Recently active topics

This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out. 

Hello, we recently started using BeyondTrust for our Intune-managed MacOS devices, and we have run into an issue with several of our users. They get 10-15 popups a day, saying "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. Screenshot here:  Here are the details.Device:MacBook Pro (16-inch, 2024) MacOS Tahoe 26.3.2 BeyondTrust Remote Support 25.3.1Symptoms:Pop-ups happen all throughout the day, approximately 10-15 times daily, with no specific trigger. Even after pressing "Allow", the pop-ups continue to reappear. The Pop-ups have the following text: "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow Remote Support Customer Client to record your screen and system audio, including personal or sensitive information that may be visible or audible. Troubleshooting steps:Tried turning the setting off and back

I have a requirement to deploy a web application that will handle credential injection when users attempt to log on to the vCenter console. From an RDS perspective, what would be the recommended approach? Specifically, can I leverage my existing Brokers to publish this application, given that I currently support approximately 70 concurrent RDP and SSH sessions distributed across three brokers? Or is it strongly advised to provision dedicated RDS servers for this purpose?!--endfragment>!--startfragment>

Tell Us What You Want to LearnWe’re opening up a new series of informal, instructor‑led sessions, and we want your input to decide what topics we cover next. If there’s a feature you’ve been curious about, a concept you’d like explained more clearly, or an area of a product you’d like to explore in more depth, this is your chance to tell us. Share the topics you’d like our instructors to walk through, and we’ll build short, discussion‑focused sessions around the most requested ideas. We’ll be collecting suggestions until March 27th, and then our instructors will schedule sessions based on the themes you submit. To keep these sessions useful and relevant for everyone, a few guidelines:This isn’t a space for troubleshooting, error messages, or support‑ticket issues. We can’t address environment‑specific setups or consulting‑style questions. Topics should be broad enough for an instructor to cover without formal labs.We look forward to hearing from you!

Hi,Has anyone tried using a custom platform in Password Safe to onboard Allied Telesis? Hoping for your help. Thank you

Hi,Usually we do the workaround of reinstalling BeyondTrust client when it affects more than 30% usage but now it takes up to 98% and reinstallation also does not help.Please let me know if you have any ideas on this issue.

We have defender for endpoint and since past couple of days, we are most of powershell scripts are trying to elevate. Earlier they were running in passive mode. Also many applications including intune pushed scripts are giving Yes/No Promts (Configured in policy). As it was working fine earlier and suddenly started this issue. Anyone else facing the same?

Hi All,In PRA, we have a SAML security provider configured for user authentication and provisioning. User will only be provisioned when they first-time logged in.Is there anyway we can pre-provision the users by LDAP/AD Group synchronization similar functionality as Password Safe (without using SCIM). Thanks, 

Hello Team,We will be moving/migrating our on-prem EPM to the cloud in the upcoming months and I was just looking for any insights or things to look out for during or after the migration.Thank you for anything you can share.

We would like to confirm the current behavior of the sorting function on the Events page in Privilege Management Console.Environment : Privilege Management Console 25.8.865Location in the UI : Home > Analytics > EventsObservationOn this page, only a few fields such as the following display a triangle sorting indicator next to the column label: VirusTotal Score Time Since Last Lookup Other fields do not display this indicator.In addition, when the triangle icon is clicked, the icon changes direction (upward / downward), but the actual list order does not appear to change.Questions Is it expected that only certain fields show the sorting indicator? Is the sorting function currently implemented only for specific fields? Enhancement requestIf sorting is intended to be available, it would be helpful if: the sorting indicator and functionality were consistently available across sortable fields, and clicking the indicator clearly changed the sort order of the list. For reference,

HelloWe have a situation with the Web Jump where user needs to open a specific website which automaticaly downloads an instalation package. I was able to configure web jump but when user connects to it - it just displays the webpage. Is it possible to set web jump to auto download the file after connecting?Kind Regards

I am encountering a limitation when using BeyondTrust Privileged Remote Access (PRA) for remote access to network shares.I tested an alternative using: Jump Client Session Policies → File Transfer tab ➡️ File transfer works correctly from the remote machine.❌ However, the main issue is that: The session runs under a local administrator account The user accessing the session does have access to the shared folders, but not when using their Active Directory account Requirement / QuestionI would like to know if there is a way: To access the remote machine via Jump Client (File Transfer tab) using the user’s Active Directory account during the session Specifically through: A network tunnel Running the session in the Active Directory user context Active Directory credential injection Or any other native BeyondTrust PRA functionality ObjectiveAllow the remote user to access shared folders and files using their Active Directory account, without using a local administrator account on

Hello Team, We are planning to implement automation in such way that there should not be any need to go into configuration page and create new credentials (for scan account) manually.However, I would like to know do we have any automated way to create or update scan credentials (as it seems Rest API is not available). Thanks,Prasad  

Hello Team, We are looking for KBA article, pointer to know how MongoDB instances can be configured in BeyondTrust Password safe. We are looking for similar option as we do while performing asset scan (with database option checked) for Oracle type databases. Thanks,Prasad

