application templates directory on any machines where the Policy Editor is being used to create Privilege Management settings. The Policy Editor automatically loads all of the application templates in the application templates directory and merges them to create a single list of categories.