​@Bartosz The following documentation will help:

https://docs.beyondtrust.com/bips/docs/ps-sessions#enhanced-session-auditing

Hello ​@Paulo144 Thank you for your response, I saw this document previously, however the problem is that I can’t find any information about requirements there.

Best regards,

Bartosz

​@Bartosz the only real requirement is the port 445 open on the system and ADMIN$ enabled as well, the rest is more about the FA being local or domain admin, so it can create a folder directly in C:\, start a service, create a new register key and create e scheduled task.

What ESA do is:

– Move pbpsdeploy.exe (which is embedded in RatTrapAPI.dll) to the root of the ADMIN$ share on the managed system and create the C:\pbps folder
– Register pbpsdeploy.exe as a service named pbpsdeploy (BeyondTrust Password Safe Deployment Agent) and start it.
– Move pbpsmon.cab (which contains pbpsmon, pbpslaunch, and supporting DLLs) to the root of the ADMIN$ share on the managed system

– In Task Scheduler, the following task is created: BeyondTrust Password Safe Monitoring Task

– In regedit, the following registry keys are created:

HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch

See if this information can be more helpfull to you.

Here are few more articles that may be a help:

Check folder shares for Enhanced Session Auditing (ESA) deployment by Functional Account

RDP proxied sessions not logging off disconnected sessions - ESA fails in pbsm.log: ERROR: Failed to deploy pbpsdeploy

How to manually remove the PBPSdeploy service and resources from the Managed System - PBPSdeploy uninstall fails