Windows & MacOS

Does anyone know how to implement this remediation - the instructions are very vague. BT23-08 | BeyondTrust

Dear colleagues,I have a bunch of feature requests on the ideas portal, which I would like to get some traction on.So, if you agree with me on any of these give them a vote so BT can start making things happen.https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2180https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2167https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-1922https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2161

The following articles were published last week. New Knowledge Base Articles: KB0021755 - How to enable the policy cache for Endpoint Privilege Management for Mac KB0021847 - EPM-W client failing to install "Error 2738. Could not access VBScript run time for custom action" KB0022165 - Application group rule filter is not working for Entra ID groups

Hi all,Good day. I have a question regarding the EPM agent for macOS. For this test case, I have two types of endpoints, one Windows and one macOS.I have learned about the agent installation for the Windows endpoint. This one is straightforward for my case since I only have one Windows endpoint for product evaluation. All I need to do is download the package manager and run the command to install it.But, I am still unsure about macOS. Please note that Im not familiar with macOS and this is my first time working with it for a product evaluation. My question is, for macOS, can I use the same method for the agent installation? I mean using a package manager similar to the Windows endpoint since I only have a single macOS machine.Appreciate it if someone could provide the proper guideline and advise on this.Thanks again.

Hi Team,How to block dmg file installation in EPM-M we are unable to block installation for dmg file as well as package installer. The blocking rule is ineffective for application installations, whereas the actions related to allowing or requesting installations are functioning as intended.

The following articles were published last week. New Knowledge Base Articles: KB0021792 - Wrong application type displayed in Analytics reports - Executable instead of Management Console KB0023108 - Settings menu fails to load or crashes on Windows 11 25H2 using EPM-W

Employees with EPM installed are having issues printing with Excel and I cant seem to figure out what is holding that up when printing works fine with everything else. 

Hi  I would like to see if we can block commands in CMD for Windows Platform.If yes, how can we do a sample would help for building it.RegardsNaveen

The following articles were published last week. New Knowledge Base Articles: KB0023078 - Error when installing EPM-W - The system administrator has set policies to prevent this installation KB0023096 - Performance issues with EPM-W and Symantec

Hello,We have a on-demand rule for Command prompt for a set of users . This rule allows running of child processes with Basic Admin token for Windows Command Prompt - Run-As-Admin action.For same set of users , when they try to install another application using Run-As-Admin option , based on quick-start rules it gets Admin token which gets applied to child processes as well. But at one point in installation Command Prompt is launched by the installer , this results in additional prompt for the user . Logs show that it is hitting the Command Prompt on-demand rule. I think as the application is triggering the Command Prompt and it has application name as parent process, it should ideally get the admin token and not hit the CMD on-demand rule ?

The following articles were published last week. New Knowledge Base Articles: KB0022233 - Events not showing in Reports after PMR upgrade in an Active Passive setup KB0023075 - EPM-W icon missing from system tray after install KB0023082 - Preview of messages are missing the message header and OK and Cancel buttons

We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/ hives. We want to know:whether we can enforce this using EPM policies or do we need to use group policies for this?Will EPM Policy be able to block users from modifying registry values within their respective endpoints? Can Avecto Defendpoint Service identify such events related to registry modifications i.e. will we see event logs (in Event Viewer and BT EPM cloud console) related to every unique registry key/ hive?

The following articles were published last week. New Knowledge Base Articles: KB0021743 - EPM-M tray icon missing after install KB0021997 - EPM-W COM class elevation rule fails when 'EnableSvchostMitigationPolicy' is involved KB0022850 - Prevent sudo sudo commands - EPM-M Quick Start policy changes

Hi, I need to analyze all event logs and see which ones belong to end users who used privileged elevations to categorize them into the high-flex category. The filters in the Analytics tab seem limited and there are a lot of event logs.How can I quickly go about identifying which users belong in the high flex category?  Thanks all!

Hi Everyone, I have the following use case:How can i target the git command in the terminal?The Git binary was installed by the user via Homebrew.I’ve tried matching File / Folder Name criteria with git, and also using the absolute path /usr/local/Cellar/git/2.51.1/bin/git in the Application Groups, but it still didn’t work.I tried matching it with parent process and even using the hash (SHA-256).I tested sample commands like ls -la, as shown in the documentation website, and the ls -la were successfully captured.The git command filtering is only work when i use a sudo command application type. i.e. if i type sudo git pull...But the case i want is no

The following articles were published last week. New Knowledge Base Articles: KB0022837 - Sailpoint Identity Security Cloud integration with EPM Cloud KB0022929 - Best Practices when using the Server Roles policy template

Hi,Has anyone seen issues with Win11 AutoPilot laptops and PatchMyPC where EPM is now prompting users trying to install anything in Company Portal.I found thisPreviously: EPM probably trusted these scripts through a Publisher rule or Parent process allow rule.Now: After a recent Patch My PC update (around Oct 2025), the background script is signed or launched differently, possibly under the System Functions policy group, and no longer matches the older rule conditions.Anyone any ideas?

The following articles were published last week. New Knowledge Base Articles: KB0021582 - mTLS Adapter and the upcoming Endpoint Privilege Management Cloud 24.6 KB0022881 - Cloud Adapter is logging more events after upgrade to 25.5 or higher KB0022995 - Unable to pass UAC when elevating Remote Support Customer Client with EPM installed

I have a hybrid environment where my on-prem AD group accounts are created and then later on syncd to Entra ID. When I add one of the syncd groups, the filter does not get applied at all. Does anybody know how EPM checks for which group a user belongs to? I tried creating a separate Entra ID cloud group and added myself as a member, got the sync completed via the API, then added an account filter using this group, still does not get applied. What am I missing?

The following articles were published last week. New Knowledge Base Articles: KB0022810 - Windows Terminal prompts UAC instead of EPM-W message KB0022978 - What is the Matched as Child Process filter? KB0022987 - Message name updates for previous events in Analytics

Hi guys,We want to achieve this Use-case on MAC: Allow whitelisted Installers and let all other installers go through an approval process.We want to trigger a JIT message for all installers other than Whitelisted ones.So we created 2 rules, one to allow whitelisted installers and other rule to request.Coming to request all other installers (other than whitelisted ones), we placed .dmg and .pkg in application rules under binary and package applications, dmg is not getting any JIT message and we are able to proceed with installation and when it comes to .pkg, JIT request message is populating but in the middle of Installation process, it is asking for username and password again. These rules are being applied for standard users only. So is there a way to make all .dmg and .pkg files go through JIT when the user hits other installers other t

Hey everyone,I often find myself referring back to some of the same EPM-W KB articles over and over again, so I thought I'd share below some of my most commonly visited KBs to keep in your back pocket. EPM-W troubleshooting guide: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017077This one is a great starting point for any EPM-W related troubleshooting steps. EPM-W has three primary components to consider up front, each acting as a variable when troubleshooting an issue. These are:Defendpoint Service PGHook (user space) PGDriver (kernel space)While I plan to create a separate post in the future to review each of these components and what their roles are, the primary goal of this KB article is to help y

The following articles were published last week. New Knowledge Base Articles: KB0021537 - EPM-W rule not matching Sublime Text Editor when using publisher in definition KB0021655 - EPM-M endpoint not recieving policy - Error Domain=NSOSStatusErrorDomain Code=-67901 KB0021662 - When filtering Analytics in separate tabs they are not independantly honored