View or Edit Workstyle General Rules

  1. To view or edit the General Rules of a Workstyle, navigate to Windows > Workstyles > Workstyle Name > General Rules in the policy tree.
  2. Only General Rules that are enabled are listed on the Summary page. Choose between Not Configured, Enabled, or Disabled for each General Rule.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have Trellix Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.

Collect User Information

This rule, when enabled, raises an audit event each time a user logs on to the client machine. The audit event collects the following information, which is reported through the Enterprise Reporting pack:

  • Logon Time: The date and time the user logged on.
  • Is Administrator: The client checks whether the user account has been granted local administrator rights either directly or through group membership.
  • Session Type: The type of logon session, for example, console, RDP, ICA.
  • Session Locale: The regional settings of the user session / profile.
  • Logon Client Session Hostname: The hostname of the client the user is logging on from. This is either the local computer (for console sessions) or the remote device name (for remote sessions).
  • Logon Client Session IP Address: The IP address of the client the user is logging on from. This is either the local computer (for console sessions) or the remote device's IP address (for remote sessions).

For more information on user information reporting, please see the BeyondTrust Privilege Management Reporting guides.

Collect Host Information

This rule, when enabled, raises an audit event on computer start-up or when the Privilege Management for Windows service is started. The audit event collects the following information which is reported through the Reporting pack:

  • Instance ID: A unique reference identifying a specific service start event.
  • OS Version: The name and version of the operating system, including service pack.
  • Chassis Type: The type of chassis of the client, for example, workstation, mobile, server, VM.
  • Language: The default system language.
  • Location: The current region and time zone of the device.
  • Client Version: The version of the Privilege Management for Windows service.
  • Client Settings: The type of installation and current settings of the Privilege Management for Windows service.
  • System Uptime: Time since the computer booted.
  • Unexpected Service Start: Only added if the service has started unexpectedly (that is, this start was not preceded by a service stop, so the previous instance of the service did not shut down cleanly).

An additional event is raised when the computer shuts down, or when the Privilege Management for Windows service is stopped:

  • Instance ID: A unique reference identifying the last service start event.
  • Computer Shutdown: Value identifying whether the service stopped as part of a computer shutdown event.
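The "Unexpected Service Start" test above can be reproduced from the Service Control Manager events that Windows already writes, which is useful when you want to correlate the audit event with the System log during an investigation. The script below is an added example, not BeyondTrust code. It assumes that SCM event 7036 carries the service display name in param1 and the new state in param2 (true on English systems; the state string is localized), and that the display name in $ServiceDisplayName is a placeholder you replace with the name Get-Service shows on your client. The sample event sequence is constructed so the logic can be read without a live log.

```powershell
# Added example (not BeyondTrust's own code): flag service starts that were not
# preceded by a service stop, the definition the Collect Host Information rule
# uses for "Unexpected Service Start".
# Assumption: the display name below is a placeholder; replace it with the
# value shown by Get-Service on the client.
param([string]$ServiceDisplayName = 'BeyondTrust Privilege Management Service')

function Get-ServiceStateEvents {
    param([string]$DisplayName)
    # SCM event 7036: param1 = service display name, param2 = new state.
    # Results are returned oldest first so transitions can be walked in order.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['param1'] -ne $DisplayName) { continue }
        # param2 is localized ("running"/"stopped" on English systems).
        [pscustomobject]@{ Time = $e.TimeCreated; State = $data['param2'] }
    }
}

function Find-UnexpectedStart {
    param([object[]]$StateEvents)
    # A start is unexpected when the last recorded state was already "running",
    # i.e. no stop was logged between two starts.
    $lastState = $null
    foreach ($ev in $StateEvents) {
        if ($ev.State -eq 'running' -and $lastState -eq 'running') {
            [pscustomobject]@{ Time = $ev.Time; UnexpectedStart = $true }
        }
        $lastState = $ev.State
    }
}

# Constructed sample: the 10:15 start follows a start with no stop in between
# and is the only one flagged.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01 08:00'; State = 'running' },
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:30'; State = 'stopped' },
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:31'; State = 'running' },
    [pscustomobject]@{ Time = [datetime]'2024-05-01 10:15'; State = 'running' }
)
Find-UnexpectedStart -StateEvents $sample

# Against the live System log on the client:
Find-UnexpectedStart -StateEvents (Get-ServiceStateEvents -DisplayName $ServiceDisplayName)
```

A service that is killed (process crash, forced termination) or a machine that loses power produces exactly this pattern, so a flagged start is worth pairing with event 6008 (unexpected shutdown) and the Privilege Management audit event for the same boot before drawing a conclusion.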

For more information on host information reporting, please see the BeyondTrust Privilege Management Reporting guides.

Prohibit Privileged Account Management

This rule, when enabled, blocks users from modifying local privileged group memberships. It prevents real administrators, and applications that have been granted administrative rights through Privilege Management for Windows, from adding, removing, or modifying a privileged account.

The list of local privileged groups that are prohibited from modification when this rule is enabled is:

  • Built-in administrators
  • Power users
  • Account operators
  • Server operators
  • Printer operators
  • Backup operators
  • RAS servers group
  • Network configuration operators

This rule provides three options:

  • Not Configured: The rule is not applied by this Workstyle.
  • Enabled: The user is not able to add, remove, or modify user accounts in local privileged groups.
  • Disabled: Default behavior based on the user's rights or those of the application.
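Because the rule is meant to stop even a real administrator from changing these groups, the practical check is to attempt a change from an elevated session and confirm it is refused. The script below is an added example, not BeyondTrust code. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and a throwaway local account (the hypothetical name in $TestAccount) that is safe to add to and remove from a group. The groups are resolved by well-known SID rather than by display name, so the check also works on localized builds; the three domain-controller-only groups are skipped where they do not exist.

```powershell
# Added example (not BeyondTrust's own code): verify the Prohibit Privileged
# Account Management rule from an elevated PowerShell session on the client.
# Assumption: $TestAccount names a throwaway local account you control.
param(
    [string]$TestAccount = 'pmw-ruletest'   # hypothetical test account
)

# Protected groups keyed by well-known SID. Account Operators, Server Operators
# and RAS and IAS Servers exist only on domain controllers.
$ProtectedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-553' = 'RAS and IAS Servers'
    'S-1-5-32-556' = 'Network Configuration Operators'
}

function Get-ProtectedGroupMembership {
    # Snapshot of the membership of every protected group present on this host.
    foreach ($sid in $ProtectedGroups.Keys) {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # DC-only group absent on this host
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue | ForEach-Object Name)
        [pscustomobject]@{ Group = $group.Name; SID = $sid; Members = $members }
    }
}

function Test-PrivilegedGroupLock {
    param([string]$Account, [string]$GroupSid = 'S-1-5-32-544')
    # Refuse to run if the account is already in the group: the add would fail
    # for the wrong reason and look like a block.
    $current = @(Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue | ForEach-Object Name)
    if ($current | Where-Object { $_ -eq $Account -or $_ -like "*\$Account" }) {
        throw "$Account is already a member of $GroupSid; use a different test account"
    }
    # With the rule Enabled the client denies the change even for a real
    # administrator. If it goes through, roll it back immediately.
    try {
        Add-LocalGroupMember -SID $GroupSid -Member $Account -ErrorAction Stop
    }
    catch {
        return [pscustomobject]@{ Blocked = $true; Detail = $_.Exception.Message }
    }
    Remove-LocalGroupMember -SID $GroupSid -Member $Account -ErrorAction SilentlyContinue
    return [pscustomobject]@{ Blocked = $false; Detail = 'Membership change was accepted and rolled back' }
}

$before = Get-ProtectedGroupMembership
$result = Test-PrivilegedGroupLock -Account $TestAccount
$after  = Get-ProtectedGroupMembership

$result
# Any difference between the two snapshots means a change got through.
foreach ($g in $before) {
    $now = $after | Where-Object SID -eq $g.SID
    if (($g.Members -join ';') -ne ($now.Members -join ';')) {
        Write-Warning "Membership of $($g.Name) changed during the test"
    }
}
```

With the rule Enabled the expected result is Blocked = True and two identical snapshots; Blocked = False means the Workstyle that matched this user or application did not apply the rule, so check Workstyle precedence before assuming the client is at fault.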

Enable Windows Remote Management Connections

This rule, when enabled, authorizes standard users who match the Workstyle to connect to a computer remotely via WinRM, which would normally require local administrator rights. This General Rule supports remote PowerShell command management, and must be enabled to allow a standard user to run PowerShell scripts or commands remotely.

To allow remote network connections, you may also need to grant the user the Windows Group Policy user right Access this computer from the network.
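The two things that can stop a standard user's WinRM session are the session authorization (which this rule grants) and the network logon right mentioned above, and they fail with similar errors from the caller's side. The script below is an added example, not BeyondTrust code, for separating them: Test-StandardUserWinRm is run from an administrator's workstation and tells you whether the listener answers and whether the standard user can actually execute a command; Get-NetworkLogonRight is run locally on the target as an administrator and lists who currently holds SeNetworkLogonRight. The target hostname and the standard user name are placeholders.

```powershell
# Added example (not BeyondTrust's own code): check WinRM access for a standard
# user before and after enabling the rule, and inspect the network logon right.
# Assumptions: $Target and $StdUser are placeholders; the WinRM client is
# enabled on the workstation this is run from.
param(
    [string]$Target  = 'ws-pmw-01.corp.example',   # hypothetical target host
    [string]$StdUser = 'CORP\stduser'              # hypothetical standard user
)

function Test-StandardUserWinRm {
    param([string]$ComputerName, [pscredential]$Credential)
    # Step 1: is the listener reachable at all? Test-WSMan needs no credential.
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
    catch { return [pscustomobject]@{ Listener = $false; Access = $false; Detail = $_.Exception.Message } }

    # Step 2: can the standard user open a session and run a command? The
    # script block also reports whether the remote token is administrative,
    # which it should not be for a standard user.
    try {
        $who = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
            $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
            $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            '{0} (administrator token: {1})' -f $id.Name, $isAdmin
        }
        return [pscustomobject]@{ Listener = $true; Access = $true; Detail = $who }
    }
    catch {
        # "Access is denied" here is what a standard user gets when neither
        # this rule nor local administrator rights authorize the session.
        return [pscustomobject]@{ Listener = $true; Access = $false; Detail = $_.Exception.Message }
    }
}

function Get-NetworkLogonRight {
    # Run locally on the target as an administrator. Exports the local security
    # policy and returns the SIDs/names holding "Access this computer from the
    # network" (SeNetworkLogonRight). Entries are prefixed with * when they are SIDs.
    $tmp = Join-Path $env:TEMP 'pmw-userrights.inf'
    $null = secedit.exe /export /cfg $tmp /areas USER_RIGHTS
    $line = Select-String -Path $tmp -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

$cred = Get-Credential -UserName $StdUser -Message 'Password for the standard user'
Test-StandardUserWinRm -ComputerName $Target -Credential $cred
```

Run Test-StandardUserWinRm once with the rule Disabled and once with it Enabled: the first run should report Listener = True and Access = False with an access-denied message, the second Access = True with a non-administrative token. If the second run still fails, run Get-NetworkLogonRight on the target and confirm that the user, or a group such as S-1-5-32-545 (Users), appears in the list.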