Windows policies

This topic describes how to create and manage policies for Windows endpoints, and define how EPM manages applications on those endpoints.

Overview

EPM Windows policies determine whether applications on Windows servers and workstations can run, are blocked, or are elevated. Each Windows policy with a defined action is an advanced policy. For more details about EPM policies, see Apply policies.

To apply advanced application policies to Azure AD (Entra ID) users, make sure you configure and activate Azure AD (Entra ID) integration. For details, see Integration with Azure Active Directory (Microsoft Entra ID).

EPM supports the following Windows administrative tasks:

  • Date & Time

  • System Properties

  • Add/Remove Windows Programs or Features

Create a policy

  1. In the EPM management console, click Policies.

  2. In the Policies dropdown list, make sure that Application policies is selected (default), then click Create advanced policy.

  3. In the Create advanced application policy window, specify the name of the policy, select Windows as the platform, and the action for the policy, then click Continue.

    Windows policies support the following actions:

    Allow: Allow applications to run without elevation.

    Block: Prevent applications from running.

    Elevate: Automatically elevate applications and allow standard users to perform administrative tasks.

    Elevate if necessary: Elevate applications when they require administrative privileges, either automatically or manually.

  4. Under Details, set a unique name for the policy and an optional description.

  5. Under Scope, set the following:

    Add group: Add one or more application groups whose actions will be managed by this policy. For more details about creating application groups, see Application groups.

    Add definition: Define the commands and command properties that will be managed by this policy. For more details about adding definitions, see Manage application definitions for Windows policies.

    Add definition from application: Use the EPM Admin Utility to add a definition from an application. For details, see Add file definitions and users to groups and policies.

    Paste definition: Paste a definition from another policy.

    Once you have created a list of application groups and/or application definitions, you can edit, copy, or delete them.

  6. Under Targets, define the computers, users, and groups to include and exclude from this policy.

    Computers in this set: This policy is applied to computers in this Set that are defined by this target.

    Computers in AD security groups: This policy is applied to computers that are identified by EPM agents as members of the specified AD security computer groups.

    Users and groups: This policy is applied to the users and groups that are defined by this target and identified by EPM agents. The types of users and groups include:

      • Local users and groups on an endpoint

      • Windows AD Security users and groups

      Click Switch to collections mode to create a collection of users and groups, or click Switch to groups and users mode to add specific users and groups.

      Currently, users and groups can only be included in Windows policies, not excluded.

    Click Add, then specify or select the target to add.

  7. Under Audit, define the audit behavior for this policy.

    Audit policy enforcement: Collect statistics about events that are triggered on applications by policies on endpoint computers, also known as policy enforcement events.

    Record audit video: Collect audit videos to track Allow, Elevate, and Elevate if necessary advanced policies.

    To see this section, make sure that the Data collection > Collect policy audit data parameter in the agent configuration is set to On.

    For more details, see Define policy audits.

  8. Under End user UI, define the prompt that will be displayed on endpoint computers when this policy is enforced. This prompt notifies users that the application to be launched may be harmful to their computer, and prompts them for a justification.

    For more details about notifications, see Configure endpoint notifications.

  9. Under Options, define the policy options.

    These options differ according to the policy action.

    Activation: Activates or deactivates the policy when the policy is created.

    Application access control: Controls access to sensitive resources by applications managed by this policy.
      To manage access control, set this option to On, then define access to different resource types. You can also audit access to restricted resources and configure the policy to notify users when an unauthorized application attempt occurs.

    User access token: Changes the access token for applications handled by Elevate policies to match the built-in administrator's token.

    Scheduled enforcement: Enforces active policies for a specified period of time and by a recurring timetable. By default, policies do not expire.
      To activate this policy according to a schedule, set this option to On and then define the start and end times, and/or a timetable.

    Conditional enforcement: Enforces active policies according to a specific condition. By default, policies are enforced unconditionally.
      To activate this policy conditionally, select the relevant option and provide the required details. For details about configuration, see Policies in Configure agent settings.

    Priority: Prioritizes policies in order of precedence. For more details, see Policy priority.

  10. Click Create.

The new policy is created and appears in the list of policies. It is activated immediately.

For details about managing, exporting, and importing existing policies, see Apply policies.

Manage application definitions for Windows policies

Supported application definitions

Windows policies support the following application definition types.

Allow: Executable, Script, Installer, MSU, ActiveX control installation, Administrative task, Windows app, COM, DLL

Block: Executable, Script, Installer, MSU, ActiveX control installation, Windows app, DLL

Elevate: Executable, Script, Installer, MSU, ActiveX control installation, Administrative task, COM

Elevate if necessary: Executable, Script, Installer, MSU, ActiveX control installation, COM

Add application definitions

  1. In the Create policy form, go to Scope > Add definition, and select the definition type.

  2. In Properties, set the properties that define the application to which the policy is applied. Click Add property to add a new line for an additional property.

    • Specify one or more properties.

    • Properties that are not specified will not be used to define the command. For example, if parameters are not specified, the policy is applied to the application with any parameter.

    The following table lists all the properties supported by Windows policies and the corresponding definition types.

    Filename: The unique name of the application managed by the policy.
      Definition types: Executable, Script, Installer, MSU, COM, DLL

    Publisher's signature: A digital signature of a company that creates or packages software.
      The status of the publisher's signature is taken from the Publisher status field in the EPM tab of the application file's properties. When this property is defined in the policy definitions, the policy can only be executed when the Publisher status is Signature verified.
      If the Publisher status indicates anything else, contact CyberArk support.
      Definition types: Executable, Script, Installer, MSU, Windows app, COM, DLL

    Location: The path of the application managed by the policy.
      Select with subfolders to allow commands from subfolders of the specified path.
      Definition types: Executable, Script, Installer, MSU, COM, DLL

    Location type: Indicates whether the location is on local disks or removable disks.
      Definition types: Executable, Script, Installer, MSU, COM, DLL

    Checksum: The SHA1 checksum of the file that verifies its integrity. Optionally, you can also add the SHA256 checksum of the file.
      Definition types: Executable, Script, Installer, MSU, COM, DLL

    Parameters: Command line parameters that run the application. Specify the exact order of the parameters. For example: Myexe.exe --param
      Definition types: Executable, Script, Installer, MSU, DLL

    Owner: The file owner, as set in the NTFS permissions.
      Definition types: Executable, Script, Installer, MSU, COM, DLL

    Product name: The product name, as set in the file details.
      Definition types: Executable, Installer, DLL

    File description: The file description, as set in the file details.
      Definition types: Executable, DLL

    Company name: The company name, as set in the file details.
      Definition types: Executable, Installer, DLL

    Original filename: The application's original file name, assigned when it was created.
      Definition types: Executable, DLL

    File version: The minimum and maximum file version numbers.
      Definition types: Executable, DLL

    Product code: The product code of the Windows Installer installation package.
      Definition types: Installer

    Upgrade code: The upgrade code of the Windows Installer installation package.
      Definition types: Installer

    Product version: The minimum and maximum product version numbers.
      Definition types: Executable, Installer, DLL

    Parent process: Used for installations and updaters when the parent process belongs to an application group.
      Definition types: Executable, Script, Installer, DLL

    Source: The properties of the source file. This is only required when the file originates from a specific source.
      Definition types: Executable, Script, Installer, MSU, DLL

    Any ActiveX control: Allow installation of any ActiveX controls from Internet Explorer.
      Definition types: ActiveX control installation

    Tasks: Choose from a list of multiple administrative tasks.
      Definition types: Administrative task

    Capabilities: Application capabilities.
      Definition types: Windows app

    Package name: The general name of the Windows app.
      Definition types: Windows app

    Package version: The minimum and maximum package version numbers.
      Definition types: Windows app

    CLSID: Matches the exact CLSID before allowing installation.
      Definition types: COM

  3. When you create certain policies, you can define how the policy manages child commands.

    Under Options, select the options that define how the policy handles the following:

    Include child processes: Apply this policy to the specified application's child processes. Software installers usually require this option. For details, see Child processes.

    Protect temporary installation files: Use this option for software installers, to protect temporary installation files from being hijacked by malicious processes. This may impact computer performance until the next restart.

    Do not elevate "Open file" and "Save file" dialogs: Remove administrative rights from the "Open file" and "Save file" dialogs of the specified applications. By default, this option is selected.

  4. Click Done to add the application definition to the policy.
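As an added example (not CyberArk's code), the following PowerShell script reads from a file on disk the values that the property table above refers to, so you can check them against what you enter in a definition: SHA1 and SHA256 checksums, Authenticode signature status, NTFS owner, the version-resource fields, drive type, and, for an MSI, the ProductCode and UpgradeCode. It assumes a placeholder local path, and that EPM's own Publisher status and Location type fields are only approximated by the Authenticode status and .NET drive type shown here.

```powershell
# Added example (not CyberArk code): read, from one file, the attributes that a Windows
# policy definition can match on. Assumptions: $Path is a placeholder on a local drive;
# EPM computes its own "Publisher status" and "Location type", so the Authenticode status
# and the .NET drive type below only approximate those fields.
param([Parameter(Mandatory)][string]$Path)   # e.g. C:\Program Files\Vendor\App.exe or Setup.msi

$item = Get-Item -LiteralPath $Path -ErrorAction Stop
# Checksum property: the definition uses SHA1; SHA256 is optional.
$sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Publisher's signature: only a valid Authenticode chain corresponds to "Signature verified".
$sig = Get-AuthenticodeSignature -LiteralPath $Path
$publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "not verified ($($sig.Status))" }
# Owner is the NTFS owner; the version fields are what Explorer shows as "file details".
$owner = (Get-Acl -LiteralPath $Path).Owner
$vi    = $item.VersionInfo
$drive = New-Object System.IO.DriveInfo($item.PSDrive.Root)

$definition = [ordered]@{
    'Filename'              = $item.Name
    'Location'              = $item.DirectoryName
    'Location type'         = $drive.DriveType      # Fixed, Removable, Network, ...
    'Checksum SHA1'         = $sha1
    'Checksum SHA256'       = $sha256
    "Publisher's signature" = $publisher
    'Owner'                 = $owner
    'Product name'          = $vi.ProductName
    'File description'      = $vi.FileDescription
    'Company name'          = $vi.CompanyName
    'Original filename'     = $vi.OriginalFilename
    'File version'          = $vi.FileVersion
    'Product version'       = $vi.ProductVersion
}

# Product code and Upgrade code apply only to Installer definitions: read them from the
# MSI's Property table through the Windows Installer COM object.
if ($item.Extension -ieq '.msi') {
    $msi = New-Object -ComObject WindowsInstaller.Installer
    $db  = $msi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $msi, @($Path, 0))
    foreach ($prop in 'ProductCode', 'UpgradeCode') {
        $sql  = "SELECT Value FROM Property WHERE Property = '$prop'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        $definition[$prop] = if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) }
    }
}
[pscustomobject]$definition   # compare against the values entered in the policy definition
```

A file whose Authenticode status is anything other than Valid will not satisfy a definition that uses the Publisher's signature property, so the "not verified" result is the case to resolve before relying on that property.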