Solved

Unconsistent application of policies (EPM-W)

Forum|Forum|11 hours ago
April 29, 2026
4 replies
20 views

itobi
Apprentice

Hi There,

we often create a blanc Test-Policy by importing the productive policy, make changes and test them there. However we expirience some unconsistencies when rolling back to the productive policy.

In fact OnDemand processes are not being recognized. So if i start powershell as Administrator, it hits the default any uac (not OnDemand) This is most likely due to a cache issue or sth. On a machine which did not have the test-policy assigned, the productive-policy is working as expected and OnDemand rules are applied correctly.

Multiple Computer restarts did not solve the problem. A few hours later, it just worked again without any changes.

Is there a way to troubleshoot this?

Many Thanks

Best answer by Jens Hansen

Note that policy change is not instant.

it can be forced on the systray icon, or using the commandline.

"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /pmc /p

A policy file remains on the endpoint once downloaded, and the Console Adapter checks if it a new policy is available and downloads it. in the old days that was 90min, I think that has been improved significantly in the newer version, but do not know the current time for a check in.

You do not have an option to clear the policy unless you move the computer to a group without policy, use one of the refresh options.

The EPM client reads the policy file and stores it in memory on each boot, and on each time a new policy is loaded.

Things that can cause issues for policy are conflicts with 3rd party AV and other security apps, along with web filters tampering with traffic to and from endpoint to you PM Cloud instance.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017099

KR Jens

J

+4

Jens Hansen
Guru
Forum|Forum|11 hours ago
April 29, 2026

Hi @itobi

If you are 100% sure the policy should apply, and did in fact get updated on the on the End-Point. Then this would need a ticket with BT to get resolved.

But from my knowledge I have never see a On-Demand elevation(Run as Administrator) hit “(Default) Any UAC Prompt” as they never exist in the On-Demand space for any of the workstyles.

if you can easily reproduce the issues with the policy change, the TraceConfig can capture it and would be needed for your ticket.

At the bottom of this KB https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0017077 You get both the TraceConfig and PGCapture, do TC first and the PGCapture last, but also include the two policies

KR Jens

Like

I

itobi
Author
Apprentice
Forum|Forum|11 hours ago
April 29, 2026

Hi @Jens Hansen ,

Thanks for the fast reply!

Sadly i cannot really reproduce it, it more seems to be a bug.
However i’m just looking for an option to clean policy cashe or sth. since the problem solved itself after just waiting some time.

Like

J

+4

Jens Hansen
Guru
Answer
Forum|Forum|10 hours ago
April 29, 2026

Note that policy change is not instant.

it can be forced on the systray icon, or using the commandline.

"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /pmc /p

A policy file remains on the endpoint once downloaded, and the Console Adapter checks if it a new policy is available and downloads it. in the old days that was 90min, I think that has been improved significantly in the newer version, but do not know the current time for a check in.

You do not have an option to clear the policy unless you move the computer to a group without policy, use one of the refresh options.

The EPM client reads the policy file and stores it in memory on each boot, and on each time a new policy is loaded.

Things that can cause issues for policy are conflicts with 3rd party AV and other security apps, along with web filters tampering with traffic to and from endpoint to you PM Cloud instance.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017099

KR Jens

Like

I

itobi
Author
Apprentice
Forum|Forum|10 hours ago
April 29, 2026

Note that policy change is not instant.

it can be forced on the systray icon, or using the commandline.

"C:\Program Files\Avecto\Privilege Guard Client\EndpointUtility.exe" /pmc /p

A policy file remains on the endpoint once downloaded, and the Console Adapter checks if it a new policy is available and downloads it. in the old days that was 90min, I think that has been improved significantly in the newer version, but do not know the current time for a check in.

You do not have an option to clear the policy unless you move the computer to a group without policy, use one of the refresh options.

The EPM client reads the policy file and stores it in memory on each boot, and on each time a new policy is loaded.

Things that can cause issues for policy are conflicts with 3rd party AV and other security apps, along with web filters tampering with traffic to and from endpoint to you PM Cloud instance.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017099

KR Jens

I’ve seen, that the correct policy revision was “active”. However not functional.
Thanks for the clarification of how the policy apllication is being handled.

I’ll try the next time to assing a policy without any rules and see what happens after applying it again.
Many Thanks on this!