Windows & MacOS

We have defender for endpoint and since past couple of days, we are most of powershell scripts are trying to elevate. Earlier they were running in passive mode. Also many applications including intune pushed scripts are giving Yes/No Promts (Configured in policy). As it was working fine earlier and suddenly started this issue. Anyone else facing the same?

Hello Team,We will be moving/migrating our on-prem EPM to the cloud in the upcoming months and I was just looking for any insights or things to look out for during or after the migration.Thank you for anything you can share.

Dear all,I am seeking your assistance regarding a challenge we are facing in our current project to present events generated by the EPM-W Agent in PowerBI.As you are aware, the GUI allows us to download up to 5 million records, but this process is often time-consuming, especially when the data size reaches several gigabytes. Additionally, I recently learned that the API has a limit of only 10,000 events per request, which is insufficient for our environment. We generate approximately 455,882,549 events over a 30-day period. While I am actively working to reduce the number of events, this is our current situation.Your advice on how to efficiently process and visualize such large datasets in PowerBI would be greatly appreciated. Specifically, if there are ways to increase the API limit or alternative best practices for handling this scale of data, please let me know.

For those who are looking to start out on building block lists for EPM, below are some tips and resources available. Analytics can shift this exercise from ‘blocking by vibes’ to data-informed changes. Tips for Implementing a Block Rule: Check your analytics for application definitions that match your anticipated block rule This can help determine estimated impact Check your policy for allow rules that may match your block (either on purpose or by accident) If so, then your allow or block may need to be altered to not conflict Block Rules are the only time you’re going to want to be more generic, and typically the widest net possible. It’s the opposite of allow rules where we recommend more than one definition Examples: One rule for the Publisher

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

Can anybody let me know what are the BeyondTrust certifications on Endpoint Privilege Management and how can I get those certifications?I am unsure of all the certifications and the process involved in acquiring them. So, any help would be greatly appreciated. 

I’m posting this to see if anyone has run into this situation to see what their outcome was. We currently have two devices that do not show an active policy on the client, the platform shows a policy and that it is connected, but the device will not pull a policy. We have tried using the agentprotectionutility to generate a token but that token does not work. We have tried this with several computers, verified the token does work on a device that is not having the issue. Now we’ve tried moving that device to a test policy with agentprotectionstate set to 0, requested update from the device through the BT platform, rebooted the device, same issue. This device will not show a BT prompt for anything, UAC for everything, unable to modify any registry settings regarding BT, token does not work, moving to another policy with agentprotection disabled didn’t change anything. Reinstalling the agent doesn’t change anything. At this point it seems like there

The following articles were published last week. New Knowledge Base Articles: KB0022077 - EPM Cloud not authenticating after changing OIDC settings from Azure B2B to another provider KB0023327 - Apple's SecurityAgent is stealing keyboard focus when EPM-M is installed KB0023330 - EPM-M (macOS) device with Windows Defender installed fails to wake up from sleep

The following articles were published last week. New Knowledge Base Articles: KB0022038 - EPM-W Cloud policy refresh using EndpointUtility error - Received unexpected status code 500 KB0022052 - Analytics full raw data not sent to Splunk

While I was going through documentation looking to find out some specific information regarding Computer Logs vs Command Logs and trying to determine how they might be useful to troubleshoot issues with various machines from what I’m seeing on a select few vs that of the many machines in the same group, I came across this part. One thing I have noticed that is different than what is written, there does not appear to be any means to download “Command Logs” like the write-up states. And to that point, the only “Command” I have ever seen listed in this tab is when I Request Computer logs from a machine. Are there other types of “Commands” that show up here?  As to “Request Logs” from the Computer Logs section, you only really get 2 files.AvectoiC3Adapter25.8.840.msi-Installation-11-02-2026-0905.log PrivilegeGuardClient25.8.12.0.msi-Installation-11-02-2026-0906.logI think the documentation could use some improvement in this regard,

Apologies in advanced if this is common knowledge, I mainly support our Windows environment but I’m wanting to learn more about EPM on Mac.  Most of our Mac end users utilize an Active Directory group that we grant elevated privileges with.  A discussion came up recently about Homebrew, and I asked our support techs the current process for when they swap out machines for developers on Mac.  What I’m being told, is that possibly in the past EPM used to be able to allow standard users to install Homebrew via EPM for Mac however I’m being told Homebrew is incompatible with EPM for Mac.  End users are being added as local admin as part of the process which I’m not understanding why.If anyone has documentation, KB, or first-hand knowledge of using EPM for Mac and utilizing Homebrew without having to add users to local admin, it would be much appreciated.Example of what I’m being told from my End User Computing support team about the troubleshooting cadence of Homebrew

After success fully installed EPM windows application to the user machine still user unable get the elevated access properly.

