Agent for Windows 6.0.0 Release Notes (Verify Privilege Server Suite 2023)

For the list of the supported platforms by this release, refer to the "Supported Platforms" section in the Verify Privilege Server Suite release notes.

For the platforms to be removed support in coming releases, refer to the "Notice of Termination Support" section in the Verify Privilege Server Suite release notes.

About Verify Privilege Server Suite Agent for Windows

The Verify Privilege Server Suite Agent for Windows package contains software to support auditing, access control, and privilege management on Windows computers. Audit and Access features must be installed together but their services can be enabled separately on the Windows computers you want to manage.

For auditing, the Verify Privilege Server Suite Agent for Windows requires the Auditing & Monitoring Service feature set, which is available in Verify Privilege Server Suite. Auditing & Monitoring Service enables detailed auditing of user activity on a wide range of UNIX, Linux and Windows computers. With Auditing & Monitoring Service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, and improve regulatory compliance and accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Verify Privilege Server Suite Agent for Windows records user activity on the Windows computer when it is installed.

For access control and privilege management, the Verify Privilege Server Suite Agent for Windows requires the Authentication Service and Privilege Elevation Service feature sets, which are available in Verify Privilege Server Suite. With Authentication Service and Privilege Elevation Service, you can configure and manage role-based access controls for Windows servers. The Verify Privilege Server Suite Agent for Windows extends the access control and privilege management features available for Linux and UNIX computers, so that you can use a single console to manage multiple platforms. You can deploy the Verify Privilege Server Suite Agent for Windows in a Windows-only environment
or as part of a mixed environment that includes Windows, Linux, and UNIX computers.

The Verify Privilege Server Suite Agent for Windows provides both privilege elevation and auditing functionalities, and for more information about the auditing feature, refer to the IBM Security Auditing & Monitoring Service Release Notes for more detailed information.

You can obtain information about previous releases from the IBM Security Support Portal, in the Documentation & Application Notes page.

Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

Changes in Release 2023 Component Update (2023.0.3 / July 2024)

  • Fixed an issue where an agent installed on a domain controller could prevent the Windows KDC service from starting. (Ref:581570)

Known Issues

Installation and Uninstallation

  • Upgrading from the beta build to this version may result in offline MFA mode if there are multiple authentication servers registered in your AD forest. To resolve this, uninstall the beta build first and then install this new version. (Ref: CS-41915)

  • Upgrading Windows while the Agent is installed will result in a failure of the Windows upgrade. The workaround is to uninstall the agent before performing the upgrade or perform a fresh Windows install without keeping existing applications and settings. (Ref: CS-42200)

  • Currently the MFA login feature is not supported on Windows Server 2016 "Server Core" systems. This feature component will not be installed on Windows Server 2016 "Server Core" systems. (Ref: CS-42192, CS-42527)

  • The IBM Security Common Component should be the last IBM Security Verify Privilege Server Suite component uninstalled. If the component is uninstalled before other component, it must be reinstalled by the uninstall process to complete its task. (Ref: 36226a)

  • If you intend to install the software on the desktop with elevated privilege, you should not check the "Run with UAC restrictions" option when creating the desktop. (Ref: 39725b)

  • When you double-click on the Verify Privilege Server Suite Agent for Windows msi and select the "repair" option, the existing files are replaced irrespective of their version number, even when theyare identical. As a result, a prompt to restart the system is displayed as files that were inuse were replaced. However, if you use the Easy Installer to do the repair and a file on thedisk has the same version as the file that is part of the installer package, the installed file will not be replaced. Therefore, there will not be any prompt to restart the system. (Ref: 26561a)

  • When the Verify Privilege Server Suite Agent for Windows is either installed or uninstalled and the prompt for a machine restart is deferred using the "restart later" option or ignored, other components ofDirectManage may display errors due to an incomplete installation. A restart is mandatory if requested after install or uninstall operation. (Ref: 36307a)

