Unanswered questions

We often hear from our techs that Jump Clients stay offline even though the PC is only and reachable.Trying to restart the sra-pin Service or the whole PC does nothing.The only way you get this client back online is with the user clicking onto “Reconnect now”.As soon as you click reconnect now the client comes back online.Does anyone else have this problem or has an idea how we can get around this?Another problem is that after a reboot the Jump Client often takes more than 10 minutes to get back online. 

We have Session Recording Archiving enabled and is working as designed. What happens when (if) I delete recordings from the Archive? Is there a dead link in PWS? Would be interested if anyone has a procedure they use to delete the recordings, say after 12 months. Would like to NOT see any references to the sessions once they are deleted from Archive.

Hi, does anyone have a Huawei Switch/Router custom platform for Password Safe to share with us?

What is the recommended best practice for upgrading PAM Terminal Servers from Windows Server 2012 to Windows Server 2019, particularly when CAL licensing is involved and the servers are used for PAM applications?We currently operate two application servers behind a load balancer (TRM1 and TRM2). TRM1 was originally running Windows Server 2012 for our PAM application. After performing an in‑place upgrade to Windows Server 2019 using the ISO, the upgrade appeared to complete successfully. However, we encountered a significant issue: when launching any application session through PAM, users now receive full desktop access instead of the intended restricted application session.Additionally, after a recent restart, TRM1 began displaying an RDS Licensing error, and we were only able to access the server through the console. Although we resolved the licensing issue and applied the appropriate CALs, the problem with users receiving full desktop access persists.

Hello teams,I have a case like this:There is an application, let’s call it data_input.exe that installed in my RDS Jumphost server.Two users need to login this application using their own managed accounts (this is done using automation).However, I need both users to launch the application under different functional accounts within the same RDS jump host. For example, person A start the jumphost using FA-1, and person B start the jumphost using FA-2.Is BeyondTrust able to support this type of scenario? Or is there a workaround for this kind of scenario?I tried cloning the data_input.exe application in the BeyondTrust configuration, but it appears that only one functional account can be assigned per managed system. Note: This is not a multi-session issue, i can do multisession already. But more like each functional account must have different privileges for specific reasons. Thank you 

Hi,I lost several projects due to PRA dedicated accounts missing feature. I know that is existing in PasswordSafe but these projectw were really secure remote access use cases. Moreover, our main competitor in France is Wallix and they have this feature embedded. Is somebody in the community know if it could be possible to create automation with APIs to map a user with his user-adm account for example ? With a csv input file it could be good enough. Fabien

Is it possible to launch multiple or duplicate tabs in a Web Jump?

Is there is a way to adjust the name of the client or customize the pop up to say, "COMPANY NAME - TECH SUPPORT" or something other than "Remote Support Customer Client" as it sounds incredibly suspicious. 

Hi All,We’re relatively new to BeyondTrust PRA and are deploying multiple on‑prem PRA systems (one large Atlas system plus several HA systems for data‑residency). As we plan appliance upgrades (e.g. 24.2.3 → 24.3.3), we have concerns around remote access disruption and network impact, particularly related to Jumpoints. Environment24x7 OT environments 100+ Jumpoints (growing significantly) Jumpoints used as Jump Zone proxies aligned to Purdue/network segmentation JumpItems - primarily JumpClients and RDP. Remote sites connect via low‑bandwidth, often congested satellite linksKey ConcernsJumpoints are not backward compatible Remote access is unavailable until Jumpoints are upgraded to match the appliance version. Upgrade size & network impact ​​​​​​​Latest guidance suggests Jumpoint upgrades are full installers (~130 MB), creating risk of network congestion at scale. Lack of upgrade controls for Jumpoints ​​​​​​​No way to defer/disable auto‑updates, limit concurrency, throttle ban

Hi BeyondTrust Community,I recently deploy the BeyondTrust PasswordSafe (On-Prem) for 2 nodes, 1 for Management (Single Appliance Deployment solution)  and 1 for Worker (SQL less solution no HA) with a single-standalone remote database. After fully deploy those UVM, I try to test the credential on both Management Account, and Functional account but resulted in the mentioned error. Will there be any solution for this issue? I try to looking for the KB within the BeyondTrust customer portal and found nothing.I do appreciate for any solution I will try what suggested. Thank you,

Hello All,We have a requirement for to not onboard Oracle user account while performing oracle DB scan. We only want ‘Oracle system accounts’ and ‘Oracle Service accounts’ to be onboarded. We have attributes (Same as in DB) defined in BeyondInsight configuration. When we attempt to onboard DB accounts using the smart rule, it captures all accounts. Consequently, when we use the 'Set attributes in each account' action within the smart rule, it assigns attributes to all accounts, regardless of the account type. Thanks,Prasad

Hello everyone!We are facing a possible configuration issue, we believe.Is there any setting for using BeyondTrust Workforce Passwords in a fixed browser window? The problem is that every time we authenticate, a new browser window opens, causing us to lose visibility and usability. Has anyone else encountered this situation?Thank you very much.  

