Recently active topics

Recently, we upgraded several customers to versions 25.1.1 and 25.3 of Password Safe/BI, and we have encountered an issue when accessing some SSH devices:"Managed system host key check is enabled but the list of accepted host keys is empty."In some cases, enabling the Auto Accept Initial Key property on the Managed System resolves the issue.However, for certain managed systems, this setting causes access problems.Has anyone else experienced this behavior or found an definitive and clear solution?

Hi everyone,I have a question regarding PASM. I have users and devices managed through Password Safe, and session delivery is handled by PRA. If I want a user connecting from PRA with credentials injected from Password Safe to provide a reason for connecting, where do I configure this in PS or PRA? Also, if they need an approval workflow, where do I configure that in PS or PRA?

Hi Guys, Can anyone address this query? Does PRA Remote RDP Jump using SecureApp with Type Remote Desktop Agent requires Cal License. Use case is we have an application that needs to be accessed, so we configured the Remote RDP jump short cut and configured  SecureApp with Type selected Remote Desktop Agent. If Yes Cal is needed then why do we have two options one RemoteApp and the other Remote Desktop Agent. please let me know how to go ahead without the Cal license for this use case

Hi, I’m looking for a way to change password on network devices (mainly switches) without functional account need. Indeed, all switches have only one local root account and I don’t want to create another account to rotate this one. It could be really more efficient to use a “change password” action by the account itself more than a “reset password” by a functional account. Fabien

Some users intermittently encountered this error in Password Safe PAM:Because of an error in data encryption, this session will end. Please try connecting to the remote computer again.After that error message, the session disconnects.Tech Support determined that the issue is caused due to a network-related TLS/SSL interference between the appliances and target servers. However, Networking team couldn't find any issues to fix.Please share with us if anyone encountered this type of issue.ThanksMeku

My Security Team wants to do unauthenticated scans with Rapid 7 on our Privileged Management on-prem appliances.  I dont see why this would be an issue, but wanted to check if anyone has any experience with this or any issues that they have run into.  Or if anyone from Beyond Trust has any info also that would be great.

Is anybody aware of CVE 2026 20833 Impacting Password Safe Cloud and PRA? Microsoft will discontinue the RC4 algorithm in Kerberos.!--endfragment>!--startfragment>

Hi everyone,we would like to raise a concern regarding the Command Shell behavior introduced in Remote Support 25.3.1.The fact that the shell now starts in the context of the logged-in user by default (without requiring user credentials or consent) is, from our perspective, a significant security regression.In previous versions, this behavior was not possible — access to the user context required explicit authentication. Now, support staff can directly access user-level resources such as OneDrive, network shares, or SharePoint without the user being aware.In regulated environments (e.g., banking), this is a serious issue:- it breaks the separation between user and system privileges- it introduces potential audit and compliance risks- it allows unintended access to sensitive user dataAt the same time, our operational requirement remains:- we must be able to perform support actions without user interaction- but strictly within system/administrative context unless explicitly approved othe

Hi Community,I need to make some configuration changes to Password Safe login capabilities. The client has a Cloud instance of Password Safe, and I want to avoid users being locked out of the application in case the configuration fails.Is there a way to back up the SAML IdP configurations so they can be restored if a rollback is needed? Thanks in advance.  

We have ran the pspca command and in the logs it states it was able to get credentials for some of the accounts. Now that we know it has stored the passwords somewhere locally, how can we retrieve the passwords?

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

!--startfragment>I recently onboarded several managed accounts into Password Safe and synchronized them with my secret cache. Since these accounts are designated as break-glass accounts and are not actively used, I wasn’t expecting to see a last logon in AD associated with them. Could you explain why that information is appearing? Maybe Password Safe password change process.!--endfragment>

Hello All, We have a requirement for deletion of Inactive AD users from BeyondTrust Password Safe (User Management). However for some of the users when trying to delete we are getting below error -“Cannot delete a user 'username' with active Password Safe Release Requests”Does anyone know resolution for this? Any known KBA or document for this? Thanks,Prasad

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks You can also check for file/folder contains those key wordsWhat returnsDepending on what is being logged, you could end up with a lot of noise. For instance, emails or browser visits to sites with those in the name, etc.  It could return scheduled tasks calling gateway.cmd, etc. which is a de

I have a requirement to deploy a web application that will handle credential injection when users attempt to log on to the vCenter console. From an RDS perspective, what would be the recommended approach? Specifically, can I leverage my existing Brokers to publish this application, given that I currently support approximately 70 concurrent RDP and SSH sessions distributed across three brokers? Or is it strongly advised to provision dedicated RDS servers for this purpose?!--endfragment>!--startfragment>

I am getting several users complaining about their Avecto Defendpoint Service just stopping all of a sudden. May I ask what is the best way to troubleshoot and find out what is causing the service to stop?I ran a PGCaptureConfig extract and looking at the Avecto IC3 client log, I can see the warning about the “Defendpoint agent service is not running”. I have looked at the Windows event log but it does not really say anything what might have caused the service to stop.

