Windows & MacOS

Hi there,We have set up MFA-Messages to authenticate admins when installing software on a client. This also needs to be done on “user-clients”. The problem is that you actually can use the admin mfa session to access various ressources such as microsoft admin portal if youre not actively sign out or do the authentication in private-tab.I already tried to use the following in my entra application, but this does not seem to work: Has anyone setup an MFA-Authentication in Messages for EPM-W and may assist?Many Thanks!

has EPM-W in BeyondInsight Software, Now its eol.We need to migrate to UVM based appliance in Active Active with DC-DR, I need assistance in understanding what all should be considered before the migration.1. How do i make sure the software based deployment which has DB should be moved to the new UVM deployment in Active active.2. How do I make sure I deploy UVM in Active Active in DC & DR where I should deploy 3 UVM in DC and 3 UVM in DR so I get them running active active all the time.3. How many maximum machines do we can connect using this kind of deployment for EPM-W4. Also Wanted to understand for EPM what the load Balancer configuration should be.

I was recently asked if there were any best practices uses the challenge response tool with EPM where there’s the software and the key. While we do have some documentation around how to use it, I feel this warranted a quick notes of practices I recommend based on seeing this live in some environments. Tip 1: Put the shared key in a vaultThe shared key is something that should be protected as anyone with the response code generator tool can generate the code. That’s by design, so please protect the shared keys in a vault. Or other encrypted method that’s not in the company’s documentation portal.  Tip 2: Restrict who can run the response code generatorEven though the response code generator needs access to get the installer, it’s good to restrict who can run the response code generator as a layer of friction in the policy. Ideally limited to the service desk only.  Other documentsThis is a quick tips on the response

Trying to install BeyondTrust during a Windows Autopilot deployment, the application installs, but it's not fully setup to handle elevation prompts until after a considerable amount of time and a reboot. Is there a guide on how to install Beyond Trust EPM during Autopilot that improves this experience?

The following articles were published last week. New Knowledge Base Articles: KB0022288 - What does the ManageSystemProcesses registry key do? KB0022296 - EPM-M limitation with Keychain Access KB0022297 - JetBrains Toolbox update fails using EPM-M elevation

Hi There,we often create a blanc Test-Policy by importing the productive policy, make changes and test them there. However we expirience some unconsistencies when rolling back to the productive policy. In fact OnDemand processes are not being recognized. So if i start powershell as Administrator, it hits the default any uac (not OnDemand) This is most likely due to a cache issue or sth. On a machine which did not have the test-policy assigned, the productive-policy is working as expected and OnDemand rules are applied correctly.Multiple Computer restarts did not solve the problem. A few hours later, it just worked again without any changes.Is there a way to troubleshoot this? Many Thanks

Hi,I have a problem with the Avecto Defendpoint Service (client version 25.8.12.0).When I restart a Windows 11 notebook, the service is running, but EPM does not work correctly.To resolve the issue, I have to restart the Avecto Defendpoint Service manually, after which everything works as expected.If I set the service startup type to Delayed Start, it starts after about two minutes and then works fine.Has anyone else experienced this issue?Thank you.Kind regards,Thien

Hello All,Is there a way to notify (some sort of pop up) the users that the JIT request has been approved via BT EPM app/agent for a better user experience ? PMC has been integrated with SNOW.

The following articles were published last week. New Knowledge Base Articles: KB0022887 - JIT requests stuck in the pending status in ServiceNow

Hey everyone,Checking to see if anyone has seen this before, I have multiple servers in an environment that all point to the same proxy.  On a handful of these servers, I can see where package manager is downloading and attempting to install the adapter and client.  However, on others I’m seeing where it cannot download the package.  It tries 5 times, gives up and says I can find more information on the agent with a specific ID (looks like the computer ID).  Anyone have a location for that log? I’ve looked in the standard ones with no luck.I’ll attach an example from the event viewer logs so you can see where it downloads and tries to install the adapter with a 1603 error on one (this I’m trying to fix with workarounds) and on the other it can’t download at all.  

Does anyone know if it is possible to include multiple domains in a management rule filter?  For an example, we need to setup rules to move multiple domains to single computer groups after a certain length of time.  Currently, I have over 20 management rules in place to do this functionality, however I would like to cut that down if possible.  

