Windows & MacOS

The following articles were published last week. New Knowledge Base Articles: KB0022837 - Sailpoint Identity Security Cloud integration with EPM Cloud KB0022929 - Best Practices when using the Server Roles policy template

Hi, I need to analyze all event logs and see which ones belong to end users who used privileged elevations to categorize them into the high-flex category. The filters in the Analytics tab seem limited and there are a lot of event logs.How can I quickly go about identifying which users belong in the high flex category?  Thanks all!

Hi Everyone, I have the following use case:How can i target the git command in the terminal?The Git binary was installed by the user via Homebrew.I’ve tried matching File / Folder Name criteria with git, and also using the absolute path /usr/local/Cellar/git/2.51.1/bin/git in the Application Groups, but it still didn’t work.I tried matching it with parent process and even using the hash (SHA-256).I tested sample commands like ls -la, as shown in the documentation website, and the ls -la were successfully captured.The git command filtering is only work when i use a sudo command application type. i.e. if i type sudo git pull...But the case i want is not using sudo.Does EPM-M only process binary that are signed by Apple?Because the git from homebrew is not signed. I’m using macOS 13 Ventura and PMC 25.6.580 Thanks

We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/ hives. We want to know:whether we can enforce this using EPM policies or do we need to use group policies for this?Will EPM Policy be able to block users from modifying registry values within their respective endpoints? Can Avecto Defendpoint Service identify such events related to registry modifications i.e. will we see event logs (in Event Viewer and BT EPM cloud console) related to every unique registry key/ hive?

Hi,Has anyone seen issues with Win11 AutoPilot laptops and PatchMyPC where EPM is now prompting users trying to install anything in Company Portal.I found thisPreviously: EPM probably trusted these scripts through a Publisher rule or Parent process allow rule.Now: After a recent Patch My PC update (around Oct 2025), the background script is signed or launched differently, possibly under the System Functions policy group, and no longer matches the older rule conditions.Anyone any ideas?

The following articles were published last week. New Knowledge Base Articles: KB0021582 - mTLS Adapter and the upcoming Endpoint Privilege Management Cloud 24.6 KB0022881 - Cloud Adapter is logging more events after upgrade to 25.5 or higher KB0022995 - Unable to pass UAC when elevating Remote Support Customer Client with EPM installed KB0022999 - Siemens TIA portal crashes when opening or saving a project KB0023009 - Servers with EPM-W agent onboarded as an Asset are missing IP addresses KB0023018 - Unable to type in any fields on Oracle application form in Microsoft Edge with EPM-W installed KB0023019 - How is role assignment configured when using both OpenID and RBAC?

I have a hybrid environment where my on-prem AD group accounts are created and then later on syncd to Entra ID. When I add one of the syncd groups, the filter does not get applied at all. Does anybody know how EPM checks for which group a user belongs to? I tried creating a separate Entra ID cloud group and added myself as a member, got the sync completed via the API, then added an account filter using this group, still does not get applied. What am I missing?

The following articles were published last week. New Knowledge Base Articles: KB0022810 - Windows Terminal prompts UAC instead of EPM-W message KB0022978 - What is the Matched as Child Process filter? KB0022987 - Message name updates for previous events in Analytics KB0022988 - Entra ID group filters are not applying after upgrading to EPM Cloud 25.7

Hi guys,We want to achieve this Use-case on MAC: Allow whitelisted Installers and let all other installers go through an approval process.We want to trigger a JIT message for all installers other than Whitelisted ones.So we created 2 rules, one to allow whitelisted installers and other rule to request.Coming to request all other installers (other than whitelisted ones), we placed .dmg and .pkg in application rules under binary and package applications, dmg is not getting any JIT message and we are able to proceed with installation and when it comes to .pkg, JIT request message is populating but in the middle of Installation process, it is asking for username and password again. These rules are being applied for standard users only. So is there a way to make all .dmg and .pkg files go through JIT when the user hits other installers other than whitelisted ones.

Hey everyone,I often find myself referring back to some of the same EPM-W KB articles over and over again, so I thought I'd share below some of my most commonly visited KBs to keep in your back pocket. EPM-W troubleshooting guide: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017077This one is a great starting point for any EPM-W related troubleshooting steps. EPM-W has three primary components to consider up front, each acting as a variable when troubleshooting an issue. These are:Defendpoint Service PGHook (user space) PGDriver (kernel space)While I plan to create a separate post in the future to review each of these components and what their roles are, the primary goal of this KB article is to help you with component isolation. In other words, which of the above three components is involved in the issue?If we can isolate which component of EPM is related to the issue at hand, we can focus our attention on the relevant piece and resolve the pro

The following articles were published last week. New Knowledge Base Articles: KB0021537 - EPM-W rule not matching Sublime Text Editor when using publisher in definition KB0021655 - EPM-M endpoint not recieving policy - Error Domain=NSOSStatusErrorDomain Code=-67901 KB0021662 - When filtering Analytics in separate tabs they are not independantly honored KB0021663 - EPM-M configuration profile 2.2.1 - Sequoia vs Sonoma and lower KB0021694 - Error 1603 when installing CCH Axcess via an EPM-W elevated application rule KB0021703 - Changes to the EPM-W QuickStart policy to address Microsoft Narrator behavior

Hi Everyone , I need one help wherein my requirement is for mac machine , if user tries install or uninstall anything on mac device , he should get the message (allow message select reason ) from EPM. Can you please suggest what change I should make to my policy to get it implemented thanks in advance.  Regards,Imran Aliyani

Hi All.As I have done quite a few implementation of PS Cloud and PM Cloud, lots of people curse the filter option or start typing a searching in the wrong field, or get interrupted by the partial typing search. So, I was thrilled to see the new insights and looking at the connector view. Is there any reason why we can’t have a similar filter option in PM Cloud Analytics or PS Cloud etc. So much easier to sort and filter data with. Add Column, first line filter option.. even has reverse filter option etc. What is your all thoughts about a filter option like that, compared to current?It almost feel like legacy from the good old SSRS reports.