We are trying to use API query for creating session request using dedicated API account. using API , we are pushing the request to PAM including asset ID and admin account ID and duration ...etc.when we login on the PS user interface using API account, we can find the requests pushed using API.when we login on PS UI using the user login account, the session request isn't listed/viewed in his list. We tried to use Runas option in the authorization but there is no changes. session request is only viewed under the API account UI.  Please advise what could be the option to create the request for the admins using dedicated API account.

Hi AllI am trying to find a way to use the API to force check in of vault accounts which have had their password checked out for over 7 days,I think it is crazy to allow the PRA and the vault account members to checkout their password and allow it to stay checked out (this could be over a year) therefore they could use the password and put it into some automated tasks where it is in plain text and as it is never checked in this will always stay the same.It seems a lot safer if there was an option within PRA to force check in ( a tick box or something ) and a correct schedule that could be set that would check in all passwords on a set day and time and rotate them. Instead I am having to mess about with APIs which are not very well documented in my opinion.Therefore has anyone needed to do this and if so how did they go about it?Thank you in advance.

I’m starting to onboard users and computers to password safe and I want to allocate certain users to certain servers.So to illustrate.Team A has 5 users each user has a std AD account and a dedicated admin AD account.This team is responsible for several servers which I have put in an AD group. I can do the directory queries and onboard the servers and manage them. I can also onboard and manage the dedicated admin accounts and link them to the std accounts.I’ve hit a road block linking the accounts to the servers.There is an existing onboarding rule which sets an attribute (Tier1Server) on Servers and a rule which sets an attribute (Tier1account) on T1 accounts. The servers I want to sort now and the team users are a subset of Tier 1 so I should be able to use the similar process using attributes.So I create a managed account smart rule with selection criteria of the directory query relating to that user group so I can set an attribute of the team name on those users. But when I save an

Hello all, We are experiencing a behavior with RDP sessions via Password Safe initiated from machines with Windows 11.The session has a slow image loading, appearing to load in rows of images and in blocks.A simple movement of windows within the RDP session causes the image loading of this movement to be very slow.This does not occur if the RDP session is direct with the destination server.But if the connection is through Password Safe being Windows 11 > Resource Broker > Destination server, this slowness is noticed. Has anyone else noticed this problem in your environments? Additionally, this behavior does not occur in Windows 10.Points that I have already checked:- The software installed on the computers are the same between Windows 10 and 11;- The network settings are the same. This behavior occurs on both wireless and wired networks;- The GPOs of the Windows 10/11 stations, Resource Brokers and destination servers have already been checked. No Remote Desktop configurations th

Can BeyondTrust Password Safe support strict logical segregation between two departments (Network Division and IT Security Division) within the same Password Safe deployment, ensuring no visibility of assets, accounts, users, or sessions across divisions? Component Network Division IT Security Division PAM Admin Network PAM Admin Security PAM Admin Assets Network devices Security infrastructure Accounts Network privileged accounts Security privileged accounts Users Network engineers Security engineers Policies Network-specific Security-specific Reports Network only Security only Configuration Network Only Security Only

PRA requires a user to login a first time in order to be available in PRA for example to assign vault accounts.Unfortunately this is causing problems with new employees which are onboarded into PRA.Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in, and does not see his/her vault account, they create tickets. This is a very large customer and it is difficult to orchestrate / communicate such a process and they would like to automatically provision new users (from AD). How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?  

Hello Everyone, Is it possible to use the file transfer option via Remote VNC?

Hi All,I have got the PWS to PRA connection working, I can see my managed test account in PRA but when I try and use the cred store to connect, I get the following error. (Could not find a schedule to use with this release request)I have followed the guide (BeyondInsight / Password Safe - Unable to pull Password Safe Credential via ECM. Error: "Could not find a schedule to use with release request".)Any ideas where I can start to look? log? or have I missed something simple?

How do you manage Microsoft Edge browser updates on RDS servers used for web applications?Do we need to allow continuous internet access for Edge updates and WebDriver checks, or do you manage updates in a controlled/whitelisted manner?  What are the best practices to follow ?

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

I’d like to understand the recommended approach for onboarding local Linux dedicated accounts. Additionally, from a Linux server perspective, is there a recommended method to configure these accounts so that sudo does not prompt for a password? Thank you.

we have 2 PRA appliance in cluster.  The primary appliance was initially deployed as stand alone in 2020 and only in 2022 ,the second appliance was deployed. So, in secondary appliance, we can see the data encryption is already enabled but in Primary , this is not enabled and says we need to free up space. we needed a confirmation, if we fail over to current secondary, will we face issue in this scenario with one appliance data encrypted and other not?  Also, in the documents and in KB, it says secret store is required to be added but since in secondary its already enabled without external secret store, we can assume the encryption keys are stored locally? since only AWS is supported for external secret store, we are unable to add external secret store.  

What is the recommended approach for securely managing and remotely accessing macOS systems using a password safe? Specifically, does a managed application for a VNC client support this use case, and is there an implementation guide? Thank you.