A localized space to talk about EPM, specifically for Windows And Mac OS's.
Recently active
A Security Researcher’s Guide to Understanding Copilot Studio AI AgentsInside Copilot Studio: Architecture, Control Planes, and Injection VectorsWith new techniques for agentic AI prompt injection being released daily, attackers and defenders are reliving the old days of SQL injections. Pwns to AI agents can range from dumping business data to taking full C2 control of critical infrastructure.BeyondTrust Phantom Labs™ has spent months reverse engineering Copilot Agents, aiming to uncover how they work, what existing Microsoft services they are built from, and how their control planes function. This blog post covers our findings, getting red and blue teams alike up to speed on: Copilot Studio's implementation of AI agents The deeper Microsoft architecture these agentic workflows were built from Prompt Injection techniques Copilot Studio agents are prone to The maker credentials anti-pattern Continue reading HERE Customer Case Studyivision: How ivision Simplifies and Scales Identit
We are experiencing an issue where the Support Desk (Challenge/Response) prompt disappears within 1–3 seconds, preventing users from entering a response code and elevating applications.EnvironmentEPM-M Version: 26.1.0.120 OS: macOS Tahoe 26.4 Users sometimes receive a "Deadline Reached" notificationWe reviewed KB0020349, but the issue is documented as fixed in 23.7.1+, and our clients are already on 26.1.0.120.A comparison between working and affected devices showed no significant differences other than hardware (M2 vs M3 Pro and different Mac models).BeyondTrust advised that newer macOS versions may limit the prompt display time to approximately 10–14 seconds and suggested Challenge/Response or JIT Application Requests as workarounds. However, in our case, the prompt disappears in only 1–3 seconds, which seems abnormal. As soon as message gets disappeared, users get attached message :- BeeKeepers, please let me know :- Has anyone seen this behavior on EPM-M 26.1 ? Are there any know
After installing the BeyondTrust EPM agent in Windows, on a few support user’s machine, the service desk team is unable to copy and paste any text from their machine to a remote session machine. They are using Team viewer for the remote session.We have already followed this KB article and create customer token and separate rule for team viewer:- https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021340&source=community This issue occurs across applications such as Word, Notepad, and other tools. The issue is completely blocking the support user’s ability to perform work in remote sessions. List of apps/functions tried : Windows UAC, Word, Notepad, Browser. After uninstalling EPM agents, the issue was resolved. Client version :- 26.1.59.0Adaptor version :- 26.1.1495.0OS :- Microsoft Windows 11 Enterprise Please share your experience on this. If you have any solution please let us know.
We are currently working on creating a Power BI (PBI) report to capture the details of On-demand feature usage. Everything has been configured and is functioning as expected. In the existing PBI report, we would like to include the "User Reason" field. However, we are unable to identify the exact API that provides the "User Reason" field data. Could you please guide us on how to retrieve this information via API?
Hello! Does the EPM W Package Manager automatically update itself or we can control it . I see we can control the adapter and client version while using the Package Manager but don’t see a setting to control the version of PM .
The following articles were published last week. New Knowledge Base Articles: KB0022621 - How to allow NI Package Manager with EPM-W KB0023064 - Add to policy from Analytics has incorrect product description for VLC KB0023065 - Powershell definitions does not work if using parameters name in the command KB0023327 - Apple's SecurityAgent is stealing keyboard focus when EPM-M is installed KB0023543 - Add to Policy from Analytics v2 creates definition that does not work KB0023576 - Logstash does not truncate oversized fields for Azure Sentinel causing rejected batches with error 413 KB0023676 - VirusTotal Reputation Score tokens render as empty in JIT ticket-create webhook payloads
Hello all,I have a user that needs elevated privileges on multiple computers, but if I put them in a flexible workstyle then they will have that workstyle and the permissions that come with it, on any computer the user logs into. Is there a way to limit which computers this user will have elevate permissions on?Thanks for any guidance.-Joseph
