Windows & MacOS

Hello,I am working on creating a new BT EPM policy for our Win 10 and 11 system in our environment. I created an application group and added it under Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones i have approved in SCCM Software Center and InTune. My problem is that i have a list of couple of hundred of approved apps and i don’t want to add them in the application group manually one by one. is there a way to import them from an excel list if i populate the excel with publisher and product name and whatever else i might need. or is there any API i can use for that.Thank You

Hi All I have been looking arround for a document that can help in building the Beyondinsight Using UVM for Privilege Management for Windows & Mac in Active Active mode for DC & DR. What are the prerequisites and how to establish the DC & DR scenarios, what are the things that we should be really looking into for the deployment. My another query is how does the Agent understand the DC & DR scenario as if we need to deploy 1 Management node in DC and 1 Management node in DR with 2 Event worker nodes in DC and 2 Event Worker nodes in DR. Where in DC we have SQL in Cluster with Always ON Availability Group and Same deployed seprately in DR too. Can some one explain as how it works and what are the precautionary measurements we need to take care of.

The following articles were published last week. New Knowledge Base Articles: KB0023082 - Preview of messages are missing the message header and OK and Cancel buttons KB0023133 - EPM-W 26.1 policy behavior change - Uninstallation with Challenge/Response messages KB0023385 - Identity Authentication feature in EPM FAQ and how to configure it

We have a EPM workstyle dedicated to the service desk, which takes effect at the start of Beyond Trust remote session. This makes use of Audit scripting / Rule scripting to sense the initiation of the session and change the effective workstyle until the session completes. During the session, support technician is able to elevate the application through Prompt.We have observed that this script provided by BT for this use case is executing the rule only once, when another application is open during the same session, the end user workstyle (Medium Flexibility prompt) is getting applied and application is not elevated. Please let us know, how to fix this.

Many organizations face the same challenging questions in their initial deployment of the EPM tool.Where do I even start with for the policy design? How can I use EPM to allow and block applications? How do I find local administrators privileges on the endpoints? How can I prevent users from running applications outside of these trusted folders (Windows, Program Files)EPM is designed with the flexibility to control and elevate applications, many of the above questions can be achieve with the out-of-the box QuickStart policy template that combines BeyondTrust best practices into a set of rules that make it easy to get started with proactive endpoint protection. Out-of-the-box, the user’s security level is immediately improved without degrading the user experience or by “locking them down”. This is designed to be successful even with very little knowledge of the applications installed in an environment before deployment.

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks Y

Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk ru

The following articles were published last week. New Knowledge Base Articles: KB0022135 - EPM Cloud (SaaS) client, adapter and Package Manager FAQ KB0022207 - JAWS screen reader does not narrate 'Select Reason' drop-down KB0022214 - Is Privilege Management for Windows Web Policy Editor affected by CVE-2025-24813?

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

My Security Team wants to do unauthenticated scans with Rapid 7 on our Privileged Management on-prem appliances.  I dont see why this would be an issue, but wanted to check if anyone has any experience with this or any issues that they have run into.  Or if anyone from Beyond Trust has any info also that would be great.

I am getting several users complaining about their Avecto Defendpoint Service just stopping all of a sudden. May I ask what is the best way to troubleshoot and find out what is causing the service to stop?I ran a PGCaptureConfig extract and looking at the Avecto IC3 client log, I can see the warning about the “Defendpoint agent service is not running”. I have looked at the Windows event log but it does not really say anything what might have caused the service to stop.

Good day everyone! So recently we have begun to ingest EPM log into MS Sentinel, and I have noticed a difference in the data we see in the console Analytics vs Sentinel. Firstly the integration was simple and straight forward.  Once configured we began to see information flow into Sentinel.  This is not a problem and seems to be working well, we used the CIM format.What we are seeing is good, but it is nowhere near the information we see in the console analytics.Example I will use is logons.  We can see logons in both the analytics and Sentinel, however there is information missing in the information we see in Sentinel, namely privilege. So in the analytics I can see and search on the client privilege, and status of the account (domain, local), but in Sentinel I am not.I just wanted to start a conversation with others who are using a SIEM with EPM or plan too int he near future.  We could compare experiences and possibly see what in store for the f

We have defender for endpoint and since past couple of days, we are most of powershell scripts are trying to elevate. Earlier they were running in passive mode. Also many applications including intune pushed scripts are giving Yes/No Promts (Configured in policy). As it was working fine earlier and suddenly started this issue. Anyone else facing the same?

Hello Team,We will be moving/migrating our on-prem EPM to the cloud in the upcoming months and I was just looking for any insights or things to look out for during or after the migration.Thank you for anything you can share.

