Privileged Remote Access 26.2.1 release notes

🚨 Action Required

Stricter controls on critical security patch opt-outs (On-premises only)

To reduce the risk of appliances running with known vulnerabilities, critical security patch enforcement has been strengthened in the following ways:

For critical updates that install without downtime, the option to opt out is removed and these updates are now applied automatically.

For critical updates that require downtime, you can still opt out, but doing so requires you to explicitly acknowledge that you assume responsibility for the associated risk.

If an appliance has not successfully communicated with the update server within a defined time window, key functionality is degraded or disabled. This prevents appliances that are disconnected from updates, whether intentionally or through misconfiguration, from continuing to operate indefinitely in a potentially vulnerable state.

🚧

Important information

  • This change removes the ability to opt out of seamless critical security updates. Review your patch management process before upgrading.

🆕 New features

Assign a Jump Client to multiple Jump Groups at installation

You can now assign a Jump Client to multiple Jump Groups when you install it, instead of
updating group membership after deployment. The JC_JUMP_GROUP installer parameter accepts a
comma-separated list of Jump Group identifiers, so an endpoint registers in every specified
group as soon as it comes online.

  • Works with Windows MSI, macOS PKG, and Linux installers, so you can deploy through tools
    such as MECM, Intune, or Jamf.
  • Existing single-group installer syntax continues to work without changes.

This removes the need for follow-up API calls or scripts to reassign Jump Group membership
after installation.

ℹ️

For information, see Assign a Jump Client to multiple Asset Groups at installation.

Enforce FIDO2 authentication through Group Policies

Administrators can now enforce FIDO2 authentication at the Group Policy level, using the same
model already available for TOTP enforcement. FIDO2 authentication is also now supported on
Pathfinder deployments.

This gives administrators a way to require phishing-resistant MFA consistently across a user
population, without relying on individual user configuration.

ℹ️

For information, see Group policy settings.

Concurrent User License Usage Report

A new report gives you visibility into how your licensed capacity is being consumed over
time. The report shows concurrent usage, time-based trends, and peak usage, and you can
export the data to CSV or PDF, or retrieve it through the API. Access to the report is
controlled by role.

📘

For information, see Licensing reporting.

Stream appliance logs to your syslog destination

Privileged Remote Access now streams appliance platform and infrastructure logs through your existing syslog pipeline, so security teams can send appliance-level logs directly to a SIEM for incident detection, investigation, and compliance evidence collection without opening a support ticket.

  • Available log types include web server access and error logs, authentication logs,
    SSL/HAProxy logs, and proto-handler logs, among others.
  • Log file output is unstructured in this release, so you may need to configure your own parsing rules.
🚧

Important information

This feature is available for on-premises deployments only in this release. Enabling or
disabling individual log categories is not supported yet.

Search, export, and API support for the Duplicate Jump Clients report

The Duplicate Jump Clients report now supports search and filtering, CSV export, and API
access, so you can manage duplicate Jump Client data programmatically instead of working
through the report manually.

  • Search and filter duplicate Jump Client entries directly in the report.
  • Export report data to CSV for offline analysis.
  • Use the API to detect and resolve duplicates at scale and integrate with your own
    automation.
📘

For information, see Duplicate Jump Client reporting.

AI-generated session summaries

Privileged Remote Access now automatically generates an AI-powered summary when a session ends. Each summary
includes a case summary, a step-by-step description of the resolution, system information and
tags such as OS, applications, and issue type, and key highlights from the session.

  • Edit a summary after it is generated.
  • Export summaries in multiple formats.
  • Generate summaries in multiple languages.
  • Integrate session summaries with platforms such as Salesforce and ServiceNow.
ℹ️

For information, see AI summaries.

Require a justification before connecting to an asset

You can now require users to enter a justification before they connect to an asset. When
enabled in the asset policy, a dialog box prompts for a reason of at least 8 characters, and
the session cannot start until a valid justification is entered. The justification is recorded
in audit logs and appears in session and access reports.

  • Available in both the Web Console and Access Console.
  • If both a ticket ID requirement and a justification requirement are enabled for an asset,
    users are prompted for one or the other, not both.
ℹ️

For information, see Require justification.

Managed and shadow accounts

Privileged Remote Access brings several vault discovery and management capabilities natively into the product,
reducing the need for Endpoint Credential Manager (ECM) integrations.

  • A filter dropdown is added to the Type column on the Vault > Endpoints page.
  • Discover, import, and auto-create Jump Items for SSH, Web, and Database systems in Password
    Safe.
  • Configure Password Safe Discovery using direct access.
📘

For information, see Manage shadow accounts.

