Windows Policy Configuration Precedence

Privilege Management for Windows supports a variety of deployment methods, and accepts multiple simultaneous configurations from any combination of the following:

  • McAfee ePO Policy: A configuration that is stored within McAfee ePO, configured using the Privilege Management for Windows ePO Extension in the ePO Policy Catalog.
  • Webservice Policy: A configuration that is served from an iC3 webservice using HTTPS.
  • Webserver Policy: A configuration located on a web server, accessible using HTTP(s) or FTP.
  • Group Policy: Configurations that are stored in Group Policy Objects, configured using Active Directory Group Policy (GPMC) and GPEdit (Local Group Policy). Group Policy based configurations are evaluated according to GPO precedence rules.
  • Local Policy: A standalone configuration, which is stored locally and has been configured using the Privilege Management Management Console snap-in for the Microsoft Management Console.

Privilege Management for Windows uses the following default precedence to evaluate each configuration for matching rules:

ePO > Webservice > Webserver > GPO > Local

Configuration precedence settings can be configured either as part of the client installation, or using the Windows Registry once the client has been installed.

To modify the configuration precedence at installation, use one of the following command lines to install Privilege Management for Windows with a specific configuration precedence:

msiexec /i PrivilegeManagementForWindows_x(XX).msi POLICYPRECEDENCE="EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL"
PrivilegeManagementForWindows_x(XX).exe /s /v" POLICYPRECEDENCE=\"EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL\""

In the command lines above, (XX) represents 86 or 64 in relation to the 32-bit or 64-bit installation respectively.

To modify your configuration precedence using the Windows Registry, run regedit.exe with elevated privileges and an anti-tamper token disabled. Navigate to the following key and edit the string as required:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client
REG_SZ PolicyPrecedence = "EPO,WEBSERVICE,WEBSERVER,GPO,LOCAL"

Only deployment methods listed in the Privilege Management for Windows engineering key PolicyEnabled are applied, irrespective of the order listed in the PolicyPrecedence key. Both keys are located in the same place in the Windows registry.
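
The following PowerShell audit is an added example, not part of the vendor documentation. It reads both registry values, reports the order that actually takes effect, and flags any drift from the default order. It assumes that PolicyEnabled, when present, is a comma-separated string using the same tokens as PolicyPrecedence; the function names are hypothetical.

```powershell
# Added example, not vendor code. Audits the precedence settings described above.
# Assumption: PolicyEnabled, if present, is a comma-separated REG_SZ that uses the
# same tokens as PolicyPrecedence; the page does not document its format.
$KeyPath = 'HKLM:\Software\Avecto\Privilege Guard Client'
$Default = 'EPO','WEBSERVICE','WEBSERVER','GPO','LOCAL'   # default order from the page

function ConvertTo-MethodList {
    param([string]$Value)
    # Split on commas, trim whitespace, upper-case, drop empty entries.
    @($Value -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

function Test-PolicyPrecedence {
    param([string]$Precedence, [string]$Enabled, [string[]]$Baseline = $Default)
    $order = @(ConvertTo-MethodList $Precedence)
    if ($order.Count -eq 0) { $order = $Default }          # value absent: default applies
    $findings = @()
    $unknown = @($order | Where-Object { $_ -notin $Default })
    if ($unknown.Count) { $findings += "Unrecognised method(s): $($unknown -join ',')" }
    $dupes = @($order | Group-Object | Where-Object { $_.Count -gt 1 })
    if ($dupes.Count) { $findings += "Duplicate method(s): $($dupes.Name -join ',')" }
    if (($order -join ',') -ne ($Baseline -join ',')) {
        $findings += "Order differs from baseline: $($order -join ' > ')"
    }
    # Only methods also listed in PolicyEnabled are applied, whatever their position.
    $effective = $order
    if ($Enabled) {
        $on = @(ConvertTo-MethodList $Enabled)
        $effective = @($order | Where-Object { $_ -in $on })
        $ignored = @($order | Where-Object { $_ -notin $on })
        if ($ignored.Count) { $findings += "Listed but not enabled: $($ignored -join ',')" }
    }
    [pscustomobject]@{
        Configured = $order -join ' > '
        Effective  = $effective -join ' > '
        Findings   = $findings
    }
}

# Live check on an endpoint: missing values fall back to the default order.
$props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
Test-PolicyPrecedence -Precedence $props.PolicyPrecedence -Enabled $props.PolicyEnabled

# Constructed sample: LOCAL moved to the front, and only GPO and LOCAL enabled.
Test-PolicyPrecedence -Precedence 'LOCAL,EPO,WEBSERVICE,WEBSERVER,GPO' -Enabled 'GPO,LOCAL'
```

For the constructed sample, Effective is "LOCAL > GPO" and the findings report both the reordering and the three methods that are listed but not enabled.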