Recently active topics

Hi everyone,I was trying to automate credential injection for Kaspersky Security Center and apparently PS_Automate does not support applications in .msc format.Is there a workaround to get this application successfully automated with credential injection through password safe. Thank you.

Hi there,We have set up MFA-Messages to authenticate admins when installing software on a client. This also needs to be done on “user-clients”. The problem is that you actually can use the admin mfa session to access various ressources such as microsoft admin portal if youre not actively sign out or do the authentication in private-tab.I already tried to use the following in my entra application, but this does not seem to work: Has anyone setup an MFA-Authentication in Messages for EPM-W and may assist?Many Thanks!

Like the title says, I have a couple of non-domainjoined windows VMs, which I would like to be able to use multisessions on, credential injection works fine obviously for the Jump point object, meaning the local account credentials are managed in PRA, but Remote RDP doesn’t seem to support it, unless I’m missing something.We do not use Password Safe, only the built in credential Vault.

Hi, is there a way in PRA console to identify which Jumpitems are being used by user to stablish connection to end points? Just want to make sure all my 4 jumpitems are being used.

Ran into an issue while upgrading to 25.3.3 (and 26.1.1 + Base 8.2) this week, maybe I’m incorrect in my assertion but I’ve updated our appliance several times since going live, and haven’t had this issue before.After updating to 25.3.3 all of our Desktop clients stopped working, we use SAML auth, and the SAML itself works fine, we see successful logins, but when the login is complete, the desktop console doesn’t do anything, it remains in its default state, waiting for you to press login, and the cycle repeats.I tested this both on going from 25.3.2 to 25.3.3 and 26.1.1, with desktop consoles both on 25.3.2 and 25.3.3, same thing on both.Again, I’ve updated the appliance several times, without the need to manually re-install the desktop console.SAML login to the /login page and /console page in web works fine.

Hello,I would like guidance on recommended best practices for Smart Group to User Group mapping.Requirement:Multiple teams will access dedicated managed accounts.We are evaluating the following design approaches:Option 1:Maintain only two common user groups globally: Read-Only Users Read-Write Users Map all dedicated account Smart Groups across teams to these shared groups.Option 2:Maintain separate user groups for each team, even if permissions are identical. Example: Team A – RO / RW Groups Team B – RO / RW Groups We would appreciate guidance on:Recommended best practices for large scale deployments. RegardsGB

Hi,Has anyone successfully implemented automated credential injection for the pgAdmin application?There are no usable keyboard shortcuts, and TAB navigation doesn’t allow selecting “Add New Server”.I also tried simulating key sequences (Alt → Right Arrow → Enter → Enter → Enter), but it doesn’t open the “Register Server” window. AutoIt-based automation attempts haven’t worked either.If anyone has found a way to automate this, please let me know.

Hi everyone, I’m quite new to BeyondTrust and am completing the Privileged Remote Access - BCIE course.I wanted to know the difference between a Remote RDP Jump Item vs Remote Jump Item.Is Remote RDP Jump similar to using a VM session?Thanks in advance!

has EPM-W in BeyondInsight Software, Now its eol.We need to migrate to UVM based appliance in Active Active with DC-DR, I need assistance in understanding what all should be considered before the migration.1. How do i make sure the software based deployment which has DB should be moved to the new UVM deployment in Active active.2. How do I make sure I deploy UVM in Active Active in DC & DR where I should deploy 3 UVM in DC and 3 UVM in DR so I get them running active active all the time.3. How many maximum machines do we can connect using this kind of deployment for EPM-W4. Also Wanted to understand for EPM what the load Balancer configuration should be.

Hello,We are currently integrating credential injection from Password Safe into PRA for Cisco devices using the Shell Jump method.Users are able to successfully authenticate and access the devices with the injected credentials. However, when they attempt to enter "enable" mode to perform configuration changes, the system prompts for the password again.At this point, no credential injection prompt or window is displayed, so users are required to manually enter the password. Since the credentials were injected automatically during the initial login, the users do not have visibility of the password and cannot proceed.There is any feature or recommended approach that allows re-injecting or reusing the credentials once inside the shell session (for example, when escalating to enable mode).Thank you.