Transfer files during a Web Jump session in the Web Access Console

The Web Access Console now supports file transfer during a Web Jump session using the
chat-based file transfer mechanism, so you no longer need to switch to the desktop Access
Console to move files during these sessions.

📘

For information, see Download files using a website.

Inject vault credentials during an active RDP session

You can now inject credentials from the vault during an active RDP session — for example, to
run as a different user — without disconnecting and reconnecting. This requires the
BeyondTrust RDP Tools component to be installed on the endpoint. Previously, credential
injection was only available at the start of a session.

ℹ️

For information, see Credential injection for RDP sessions.

Jump Client support for Windows Server Core

The Jump Client is now officially supported on Windows Server Core, including Windows Server
2019 Core, Windows Server 2022 Core, and Windows Core running in Azure.

  • Supported deployment scenarios include domain-joined and workgroup environments,
    on-premises and Azure-hosted systems, and silent MSI or scripted deployments.
  • Supported capabilities include remote shell sessions, file transfer, session logging and
    recording, credential injection, and client auto-update.

This lets security-focused organizations that standardize on Windows Server Core include
BeyondTrust in their architecture with full support.

ℹ️

For more information, see Deploy Jump Client on Windows Core.

Keystroke logging for Jump Client and RDP sessions

Users can enable keystroke logging to record the keystrokes they enter during Jump
Client sessions and RDP sessions (RDP sessions also require enhanced RDP logging). Captured
keystrokes are stored on the appliance and available for audit and reporting. Input into
password or other secure fields is excluded from capture.

ℹ️

For information, see Keystroke logging.

Native support for ARM-based systems

BeyondTrust clients now run natively on ARM-based systems, such as Windows 11 ARM devices,
instead of requiring x86 emulation. The following capabilities are now natively supported on
ARM:

  • Credential injection
  • Virtual Smart Card
  • Jump Client download via API
ℹ️

  • Embedded Support Buttons are not included in this release.
  • For more information, see ARM support.
Use vault credentials for Remote VNC Jump sessions

You can now configure vault credentials to be entered automatically when a user
starts a Remote VNC Jump, so users do not need to manually type a username and
password. Because the VNC protocol does not support secure credential injection, credentials
are transmitted in clear text.

This is an opt-in feature that you enable per asset, and it requires acknowledging a consent notice, which is recorded through the Configuration API.

This is especially useful for OT/ICS environments with legacy VNC-accessible endpoints that
cannot run a Jump Client.

ℹ️

This change is for Cloud only.

For more information, see Credential injection for VNC session.

✨ Enhancements

Support for high-resolution and multi-display endpoints

Users can connect to endpoints with very high-resolution displays, including
configurations that exceed 4K, without the severe lag that affected these connections
previously. The endpoint's display is automatically scaled down before being sent to the
user. This release also adds GPU-accelerated capture, scaling, rotation, and format
conversion on Windows endpoints.

Manually enter access duration in the Web Console

When you request access to an asset through the Web Console, you can now type a duration
value directly instead of using increment controls, bringing the Web Console in line with the
Desktop Console.

ℹ️

For more information, see Web console preferences.

Support for 200,000 accounts in the Vault

The Vault now supports up to 200,000 accounts, giving enterprise customers more room to store
and manage credentials at scale.

View the endpoint's private IP address in the Access Console

The Access Console now displays the private IP address of a connected endpoint
instead of the public IP address seen by the appliance. This gives users accurate
network information, particularly for endpoints behind NAT or in on-premises-to-cloud
migration scenarios.

ℹ️

This change is for Cloud only.

Pop out remote monitors into independent windows

Users can now pop out each remote monitor into its own independent, resizable
window instead of switching between monitors one at a time or viewing them combined in a
single View All window. This is especially useful when remote monitors are in mixed
landscape and portrait orientations.

ℹ️

For information, see Multiple monitors.

Native Wayland support for the Linux desktop Access Console

The Linux desktop Access Console now runs natively on Wayland instead of running as
an X11 application, including Wayland-based screen capture for features like Show My Screen.

Configure a separate authentication source for MongoDB tunnel connections

You can now specify an authentication source for MongoDB database tunnel connections that is separate from the target database. Previously, the tunnel authenticated using the target database name, which required the vault user to exist in that same database.

Set the Auth Source field on the jump item to the database where the vault user account resides (for example, admin). When left blank, the tunnel defaults to admin, matching MongoDB's standard behavior for authenticated connections.