The following articles were published last week. New Knowledge Base Articles: KB0021821 - PMR Database error - The database collation cannot be changed if a schema-bound object depends on it KB0022000 - Sophos blocks elevation of Remote Support via EPM-W - Sophos is terminating this process KB0023067 - SCCM Lawgic installation stuck at install in progress when EPM-W c

Hi, We have an issue of manual policy from PMC console is not getting refreshed to latest version when trying to manually refresh the policy. Although all looks good on PMC console, if I try to manually refresh a policy on a machine in PMC console it will say that system is on latest assigned policy, I will also get a message that system is on latest revision but when I check in BT icon > right click the policy is still on older version.Automatic policy refresh works fine that is when system check-in with PMC console on its own the latest policy is applied without any issue.I have test policy group where the policy refresh is working perfectly fine only production policy group we are facing this issue.If anyone of you has encountered this issue, it will great help if you can suggest what could be the possible reason.  

The following articles were published last week. New Knowledge Base Articles: KB0021999 - How to configure AWS S3 bucket to work with EPM Cloud SIEM KB0022011 - Error "InvalidUser=1 error" "Credentials could not be used" when logging into EPM Cloud with PingOne KB0023265 - Random "Access denied" or "Oops" errors appear while navigating in Pathfinder

Hello We have EPM Windows agent 24.x version . When a user tries to install Notepad ++ Plugins it throws UAC prompt. I created a rule with all details shown in UAC prompt such as publisher and file name . Later I removed publisher and kept just the executable name , still I get the Windows prompt instead of EPM. Has anyone faced this issue?On 25.x EPM agent with same policy , EPM is able to detect it and elevate it with Notification message 

Is there anyone worked on some kind of powershell script to generate policies, application groups etc.?Trying to create some policy automic policy making process. 

Hey All.I’ve been working with the API for PM Cloud.Thanks to BT for making the Policy Editing API available for PM Cloud — it works great in this first iteration, but we do need some tweaks 🤔I’ve created a ticket with BeyondTrust because I ran into a limitation and would like to hear everyone’s thoughts.When creating applications through the API, we are limited to using “Product Description” as the unique identifier. This prevents us from uploading applications when multiple apps share the same Product Description, even though the File Name, SHA‑256, Product Name, Publisher, etc. are different. See the sample highlighted in purple below.Upload sampleMy view is that the only criterion that can guarantee a 100% certain duplicate is the SHA‑256 value. We need some additional logic to deter

The following articles were published last week. New Knowledge Base Articles: KB0021898 - EPM-W and BITS transfer - How to allow installation KB0022280 - BeyondInsight EPM Reporting issue - Transparent details pane when in "Match System Theme" KB0023253 - BeyondInsight EPM policies not applying on some endpoints

The following articles were published last week. New Knowledge Base Articles: KB0023244 - UseAlternateTokenLaunch - What it is and how to use it KB0023245 - Validate setting fails "Unable to Connect to the Microsoft Entra ID with the provided credentials" KB0023249 - Endpoint machines domain change not showing in EPM Cloud

The following articles were published last week. New Knowledge Base Articles: KB0021348 - EPM rule not matching after using an event (Add to Policy) to create the definition KB0022462 - EndpointUtility freezes when run from elevated cmd or PowerShell

The following articles were published last week. New Knowledge Base Articles: KB0021900 - EPM-M and third party system extensions

The following articles were published last week. New Knowledge Base Articles: KB0023197 - How to add Entra ID groups or users in BI Password Safe integrated WPE

The following articles were published last week. New Knowledge Base Articles: KB0021822 - Local passwords not rotating after upgrade to Endpoint Privilege Management for Mac 24.5.3 KB0021840 - How to add and use a local AD connector in EPM Cloud KB0021899 - How to block users from accessing Users & Groups with EPM-M

Hi,just a short question. Is there a need/ recommendation for the “recommended exclusions from 3rd party anti-virus - KB0017099 ” in combination with Microsoft Defender for Endpoint?We are asking this because at the moment we do not have set these exclusions and for us the Defender is not a typical “3rd party av”. Regards,Jens