Does anyone know how to get BeyondTrust Jump Client or Customer Client working with interactivity on Intune Multi-App Kiosk machines? We have our Jump Client installed but there’s no interactivity in Kiosk mode. And Customer Client simply gets blocked. Part of the issue with whitelisting apps with AssignedAccess seems to be the multiple EXEs to whitelist and not allowing dynamic paths. E.g. I think bomgar-scc.exe needs to be whitelisted but it lives in C:\Program Files\BeyondTrust\bomgar-scc\*\ bomgar-scc.exe 

I was recently asked if there were any best practices uses the challenge response tool with EPM where there’s the software and the key. While we do have some documentation around how to use it, I feel this warranted a quick notes of practices I recommend based on seeing this live in some environments. Tip 1: Put the shared key in a vaultThe shared key is something that should be protected as anyone with the response code generator tool can generate the code. That’s by design, so please protect the shared keys in a vault. Or other encrypted method that’s not in the company’s documentation portal.  Tip 2: Restrict who can run the response code generatorEven though the response code generator needs access to get the installer, it’s good to restrict who can run the response code generator as a layer of friction in the policy. Ideally limited to the service desk only.  Other documentsThis is a quick tips on the response code generator for trying to restrict it’s abuse outside of the desired

I am trying to configure my SNMP connector but the guides I am seeing (SNMP Trap and Syslog Event Forwarding | BI) have outdated screenshots and new features are not on the details.Has anybody implemented the SNMP event connector yet on their environment? Was wanting to know what are the recommended Authentication protocols and the privacy protocols are.

Greetings all I have a developer who is using AWS Secrets Manager for his code. However, he is passing the username and password from Active Directory over to the secret in AWS Secrets Manager and calling that JSON from Secrets Manager.Ideally, yes, he should be calling it from BT and not AWS Secrets Manager but that would involve a lot of code rewrite for him on a production system.We are looking at adding the secret in Secrets Manager as a synced account with the service account so that when we rotate the password on the service account, it would also rotate the password on the AWS Secrets Manager secret to the same password.What he needs though, complicates it. He is storing this in his AWS secret{"binddn":"cn=ldapauth_account,OU=Service,OU=Accounts,OU=company,DC=domain,DC=com","password":"abcabc"}When BT rotates the password on the service account in AD, it writes the password to the secret in AWS wiping out everything so he ends up with something like newpassword instead of the wh

Trying to install BeyondTrust during a Windows Autopilot deployment, the application installs, but it's not fully setup to handle elevation prompts until after a considerable amount of time and a reboot. Is there a guide on how to install Beyond Trust EPM during Autopilot that improves this experience?

Remote Support Labs is the new BeyondTrust community space for building what’s next in secure remote support. Explore and share practical scripts, API‑driven workflows, and lightweight apps that extend BeyondTrust Remote Support, helping service desks work faster, automate safely, and deliver better support experiences.https://beekeepers.beyondtrust.com/groups/remote-support-labs-95

Hi All, We are working on a use case where we are observing password change failures due to multiple reasons, to eliminate funtional account failure and get the systems where it is failing, we need either an API or a way where we can test it.  Any idea on how we can do it for bulk systems?Account Type:Local account on Windows Functional account:Domain account on the domain where the servers are hosted Regards,Neha

The following articles were published last week. New Knowledge Base Articles: KB0022201 - Managed System external Jump items are missing troubleshooting KB0022250 - Canned scripts option missing for macOS remote sessions KB0022262 - File transfer not working for macOS remote session KB0022294 - What are the Appliance FQDN requirements? KB0022319 - Can future Jump or Rep installer versions be downloaded before the appliance build is updated? KB0022320 - Can automated session reports be created? KB0022379 - Failed to convert VHDX file. Hyper-V Platform is not found KB0022388 - Is there a way to delete previous Discovery Jobs with Vault? KB0022400 - Why is FIDO2 not available for LDAP Users? KB0022402 - VNC asking for password when Vault is configured KB0022685 - Issues connecting to macOS Sequoia - Connection failed error

