Windows & MacOS

Hi There,we often create a blanc Test-Policy by importing the productive policy, make changes and test them there. However we expirience some unconsistencies when rolling back to the productive policy. In fact OnDemand processes are not being recognized. So if i start powershell as Administrator, it hits the default any uac (not OnDemand) This is most likely due to a cache issue or sth. On a machine which did not have the test-policy assigned, the productive-policy is working as expected and OnDemand rules are applied correctly.Multiple Computer restarts did not solve the problem. A few hours later, it just worked again without any changes.Is there a way to troubleshoot this? Many Thanks

Hi,I have a problem with the Avecto Defendpoint Service (client version 25.8.12.0).When I restart a Windows 11 notebook, the service is running, but EPM does not work correctly.To resolve the issue, I have to restart the Avecto Defendpoint Service manually, after which everything works as expected.If I set the service startup type to Delayed Start, it starts after about two minutes and then works fine.Has anyone else experienced this issue?Thank you.Kind regards,Thien

Hello All,Is there a way to notify (some sort of pop up) the users that the JIT request has been approved via BT EPM app/agent for a better user experience ? PMC has been integrated with SNOW.

The following articles were published last week. New Knowledge Base Articles: KB0022887 - JIT requests stuck in the pending status in ServiceNow

Hey everyone,Checking to see if anyone has seen this before, I have multiple servers in an environment that all point to the same proxy.  On a handful of these servers, I can see where package manager is downloading and attempting to install the adapter and client.  However, on others I’m seeing where it cannot download the package.  It tries 5 times, gives up and says I can find more information on the agent with a specific ID (looks like the computer ID).  Anyone have a location for that log? I’ve looked in the standard ones with no luck.I’ll attach an example from the event viewer logs so you can see where it downloads and tries to install the adapter with a 1603 error on one (this I’m trying to fix with workarounds) and on the other it can’t download at all.  

Does anyone know if it is possible to include multiple domains in a management rule filter?  For an example, we need to setup rules to move multiple domains to single computer groups after a certain length of time.  Currently, I have over 20 management rules in place to do this functionality, however I would like to cut that down if possible.  

EPM-W is blocking some of the functionality of ZoomText screen reader. How do we get around that and allow all functions of ZoomText to run? zt.exe and child processes have been whitelisted already.

Hi All I have been looking arround for a document that can help in building the Beyondinsight Using UVM for Privilege Management for Windows & Mac in Active Active mode for DC & DR. What are the prerequisites and how to establish the DC & DR scenarios, what are the things that we should be really looking into for the deployment. My another query is how does the Agent understand the DC & DR scenario as if we need to deploy 1 Management node in DC and 1 Management node in DR with 2 Event worker nodes in DC and 2 Event Worker nodes in DR. Where in DC we have SQL in Cluster with Always ON Availability Group and Same deployed seprately in DR too. Can some one explain as how it works and what are the precautionary measurements we need to take care of.

The following articles were published last week. New Knowledge Base Articles: KB0022215 - Privilege Management for Mac client app bundle continually verifiying package KB0022295 - How to create replacement definitions for PGNetworkAdapterUtil, PGPrinterUtil and PGProgramsUtil KB0023279 - EPM-M Defendpointd memory leak causing high RAM usage

Hello,I am working on creating a new BT EPM policy for our Win 10 and 11 system in our environment. I created an application group and added it under Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones i have approved in SCCM Software Center and InTune. My problem is that i have a list of couple of hundred of approved apps and i don’t want to add them in the application group manually one by one. is there a way to import them from an excel list if i populate the excel with publisher and product name and whatever else i might need. or is there any API i can use for that.Thank You

Has anyone else gotten the 26.1 agent upgrade yet? We have been waiting for a few weeks now, and it is still not available to us. I don’t know if we should put in a ticket to find out why it hasn’t been pushed to us yet, or if it is just taking that long.  We’re looking forward to the AAD refresh capability that’s built into it. 

