PowerBroker for Windows

PowerBroker for Windows

Windows Privilege Management and Session Management

Protect end users, prevent and contain breaches, and reduce help desk calls on Microsoft® Windows desktops and servers. With PowerBroker, you remove excessive rights from end users, audit privileged sessions, and identify risky activity – without disrupting productivity.

Comprehensive Privilege and Session Management to Protect Windows Systems

The case for Windows privilege management is overwhelming. Consider the fact that 94% of critical vulnerabilities reported by Microsoft in 2016 can be mitigated by removing administrator rights from users. Whether hijacked by external attackers using phishing or ransomware, or simply misused by insiders, local and domain admin rights can facilitate devastating data breaches. These privileges are prized by attackers because they can afford freedom of movement and access beneath the radar of detection. However, wholesale removal of administrator rights can bring productivity to a grinding halt and overwhelm your IT help desk. That’s where PowerBroker for Windows comes into play.

PowerBroker for Windows is a privilege management solution that gives you unmatched visibility and control over physical and virtual desktops and servers.

  • Reduce attack surfaces by removing admin rights from end users and employing fine-grained policy controls for all privileged access, without disrupting productivity.
  • Monitor and audit sessions for unauthorized access and/or changes to files and directories. 
  • Analyze behavior to detect suspicious user, account and asset activity.

Whether you need simplified least privilege enforcement, patented application control, privileged activity logging, or file integrity monitoring, PowerBroker delivers the most comprehensive Windows privilege management capabilities available.

Enforce Least Privilege and Enable Productivity

Enforce Least Privilege and Enable Productivity

Eliminate user admin rights to close security gaps. Enable users to do their jobs by instead granting privileges to applications and tasks – without exposing administrator credentials.

Monitor and Audit User Behavior

Monitor and Audit User Behavior

Ensure accountability and maintain audit trails with event logging, plus optional file integrity checking and session monitoring. Capture and search keystrokes and screens.

Foil Phishing, Ransomware, and other External Attacks

Foil Phishing, Ransomware, and other External Attacks

Automatically block suspicious activity, such as software installation and configuration changes. Use application control to blacklist hacking tools, and leverage rules-based application greylisting.

Limit Applications on Vulnerable Systems

Limit Applications on Vulnerable Systems

Leverage patented technology to automatically scan applications for vulnerabilities at run time – triggering alerts, enforcing quarantine, reducing application privileges, or preventing launch altogether based on policy.

Monitor File Integrity

Monitor File Integrity

Ensure that system binaries, product binaries, and files have not been tampered with (optional). All changes are fully audited and reviewable.

Securely Elevate Remote Hosts

Securely Elevate Remote Hosts

Elevate privileges from a remote host, or utilize Password Safe credentials for Run-As access.

Share User Analytics and Reports

Share User Analytics and Reports

Gain unmatched visibility into Windows user activity with centralized analytics and reporting for executives, auditors, security and operational teams.

Leverage Flexible Deployment Options

Leverage Flexible Deployment Options

Implement on-premise software or hardware appliances, or host in Amazon Web Services, Azure Marketplace or Google Cloud.

Integrate with McAfee ePO

Integrate with McAfee ePO

Take a unified approach to endpoint security and privileged access management with McAfee ePolicy Orchestrator. Learn more about McAfee and BeyondTrust.

Common Criteria Certified

Common Criteria Certified

Common Criteria is an internationally recognized set of guidelines created to insure a high and consistent standard for evaluating information security products. You can have confidence in the security of the products that have earned this certification through extensive independent lab evaluations, and avoid the cost and complexity of additional testing. PowerBroker for Windows has earned Common Criteria Certification under an Evaluation Assurance Level (EAL)2+.


Eliminate administrator rights: Prevent intentional, accidental, and indirect misuse of privileges on Windows assets.

Block suspicious activity: Enforce restrictions on software installation, usage, and OS configuration changes.

Ensure compliance: Meet internal and external compliance needs by enforcing least-privilege identity management and monitoring privileged activities.

Ensure productivity: Default all users to standard privileges, while enabling elevated privileges for specific applications and tasks without requiring administrative credentials.

Protect file systems: Add optional file integrity monitoring to identify, and even deny, unauthorized changes.

Record sessions: Add optional session monitoring to capture screens of privileged user activity with keystroke logging to document all privileged changes to an asset.

Elevate applications: elevate application as logged on or another user, without exposing credentials.


Pinpoint suspicious activity: Monitor Windows Event Logs for anomalies and analyze through BeyondInsight Behavioral Analytics.

Maintain awareness: Monitor UAC events, application rules, requested elevations, denied applications, and more.

Ensure accountability: Add optional session monitoring for rules-based activity recording, including screenshots and searchable keystroke logs.

Understand and communicate risk: Leverage an interactive, role-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of user privilege management software activities.


Application Control: Blacklist hacking tools, whitelist approved applications, and greylist applications based on rules to keep systems safe.

Allow Admin where needed: Proactively identify applications and tasks that require administrator privileges – and automatically generate rules for privilege elevation.

Leverage Vulnerability-Based Application Management: Scan applications at runtime for vulnerabilities and allow, deny or alter privileges based on regulatory violations, vulnerability severity, and/or vulnerability age – based on the award-winning Retina vulnerability database.

Quarantine files: Leverage BeyondInsight Threat Analytics for malware confidence reporting, enabling better risk decision-making

Simplify application management: Rules-based approach eliminates the need to manage complex whitelists with thousands of signatures for complete application control.

Track trusted sources: make rules on tasks, processes, or applications based on the originating source.


Gain control over all accounts: Automatically discover and profile all Windows accounts, and quickly bring them under centralized management.

Ease policy creation and management: Set policies via Active Directory Group Policy or PowerBroker Web Services or McAfee ePO with support for air-gapped systems and non-domain assets.

Support one-time-passwords (OTPs): Support any multi-factor solution that utilizes the RADIUS protocol for additional verification that the user is the intended recipient of the elevation policy.

Ensure adoption and usability: Provide a modern, easy-to-use interface for end-users, plus an innovative dashboard for solution owners.

Reduce help desk costs: Reduce support costs 40% or more by removing Admin without raising barriers to end-user productivity.

Reducing User-Based Risk with PowerBroker for Windows

1 Implement Least Privilege Security

It’s difficult to strike the balance between security and enabling end users to do their jobs. PowerBroker for Windows, user privilege management software, enforces least privilege in an adaptive model, applying situational policies and elevating by application considering the target application’s vulnerability profile. The solution also transparently grants the rights they need to do their jobs without exposing the organization to unnecessary risk.

2 Limit Baseline / Image Drift

When users can change settings or self-install software, it compromises the baseline configuration settings, and leads to more work for the help desk and lost productivity for the user. PowerBroker for Windows, privilege identity management, ensures that only approved tasks can be launched. This dramatically reduces the amount of time it takes to re-image problem machines.

3 Stop Pirated Software Installs

PowerBroker for Windows, user privilege management software, can prevent unapproved software from being installed on a machine, report on the occurrence, the number of machines a piece of software is installed on, and even deny applications from running if they were already there. It puts control of the desktop, server, and laptop in the hands of IT, the folks ultimately responsible for the uptime and security of these endpoints.

4 Enable Efficient & Secure Run-as Access to Applications

Through its integration with PowerBroker Password Safe, PowerBroker for Windows privilege manager provides run-as access to applications in a completely automated manner, matching credentials and providing access without exposing credentials to the end user.

Related Resources: Get the most out of Windows Privilege Management and Session Management