Endpoint Privilege Management for Windows 24.3 Release Notes

May 7, 2024

Requirements:

  • Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
  • Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)

The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.

VBScript Deprecation

Microsoft announced that VBScript is deprecated, and will be removed in a future Windows version. EPM-W uses VBScript as a script type in:

  • Audit scripts, where it is an available script type
  • The Windows Script application type

BeyondTrust will remove support for these script and application types once Microsoft removes VBScript from any of our supported operating systems.

To prepare for this change:

  • Convert existing audit scripts to one of the other script types available.
  • Remove any Windows Script application types in policy at your earliest convenience.

New Features and Enhancements:

  • In the EndpointUtility, improved the messaging to provide more helpful information and instruction on how to proceed when errors occur. Added the /DEBUG flag to produce improved diagnostic information.
  • Updated EndpointUtility to show the authentication method used for the BeyondInsight connection. OAuth details will be shown now when testing the connection to BeyondInsight.

Issues Resolved:

  • Resolved an issue with rules matching not working correctly with relative file paths. Improved relative path handling for processes launched via the ShellExecute API.
  • Resolved an issue that prevented the user from creating files or folders in a file dialog that was launched by an EPM elevated app with the Force standard user rights on file save/open dialog setting enabled.
  • Resolved an issue where the Get-DefendpointFileInformation cmdlet -recurse flag did not support the SilentlyContinue flag.
  • Resolved an issue where generated emails automatically filled in the Description field with the name of the application rather than leaving the field blank when a description is not available.
  • Resolved an issue where network paths were not being converted to the correct format, causing the service to fail to match certain rules in a policy. Paths are now formatted accurately and the underlying network path is resolved correctly.
  • Improved Anti-tamper performance. A restart is required to implement this update.

Security Updates:

  • Updated OLE DB Driver for SQL Server to 19.3.3.0, which has been updated with security updates from Microsoft.
  • Resolved an issue with QuickStart & Discovery policy templates where the templates contain an incorrectly defined application definition which may permit the launch of some restricted applications without the appropriate message or auditing. We recommend updating your QuickStart based policies following this KB: Changes to the EPM-W QuickStart and Discovery Policy to Address Incorrect Restricted Application Behavior.

Known Issues:

  • The Windows Event Viewer shows no results when matching on Source URL.

Compatibility:

  • Endpoint Privilege Management Policy Editor 24.1 (recommended), 22.1+
  • Endpoint Privilege Management ePO Extension 23.10 (recommended), 22.7+
  • Endpoint Privilege Management Console Windows Adapter 24.1 (recommended), 22.1+
  • BeyondInsight/Password Safe 23.3 (recommended), 7.2+
  • Trellix Agent 5.7+
  • Trellix ePO Server 5.10 Service Pack 1 Update 1 (recommended), Update 13+

Supported Operating Systems:

  • Windows 11
    • 23H2
    • 22H2
    • 21H2
  • Windows 10
    • 22H2
    • 21H2
    • LTSB 2015*
    • LTSB 2016
    • LTSC 2019
    • LTSC 2021

    * The introduction of the OAuth connection to the BeyondInsight management platform in 24.3 requires .NET Framework 4.8+, which cannot be installed on Windows 10 1507 (LTSB 2015). Therefore, LTSB 2015 is no longer supported for EPM-W managed via BeyondInsight.

  • Server
    • 2022
    • 2019
    • 2016
    • 2012R2
    • Core 2016
    • Core 2019
    • Core 2022

For more information about compatibility, see Privilege Management for Windows and Mac: Supported Versions and Operating System Compatibility.

Notes:

None.