  • Users may notice a few "Side by side" configuration errors in the Event Viewer after installing the Verify Privilege Server Suite Agent for Windows, if Microsoft KB945140 related components have beeninstalled on the local machine previously. These errors will go away after you restart the computer and have no functional effect. (Ref: 35302a)

  • If you uninstall the Verify Privilege Server Suite Agent for Windows while the DirectAudit Agent Control Panel is open, files needed by the uninstall process may be blocked. You should close the DirectAudit Agent Control Panel for a successful conclusion to the uninstall process. (Ref: 25753a)

  • If you have installed the Access feature of Verify Privilege Server Suite Agent for Windows from Verify Privilege Server Suite 2013 and are trying to upgrade the component to the latest version, you may see the following errorduring the installation process, "Service 'DirectAuthorize Agent' could not be installed. Verifythat you have sufficient privileges to install system services." If you see this error message, ittypically indicates that the existing service is taking longer time to stop and hence the newservice is not getting installed. When you see this error, wait for some time (typically 30 seconds) and click on Retry button on the error message box. (Ref: 47270a)

  • Verify Privilege Server Suite Agent for Windows and its installer are built on .NET. Therefore, .NET is always installed as a pre-requisite before the agent is installed. If .NET is removed from the system later,Verify Privilege Server Suite Agent for Windows will not run properly. User will also experience problem when tryingto remove Verify Privilege Server Suite Agent for Windows from the system. To properly uninstallVerify Privilege Server Suite Agent for Windows, please make sure Verify Privilege Server Suite Agent for Windows is uninstalled before .NET. (Ref: 39051a)

  • The list of rescue users is stored in different places in Suite 2013.3 (or previous releases) and Suite 2014 and this list is not automatically migrated to its new location when upgrading fromSuite 2013.3 or a previous release to Suite 2014. Because of this, it's highly recommended thatVerify Privilege Server Suite Agent for Windows should not be upgraded in disconnected mode (i.e. whenthe system cannot connect to the Active Directory). If a system is upgraded in disconnectedmode, the list of rescue users will be lost and only local administrators will be able to login to the system after reboot. (Ref: 57622a)

  • If you install Access feature of Verify Privilege Server Suite Agent for Windows without installing the Audit feature, the registry key value for HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\AuditTrail\AuditTrailTargetsis set to zero as expected, which means the audit trail is not sent to DirectAudit Audit Storedatabase. However, if you try to change the installed features list of Verify Privilege Server Suite Agent forWindows and add the Audit feature later, the change process does not automatically set theAuditTrailTargets value to the expected new value of 1, which means to send audit trail data toDirectAudit Audit Store database. This is a known issue and workaround is to set this value manually to 1 after the installer finishes the process of adding new feature. (Ref: 59353b)

  • If you have installed the Access feature of Verify Privilege Server Suite Agent for Windows from earlier version and then upgraded the component to the latest version while the Agent for Windows isnot currently connected to any Active Directory domain controller, only users who have beenassigned a role with rescue rights will be able to log on to the computer until the connection to Active Directory is restored. (Ref: 58858b)

Configuration

  • In a cross-forest environment, forest A user cannot enroll a device joined to forest B when forest A does not have a connector. (Ref: CS-44805)

  • When a machine that has MFA for Windows login enabled is reconfigured to connect to a different forest, the previous setting for the authentication server may no longer be valid. However, ifthere are Group Policy login settings applied to the machine in the new forest, the new settings will be enabled when the Group Policy Editor refreshes. (Ref: CS-41928)

  • In Windows 2016 and Win10, during the login process, selecting SMS or using other mechanisms like Security Question/Phone call/Password/Email/Mobile for MFA and clicking the "Commit" button will be intermittently unresponsive. (Ref: CS-41699)

  • It can take a long time for users in offline mode to be re-prompted for their passcode.