🛠️ Issues resolved

Product areaDescriptionResolution
Access ConsolePressing Enter after searching for a Jump Item on the Home page opened a session instead of displaying the search results.When you press Enter it now displays the search results instead of opening a session.
Access ConsoleThe search box looked no different in its disabled state, making it appear interactive while the Rep was waiting on external Jump Item search results.The search box now visually indicates its disabled state.
Access ConsoleLaunching the elevated version of Windows Explorer through Special Actions failed with an unknown error.Launching the elevated version of Windows Explorer through Special Actions now works correctly.
Access ConsoleThe iOS RepConsole continued to show Video Optimized as selected even when Screen Sharing was set to black and white mode.The iOS RepConsole now reflects the correct selection when Screen Sharing is set to black and white mode.
Access ConsoleDragging a session between two monitors with different display scaling caused drop-down menu icons to be centered instead of positioned in the bottom right corner.Drop-down menu icons now remain correctly positioned in the bottom right corner after dragging a session between monitors with different display scaling.
Access ConsoleThe Authenticate Using drop-down menu would not appear and the Quit button would not work if the Access Console was closed and reopened during a site upgrade.The Authenticate Using drop-down menu and Quit button now work correctly in this scenario.
Access ConsoleServer-side scaling was still applied when Actual Size was selected, causing the image to be scaled down.Selecting Actual Size no longer applies server-side scaling.
Access ConsoleThe Access Console closed after accepting a session or jumping to a Jump Client on Linux systems running Wayland.The Access Console no longer closes in this scenario on Linux systems running Wayland.
APIThe get_logged_in_reps v1 Command API response fails validation against command.xsd on Privileged Remote Access because it includes the support license element only on Remote Support sites.The API response now includes the support_license element so it validates correctly on Privileged Remote Access sites.
APIThe Command API v2 GET /client endpoint rejected the documented type=access_console filter with an HTTP 422 error on Privileged Remote Access sites.The endpoint now accepts access_console on Privileged Remote Access sites to match the documented contract.
APIThe Command API v2 GET /appliance/client-count endpoint rejected the documented type=access_console filter with an HTTP 422 error on Privileged Remote Access sites.The endpoint now accepts access_console on Privileged Remote Access sites to match the documented contract.
APIThe Gateway Configuration API PATCH request returned a 422 validation error when the request body re-sent a Gateway's own unchanged name, code_name, or external_jump_item_network_id.These fields can now be re-sent unchanged when updating a different field.
AtlasRestoring an on-premises backup onto a cloud site could overwrite the cloud site's cluster settings, causing Jump Clients to route to the wrong traffic node.Restoring a backup onto a cloud site no longer overwrites the cloud site's cluster settings.
AtlasA backup and restore that supplied the vault key as a separate file caused all Jump Client connections to fail on clustered sites after the restore.Jump Client connections on clustered sites now continue working correctly after a restore that uses a separate vault key file.
AtlasAppliances in Failover experienced excessive memory consumption.Memory consumption on appliances in Failover is now reduced.
AtlasMixed-case traffic node names caused proxy connection routes to be rejected because hostname comparison was case sensitive.Hostname comparison for proxy connection routes is no longer case sensitive.
CustomerClientThe Customer Client offered no way to use the GPU for screen sharing operations.Added a site-wide option allowing the Customer Client to use the GPU for screen sharing operations on Windows clients that have a GPU device.
CustomerClientThe Windows Customer Client showed a greyed-out elevation shield, and credentialed elevation could fail on 24.x, when the installer rename failed but the copy fallback succeeded.The elevation shield and credentialed elevation now function correctly in this scenario.
Endpoint AutomationEndpoint Automation jobs containing more than 65,535 items could not be saved.Endpoint Automation jobs can now be saved regardless of item count.
GatewayRecording RDP sessions on the Gateway used excessive idle CPU.Idle CPU usage when recording RDP sessions on the Gateway is now reduced.
GatewayInstalling a Gateway on a system with no connection to the appliance could leave the service installed but not running, and the post-install Setup dialog would never appear.The service now starts without requiring the appliance to be reachable and retries connecting to the appliance.
GatewayRemote RDP jumps through a Linux Gateway did not trust endpoint certificates placed in the system certificate store.Remote RDP jumps through a Linux Gateway now trust endpoint certificates placed in the system certificate store.
GatewayThe Gateway Docker image included outdated libraries and ran as the root user.The Gateway Docker image is updated with library updates and bug fixes and now runs as a non-root user.