With macOS Golden Gate being announced in WWDC, I thought I'd create a post to share any known issues we've found so far. We have been testing EPM with all macOS Tahoe betas which we have available to us as a member of the Apple Developer Program. During this testing, we’ve identified a few minor issues. Below, you’ll find details of the problems, workarounds (where available), and planned resolutions.Issue 1: Incorrect OS Name and Version Displayed in PM CloudDescription: In PM Cloud, the macOS Golden Gate version is reported incorrectly. Where to See: Home → Computer → Details → OS → the “Name” and “Version” fields show incorrect values. Workaround: None. Resolution: This will be fixed in 26.3.1 release, where the OS will correctly display as macOS Golden Gate (27.0). Issue 2: Apple Publisher Name Change for macOS 27 System ApplicationsDescription: In macOS 27 Golden Gate, Apple has changed the code-signing publisher name for system applications from "Software signing" to "macOS Soft
The following articles were published last week. New Knowledge Base Articles: KB0022551 - Frequent BSOD when Nerdio Manager software is used to manage AVDs KB0022576 - Error adding certificate to keychain EPM for Mac "SecTrustSettingsSetTrustSettings: The authorization was denied" KB0022588 - Unable to "Delete immediately" from Trash or Bin with EPM-M - prompted for admin credentials KB0022592 - Can EPM policy be configured to deactivate NTLM ? KB0022642 - Unable to upload changes via MMC - Unexpected communication error KB0023545 - Endpoint Utility connection test error - Unexpected communication error. Access to the path 'C:\...\EventService' is denied. KB0023676 - VirusTotal Reputation Score tokens render as empty in JIT ticket-create webhook payloads KB0023678 - BT-2026-June-EPM Cloud KB0023687 - EPM Cloud events sent to CrowdStrike through s3 bucket ingested incorrectly
I need to elevate a simple powershell script that copies a file to a directory in “C:\Program Files”. The problem is that if I put in the hash of the ps1 file, it does not trigger the elevation because EPM only seems to see the hash of powershell. I followed KB0019883 which seems to suggest it is possible to do this. I did try by right-clicking on the ps1 and selecting “Run with Powershell” but it does not work by hash. I do not want to approve by file name.Has anyone been able to elevate a powershell script by hash?
The following articles were published last week. New Knowledge Base Articles: KB0023609 - Child matched events using Any Application or have missing data KB0023663 - What is the URLCache used for? KB0023664 - Custom messages configured to show two lines with the BT PM App display all three KB0023668 - "Mail To" email sent from an EPM-W block message is missing file hash and publisher name
Hello All,Anyone gotten the Codex app working with admin sandbox? OpenAI has made the unfortunate decision to make their app an MS Store app. Users are prompted that “Couldn’t set up agent sandbox with admin permissions”, and they’re met with a vanilla UAC prompt.
Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk rule uploads.Move Computers to Group allows me to upload a CSV file containing a hostname column with hostnames listed
The following articles were published last week. New Knowledge Base Articles: KB0022499 - Windows startup issues with EPM-W - black screen after reboot KB0022506 - How to block WhatsApp install through the MS Store via EPM-W policy rule KB0023599 - EPM with BI integration - refresh groups fails with message KB0023642 - How to test performance with the TraceConfig.exe tool KB0023645 - Analytics Events page does not change content on first "next page" click
The following articles were published last week. New Knowledge Base Articles: KB0022528 - Is there a way to setup an email alert for JIT requests? KB0023521 - Admin Access Request API issues - after approval or denial response values are switched KB0023611 - Black screen at computer boot-up - Powershell, cmd.exe, and/or explorer.exe crash
We are currently using BeyondTrust EPM for Windows and macOS under a cloud subscription.On every device where the BT Agent and Adapter have been deployed, the devices stopped reporting back to Intune and the sync services are no longer functioning.Is anyone else experiencing this issue? We would greatly appreciate input from anyone who has faced a similar situation and can share guidance on resolving it as soon as possible.
