Privileged Endpoint Policy

  • Question

  • Hi,

    Just need some clarification - I have created an app and set the Access Policy to be 'Default Privileged Endpoint'.

    Now, when I authenticate to the portal the app is greyed out, and when I click details I see:

    The endpoint does not meet access policy requirements for this application.
      Your computer does not meet the security policy requirements of this site. For more information, contact your administrator.

    If I open the 'Default Privileged Endpoint' Policy, there is nothing really configured in there.... why am I getting the error? The error message also does not say what it is that I am missing.

    Friday, April 23, 2010 1:55 PM


All replies

  • Hi

    Can you tell me something about the endpoint: domain member? Anti-virus? Firewall? etc.

    Martijn B.
    Friday, April 23, 2010 1:58 PM
  • Yes, it's a domain member, XP SP3; it has a firewall running and AV with updates done 2 days ago.

    According to another post, "Privileged_Endpoint is the default policy/expression that is always false unless edited." - so it looks like we have to configure something in it to make it work... http://social.technet.microsoft.com/Forums/en/forefrontedgeiag/thread/1c55a338-e0f4-4333-8337-9129ad641e91

    Which brings me to another question...When do we use the 'Session Access Policy'; when do we use 'Privileged Endpoint Policy'?

    I guess these would be controlled by different security levels inside your company?

    General Staff might see what the Session Access Policy enforces.

    Then, certain IT people might see what the Privileged Endpoint Policy is configured to.

    And for extreme security, a Certified Endpoint might be the criteria....

    Am I on the right track?

    Friday, April 23, 2010 2:04 PM
  • 'Privileged Endpoint' is a policy defined in the Session tab of the Advanced Trunk Configuration window. Basically you can determine the MACHINE requirements to elevate the machine for more privileges (session length, time out, attachment wiper, etc.) and application access. You would still use Application Authorization to determine which USERS have access to which applications based on user or group membership.

    Create a custom privileged endpoint session policy (e.g. "My Awesome Privileged Endpoint Policy") however you like. For instance, the machine must be a domain member. Then apply this policy to the Privileged Endpoint setting in the session to give all domain member machines privileged session settings. You can then re-use this custom policy for applications you want to restrict access to only domain members (for example).


    Friday, April 23, 2010 3:19 PM
  • Ah, of course - completely forgot about that.... right... so in other words.... what would make this machine obtain the one session state of 'you are valid for 1 hour' vs. 'hey, I trust you and you can stay logged in for 24 hours'... and all the other check boxes in that area.

    It's all coming back to me.... thanks Dee

    Friday, April 23, 2010 5:34 PM
  • The example here looks like a reasonable PrivEnd script to me ;)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, April 27, 2010 11:39 PM
    Saturday, April 24, 2010 12:04 AM