Out shop is using BeyondTrust 25.2 and soon upgraded to 25.3  I find the current reporting and analysis is quite limited in terms of functionality.  I would like to see if you faced the same or any other circumventions.  I regarded my requirements quite elementary however, it turns out to my very big despair. In fact, my intention is to produce a holistic entitlement report for review purpose.  Our interest is to export an excel like format with  user id                            list of managed accounts                                       role (requestor/auditor/approver)  Now, I try to use smart rule details of password safe.   However, the structure of this is totally unacceptable as if you want to download.   100 Smart rules will need to download 200 times which is very time consuming other next, is to associate by table join to group entitlement report as I don’t want reviewers to know which groups and in particular smart groups which are no meaning to them as well as they are

Dear all,I am seeking your assistance regarding a challenge we are facing in our current project to present events generated by the EPM-W Agent in PowerBI.As you are aware, the GUI allows us to download up to 5 million records, but this process is often time-consuming, especially when the data size reaches several gigabytes. Additionally, I recently learned that the API has a limit of only 10,000 events per request, which is insufficient for our environment. We generate approximately 455,882,549 events over a 30-day period. While I am actively working to reduce the number of events, this is our current situation.Your advice on how to efficiently process and visualize such large datasets in PowerBI would be greatly appreciated. Specifically, if there are ways to increase the API limit or alternative best practices for handling this scale of data, please let me know.

Hi Team,I am trying to create the EntraId group in Beyondtrust password using API. I am calling below API to do it https://jlr-uat.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/usergroupsBelow is the body param I am providing {"isActive":"true","groupType":"EntraID","groupName" :"***","description" :"***","TenantId" : "5....","ClientId" : "3873..","ClientSecret" : "d....."}Client Id and client secret is correct. I have provided below permission to group which has API key configured   When I am trying to create the group for group type as Entra Id I am getting error message which says ""Unsupported group type: EntraID"I am following below documentationhttps://docs.beyondtrust.com/bips/reference/post-api-public-v3-usergroupsIn event logs I see below error Warning DetailsMessageBadRequest (400) - "Unsupported group type: EntraId"Exception--ThreadId102HttpRequestIde7d013ef-d20f-46c9-9e37-066becSourceServicepublicapiStatusCode0ElapsedMilliseconds0From Password Safe, I am able to Add gro

Hello Everyone, I had a quick question and wanted to check with the group. Is there a way to discover all the databases on an OS without providing any DB credentials? Basically, does the scan agent use OS-level creds to get into the system and pick up the available databases the same way it finds accounts? Thanks,Prasad

Hello, we have BI PasswordSafe on-prem . When we do IP Discovery scan against 50+ network devices for some of the devices , IP address is added as an Asset after the scan, instead of hostname , I think IP Discovery scan would just query the DNS and add the hostname as an asset along with IP address as details for that asset. All devices have similar DNS entries (hostname : IP ). But for some devices the scan add hostname as an asset - which is the desired outcome , but for others IP address is added as asset

Hi All,I have got the PWS to PRA connection working, I can see my managed test account in PRA but when I try and use the cred store to connect, I get the following error. (Could not find a schedule to use with this release request)I have followed the guide (BeyondInsight / Password Safe - Unable to pull Password Safe Credential via ECM. Error: "Could not find a schedule to use with release request".)Any ideas where I can start to look? log? or have I missed something simple?

I am opening this post to discuss solutions for upgrading Remote Support in an enterprise environment where all software, including the Representative Console, must be distributed via Microsoft Intune. Users cannot install or upgrade software themselves directly from the Download Console page, which often leads to downtime during upgrades.Our current approach is:Upgrade the backup appliance first to obtain the latest software and prepare the Intune package in advance. On rollout day, ensure the new version is available in Intune, then temporarily switch the backup appliance to primary so users experience minimal interruption. Behind the scenes, we will upgrade the original primary appliance, then revert to the normal setup.However, this method has limitations: during the backup/primary appliance upgrade, there is no failover, and data synchronization may be affected.What strategies have you used to handle similar upgrade challenges in Intune-managed environments?

For those who are looking to start out on building block lists for EPM, below are some tips and resources available. Analytics can shift this exercise from ‘blocking by vibes’ to data-informed changes. Tips for Implementing a Block Rule: Check your analytics for application definitions that match your anticipated block rule This can help determine estimated impact Check your policy for allow rules that may match your block (either on purpose or by accident) If so, then your allow or block may need to be altered to not conflict Block Rules are the only time you’re going to want to be more generic, and typically the widest net possible. It’s the opposite of allow rules where we recommend more than one definition Examples: One rule for the Publisher One rule for the file name of the executable One rule for the Product Name Block rules will only block what can be managed by EPM - seems redundant but a general guide I have is that if the configuratio

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

We have seen an issue where in some scenarios, it may be possible to connect to a user’s screen without requiring their acceptance. When you initially establish a jump session and perform Shell work to fix an issue, users may have their screen locked or logged out.  Unfortunately, the session policies do not appear to re-evaluate, so whatever the status of the device was when you established the jump session is held throughout the session. A workaround would be to disconnect the jump session and establish a fresh session before you use the screenshare function, which would then pick up the user is logged on and present the prompt.For example:User reports an issue on desktop, walks away.The machine is connected to (Shell, System etc but not screen sharing).User returns and unlocks the machine.Screen sharing is started from the Rep Console.Due to the existing session already established (using Shell and System Information), no prompt for the user to accept is required, and it connects to

Can anybody let me know what are the BeyondTrust certifications on Endpoint Privilege Management and how can I get those certifications?I am unsure of all the certifications and the process involved in acquiring them. So, any help would be greatly appreciated.