On our systems we’ve deployed beyondtrust to, if I do a Microsoft sentinel or KQL search for local admin login events, I’m seeing a lot of accounts that start with lenovo_tmp. After some searching, it appears that these are used by the lenovo system updater software to run updates with elevated privileges when a user is not admin. This concerns me because it seems to violate the tamper protection of beyondtrust that disallows the creation of other admin accounts. (lenovo forum for context).Is anyone else seeing this? If you can run KQL advanced hunting queries, look at the DeviceLoginEvents t

The following articles were published last week. New Knowledge Base Articles: KB0022184 - ServiceNow ticket for JIT request does not show username in 'Caller' field KB0022206 - NVDA screen reader does not correctly activate on Secure Desktop KB0022208 - QuickStart Template Changes Regarding Microsoft Narrator

The following articles were published last week. New Knowledge Base Articles: KB0023082 - Preview of messages are missing the message header and OK and Cancel buttons KB0023133 - EPM-W 26.1 policy behavior change - Uninstallation with Challenge/Response messages KB0023385 - Identity Authentication feature in EPM FAQ and how to configure it

We have a EPM workstyle dedicated to the service desk, which takes effect at the start of Beyond Trust remote session. This makes use of Audit scripting / Rule scripting to sense the initiation of the session and change the effective workstyle until the session completes. During the session, support technician is able to elevate the application through Prompt.We have observed that this script provided by BT for this use case is executing the rule only once, when another application is open during the same session, the end user workstyle (Medium Flexibility prompt) is getting applied and application is not elevated. Please let us know, how to fix this.

Many organizations face the same challenging questions in their initial deployment of the EPM tool.Where do I even start with for the policy design? How can I use EPM to allow and block applications? How do I find local administrators privileges on the endpoints? How can I prevent users from running applications outside of these trusted folders (Windows, Program Files)EPM is designed with the flexibility to control and elevate applications, many of the above questions can be achieve with the out-of-the box QuickStart policy template that combines BeyondTrust best practices into a set of rules that make it easy to get started with proactive endpoint protection. Out-of-the-box, the user’s security level is immediately improved without degrading the user experience or by “locking them down”. This is designed to be successful even with very little knowledge of the applications installed in an environment before deployment.

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks Y

Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk ru

The following articles were published last week. New Knowledge Base Articles: KB0022135 - EPM Cloud (SaaS) client, adapter and Package Manager FAQ KB0022207 - JAWS screen reader does not narrate 'Select Reason' drop-down KB0022214 - Is Privilege Management for Windows Web Policy Editor affected by CVE-2025-24813?

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

My Security Team wants to do unauthenticated scans with Rapid 7 on our Privileged Management on-prem appliances.  I dont see why this would be an issue, but wanted to check if anyone has any experience with this or any issues that they have run into.  Or if anyone from Beyond Trust has any info also that would be great.

I am getting several users complaining about their Avecto Defendpoint Service just stopping all of a sudden. May I ask what is the best way to troubleshoot and find out what is causing the service to stop?I ran a PGCaptureConfig extract and looking at the Avecto IC3 client log, I can see the warning about the “Defendpoint agent service is not running”. I have looked at the Windows event log but it does not really say anything what might have caused the service to stop.

Good day everyone! So recently we have begun to ingest EPM log into MS Sentinel, and I have noticed a difference in the data we see in the console Analytics vs Sentinel. Firstly the integration was simple and straight forward.  Once configured we began to see information flow into Sentinel.  This is not a problem and seems to be working well, we used the CIM format.What we are seeing is good, but it is nowhere near the information we see in the console analytics.Example I will use is logons.  We can see logons in both the analytics and Sentinel, however there is information missing in the information we see in Sentinel, namely privilege. So in the analytics I can see and search on the client privilege, and status of the account (domain, local), but in Sentinel I am not.I just wanted to start a conversation with others who are using a SIEM with EPM or plan too int he near future.  We could compare experiences and possibly see what in store for the f

We have defender for endpoint and since past couple of days, we are most of powershell scripts are trying to elevate. Earlier they were running in passive mode. Also many applications including intune pushed scripts are giving Yes/No Promts (Configured in policy). As it was working fine earlier and suddenly started this issue. Anyone else facing the same?