Hi All ,Just wondering how others managing “Mandatory multifactor authentication for Azure sign-in” where azure app published as managed apps and ps_automate injecting credential.Given especially user do not know their credential.  Announcing mandatory multifactor authentication for Azure sign-in | Microsoft Azure BlogRegards,M 

Good day everyone! So recently we have begun to ingest EPM log into MS Sentinel, and I have noticed a difference in the data we see in the console Analytics vs Sentinel. Firstly the integration was simple and straight forward.  Once configured we began to see information flow into Sentinel.  This is not a problem and seems to be working well, we used the CIM format.What we are seeing is good, but it is nowhere near the information we see in the console analytics.Example I will use is logons.  We can see logons in both the analytics and Sentinel, however there is information missing in the information we see in Sentinel, namely privilege. So in the analytics I can see and search on the client privilege, and status of the account (domain, local), but in Sentinel I am not.I just wanted to start a conversation with others who are using a SIEM with EPM or plan too int he near future.  We could compare experiences and possibly see what in store for the future from Beyond Trust.  Thanks, and

Hello, we recently started using BeyondTrust for our Intune-managed MacOS devices, and we have run into an issue with several of our users. They get 10-15 popups a day, saying "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. Screenshot here:  Here are the details.Device:MacBook Pro (16-inch, 2024) MacOS Tahoe 26.3.2 BeyondTrust Remote Support 25.3.1Symptoms:Pop-ups happen all throughout the day, approximately 10-15 times daily, with no specific trigger. Even after pressing "Allow", the pop-ups continue to reappear. The Pop-ups have the following text: "Remote Support Customer Client" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow Remote Support Customer Client to record your screen and system audio, including personal or sensitive information that may be visible or audible. Troubleshooting steps:Tried turning the setting off and back

Hi Team, The customer has a requirement to maintain segregation for administrators across different sites. Could you please advise how this can be achieved? Currently, we have five sites (A, B,C,D,E,F configured in an Active-Active setup. Each site has its own set of administrators. The customer now requires segregation of duties so that administrators from one site are restricted from viewing or accessing assets, groups, or directory queries belonging to other sites. For example, administrators from the Asite should only be able to view and manage assets, groups, and directory queries related to A, and should not have visibility into resources from the other sites. Please let us know the possible approach to implement this requirement.

The following articles were published last week. New Knowledge Base Articles: KB0021644 - Configuration for Opengear Custom Platform KB0022089 - After Password Safe upgrade getting unauthorized error for Vaulting request KB0022096 - Email alerts received by the appliance. Error - Failed for: 'IUSER_REM', machine name KB0022098 - Custom dashboard disappears after logout or browser change KB0022101 - Resource Broker installations fail "Failed to get server time. One or more errors occurred." KB0022162 - Workforce Passwords URL is trimmed when creating a credential KB0022172 - Large Active Directory (AD) group sync fails - Error Code: RequestTimedOutError Message: Timeout making http request KB0023337 - Unable to view Secrets Safe after upgrade to 25.3 - Failed to fetch folders or An unexpected error occurred KB0023374 - Does Password Safe support Windows Server 2025?  

The following articles were published last week. New Knowledge Base Articles: KB0022044 - Using --nohosts results in error - Required configuration stage not enabled [code 0x0000a606] KB0023321 - Error 1721 installing AD Bridge "There is a problem with this Windows Installer package"  

The following articles were published last week. New Knowledge Base Articles: KB0022023 - Error "HTTP status code: undefined" when trying to log in to Password Safe Cloud KB0022062 - RDP proxied session through Password Safe is missing bgInfo KB0022113 - New Access Policy Setting: API Only Access setting KB0022128 - Password Safe error - Group not provisioned KB0023185 - No application provisioned error intermittently on some users when logging in via SAML KB0023267 - Intune deployed Workforce Passwords constantly prompts notification "Your administrator has updated your Workforce Passwords configuration" KB0023325 - How to update or replace an MFA token (authenticator) for users in Password Safe KB0023328 - After upgrading to 25.3 OAuth does not work KB0023329 - Cannot access policies after upgrading BI and WPE - Oops! Something went wrong! KB0023334 - Unable to use RDP to connect to system when an UK pound symbol is used in AD Password. Error "Contains forbidden characters"

We have defender for endpoint and since past couple of days, we are most of powershell scripts are trying to elevate. Earlier they were running in passive mode. Also many applications including intune pushed scripts are giving Yes/No Promts (Configured in policy). As it was working fine earlier and suddenly started this issue. Anyone else facing the same?

HI All, Good dayDo you have any document/article to migrate from on-prem to password safe cloud. Thanks and looking for your response