    In the event that the Agent cannot connect to the IBM Security Authentication Server, and a user is required to enter an offline passcode, it can take up to several minutes for the agent tore-prompt for the passcode if the user enters it incorrectly. If the user tries to cancel loginby pressing "back" or by switching the user, the login screen may become unresponsive. This timelag between an incorrect passcode and the re-prompt can also occur when a user incorrectly enters their offline passcode for privilege elevation. (Ref: CS-41302)

  • Administrator should always leave the zone before joining the computer to a different domain. Otherwise, DirectAuthorize may not function correctly after the computer is joined to a different domain. (Ref: 54278b)

  • In some large environment with multiple domain controllers, it may take up to one minute for the new zone setting in Verify Privilege Server Suite Agent Configuration to take effect. (Ref: 58128b)

  • If one of the Global Catalog servers is unavailable, user may not be able to configure the zone for Verify Privilege Server Suite Agent for Windows. (Ref: 58621b)

  • Microsoft normally automatically distributes and installs root certificates to the Windows system from trusted Certificate Authorities (CA) and users are seamlessly able to use a secure connectionby trusting a certificate chain issued from the trusted CA. However, this mechanism may fail ifthe system is in a disconnected environment where access to Windows Update is blocked or thisfeature of automatic root certificate installation is disabled. Without updates on the certificatetrust list (CTL), the default CTLs on the system may not be adequate for secure connections ofIBM Security multi-factor authentication especially for older versions of Windows. To ensure thesuccess of IBM Security multi-factor authentication, user may need manually distribute and installthe latest CTLs and the required root certificate to systems in a disconnected environment. See IBM Security KB-6724 for further information. (Ref: CS-39703)

Environment

  • On Windows 10 and Win2K16 machines with IBM Security Privilege Elevation Service, following will occur (Ref: CS-43883):

    • Pop up an error dialog several seconds after clicking "Open file location" in the context menu of a shortcut on the start menu. Explorer windows will display correctly.

    • No responses to the following actions

    • Clicking "Open file location" in the context menu of a shortcut on desktop

    • Clicking "Open file location" in the context menu of a shortcut on the IBM Security Start menu in the Privileged Desktop

    • Slow response to "OK", "Cancel" in the shortcut property page after "Open file location" in the general tab is clicked. The dialog will close after several seconds.

  • On some Windows 10 machines, the smart card login option may not be displayed if another credential method has been recently used. To display the smart card login option, remove andinsert a smart card into the reader. This will cause the login screen to reload and will display the smart card login option. (Ref: CS-41282)

  • Verify Privilege Server Suite Agent for Windows requires you to patch to at least build 10.0.14393 on Windows 10 and Windows Server 2016 to use MFA features. (Ref: CS-41387)

  • Selective two-way external trusts are not supported. Both Windows machines and Verify Privilege Server Suite zones are required to be in the same forest or different forests with a two-way forest trust established. (Ref: 40713b, 44644b, 44647b, 44657b, 40643b, 40650b, 45341b, 45372b)

  • Environment with no Global Catalog is not supported. (Ref: 46577a)

  • DirectAuthorize for Windows requires machine time to be synchronized with domain controller. VMware virtual machine has a known issue that its time may not be synchronized with domaincontroller. This problem occurs more often on an overloaded virtual machine host. If the systemclocks on the local Windows computer and the domain controller are not synchronized, DirectAuthorizefor Windows does not allow any domain users to login. You can try the following KB from VMware tofix the time synchronization issue.http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 (Ref: 47795b)

RunAsRole

  • If you use the "RunAsRole.exe /wait" command to run a Python script, the input/output cannot be redirected for versions of Python below 3.0.0. (Ref: 45061a)

  • Run As Role menu is not available on the start screen in Windows 8 or Windows 2012 or later because Microsoft doesn't support any custom context menu on the start screen. User has to go to the Windows desktop in order to launch an application using Run As Role context menu. (Ref: 35487a)

