Recently active topics

When scanning assets with PWS we get an enumeration of all users that have permissions on this  system under advanced details => scan data => users However, we only see user here from the domain directly linked to this system. Users that have permissions on this system trough a trust with another domain are not enumerated. Is there any way of getting visibility on this?

Hi everyone,I have a question regarding PASM. I have users and devices managed through Password Safe, and session delivery is handled by PRA. If I want a user connecting from PRA with credentials injected from Password Safe to provide a reason for connecting, where do I configure this in PS or PRA? Also, if they need an approval workflow, where do I configure that in PS or PRA?

Hello , I see there is only TOTP MFA option in PRA . We are using PRA for external Vendor access where the accounts are quarterly reviewed but as the number of vendor grows , manual errors might increase. Also as the review can not be made more frequent , there is a possibility that Terminated vendor user still has access as they know their PRA login password and have TOTP MFA configured using a personal mobile device. These user identities are in Active Director as well as PRA internal DB. Is there any way to implement email-based MFA so that terminated user will immediately lose access as they wont have access to company email ?I see Radius auth and OKTA can be used both have separate trade-offs

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

I can log into the portal but when I click on links for KB articles or cases nothing happens. If I use a direct link to a KB article I get a message that it was not found. Is anyone else experiencing problems or do I need to look for issues on my ends?

Some users intermittently encountered this error in Password Safe PAM:Because of an error in data encryption, this session will end. Please try connecting to the remote computer again.After that error message, the session disconnects.Tech Support determined that the issue is caused due to a network-related TLS/SSL interference between the appliances and target servers. However, Networking team couldn't find any issues to fix.Please share with us if anyone encountered this type of issue.ThanksMeku

Hi Team, The customer has a requirement to maintain segregation for administrators across different sites. Could you please advise how this can be achieved? Currently, we have five sites (A, B,C,D,E,F configured in an Active-Active setup. Each site has its own set of administrators. The customer now requires segregation of duties so that administrators from one site are restricted from viewing or accessing assets, groups, or directory queries belonging to other sites. For example, administrators from the Asite should only be able to view and manage assets, groups, and directory queries related to A, and should not have visibility into resources from the other sites. Please let us know the possible approach to implement this requirement.

Hi, I’m looking for a way to change password on network devices (mainly switches) without functional account need. Indeed, all switches have only one local root account and I don’t want to create another account to rotate this one. It could be really more efficient to use a “change password” action by the account itself more than a “reset password” by a functional account. Fabien

Recently, we upgraded several customers to versions 25.1.1 and 25.3 of Password Safe/BI, and we have encountered an issue when accessing some SSH devices:"Managed system host key check is enabled but the list of accepted host keys is empty."In some cases, enabling the Auto Accept Initial Key property on the Managed System resolves the issue.However, for certain managed systems, this setting causes access problems.Has anyone else experienced this behavior or found an definitive and clear solution?

Hi Guys, Can anyone address this query? Does PRA Remote RDP Jump using SecureApp with Type Remote Desktop Agent requires Cal License. Use case is we have an application that needs to be accessed, so we configured the Remote RDP jump short cut and configured  SecureApp with Type selected Remote Desktop Agent. If Yes Cal is needed then why do we have two options one RemoteApp and the other Remote Desktop Agent. please let me know how to go ahead without the Cal license for this use case

My Security Team wants to do unauthenticated scans with Rapid 7 on our Privileged Management on-prem appliances.  I dont see why this would be an issue, but wanted to check if anyone has any experience with this or any issues that they have run into.  Or if anyone from Beyond Trust has any info also that would be great.

Is anybody aware of CVE 2026 20833 Impacting Password Safe Cloud and PRA? Microsoft will discontinue the RC4 algorithm in Kerberos.!--endfragment>!--startfragment>

Hi everyone,we would like to raise a concern regarding the Command Shell behavior introduced in Remote Support 25.3.1.The fact that the shell now starts in the context of the logged-in user by default (without requiring user credentials or consent) is, from our perspective, a significant security regression.In previous versions, this behavior was not possible — access to the user context required explicit authentication. Now, support staff can directly access user-level resources such as OneDrive, network shares, or SharePoint without the user being aware.In regulated environments (e.g., banking), this is a serious issue:- it breaks the separation between user and system privileges- it introduces potential audit and compliance risks- it allows unintended access to sensitive user dataAt the same time, our operational requirement remains:- we must be able to perform support actions without user interaction- but strictly within system/administrative context unless explicitly approved othe

Hi Community,I need to make some configuration changes to Password Safe login capabilities. The client has a Cloud instance of Password Safe, and I want to avoid users being locked out of the application in case the configuration fails.Is there a way to back up the SAML IdP configurations so they can be restored if a rollback is needed? Thanks in advance.  