Mastering the Modern Attack Surface: A Recap of Identity Security Insights Innovation in Q1 Enhanced speed and visibility at the identity perimeter As the first quarter of 2026 came to a close, the identity landscape continued to evolve at breakneck speed, highlighting the BeyondTrust Identity Security Insights® team’s imperative to keep innovating and evolving our offerings. For us, the mission continues to be clear: providing unprecedented visibility and radical simplification. From the launch of our first AI security assistant, to deeper Active Directory visibility and regional expansions, we’re giving security teams the tools to move from reactive defense to proactive mastery. Here is a comprehensive look at the major Identity Security Insights innovations delivered in Q1 2026. Continue reading Blog HERE Customer Case Studyivision: How ivision Simplifies and Scales Identity Security with BeyondTrust Latest Available VersionsEPM for Windows and Mac (Cloud and Pathfinder) v26.1.1495
Hi,i have got the issue, that i have some computers that don’t show an current logs in the analytics Audits. The Date is about 8 Days off but when i look in the Computer Section last connected is today as example.Do i have to configure something somewhere? I dont have the issue on all computers. Thank you kind Regards Thien
The following articles were published last week. New Knowledge Base Articles: KB0021615 - Policy is not recieved from BI after incorrect install order of EPM-M KB0022408 - Not able to validate settings for ServiceNow in JIT Access Settings KB0022429 - MSI installs using Package Manager fail "Error 1618 (Another installation is already running)" KB0022879 - Package Manager not preserving proxy settings KB0023599 - EPM with BI integration - refresh groups fails with message KB0023606 - Policy message header text remains visible in dialog boxes even after the "Show Header Text" option is disabled KB0023607 - Login delay from hibernate with EPM-W installed KB0023609 - Child matched events using Any Application or have missing data KB0023614 - Endpoint utility - Endpointutility explanation of commands (EPM-M)
I’m currently testing an agent provided by support to alleviate performance issues and the IC3Adapter service won’t start on the test laptop. Due to Agent Protection being enable I cannot manually start the service either. I’ve tried manually starting the service via command prompt and that does not work either. I’m about to go through the process of reinstalling using safe mode but I’m wondering if someone might have any input. Thanks.
Hey BeeKeepers! Welcome to another edition of suggesting AI EPM policy rules. This advice is geared at creating a separate AI Workstyle for the exact reason that the space is highly dynamic. This is an evolution from using the All Users workstyle for a global block, and then trying to navigate how to handle exceptions. Note: This space is still highly dynamic! The initial notes in Hunting for Lobsters in EPM Analytics - Openclaw (Clawdbot, Moltbot) | Community still stand. The goal isn’t artisanal policies, or boiling the ocean to catch a few lobsters - they will mutate before being totally captured anyways. 💡 There’s a whiteboard at the bottom of the post from my my analogue thinking to provide a visual of the logic. TLDRUse an AI workstyle rule to allow for faster changes than typically seen in policy updates All Users - AI - bypass some unintended consequences of AI block rules, or AI that’s actually for all users Block Rule - the default block without any exception handling Blo
The following articles were published last week. New Knowledge Base Articles: KB0022226 - Azure Files incompatibility with EPM-W features using Alternate Data Streams (ADS) KB0022378 - What is the difference between elevation and allowing an application? KB0022392 - How to block specific application installs via Homebrew using EPM-M KB0023521 - Admin Access Request API issues - after approval or denial response values are switched KB0023549 - Users still get Windows UAC prompts for credentials while in a JIT Admin session KB0023551 - Issue with JIT authorization approval via API – 'decision is not a valid value' KB0023565 - EPM-W policy does not work when computer is offline KB0023576 - Logstash does not truncate oversized fields for Azure Sentinel causing rejected batches with error 413
The following articles were published last week. New Knowledge Base Articles: KB0022403 - Issue with computer or adapter IDs (GUIDs) being overwritten KB0023505 - Trying to start the EPM cloud adapter results in Error 1053: The service did not respond to the start or control request in a timely fashion KB0023531 - Performance issue in EPM-M - Failed to look up group account KB0023543 - Add to Policy from Analytics v2 creates definition that does not work KB0023545 - Endpoint Utility connection test error - Unexpected communication error. Access to the path 'C:\...\EventService' is denied.
Hi there,We have set up MFA-Messages to authenticate admins when installing software on a client. This also needs to be done on “user-clients”. The problem is that you actually can use the admin mfa session to access various ressources such as microsoft admin portal if youre not actively sign out or do the authentication in private-tab.I already tried to use the following in my entra application, but this does not seem to work: Has anyone setup an MFA-Authentication in Messages for EPM-W and may assist?Many Thanks!
has EPM-W in BeyondInsight Software, Now its eol.We need to migrate to UVM based appliance in Active Active with DC-DR, I need assistance in understanding what all should be considered before the migration.1. How do i make sure the software based deployment which has DB should be moved to the new UVM deployment in Active active.2. How do I make sure I deploy UVM in Active Active in DC & DR where I should deploy 3 UVM in DC and 3 UVM in DR so I get them running active active all the time.3. How many maximum machines do we can connect using this kind of deployment for EPM-W4. Also Wanted to understand for EPM what the load Balancer configuration should be.
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.