  • On Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, use "Run as role" with Local Administrators group privilege on Control Panel does not have sufficient permission to addprinters if the printer drivers are not pre-installed on the computer. The workaround is to definea role run as a user with Local Administrator privilege or with a group as a member of Local Administrators group. (Ref: 68826a)

  • The "Run as role" for Windows Media Player is not recommended. Please use privilege desktop instead. (Ref: 55615a)

  • When running "RunAsRole.exe /wait sc.exe" with no argument provided to sc.exe, sc.exe will prompt

    Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

    Typing 'y' or 'n' doesn't do anything because the input cannot be successfully redirected to sc.exe. (Ref: 47016b)

  • It is not recommended to change zone via Run As Role since the role that is in use may no longer be available once after leaving from the previous zone during the change zone process. (Ref: 58043a)

Desktop with Elevated Privileges

  • In desktop with elevated privilege a mouse left click does not work for SysTray Icons that involve opening the WinRT(or new Window) UI. The Systray icons affect are Time, Volume Control, or any third party icons on Windows 10/2016. (Ref: CS-39454)

  • Server Manager cannot be started on multiple desktops at the same time. The bug exists on Windows 2012R2, 2016. (Ref: CS-42060)

  • On a desktop with elevated privileges on Windows 8, 10 & 2016, the search for files or folders will be intermittently disabled from the Start menu ("Start" menu > "Search" > "For Files or Folders…"). (Ref: CS-42066)

  • On a desktop with elevated privileges, if you open the Task Manager and select "File > New Task" to run an application without selecting the "Create this taskwith administrative privileges" option, the application will be launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169a)

  • If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using "Run as role" with a right configured to run as the modified user account:

    "Failed to open new desktop. Right xxx references bad user account."

    The workaround is to restart the computer. (Ref: 35124a)

  • On a desktop with elevated privileges, if you use "Control Panel > Programs > Programs and Features" to uninstall a program, you may see the following warning message and cannot uninstall the software.

    "The system administrator has set policies to prevent this installation."

    This issue happens when User Account Control (UAC) is enabled and when "Run with UAC restrictions" is selected when creating the new desktop. (Ref: 33384a)

  • When you open the Start menu "Help and Support" item on a desktop with elevated privileges, the Windows Help and Support is launched on the default desktop. Switch to the default desktop to view the information. (Ref: 32147a)

  • If you shut down, restart, or log off from a desktop with elevated privileges, all running applications are terminated forcibly without being prompted to save any open documents. (Ref: 40749a)

  • You cannot launch Windows Security Options using "Start menu -> Windows Security" on a privilege desktop with elevated privileges when using a remote desktop connection. You must switch back to the default desktop to continue. (Ref: 45995b)

  • Installation of IE9 on desktops with elevated privileges may cause the privileged desktop to become unusable. Use "RunAsRole" for installation of IE9 instead. (Ref: 44930a)

  • You cannot use the Start menu option "Switch User" while you are using a role-based, privileged desktop. To use the "Switch User" shortcut, change from the privileged desktopto your default Windows desktop. From the default desktop, you can then select Start > Switch User to log on as a different user. (Ref: 39011b)

  • On a DirectAuthorize desktop using a role with local administrator privilege, the Stand By option in the shutdown menu does not work. This is a known issue and will be addressed in future release. (Ref: 58280a)

  • VMWare registers to run VMwareUser.exe on the guest operating system to enable user to copy and paste text between the guest and managed host operating systems. Creating multiple desktopswith different user accounts causes multiple VMwareUser.exe are run in different user accountsin the same logon session. VMwareUSer.exe cannot support this scenario and therefore an errormessage is displayed on the default desktop which blocks all the UI operation on the newdesktop. To workaround this problem, user can disable the VMWare user program on the guestmachine by deleting the registry value name "VMware User Process" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (Ref: 49268a)