EPM-W is blocking some of the functionality of ZoomText screen reader. How do we get around that and allow all functions of ZoomText to run? zt.exe and child processes have been whitelisted already.

Hi All I have been looking arround for a document that can help in building the Beyondinsight Using UVM for Privilege Management for Windows & Mac in Active Active mode for DC & DR. What are the prerequisites and how to establish the DC & DR scenarios, what are the things that we should be really looking into for the deployment. My another query is how does the Agent understand the DC & DR scenario as if we need to deploy 1 Management node in DC and 1 Management node in DR with 2 Event worker nodes in DC and 2 Event Worker nodes in DR. Where in DC we have SQL in Cluster with Always ON Availability Group and Same deployed seprately in DR too. Can some one explain as how it works and what are the precautionary measurements we need to take care of.

The following articles were published last week. New Knowledge Base Articles: KB0022215 - Privilege Management for Mac client app bundle continually verifiying package KB0022295 - How to create replacement definitions for PGNetworkAdapterUtil, PGPrinterUtil and PGProgramsUtil KB0023279 - EPM-M Defendpointd memory leak causing high RAM usage

Hello,I am working on creating a new BT EPM policy for our Win 10 and 11 system in our environment. I created an application group and added it under Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones i have approved in SCCM Software Center and InTune. My problem is that i have a list of couple of hundred of approved apps and i don’t want to add them in the application group manually one by one. is there a way to import them from an excel list if i populate the excel with publisher and product name and whatever else i might need. or is there any API i can use for that.Thank You

Has anyone else gotten the 26.1 agent upgrade yet? We have been waiting for a few weeks now, and it is still not available to us. I don’t know if we should put in a ticket to find out why it hasn’t been pushed to us yet, or if it is just taking that long.  We’re looking forward to the AAD refresh capability that’s built into it. 

On our systems we’ve deployed beyondtrust to, if I do a Microsoft sentinel or KQL search for local admin login events, I’m seeing a lot of accounts that start with lenovo_tmp. After some searching, it appears that these are used by the lenovo system updater software to run updates with elevated privileges when a user is not admin. This concerns me because it seems to violate the tamper protection of beyondtrust that disallows the creation of other admin accounts. (lenovo forum for context).Is anyone else seeing this? If you can run KQL advanced hunting queries, look at the DeviceLoginEvents t

The following articles were published last week. New Knowledge Base Articles: KB0022184 - ServiceNow ticket for JIT request does not show username in 'Caller' field KB0022206 - NVDA screen reader does not correctly activate on Secure Desktop KB0022208 - QuickStart Template Changes Regarding Microsoft Narrator

The following articles were published last week. New Knowledge Base Articles: KB0023082 - Preview of messages are missing the message header and OK and Cancel buttons KB0023133 - EPM-W 26.1 policy behavior change - Uninstallation with Challenge/Response messages KB0023385 - Identity Authentication feature in EPM FAQ and how to configure it

We have a EPM workstyle dedicated to the service desk, which takes effect at the start of Beyond Trust remote session. This makes use of Audit scripting / Rule scripting to sense the initiation of the session and change the effective workstyle until the session completes. During the session, support technician is able to elevate the application through Prompt.We have observed that this script provided by BT for this use case is executing the rule only once, when another application is open during the same session, the end user workstyle (Medium Flexibility prompt) is getting applied and application is not elevated. Please let us know, how to fix this.

Many organizations face the same challenging questions in their initial deployment of the EPM tool.Where do I even start with for the policy design? How can I use EPM to allow and block applications? How do I find local administrators privileges on the endpoints? How can I prevent users from running applications outside of these trusted folders (Windows, Program Files)EPM is designed with the flexibility to control and elevate applications, many of the above questions can be achieve with the out-of-the box QuickStart policy template that combines BeyondTrust best practices into a set of rules that make it easy to get started with proactive endpoint protection. Out-of-the-box, the user’s security level is immediately improved without degrading the user experience or by “locking them down”. This is designed to be successful even with very little knowledge of the applications installed in an environment before deployment.

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks Y

Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk ru