Privilege Management for Windows 21.3 Release Notes

May 27, 2021


  • Microsoft .NET Framework 4.0 (required to use Activity Viewer, Power Rules, PowerShell audit scripts, and PowerShell API)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Microsoft SQL Server Compact 4.0 (required on the endpoint that will run the Activity Viewer console)
  • McAfee Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)
The executable version of the client package includes all necessary prerequisites (excluding .NET Framework 4.0) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.

New Features and Enhancements:

  • Updated the way we use our DLLs, improving performance and removing possible compatibility issues with other security software, Symantec Endpoint Protection (SEP) in particular.
  • Added support to force a BeyondInsight and/or PM Cloud policy update from the end user system tray icon. This eliminates the need for users to have to wait for the regular 60-90 minute cycle of policy updates to be applied to their endpoint.
  • Policy Editor:
  • We have added the ability to authenticate a user against your existing Identity Provider before they execute an application. You will find a new authentication method in the message configuration.

Clients prior to v21.3 do not understand this feature and treat an MFA-only gate as Yes / No.

For this reason we recommend that if you choose to roll out MFA messages to your estate and it has clients earlier than 21.3, that you do it in combination with another message gate that the older client already recognizes, for example, Challenge/Response, which provides a secure fallback.

  • Greatly improved the number of attack vectors that Trusted Application Protection (TAP) can help to protect against. Privilege Management for Windows is now able to better track the origin of application launches (including WMI and COM) to ensure that they are legitimate and block those that appear to be malicious.
If you are a TAP policy user prior to upgrading to Endpoint Privilege Management for Windows 21.3, and the policy was created using the Endpoint Privilege Management for Windows Policy Editor 21.2 or earlier, then to take advantage of the Advanced Parent Tracking feature, you must add two new rules to the TAP workstyle. For more information, please see Use Advanced Parent Tracking section of Trusted App Protection (TAP).

Issues Resolved:

  • Resolved issue in which an application crash was caused by a hook exclusion.
  • Resolved issue that caused the product icon in the toast notification to appear blurry.
  • Resolved issue in which the source URL was not always populated in MSI files when added in PM Policy Editor.
  • Resolved issue in which the TraceConfig tool displayed an Insufficient system resources exist to complete the requested service message and did not add error entries to the log file.
  • Corrected wording to ensure the MMC snap-in matches PM Cloud.


  • Privilege Management Policy Editor 21.3 (recommended), 21.2, 5.2+
  • Privilege Management ePO Extension 21.1 (recommended), 5.2+
  • Privilege Management Console Windows Adapter 21.2 (recommended), 21.1
  • BeyondInsight/Password Safe 21.1 (recommended), 7.2
  • McAfee Agent 5.7 (recommended), 5.6+
  • McAfee ePO Server 5.10 (recommended), 5.9

Supported Operating Systems:

  • Windows 10
    • 21H1
    • 20H2
    • 2004
    • 1909
    • 1809
    • LTSB 2015
    • LTSB 2016
    • LTSC 2019
  • Windows 8 / 8.1
  • Windows 7
  • Server
    • 2019
    • 2016
    • 2012R2
    • 2012

For more information about compatibility, please see Privilege Management for Windows and Mac: Supported Versions and Operating System Compatibility.