  • On a privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, you may not be able to access the VMware shared folder. (Ref: 40686c)

  • Windows logo key keyboard shortcuts are not supported on privileged desktop. Depends on the key and operation system, the shortcut could either have no effect or its effect is applied to the default desktop instead. (Ref: 47588b)

  • A Start menu on privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, to make up for a limitation of Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2.In addition, navigating to a Modern Start screen to use Modern-style apps from a privilegeddesktop is not possible from either the charm bar or using a Windows. Note: you must switch back to the default desktop in order to go to Modern Start screen. (Ref: 41245c)

  • The Challenge Pass-Through Duration setting is currently not supported for Verify Privilege Server Suite Windows multi-factor authentication. The Challenge Pass-Through Duration setting does not requirea user, who has successfully met a multi-factor authentication challenge, to re-authenticatethrough mfa to use an mfa-required right or role if that user chooses the same challenge mechanism when prompted within the duration specified in the setting. (Ref: CS-39432)

Roles and Rights

  • No 'Require multi-factor authentication' system right for the predefined 'Windows Login' role. To define this system right for MFA, use the pre-defined Require MFA for logon role, or create a new custom role. (Ref: CS-40888)

  • Windows Network Access rights do not take effect on a Linux or UNIX machines. If you select a role to start a program or create a desktop that contains a Network Access right, you can onlyuse that role to access Windows computers. The Windows computers you access over the network mustbe joined to a zone that honors the selected role. The selected role cannot be used to access any Linux or UNIX server computers on the network. (Ref: 32980a)

  • To elevate privileges to the "Run as" account specified in a Windows right, the "run as" account must have local logon rights. If you have explicitly disallowed this right, you may receive anerror such as "the user has not been granted the requested logon type at this computer" when attempting to use the right. (Ref: 34266a)

  • If your computer network is spread out geographically, there may be failures in NETBIOS name translation. If a NETBIOS name is used, Active Directory attempts to resolve the NETBIOS namebased on the domain controller that the user belongs to, which in a multi-segment network mightfail. Therefore, Network Access rights might not work as expected if the remote server islocated using NETBIOS name. You may need to consult your network administrator to work around this issue. (Ref: 39087a)

  • File hash matching criteria in the Application right is not supported for a file larger than 500MB. This is to make sure DirectAuthorize does not spend too much CPU and memory resources tocalculate the file hash. User trying to import a file with the size larger than 500MB will see an empty value for the file hash field. (Ref: 56778a)

  • For a small set of applications, enabled matching criterion: "Product Name", "Product version", "Company", "File Version" or "File Description" of a Windows Application Right may fail to match after upgrading agent under the following conditions:

    • Any value for the enabled matching criteria is defined by either import from a process or file
    • The matching criteria is defined by 5.1.3 or 5.2.0 DirectManage Access Manager since the number

      of affected application is expected to be relatively low, proactively updating the defined

      matching criteria of Windows Application Right is not necessary. (Ref: 60053a)
  • Smart card users can continue to use their own smart card to logon, but there will be no Verify Privilege Server Suite MFA features applied to smart card users. (Ref: CS-41539)

Compatibility with 3rd Party Products

  • MFA may be skipped when connecting through XenDesktop because the Citrix Credential Provider may be used instead of the IBM Security Credential Provider. The workaround is to disable theCitrix Credential Provider through the Group Policy"Centrify Settings\Windows Settings\MFA Settings\Specify the credential providers to exclude from the logon screen." (Ref: CS-46744)

  • VirtualDesktop is not compatible with Verify Privilege Server Suite Agent for Windows. Users should use the

  • IBM Security system tray applet to create virtual desktop instead. (Ref: 44641b)

  • Attempting to launch SCOM Operation Console on privileged desktops will fail if there is an existing instance on other desktops and a new SCOM Operation Console will be started on thedesktop with the existing instance. The workaround is to close all existing instances before starting a new SCOM Operation Console. (Ref: CS-43790)