Dear all,I am seeking your assistance regarding a challenge we are facing in our current project to present events generated by the EPM-W Agent in PowerBI.As you are aware, the GUI allows us to download up to 5 million records, but this process is often time-consuming, especially when the data size reaches several gigabytes. Additionally, I recently learned that the API has a limit of only 10,000 events per request, which is insufficient for our environment. We generate approximately 455,882,549 events over a 30-day period. While I am actively working to reduce the number of events, this is our current situation.Your advice on how to efficiently process and visualize such large datasets in PowerBI would be greatly appreciated. Specifically, if there are ways to increase the API limit or alternative best practices for handling this scale of data, please let me know.

For those who are looking to start out on building block lists for EPM, below are some tips and resources available. Analytics can shift this exercise from ‘blocking by vibes’ to data-informed changes. Tips for Implementing a Block Rule: Check your analytics for application definitions that match your anticipated block rule This can help determine estimated impact Check your policy for allow rules that may match your block (either on purpose or by accident) If so, then your allow or block may need to be altered to not conflict Block Rules are the only time you’re going to want to be more generic, and typically the widest net possible. It’s the opposite of allow rules where we recommend more than one definition Examples: One rule for the Publisher

Can anybody let me know what are the BeyondTrust certifications on Endpoint Privilege Management and how can I get those certifications?I am unsure of all the certifications and the process involved in acquiring them. So, any help would be greatly appreciated. 

I’m posting this to see if anyone has run into this situation to see what their outcome was. We currently have two devices that do not show an active policy on the client, the platform shows a policy and that it is connected, but the device will not pull a policy. We have tried using the agentprotectionutility to generate a token but that token does not work. We have tried this with several computers, verified the token does work on a device that is not having the issue. Now we’ve tried moving that device to a test policy with agentprotectionstate set to 0, requested update from the device through the BT platform, rebooted the device, same issue. This device will not show a BT prompt for anything, UAC for everything, unable to modify any registry settings regarding BT, token does not work, moving to another policy with agentprotection disabled didn’t change anything. Reinstalling the agent doesn’t change anything. At this point it seems like there

The following articles were published last week. New Knowledge Base Articles: KB0022077 - EPM Cloud not authenticating after changing OIDC settings from Azure B2B to another provider KB0023327 - Apple's SecurityAgent is stealing keyboard focus when EPM-M is installed KB0023330 - EPM-M (macOS) device with Windows Defender installed fails to wake up from sleep

The following articles were published last week. New Knowledge Base Articles: KB0022038 - EPM-W Cloud policy refresh using EndpointUtility error - Received unexpected status code 500 KB0022052 - Analytics full raw data not sent to Splunk

While I was going through documentation looking to find out some specific information regarding Computer Logs vs Command Logs and trying to determine how they might be useful to troubleshoot issues with various machines from what I’m seeing on a select few vs that of the many machines in the same group, I came across this part. One thing I have noticed that is different than what is written, there does not appear to be any means to download “Command Logs” like the write-up states. And to that point, the only “Command” I have ever seen listed in this tab is when I Request Computer logs from a machine. Are there other types of “Commands” that show up here?  As to “Request Logs” from the Computer Logs section, you only really get 2 files.AvectoiC3Adapter25.8.840.msi-Installation-11-02-2026-0905.log PrivilegeGuardClient25.8.12.0.msi-Installation-11-02-2026-0906.logI think the documentation could use some improvement in this regard,

Apologies in advanced if this is common knowledge, I mainly support our Windows environment but I’m wanting to learn more about EPM on Mac.  Most of our Mac end users utilize an Active Directory group that we grant elevated privileges with.  A discussion came up recently about Homebrew, and I asked our support techs the current process for when they swap out machines for developers on Mac.  What I’m being told, is that possibly in the past EPM used to be able to allow standard users to install Homebrew via EPM for Mac however I’m being told Homebrew is incompatible with EPM for Mac.  End users are being added as local admin as part of the process which I’m not understanding why.If anyone has documentation, KB, or first-hand knowledge of using EPM for Mac and utilizing Homebrew without having to add users to local admin, it would be much appreciated.Example of what I’m being told from my End User Computing support team about the troubleshooting cadence of Homebrew

After success fully installed EPM windows application to the user machine still user unable get the elevated access properly.

The following articles were published last week. New Knowledge Base Articles: KB0021821 - PMR Database error - The database collation cannot be changed if a schema-bound object depends on it KB0022000 - Sophos blocks elevation of Remote Support via EPM-W - Sophos is terminating this process KB0023067 - SCCM Lawgic installation stuck at install in progress when EPM-W c