Question

Unable to disable agent using token

  • February 24, 2026
  • 2 replies
  • 29 views

I’m posting this to see if anyone has run into this situation to see what their outcome was. 

We currently have two devices that do not show an active policy on the client. The platform shows a policy and that it is connected, but the device will not pull a policy.

We have tried using the agentprotectionutility to generate a token, but that token does not work. We have tried this with several computers and verified the token does work on a device that is not having the issue.

Now we’ve tried moving that device to a test policy with agentprotectionstate set to 0, requested update from the device through the BT platform, rebooted the device, same issue. 

This device will not show a BT prompt for anything, UAC for everything, unable to modify any registry settings regarding BT, token does not work, moving to another policy with agentprotection disabled didn’t change anything. Reinstalling the agent doesn’t change anything. 

At this point it seems like there is nothing else that can be done and support doesn’t have any answers so it seems like the only option is to reprovision the machine. 

2 replies

  • Guru
  • February 24, 2026

There can be multiple reasons for that, but it is not possible to tell you from the information provided. Some logs from the systems are needed.

Some basic checks:

These two services are an absolute minimum for the EPM client to get policy from the PM Cloud.
Avecto Defendpoint Service
BeyondTrust Privilege Management Cloud Adapter (IC3Adapter)
Are those services running, or do we see errors in the Event logs for any of them?

Did we use the Package Manager for the deployment of the above two? If not, did we deploy the EPM client and adapter with the correct switches to communicate with your PM Cloud instance?

This command will force a policy update if possible and give an error.
"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /pmc /p 

An export of this from your registry is useful:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client
Is the registry showing that the AgentProtectionState is 1 in the above location?

Or you can create a PGCaptureConfig, which can for sure help; it contains almost all the details needed.

If you only see normal UAC behavior, you might not even have had a policy applying to the system.

Kind regards
Jens
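
The basic checks from the reply above, collected into one read-only PowerShell script. This is an added example, not part of the original reply or BeyondTrust's own tooling; the service display names, registry path and EndpointUtility command come from the post, while the 24-hour window and the use of Service Control Manager events in the System log are assumptions.

```powershell
# Added example: read-only health check of an EPM client, run from an elevated prompt.
# Display names, registry path and utility path are taken from the post above;
# variable names and the 24-hour event window are assumptions.
$services = 'Avecto Defendpoint Service',
            'BeyondTrust Privilege Management Cloud Adapter'
$regPath  = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'
$utility  = 'C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe'
$since    = (Get-Date).AddHours(-24)

# 1. Are both services present, running and set to start automatically?
$svcReport = foreach ($name in $services) {
    $svc = Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue
    if ($svc) { $svc | Select-Object DisplayName, Name, Status, StartType }
    else      { [pscustomobject]@{ DisplayName = $name; Name = $null
                                   Status = 'NotInstalled'; StartType = $null } }
}

# 2. Critical/Error events from the Service Control Manager that mention either service.
#    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$svcErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Level = 1, 2; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $services | Where-Object { $m -like "*$_*" } } |
    Select-Object TimeCreated, Id, Message

# 3. AgentProtectionState as stored on the endpoint ($null if the value is absent).
$state = (Get-ItemProperty -Path $regPath -Name AgentProtectionState `
            -ErrorAction SilentlyContinue).AgentProtectionState

# 4. Force a PMC policy update and keep whatever the utility prints.
if (Test-Path $utility) {
    $updateOutput = & $utility /pmc /p 2>&1 | Out-String
    $updateExit   = $LASTEXITCODE
} else {
    $updateOutput = "EndpointUtility.exe not found at $utility"
    $updateExit   = $null
}

# One object that can be attached to a support case next to the PGCaptureConfig output.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    Services             = $svcReport
    ServiceErrors24h     = $svcErrors
    AgentProtectionState = $state
    PolicyUpdateExitCode = $updateExit
    PolicyUpdateOutput   = $updateOutput.Trim()
} | ConvertTo-Json -Depth 4
```

Running it on an affected machine and on a working one gives two JSON documents that can be compared field by field.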


  • Author
  • Apprentice
  • February 24, 2026

Verified both services are running, set to auto. 

Tried running "C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /pmc /p

Forcing PMC policy update…

No updates to policies

Checked registry and yes the setting for agentprotectionstate is set to 1, cannot be changed even using an admin account, permission denied. 

PGcapture was already run on this machine and sent to support, they recommended trying the token to disable the agent which did not work. The token works on other machines NOT having the issue, but not on the machine that won’t pull a policy.