We have ran the pspca command and in the logs it states it was able to get credentials for some of the accounts. Now that we know it has stored the passwords somewhere locally, how can we retrieve the passwords?

!--startfragment>I recently onboarded several managed accounts into Password Safe and synchronized them with my secret cache. Since these accounts are designated as break-glass accounts and are not actively used, I wasn’t expecting to see a last logon in AD associated with them. Could you explain why that information is appearing? Maybe Password Safe password change process.!--endfragment>

Hello All, We have a requirement for deletion of Inactive AD users from BeyondTrust Password Safe (User Management). However for some of the users when trying to delete we are getting below error -“Cannot delete a user 'username' with active Password Safe Release Requests”Does anyone know resolution for this? Any known KBA or document for this? Thanks,Prasad

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks You can also check for file/folder contains those key wordsWhat returnsDepending on what is being logged, you could end up with a lot of noise. For instance, emails or browser visits to sites with those in the name, etc.  It could return scheduled tasks calling gateway.cmd, etc. which is a de

I have a requirement to deploy a web application that will handle credential injection when users attempt to log on to the vCenter console. From an RDS perspective, what would be the recommended approach? Specifically, can I leverage my existing Brokers to publish this application, given that I currently support approximately 70 concurrent RDP and SSH sessions distributed across three brokers? Or is it strongly advised to provision dedicated RDS servers for this purpose?!--endfragment>!--startfragment>

I am getting several users complaining about their Avecto Defendpoint Service just stopping all of a sudden. May I ask what is the best way to troubleshoot and find out what is causing the service to stop?I ran a PGCaptureConfig extract and looking at the Avecto IC3 client log, I can see the warning about the “Defendpoint agent service is not running”. I have looked at the Windows event log but it does not really say anything what might have caused the service to stop.

Hi All ,Just wondering how others managing “Mandatory multifactor authentication for Azure sign-in” where azure app published as managed apps and ps_automate injecting credential.Given especially user do not know their credential.  Announcing mandatory multifactor authentication for Azure sign-in | Microsoft Azure BlogRegards,M 

Good day everyone! So recently we have begun to ingest EPM log into MS Sentinel, and I have noticed a difference in the data we see in the console Analytics vs Sentinel. Firstly the integration was simple and straight forward.  Once configured we began to see information flow into Sentinel.  This is not a problem and seems to be working well, we used the CIM format.What we are seeing is good, but it is nowhere near the information we see in the console analytics.Example I will use is logons.  We can see logons in both the analytics and Sentinel, however there is information missing in the information we see in Sentinel, namely privilege. So in the analytics I can see and search on the client privilege, and status of the account (domain, local), but in Sentinel I am not.I just wanted to start a conversation with others who are using a SIEM with EPM or plan too int he near future.  We could compare experiences and possibly see what in store for the future from Beyond Trust.  Thanks, and

Hello, we recently started using BeyondTrust for our Intune-managed MacOS devices, and we have run into an issue with several of our users. They get 10-15 popups a day, saying "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. Screenshot here:  Here are the details.Device:MacBook Pro (16-inch, 2024) MacOS Tahoe 26.3.2 BeyondTrust Remote Support 25.3.1Symptoms:Pop-ups happen all throughout the day, approximately 10-15 times daily, with no specific trigger. Even after pressing "Allow", the pop-ups continue to reappear. The Pop-ups have the following text: "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow Remote Support Customer Client to record your screen and system audio, including personal or sensitive information that may be visible or audible. Troubleshooting steps:Tried turning the setting off and back

The following articles were published last week. New Knowledge Base Articles: KB0021644 - Configuration for Opengear Custom Platform KB0022089 - After Password Safe upgrade getting unauthorized error for Vaulting request KB0022096 - Email alerts received by the appliance. Error - Failed for: 'IUSER_REM', machine name KB0022098 - Custom dashboard disappears after logout or browser change KB0022101 - Resource Broker installations fail "Failed to get server time. One or more errors occurred." KB0022162 - Workforce Passwords URL is trimmed when creating a credential KB0022172 - Large Active Directory (AD) group sync fails - Error Code: RequestTimedOutError Message: Timeout making http request KB0023337 - Unable to view Secrets Safe after upgrade to 25.3 - Failed to fetch folders or An unexpected error occurred KB0023374 - Does Password Safe support Windows Server 2025?  

The following articles were published last week. New Knowledge Base Articles: KB0022044 - Using --nohosts results in error - Required configuration stage not enabled [code 0x0000a606] KB0023321 - Error 1721 installing AD Bridge "There is a problem with this Windows Installer package"