11.4.2 Release Notes

Release Schedule

Privilege Manager Cloud Release – Saturday, September 23, 2023

Privilege Manager On-Premise Release - Friday, October 6, 2023

Windows Agent Software
11.4.2168 Bundled Privilege Manager Agent Installer
11.4.2168 Core Thycotic Agent (x64)
11.4.2168 Core Thycotic Agent (x86)
11.4.2168 Application Control Agent (x64)
11.4.2168 Application Control Agent (x86)
11.4.2168 Local Security Solution Agent (x64)
11.4.2168 Local Security Solution Agent (x86)
11.4.2168 Bundled Privilege Manager Core and Directory Services Agent
11.4.2029 Directory Services Agent (x64)

macOS Agent
11.4.2.021 Privilege Manager macOS Agent (Catalina and later)
10.8.27 Privilege Manager macOS Agent (Catalina and previous)

Privilege Manager On-Premise Release - Friday, October 6, 2023

Windows Agent Software
11.4.2169 Application Control Agent (x64)
11.4.2169 Application Control Agent (x86)
When upgrading Privilege Manager to a newer version, Delinea recommends also upgrading the Directory Services agent so that both run on the same release version.

Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, run Privilege Manager on a supported and actively maintained OS.

Delinea recommends as a best practice creating system restore points before making system changes such as applying patches.

Upgrading with Virtual Service Accounts

In version 11.4.2, the Thycotic Application Control service runs under a virtual service account named NT SERVICE\ArelliaACSvc instead of NT AUTHORITY\SYSTEM (LocalSystem). Note that virtual service accounts really are "virtual" in that no user account is provisioned on the computer. These accounts have been a supported feature since the release of Windows 7 SP1.

By default, all virtual service accounts are members of the group NT SERVICE\ALL SERVICES, and Microsoft grants the Log on as a service logon right to that group when Windows is installed. If that logon right is revoked from that group, the service will not start.

Before upgrading to version 11.4.2 or newer from version 11.4.1 or older, review this information completely and ensure that your runtime environment complies with the stated requirements. Failing to do so will result in the Application Control service failing to function properly.

Refer to Virtual Service Accounts in Upgrades.

Certificate Validation for SSPM Agents

For both the Windows Agent and macOS Agent, validate server certificate is turned off by default. However, if your server domain includes one of the following, validate server certificate is automatically turned on and the server certificate is validated:

  • .privilegemanagercloud.com

  • .privilegemanagercloud.eu

  • .privilegemanagercloud.com.au

  • .privilegemanagercloud.com.sg

  • .privilegemanagercloud.ca

To force this setting to be enabled for use with an on-premise Privilege Manager server via MDM deployment of the agent, refer to the documentation:

Installing Windows Agents
Installing macOS Agents

Privilege Manager Windows Agent Security Update

A local privilege escalation vulnerability that could be exploited to allow access to and/or modification of highly privileged system-level folders and files was identified. This impacts all versions of Privilege Manager Agent on Microsoft Windows before v 11.4.1030. This issue is rated High with a 7.8 Common Vulnerability Scoring System (CVSS) score. Please see the CVSS Calculator for details.

This issue has been resolved: Authenticated Justification Message Actions were not properly handling groups marked as Use for deny only, which could result in the action incorrectly producing a success result when a failure result should have been produced.

Fixed in the following versions:

Application Control Agent (x32) - 11.4.2169
Application Control Agent (x64) - 11.4.2169

Enhancements

  • New policies that support Just In Time (JIT) elevated access have been added to the default Windows Computer Group. JIT elevated access grants temporary administrator access to workstations without having to create unique policies for applications with this need. Any application that requires elevation can be run as Administrator by the user.

  • Performance improvements were made to the File Agent Discoverer for the Image Processing Performance report.

  • Privilege Manager 11.4.2 allows policies in one Secured Computer Group, along with its permissions, to be moved to another Secured Computer Group. Any role, including custom roles with write permissions assigned to the Secured Computer Group, can edit the policy moved into that Secured Computer Group.

    This update does not extend to the Filters and Actions that were created specifically under the original Secured Group.

  • The User Management and Group Management screens now load faster by showing only the list of managed and built-in users and groups. Inventoried users and groups no longer appear by default unless there are fewer than 200 workstations in that computer group. You can still manage any group or user on those workstations using Create User or Create Group in the top right of those tables.

  • Added a new Remove feature to the Optional field within the create and modify tasks screens.

  • Privilege Manager now allows greater flexibility in elevating or blocking the execution of sudo and commands run under sudo. See Controlling the Usage of sudo.

  • On macOS, installer packages (.pkg files) can now be inventoried by uploading them to the Privilege Manager Server (or via the macOS agent file inventory process). Once inventoried, their signing certificates will be available to use in the Digital Certificate filter. This allows Privilege Manager policies to control the installation of .pkg files signed by a particular vendor.

  • Policies that include common scenarios for macOS are available in the Workstation Policy Framework. They include the following elevation and monitoring policies.

    • Elevate Common Preference Panes

    • Elevate Xcode

    • Elevate Console

    • Elevate Package Installers

    • Elevate jamf Commands

    • Monitor sudo Usage

    • Monitor Admin Applications

Bug Fixes

  • Fixed an issue with the Application Control - Secondary Hash Exclusions Config Feed, to ensure it can be installed without errors.

  • The Privilege Manager UI can now identify managed users whose names contain a mixture of upper- and lower-case characters.

  • The Prevent File Operations option in the Restrict File dialog action now functions the same as Disable Context menu options, blocking the context menu entirely. This applies to the agent versions 11.4.2 and above.

  • Fixed an issue that was causing all client items to be rebuilt unnecessarily, causing additional network traffic between servers and agents.

  • Creating a new Send Change History Events to Syslog task no longer leaves it without a default schedule. Now, all templates consistently create a schedule.

  • The User Cannot Change Password option for the Administrator account under Windows User Management is no longer available, because that option is not supported for the Administrator account on Windows workstations.

    If the option was enabled prior to 11.4.2, the upgrade process automatically sets the field to false before disabling it in the Privilege Manager Console.

    All other users remain unaffected.

  • Fixed issues where the Agents Missing a Policy report was inconsistent with the Policy page Deployment summary.

  • Fixed an issue regarding user-configured agent settings, where upgrades could not update defaults, and the Memory Protection setting showed incorrectly in the UI.

  • Fixed an issue with fully-trusted UWP applications in version 11.4.1. The User Access Control Consent Prompt Detected filter now matches a UWP process that was launched via right-click -> Run as administrator, as well as a UWP app that is manifested to always run as administrator.

  • Fixed an issue where incorrectly edited XML was causing the Application Control policy to fail and show no groups.

  • Updated Privilege Manager Console to display the complete resource name. Previously long resource names would appear cut off.

  • Fixed an issue that produced errors when importing Azure AD Device data, even when the Device ID changed.

  • An issue was fixed that now allows Basic and Hybrid UWP applications to have Justify and Approval actions applied to them by Application Control policies.

    Up through Privilege Manager Agent Version 11.4.1, the UI for the Justify/Approval action did not appear on the user's desktop, errors were logged in the Agent's Event Log, and the UWP application itself would self-terminate when the action failed.

Agent Specific

Windows

  • Fixed an issue with the Windows Application Control agent where a long command line could cause the service to stop responding.

  • Updated the Windows agent to ensure agents no longer rely on the locally cached hash value of a targeted application when the targeted application has changed.

  • Updated the Windows agent to ensure agents no longer rely on locally cached file versions of a targeted application when matching policies. This ensures that audited events correctly show the version number of the application.

  • When the LSASS system service process is configured to run as PPL (Protected Process Light), it prevented the Thycotic Application Control service (which runs the ArelliaACSvc.exe program) from running properly. Now, the privileges required for the service to start and run properly are explicitly granted to that virtual service account when the native NT service is installed.

    Additionally, the service configuration is modified to prevent the service from starting if the required LSA privileges have been revoked from the virtual service account.

    The following LSA privileges are granted to the virtual service account and must not be revoked, or the service will not start or run properly.

    • SeBackupPrivilege

    • SeChangeNotifyPrivilege

    • SeCreateGlobalPrivilege

    • SeCreatePermanentPrivilege

    • SeCreateSymbolicLinkPrivilege

    • SeCreateTokenPrivilege

    • SeDebugPrivilege

    • SeDelegateSessionUserImpersonatePrivilege

    • SeImpersonatePrivilege

    • SeIncreaseBasePriorityPrivilege

    • SeIncreaseQuotaPrivilege

    • SeIncreaseWorkingSetPrivilege

    • SeLoadDriverPrivilege

    • SeManageVolumePrivilege

    • SeProfileSingleProcessPrivilege

    • SeRestorePrivilege

    • SeSecurityPrivilege

    • SeSystemProfilePrivilege

    • SeTakeOwnershipPrivilege

    • SeTcbPrivilege

It is necessary to ensure that GPOs (Group Policy Objects), any other Microsoft-supplied system configuration management tools or any third-party products do not revoke or change these LSA privilege assignments.
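As an added check (not Delinea's code) covering both the Log on as a service requirement from Upgrading with Virtual Service Accounts and the LSA privilege list above, this PowerShell script exports the user-rights assignments currently in effect with secedit and reports any that a GPO or hardening tool has stripped. It assumes the virtual account name NT SERVICE\ArelliaACSvc stated above and must be run from an elevated prompt.

```powershell
# Added check, not Delinea's code: confirm the LSA privileges granted to the
# NT SERVICE\ArelliaACSvc virtual account are still assigned and that
# NT SERVICE\ALL SERVICES still holds "Log on as a service". Run elevated.
$ServiceAccount = 'NT SERVICE\ArelliaACSvc'
$RequiredPrivileges = @(
    'SeBackupPrivilege','SeChangeNotifyPrivilege','SeCreateGlobalPrivilege',
    'SeCreatePermanentPrivilege','SeCreateSymbolicLinkPrivilege','SeCreateTokenPrivilege',
    'SeDebugPrivilege','SeDelegateSessionUserImpersonatePrivilege','SeImpersonatePrivilege',
    'SeIncreaseBasePriorityPrivilege','SeIncreaseQuotaPrivilege','SeIncreaseWorkingSetPrivilege',
    'SeLoadDriverPrivilege','SeManageVolumePrivilege','SeProfileSingleProcessPrivilege',
    'SeRestorePrivilege','SeSecurityPrivilege','SeSystemProfilePrivilege',
    'SeTakeOwnershipPrivilege','SeTcbPrivilege'
)

# Resolve the virtual account to its SID (S-1-5-80-...); secedit lists assignees as *SID.
$svcSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$allServicesSid = 'S-1-5-80-0'   # well-known SID of NT SERVICE\ALL SERVICES

# Export the user-rights assignments currently in effect and parse the
# [Privilege Rights] section into privilege -> list of assignee SIDs.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$problems = @()
if ($rights['SeServiceLogonRight'] -notcontains $allServicesSid) {
    $problems += 'SeServiceLogonRight (Log on as a service) no longer includes NT SERVICE\ALL SERVICES'
}
foreach ($p in $RequiredPrivileges) {
    if ($rights[$p] -notcontains $svcSid) { $problems += "$p is not granted to $ServiceAccount" }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: every right required by the Application Control service is assigned.'
} else {
    Write-Output 'Missing rights (look for GPOs or hardening tools that rewrite user rights assignments):'
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```

A non-empty list points at the User Rights Assignment settings that the paragraph above says must be left alone; rerun the check after the next Group Policy refresh to confirm the assignments are not being reapplied.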

macOS

  • Addressed a performance issue observed in the 11.4.1 release running on macOS Monterey.

  • Updating Managed groups from the Privilege Manager server for macOS agents now correctly updates the group on the agent if one of the included users does not exist on the agent.

Known Issues

  • Issue: In certain situations, after logging on to the computer after it has been restarted, it is possible that the very first application elevation request is not properly intercepted and results in the default UAC consent prompt being displayed.

    Resolution: Canceling the consent prompt and immediately retrying the elevation request results in the prompt being intercepted and an application elevation policy being properly applied.

  • Issue: On older macOS releases, when approval is received for an installer package (.pkg file) but that package is installed by opening it directly rather than from the notification, and the same package is then opened a second time and approval is granted again, the package may not be elevated as expected when it is re-installed.

    Affected Systems:

    • Big Sur 11.7.6 and older

    • Monterey 12.6.5 and older

    • Ventura 13.2.1 and older

    Resolution: Repeat the approval process for the package one more time.

  • Issue: Sometimes, after installing the Privilege Manager agent on the latest releases of macOS Big Sur and Monterey, the OS fails to prompt the user to approve notifications from Privilege Manager, and the Privilege Manager application does not appear in the Notifications pane of System Preferences.

    Affected System:

    • Big Sur 11.7.7 and older

    • Monterey 12.6.6 and older

    Workaround: Restart the Mac. After restarting and logging in, you will be presented with the prompt to approve notifications from Privilege Manager.