The following articles were published last week. New Knowledge Base Articles: KB0022951 - EPM prompt authentication fails for entra-joined machines "Logon failure the user has not been granted the requested logon type at this computer"

Hi all,I am struggling to figure out why EPM is not correctly following rule priority within a workstyle. Our current policy was provided to us by BeyondTrust during our configuration sessions. I have added an application to policy via the “add to policy” button on the analytics page, to a rule that targets the application group “Add Basic Admin - High Flexibility”. In the application definition, I only use the product name as well as the publisher (provided by “add to policy” button).The problem is, when I try to launch the application, I don’t get the intended behaviour. I then check the analytics and I see the event was matched to a rule within the same workstyle with much lower priority.What’s going on?

The following articles were published last week. New Knowledge Base Articles: KB0022724 - When 'Requires Elevation' is set in app definition EPM-W does not match, UAC is prompted KB0022907 - Refresh Button flicker and freeze in BT.app on macOS Tahoe KB0022919 - How to allow or block removable media such as USB using EPM-W KB0022924 - How to create an EPM-M rule to allow the Capture Config tool

Hi team,I am pursing with course endpoint-privilege-management-windows-bcie . Under this course, I am doing the LAB part. I was trying to complete the LAB 2 Installing the Package Manager. Under this LAB I followed all the steps as mentioned in document .  However after installation I am not able to see the below services under services .msc1.Avecto IC3 Adapter 2. Privilege Guard ClientI could only see PMC PackageManager under location  C:\Program Files\Avecto and other 2 services are not visible. Under services also I only see BeyondTrust Privilege Management Package Manager and other services 2 services BeyondTrust Privilege Management Cloud Adapter and Avecto Defendpoint Service  are not present. Under system tray I don’t see BT icon. Under installed software I see the software is installed though. I have restarted LAB01 multiple times, tried to uninstall and install multiple times. But no luckI am sharing all the relevant share shots for reference . can any please check and help me

Given macOS Tahoe is around the corner, I thought I'd create a post to share any known issues we've found so far. We have been testing EPM with all macOS Tahoe betas which we have available to us as a member of the Apple Developer Program. During this testing, we’ve identified a few minor issues. Below, you’ll find details of the problems, workarounds (where available), and planned resolutions.Issue 1: Incorrect OS Name and Version Displayed in PM CloudDescription: In PM Cloud, the macOS Tahoe version is reported incorrectly. Where to See: Home → Computer → Details → OS → the “Name” and “Version” fields show incorrect values. Workaround: None. Resolution: This will be fixed in 25.8 release, where the OS will correctly display as macOS Tahoe (26.0).Issue 2: Refresh Button Flicker and Freeze in BT.appDescription: When users click the Refresh button in BT.app, the button flickers. If “Pending” data is present, selecting Refresh causes the dialog to become unresponsive, and the “Pending” s

The following articles were published last week. New Knowledge Base Articles: KB0022879 - Package Manager not preserving proxy settings KB0022887 - JIT requests stuck in the pending status in ServiceNow KB0022894 - Cannot see any EPM policys in BeyondInsight "No records to display" KB0022905 - Incorrect OS name, description and version displayed in EPM Cloud for macOS Tahoe KB0022906 - Dark Mode issue in JIT Admin request for EPM-M on macOS Tahoe KB0022907 - Refresh Button flicker and freeze in BT.app on macOS Tahoe

getting error of failed to install performance counter while installing privilege management console adapter application. Does anyone know how to resolve this issue

Hi all, has anyone seen the following issue we have been experiencing?Autopilot pre-provisioning has problems in the final stages if the EPM agent is installed during the Hybrid build and the OS level is Windows 11 23H2 July 2025.The Avecto driver (PGDriver.sys) seems to be clashing with the Autopilot final OOBE stage preventing the device from finishing on the correct Windows logon screen

The following articles were published last week. New Knowledge Base Articles: KB0021603 - Meta Oculus install fails with EPM-W 24.3 and higher KB0021609 - Visual Studio NVIDIA installs fail when EPM-W admin token is used KB0021617 - Unable to run client project in debug mode after updating to Xcode 16 KB0022874 - How to downgrade EPM-W for troubleshooting KB0022878 - Access Denied when elevating some COM classes with EPM-W KB0022881 - Cloud Adapter is logging more events after upgrade to 25.5 or higher

Howdy folks, It’s been a little over a week since the new JIT Admin feature was released and so I wanted to share a little bit of what I’ve learned while using it.  What is JIT Admin?JIT Admin is a new feature in EPM (SaaS) 24.7, where a standard user can submit a JIT Admin request directly to the Privilege Management Console. Once approved, the standard user is put directly into the BUILTIN\Administrators group on their system, becoming a ‘true’ admin for a specified amount of time.This feature is available on both Windows and Mac.  How do I enable JIT Admin?​@Jens Hansen made a nice GIF in his post here which is probably the quickest way to see how simple it is to enable JIT admin within PMC. I’ll add documentation at the bottom, but at a high level, enabling JIT admin requires three things:“JIT Admin Access Integration” is enabled under Configuration > Just-in-Time (JIT) Access Settings > Admin Access tab JIT admin is activated on a workstyle via policy OS > Workstyles >