
Can someone please assist with how to switch between policy distribution models?

I am trying to prepare for the EPM-W lab assessment, and one of the items states: Explain how to switch between the policy distribution models.

I have searched my notes from the training, the BeyondTrust Knowledge Base, support documentation, and all online resources I could find, including this forum, but I have not found any information on how to switch between the different policy distribution models.

Can someone provide information on how that would be done or where I can locate specific information on this?

Thank you in advance.

Hello @Angela, you can modify the policy distribution method of an endpoint by modifying the registry, in particular the ‘PolicyEnabled’ value; please find further details below:


Deploy EPM policy

Certain types of deployment methods may be enabled or disabled. By default, all deployment types are enabled. To include or exclude a method of deployment from evaluation, edit the entries in the registry value below. If this key does not already exist, then the default behavior is to include all methods:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyEnabled = "EPO,WEBSERVER,GPO,LOCAL"

Where EPO,WEBSERVER,GPO,LOCAL are the available deployment methods.

Registry settings may be deployed using Advanced Agent Settings. To apply a configuration deployment method, the setting must be applied to a type of configuration that is already part of the configuration precedence order.

Ref: https://docs.beyondtrust.com/epm-wm/docs/epo-user-guide#deploy-epm-policy


So does this mean that I just need to add or remove items from the PolicyEnabled key?

For example, if I wanted to deploy using GPO but not the PMC website, would I just remove WEBSERVER from the key value?

Also, if I wanted to switch back from using GPO to using PMC, would I just add WEBSERVER back as a value and remove GPO?

And is there anything else I need to do to ensure that the endpoint then receives the policy from the correct deployment method?


Hi @Angela, essentially yes, but some entries, such as EPO or WEBSERVICE (the PMC value), must have been enabled at time of install (installer command line) to function; simply updating the registry will not enable their connectivity.

Also, you can configure custom precedence for policy processing by creating the registry value ‘PolicyPrecedence’ manually or at time of install; please see the below link: 

https://docs.beyondtrust.com/epm-wm/docs/gpo-deploy-epm-for-windows-policy#configuration-precedence

Finally, note the difference between WEBSERVICE and WEBSERVER; the former refers to PMC whereas the latter refers to an ability to download policy hosted upon a web server.
 


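The registry change discussed in this thread, as an added PowerShell example that is not BeyondTrust's code: it reads PolicyEnabled, flags unrecognised tokens (for instance a WEBSERVER/WEBSERVICE mix-up typed incorrectly), and writes only a validated list. The function names are hypothetical, and treating the five method names mentioned in the thread as the complete set is an assumption.

```powershell
# Added example. Key path, value name and method names come from the thread above.
$KeyPath   = 'HKLM:\Software\Avecto\Privilege Guard Client'
$ValueName = 'PolicyEnabled'
# Assumption: the methods named in this thread are the full set.
$KnownMethods = 'EPO', 'WEBSERVER', 'WEBSERVICE', 'GPO', 'LOCAL'
# Per the reply above, these only function if enabled on the installer command line.
$InstallTimeMethods = 'EPO', 'WEBSERVICE'

function ConvertTo-MethodList {
    param([string]$Value)
    # Split on commas, trim whitespace, upper-case, drop empty entries.
    @($Value -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

function Get-EpmPolicyEnabled {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Documented default: a missing value means all methods are evaluated.
        return [pscustomobject]@{ Present = $false; Methods = @(); Unknown = @() }
    }
    $methods = ConvertTo-MethodList $item.$ValueName
    [pscustomobject]@{
        Present = $true
        Methods = $methods
        Unknown = @($methods | Where-Object { $_ -notin $KnownMethods })
    }
}

function Set-EpmPolicyEnabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Methods)
    if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
    $clean = ConvertTo-MethodList ($Methods -join ',')
    $bad = @($clean | Where-Object { $_ -notin $KnownMethods })
    if ($bad) { throw "Unrecognised method(s): $($bad -join ', ')" }
    foreach ($m in ($clean | Where-Object { $_ -in $InstallTimeMethods })) {
        Write-Warning "$m must also have been enabled at install time; the registry value alone will not connect it."
    }
    $new = $clean -join ','
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set REG_SZ to '$new'")) {
        $old = (Get-EpmPolicyEnabled).Methods -join ','
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $new -Type String
        Write-Output "PolicyEnabled changed from '$old' to '$new'"
    }
}

# Constructed sample run: report the current state, then preview (no write) a GPO + LOCAL list.
Get-EpmPolicyEnabled
Set-EpmPolicyEnabled -Methods 'GPO', 'LOCAL' -WhatIf
```

Run it from an elevated session on the endpoint; drop `-WhatIf` to apply the change.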