The following articles were published last week. New Knowledge Base Articles: KB0022201 - Managed System external Jump items are missing troubleshooting KB0022250 - Canned scripts option missing for macOS remote sessions KB0022262 - File transfer not working for macOS remote session KB0022294 - What are the Appliance FQDN requirements? KB0022319 - Can future Jump or Rep installer versions be downloaded before the appliance build is updated? KB0022320 - Can automated session reports be created? KB0022379 - Failed to convert VHDX file. Hyper-V Platform is not found KB0022388 - Is there a way to delete previous Discovery Jobs with Vault? KB0022400 - Why is FIDO2 not available for LDAP Users? KB0022402 - VNC asking for password when Vault is configured KB0022685 - Issues connecting to macOS Sequoia - Connection failed error

The following articles were published last week. New Knowledge Base Articles: KB0022288 - What does the ManageSystemProcesses registry key do? KB0022296 - EPM-M limitation with Keychain Access KB0022297 - JetBrains Toolbox update fails using EPM-M elevation KB0022299 - EPM-M and Xcode compatibility KB0022302 - Is there a way to view all application types at once in EPM Analytics? KB0022303 - What does "Yes" vs "No" mean when filtering for "Admin Required" in EPM analytics ? KB0023380 - EPM and ServiceNow integration lifecycle End of Availability (EoA) notice KB0023505 - Trying to start the EPM cloud adapter results in Error 1053: The service did not respond to the start or control request in a timely fashion KB0023518 - EPM-W Client 25.2 and higher - First keystroke in message prompts is lost KB0023523 - PowerShell script elevation rules: EPM supported command-lin

The following articles were published last week. New Knowledge Base Articles: KB0021440 - RDS application fails to launch "An error occurred while trying to fetch the request details" KB0022248 - What are the deployment requirements for Enhanced Session Auditing (ESA)? KB0022263 - Linux server scan executes init.d scripts instead of validating service existence during status check KB0022326 - How long can the PS Cloud instance stay on an older version? KB0022328 - Can the PS Cloud database be accessed? KB0022384 - Google Cloud Platform Functional Account fails with error - The service admin has thrown an exception KB0023282 - Link to Account Management in Appliance Feature Configuration does not work KB0023492 - Application failed error: Failed to connect to RDP Session. PBSM.log license error: CONNECTION_STATE_LICENSING status STATE_RUN_FAILED KB0023495 - Can the operating s

The following articles were published last week. New Knowledge Base Articles: KB0022694 - AD accounts unable to login error "LW_ERROR_KRB5_PREAUTH_FAILED Preauthentication failed. KRB5 Error code: -1765328174"

We’re currently using BeyondTrust Password Safe to manage SSH access to a large number of Linux servers (100+), where users authenticate using their AD accounts.Access to the servers works fine through Password Safe, but we’re running into an issue when users need to elevate privileges. When they run sudo su, the system prompts for a password, but since password retrieval is disabled, users can’t proceed.We want to avoid enabling password retrieval or exposing any credentials to users, but still allow them to perform privileged operations when required.At the same time, managing sudo access directly on each server (e.g., updating /etc/sudoers individually or using NOPASSWD per user) isn’t really practical at this scale.So I wanted to check with the community:Is there a way to handle sudo password injection through Password Safe for SSH sessions? How are others managing privilege escalation in similar environments without exposing credentials? Any recommended best practices for scaling

We are currently facing a challenge in securely providing users with sudo/root access. Our requirement is to allow users to log in to servers and perform tasks with elevated permissions without retrieving or exposing the root password.Currently, when users launch a PuTTY session, it does not prompt for additional permissions initially. However, once they attempt to execute commands using sudo (the user is LDAP-authenticated with sudo privileges), the system requests a password.We have enabled password retrieval from  Password Safe. Our concern is that enabling password retrieval for such access would violate our internal security policies. We are looking for a secure solution that allows users to perform sudo tasks during the PuTTY session without compromising password security. 

Hi Team, Last week ,we upgraded the BeyondTrust Password Safe version from 23.3 to 25.1. However, post-upgrade, we encountered an issue while accessing the web console, where it displayed the error “Resource cannot be found.” (Please find below the screenshot for your reference )    This is the error message  Server Error in '/' Application.The resource cannot be found.Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.Requested URL: /Eye_RetinaCSAMLSAMLAssertionConsumerService.aspx  We reviewed all relevant Knowledge Base articles for troubleshooting. Additionally, a P1 support ticket was raised with BeyondTrust; however, we did not receive a timely response.Due to time constraints and the dependency of other CRs on Beyond Trust, we have roll back the change. Now we have planned the same activity on 3