  • The startup path for "SharePoint 2010 Management Shell" and "Exchange Management Shell" may set to C:\Windows instead of user home directory if it is launched via RunAsRole.exe or from a desktop with elevated privilege. (Ref: 38814b, 46943b)

  • On a desktop with elevated privileges, if you install McAfee Security Scan products and click "View Readme", the Readme.html is shown on the default desktop. Similar issues mayhappen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly. (Ref: 34642a)

  • Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases. (Ref: 33835b)

  • The Microsoft Snipping Tool utility has a bug that prevents it from running on a desktop with elevated privileges. (Ref: 31931a)

  • Some applications do not use the process token to check the group membership. They check the user's group membership on its own. Therefore, any Windows rights configured to use aprivileged group will not take effect in these applications. The workaround is to use aprivileged user account instead of a privileged group. Here is the list of known application with this issue:

    1. vCenter Server 5.1
    2. SQL Server
    3. Exchange 2010 or above
    4. SCOM 2007

    (Ref: 45318a, 45218a, 43779a, 38016a)

  • Privilege elevation using Windows Rights for Internet Explorer (IE) 7 is not supported. (Ref: 33425a)

  • Privilege elevation using Windows rights for "Remote Desktop" is not supported. (Ref: 45222b)

  • Privilege elevation using Windows rights for taskmgr.exe, explorer.exe, and cmd.exe are not recommended. A user granted privileges with Windows rights is implicitly granted to run any executable under the same privilege. (Ref: 45861a, 40525a)

  • Users may notice an error and cannot install ActivClient after installing Verify Privilege Server Suite Agent for Windows. During the installation of ActivClient, it attempts to change the localsecurity setting. However, there is a known issue for Verify Privilege Server Suite Agent for Windows ofblocking the local security setting (Ref: 63609b). Therefore, users may not be able toinstall ActivClient successfully after installing Verify Privilege Server Suite Agent for Windows. Wesuggest installing ActivClient before installing Verify Privilege Server Suite Agent for Windows. IfVerify Privilege Server Suite Agent for Windows has been installed, please uninstall it and follow theinstallation sequence suggested. This issue happens on Windows 8.1 and Windows 2012 R2 only. (Ref: 76016b)

  • McAfee Virus scan may block the Verify Privilege Server Suite Agent for Windows from registering the LSA packages while joining the system to a zone. The zone join operation now detects the same and shows a warning to the user. (Ref: CS-48893)

Application Manager

  • Application Manager does not support Server Core edition of Windows. (Ref: CS-40656)

  • Application Manager may not be able to generate Audit Trail event for the uninstall, change or repair operations which require reboot. (Ref: CS-45641)

Network Manager

  • Network Manager does not support Server Core edition of Windows. (Ref: CS-42675)

Endpoint Enrollment

  • When a Windows machine is enrolled by a user as a personal device and subsequently that user

    is disabled, after upgrading the product, there is no way to let another user to enroll a

    personal device for that machine. The workaround is to remove the service "Identity Services

    Platform" in Agent Configuration and add that service again. (Ref: CS-44514)

Verify Privilege Server Suite Agent for Windows

  • Auditing status is incorrectly displayed on Authorization Center and the desktop notification message when the following Group Policies are enabled:

    • Audited user list

    • Non-audited user list

    (Ref: CS-46321)

  • Verify Privilege Server Suite Agent for Windows installation may prematurely end on systems that have Citrix Virtual Delivery Agent version 7.9 or higher installed. Please refer to the IBM SecurityKnowledge Base for possible workarounds to deploy Verify Privilege Server Suite Agent for Windows on systems affected by this issue. (Ref: CS-46288)

Additional Information and Support

In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.

The IBM Security Resources web site provides access to a wide range of information including analyst reports, best practice briefs, case studies, datasheets, ebook, white papers, etc., that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.

You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone. To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.