Privilege Management for Windows 22.7 Release Notes

September 15, 2022

Requirements:

  • Microsoft .NET Framework 4.0 (required to use Activity Viewer, Power Rules, PowerShell audit scripts, and PowerShell API)
  • Microsoft .NET Framework 4.6.2 (required to use Agent Protection)
  • Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Microsoft SQL Server Compact 4.0 (required on the endpoint that will run the Activity Viewer console)
  • McAfee Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)

The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.

New Features and Enhancements:

  • Continues the work to remove the need to reboot after upgrading Endpoint Privilege Management for Windows. All product functions continue to work as expected after an upgrade from 22.7 to a newer version.

Although a reboot will no longer be mandatory when upgrading from 22.7 to newer versions, it is still recommended and there may be future features where it is required to get new functionality.

  • On endpoints that have agent protection enabled, the registry keys for the Endpoint Privilege Management for Windows product cannot be modified by any user, further protecting the product from tampering by malicious actors. If there is a legitimate need to manually alter any Endpoint Privilege Management for Windows registry keys, you must first disable agent protection on that endpoint.

Policy Editor

  • Updated the QuickStart policy to protect some Explorer functions with a Challenge Response message. These are: Edit Security, File Operation, and Permissions editor for files and folders.
  • Added two new fields to the MFA options on a message: Additional Scopes and max_age. These can be used by your identity provider to provide additional functionality or customize the MFA flow.

For an example of using Additional Scopes and max_age with Azure AD, please see KB0018586.
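The two new fields map directly onto parameters of the OpenID Connect authentication request: Additional Scopes are appended to the mandatory openid scope, and max_age tells the provider the maximum acceptable age of the user's last authentication, which the provider must report back in the ID token's auth_time claim. The following Python is an added illustration of that mechanism, not Privilege Management's own code or the product's handling of these fields; the authorization endpoint, client_id and redirect_uri are made-up values, and signature verification of the ID token is assumed to have happened before the claims are checked.

```python
"""
Added example (not Privilege Management's own code): what the "Additional
Scopes" and "max_age" message options correspond to in an OpenID Connect
authentication request, and the check a relying party has to make on the
returned ID token once max_age has been sent.  The authorization endpoint,
client_id and redirect_uri below are made-up values.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed provider endpoint; a real deployment takes this from the
# provider's discovery document (.well-known/openid-configuration).
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"


def build_authorization_url(client_id, redirect_uri, additional_scopes=(),
                            max_age=None, state=None, nonce=None):
    """Build the OIDC authentication request.

    additional_scopes: extra scope values appended to the mandatory "openid"
        scope (the "Additional Scopes" field).  Each entry may itself be a
        space-separated list, as the field would be typed into the editor.
    max_age: maximum acceptable age, in seconds, of the user's last
        authentication (the "max_age" field).  0 forces fresh authentication.
    """
    scopes = ["openid"]
    for entry in additional_scopes:
        for scope in entry.split():
            if scope not in scopes:          # keep order, drop duplicates
                scopes.append(scope)

    params = {
        "response_type": "id_token",          # ID token only: enough as MFA proof
        "response_mode": "form_post",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        # state and nonce bind the response to this request; a real client
        # stores both and compares them when the response comes back.
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if max_age is not None:
        if max_age < 0:
            raise ValueError("max_age must be a non-negative number of seconds")
        params["max_age"] = str(int(max_age))
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Return the query string of url as {name: value} (single-valued)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def validate_id_token_claims(claims, expected_nonce, max_age, now=None):
    """Check the claims of an already signature-verified ID token.

    Returns None when the token is acceptable, otherwise a short reason.
    The signature must have been verified against the provider's JWKS
    before these claims are trusted; that step is outside this example.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return "token expired"
    if max_age is not None:
        # OIDC Core 3.1.2.1: when max_age was requested, auth_time is
        # mandatory in the ID token, and the relying party re-checks it.
        auth_time = claims.get("auth_time")
        if auth_time is None:
            return "auth_time missing although max_age was requested"
        if now - auth_time > max_age:
            return "authentication too old for requested max_age"
    return None


if __name__ == "__main__":
    url = build_authorization_url("11111111-2222-3333-4444-555555555555",
                                  "https://rp.example.test/oidc/callback",
                                  additional_scopes=["profile offline_access"],
                                  max_age=300, nonce="demo-nonce")
    print(url)
    now = int(time.time())
    # Constructed claims, as they would appear in a decoded ID token payload.
    fresh = {"nonce": "demo-nonce", "exp": now + 3600, "auth_time": now - 60}
    stale = {"nonce": "demo-nonce", "exp": now + 3600, "auth_time": now - 3600}
    print(validate_id_token_claims(fresh, "demo-nonce", 300, now))
    print(validate_id_token_claims(stale, "demo-nonce", 300, now))
```

The point of the auth_time check is that max_age is only a request: a provider that ignores it, or a token replayed from an earlier session, still has to be rejected by the relying party, so the age of the authentication is verified locally rather than trusted because it was asked for.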

  • Adds a new Access token type to the rules configuration that retains the same process permissions as the Passive token but adds additional context to the token so that our anti-tamper protections and Advanced Parent Tracking work correctly, while ensuring that a sandboxed process such as Chrome is not given permissions it does not need. This replaces the Enforce User’s Default Rights token in our TAP policy for Browser and Content Handler rules, and a new version of the TAP policies is available in this version.

We strongly recommend that if you already use our TAP policy, you update the Browser and Content Handler rules at your earliest convenience to ensure that those applications are using the appropriate permissions.
  • You can now specify AAD groups as designated users on messages, which allows any user who is in the specified groups to authorize a message.

Issues Resolved:

  • Resolved issue that prevented the software installation in some circumstances.
  • Resolved issue in which UpdateTrustedSites.exe was not being matched correctly in Endpoint Privilege Management for Windows rules.
  • Resolved a compatibility issue found with some Windows updates that were released mid-year 2022, which could cause application crashes.
  • Resolved issue in which permission was denied when trying to set up a named pipe.
  • Resolved issue in which no token or audience was provided to Azure AD for MFA.
  • Resolved an identity provider (IdP) issue affecting Azure MFA Conditional Access policies.

Compatibility:

  • Privilege Management Policy Editor 22.7 (recommended), 5.7+
  • Privilege Management ePO Extension 21.2 (recommended), 5.2+
  • Privilege Management Console Windows Adapter 22.5 (recommended), 21.1
  • BeyondInsight/Password Safe 22.2 (recommended), 7.2
  • McAfee Agent 5.7 (recommended)
  • McAfee ePO Server 5.10 (recommended), 5.9

Supported Operating Systems:

  • Windows 11
    • 21H2
  • Windows 10
    • 21H2
    • 21H1
    • 20H2
    • 1909
    • LTSB 2015
    • LTSB 2016
    • LTSC 2019
  • Windows 8.1
  • Server
    • 2022
    • 2019
    • 2016
    • 2012R2
    • 2012

For more information about compatibility, please see Privilege Management for Windows and Mac: Supported Versions and Operating System Compatibility.

Notes:

  • Endpoint Privilege Management for Windows 22.7 supports upgrades from Endpoint Privilege Management for Windows 5.2+.