Question

Avecto Defendpoint Service Issue

  • April 22, 2026
  • 14 replies
  • 116 views

Hi,

I have a problem with the Avecto Defendpoint Service (client version 25.8.12.0).
When I restart a Windows 11 notebook, the service is running, but EPM does not work correctly.

To resolve the issue, I have to restart the Avecto Defendpoint Service manually, after which everything works as expected.
If I set the service startup type to Delayed Start, it starts after about two minutes and then works fine.

Has anyone else experienced this issue?

Thank you.
Kind regards,
Thien

14 replies


Hey ​@ThienT 

I would check the logs for any signs of something that could prevent the service from starting, or for a failed start of the service.

Then I would validate whether there is a potential conflict with other 3rd-party security apps.
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017099

Vice versa, if you need to exclude EPM from touching your other security products, use HookExclusions and/or DriverHookExclusion.
HookExclusion
https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0017569
DriverHookExclusion
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020102

Do read the KBs as they can have unintended consequences. 

Kind regards
Jens


  • Author
  • Rising Star
  • April 22, 2026

Hello Jens,

Thanks for your help. The logs in the events say the service is resumed/started. I did try it with the configuration as an exception in Windows Defender. I also set the DriverHookExclusions registry key, but somehow neither of the solutions works. Do you have another solution for the problem?

Thank you
Kind regards

Thien



How many clients do you have the issue on and how many total clients?

If 1 out of 1000 have the issue, redeploy/reimage the system.

DriverHookExclusion is for the EPM client not to tamper with whatever you excluded; it will lose the ability to control the excluded process completely.

What did you add to your exclusion for DriverHookExclusion?

In the other 3rd-party tools (NOT EPM), did you add all the recommended exclusions?

Windows exclusions

Excluded folders for real-time and AV scanning protection:

  • C:\Windows\system32\DRIVERS\PGDriver.sys
  • C:\Program Files\Avecto\Privilege Guard Client\
  • C:\Program Files (x86)\Avecto\Privilege Guard Client\
  • C:\ProgramData\Avecto\
  • C:\Program Files\Avecto\Avecto IC3 Adapter\ 1
  • C:\Program Files\Avecto\PMC PackageManager\ 2

Exclusion of processes:

  • C:\Program Files\Avecto\Privilege Guard Client\DefendpointService.exe 
  • C:\Program Files\Avecto\Avecto IC3 Adapter\Avecto.IC3.Client.Host.exe 1
  • C:\Program Files\Avecto\PMC Package Manager\PMC.PackageManager.exe 2
  • C:\Program Files\Avecto\Privilege Guard Client\DefendpointBeyondInsightAdapter.exe 3
  • C:\Program Files\Avecto\Privilege Guard Client\PasswordSafeService.exe 4
  • C:\Program Files (x86)\Avecto\Privilege Guard Client\PGEPOService.exe 5

If managed by:
1 - For EPM Cloud
2 - For EPM Package Manager
3 - For EPM integrated with BeyondInsight 
4 - For EPM integrated with Password Safe
5 - For EPM integrated with Trellix ePO

KR
Jens
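
The exclusion list in the post above can be checked against what Microsoft Defender actually has configured. This is an added example, not part of the original posts or BeyondTrust's own tooling; it is read-only, the function names are hypothetical, and it covers only the core entries from the list.

```powershell
# Added example: compare Microsoft Defender exclusions with the EPM list
# quoted in the post above. Read-only; run from an elevated session.

# Core entries copied from the post. Add the integration-specific entries
# (markers 1-5 in the post) that match how the client is managed.
$expectedPaths = @(
    'C:\Windows\system32\DRIVERS\PGDriver.sys',
    'C:\Program Files\Avecto\Privilege Guard Client\',
    'C:\Program Files (x86)\Avecto\Privilege Guard Client\',
    'C:\ProgramData\Avecto\'
)
$expectedProcesses = @(
    'C:\Program Files\Avecto\Privilege Guard Client\DefendpointService.exe'
)

# Hypothetical helper: compare case-insensitively, ignoring a trailing backslash.
function ConvertTo-ComparablePath {
    param([string]$Path)
    $Path.Trim().TrimEnd('\').ToLowerInvariant()
}

# Hypothetical helper: return the expected entries that are not configured.
function Get-MissingExclusion {
    param([string[]]$Expected, [string[]]$Configured)
    $have = @($Configured | Where-Object { $_ } |
        ForEach-Object { ConvertTo-ComparablePath $_ })
    @($Expected | Where-Object { $have -notcontains (ConvertTo-ComparablePath $_) })
}

$pref = Get-MpPreference

# Without elevation Defender may return a placeholder instead of the list,
# which would make every entry look missing.
if ("$($pref.ExclusionPath)" -like 'N/A*') {
    Write-Warning 'Exclusions are hidden; rerun from an elevated session.'
}

[pscustomobject]@{
    MissingPaths     = Get-MissingExclusion $expectedPaths $pref.ExclusionPath
    MissingProcesses = Get-MissingExclusion $expectedProcesses $pref.ExclusionProcess
} | Format-List
```

Empty `MissingPaths` and `MissingProcesses` mean the listed entries are present in Defender's configuration.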

 

 


  • Author
  • Rising Star
  • April 23, 2026

 

I use this registry DriverHookExclusions key

As additional info, when I change a rule or make changes via the web console and then “Refresh all policies”, it enables the EPM functions again. Then when I restart, it doesn't work anymore.

The Windows exclusions do not work either.

I already tried to reinstall the computer with the BeyondTrust Privilege Management Package Manager, but it didn't help either.

Kind regards
Thien



Sorry, this is to exclude other processes from EPM, not EPM from itself.

So if you had Cylance, Trellix, DLP clients etc., those should be the paths to use.
The list I added above for the EPM folder goes in as exclusions in your AV tools, to avoid a conflict of AV attempting to tamper with EPM. Some AVs support excluding signing certificates, which you can grab from the EPM processes.

Then DriverHookExclusions requires the full path and filename in any version lower than 26.1, whereas with HookExclusions you can do a path wildcard.

Please thoroughly read the KBs
and be aware of what the implications of implementing these are.

Kind regards
Jens


  • Author
  • Rising Star
  • April 27, 2026

Hi Jens,

Ah OK, thanks for the information about the DriverHook. We use Windows Defender as AV and I tried to do the exclusion, but somehow it doesn't work.

Do you know if there's a problem with Windows 11 25H2?

Thank you for your support

Kind regards
Thien



Hi ​@ThienT 

Another KB to run over. But 25.8 should be fully compatible.
https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0017101

I would suggest raising a ticket with BT, but do a traceconfig with the reboot option to capture why the service is not starting. Once done, finish with a captureconfig, write up your ticket issue, and include both logs created.

Ensure you try with version 26.1 also, and collect the logs using the latest version.

KR Jens


  • Author
  • Rising Star
  • April 27, 2026

Hi Jens,

Thank you for your suggestion. Just one more question. I did some more tests, and it seems that without a network connection EPM does not work. So my question is: does the cloud version always need an internet connection? Or are there settings that enable the use of EPM even without an internet connection?

Thank you
Kind regards
Thien



No, the EPM Client works fine without an internet connection.

The key to functions is the XML policy file that gets downloaded to your client computer.
It will not work without that file.

You will not be able to update policy without an internet connection, and auditing can’t be sent to PM Cloud.


  • Author
  • Rising Star
  • April 28, 2026

Thanks for your answer. Sorry for bothering you. I did see that the client has the XML policy, but somehow it doesn’t work when the network is shut off. It seems that the client only works when it is connected to the internet. Do you know if I have to configure something in the backend, or should it work out of the box that the client realizes when the PC has no network and uses the local XML policy? Thank you, Jens.

Kind regards
Thien


  • Author
  • Rising Star
  • April 28, 2026

One more question; maybe I'm trying something that's not possible. My idea was that it is possible for a user to use EPM even when they are somewhere without internet. So, as an example, the user is logged in online for 1 day and gets the policies. The next day the user starts the client without an internet connection, and it is not possible to get an internet connection. Is this possible?



I will repeat here.

The EPM Client only needs Internet access to download policy and send Event/Analytics to the PM Cloud.

If the client has a valid functioning policy present, the EPM Client does not need an internet connection.

If it has internet, it will do heartbeats to the PM Cloud for policy changes and send events to your Analytics. If no internet, the client will remain on the same policy and store events until it has an internet connection again.

Again, EPM will work if it has downloaded a policy, even without an internet connection.

Kind regards
Jens


  • BeyondTrust Employee
  • April 28, 2026

@ThienT, for what it’s worth your original workaround of setting the Adapter to “Delayed Start” is referenced in (KB0019606) Unable to refresh policies from tasktray icon in Windows. That KB also explains how to increase the timeout period if needed as well.

 

To reiterate what Jens has explained: an EPM endpoint only needs connectivity to PMC for a.) pulling policy and b.) sending events. Once a policy file has been downloaded to the local endpoint, the EPM client is able to use that cached XML file and enforce policy on the endpoint regardless of whether it has an internet connection. Once connectivity is restored, the client will begin sending events in batches to Analytics and will also download any policy delta that exists.
 


  • Author
  • Rising Star
  • April 28, 2026

Thanks to you guys for the explanation. Somehow it doesn’t work with the downloaded policy without an internet connection. I just opened a support case because I think I am missing something in the configuration. Thank you