Group PoliciesA login schedule applied through Group Policy remained applied to the account after the schedule was removed from the policy, requiring it to also be turned off on the user account.Removing the login schedule from the Group Policy now also removes it from the associated user accounts.
Group PoliciesAsset Policies could not be created or edited after upgrading.Asset Policies can now be created and edited after upgrading.
JumpClientJump Clients could fail to upgrade and repeatedly request an upgrade when the cached MSI installer was missing.Jump Clients now upgrade successfully even when the cached MSI installer is missing.
JumpClientJumping to a Windows 10 kiosk-mode endpoint using a Jump Client disrupted the kiosk.Jumping to a Windows 10 kiosk-mode endpoint no longer disrupts the kiosk.
JumpClientCopying a Jump Client and changing its Connection Type from Active to Standby did not update the Connection Type on the other copied Jump Clients.Changing the Connection Type now updates all copied Jump Clients correctly.
JumpClientInstalling a Jump Client on some Linux distributions modified the GDM profile and could break the system's authentication configuration.Installing a Jump Client no longer modifies the GDM profile or breaks the system's authentication configuration.
MacThe macOS Customer Client failed to connect through a proxy when the client was connected to a VPN and a PAC file was in use.The macOS Customer Client now connects through a proxy correctly in this scenario.
MacThe Access Console on macOS automatically rescaled itself when a new session was opened after an RDP Jump Item session had its monitor scaling toggled.The Access Console on macOS no longer rescales itself in this scenario.
MacThe Jump Client uninstall prompt could appear behind other applications on macOS.The uninstall prompt now appears in front of other applications on macOS.
MacMac customers could receive an empty or corrupt zip file when downloading the Customer Client.Downloading the Customer Client on macOS no longer produces an empty or corrupt zip file.
MiscThe Jump Item search field remained yellow after the search term was cleared instead of returning to white.The search field now returns to white after the search term is cleared.
MiscThe MCP Server configuration page in /login was missing a copy button for the connection content.A copy button is now available for the connection content on the MCP Server configuration page.
MiscCanned scripts had a delay of roughly 20 seconds when used.Canned scripts now run without the delay.
MiscEmails displayed only the sender's email address instead of the configured sender name, Secure Remote Access Appliance.Emails now display the configured sender name, Secure Remote Access Appliance.
MiscThe Type column had excessive left-hand spacing on the macOS, Windows, and Linux tables on the Jump Client Installer page.Spacing in the Type column is now corrected on the Jump Client Installer page.
MiscAdding a MIPA IP range incorrectly displayed a This is a required field. message.Adding a MIPA IP range no longer displays this message incorrectly.
MiscSite installs on offline appliances failed to upgrade due to an internal service connection error.Site installs on offline appliances now upgrade successfully.
PathfinderUploading an incorrect certificate on the /login Migration page produced a console error.The Migration page now handles invalid certificate uploads without producing a console error.
Protocol TunnelsThe command shell opened twice when clicking Open Client on a MongoDB session from the IAC.The command shell now opens only once when clicking Open Client on a MongoDB session.
Protocol TunnelsThe Database field was not marked as required when creating a MongoDB Asset in the Access Console.The Database field is now marked as required when creating a MongoDB Asset.
Protocol TunnelsThe Network Tunnel filter editor incorrectly required a port for protocols that do not support ports, such as ICMP, ESP, and GRE.The filter editor no longer requires a port for protocols that do not support ports.
Protocol TunnelsAuthenticating through a PostgreSQL Tunnel using Kerberos did not work correctly.Kerberos authentication through a PostgreSQL Tunnel now works correctly.
Protocol TunnelsThe Network Tunnel's network statistics speed values did not refresh after a file transfer stopped.Network statistics speed values now refresh correctly after a file transfer stops.
Protocol TunnelsThe Network Tunnel service was not upgraded during Access Console auto-update.The Network Tunnel service now upgrades during Access Console auto-update.
ReportingThe User Account Report fails to download.The User Account Report now downloads successfully.
ReportingThe Duplicate Pinned Clients report could fail to render on sites with a large number of duplicate Jump Clients.The report is now optimized and paginated, resolving the rendering issue.
Security ProvidersRADIUS authentication is deprecated.RADIUS is now hidden as an authentication option, and in-product deprecation notifications are displayed.
Security ProvidersThe Allowed to Set Passwords and Reset MFA permission did not function for non-local accounts and could not remove a TOTP authenticator.The permission now functions correctly for non-local accounts and can remove a TOTP authenticator.
Security ProvidersListing external-provider users on the Users page performed slowly.Performance when listing external-provider users on the Users page is now improved.
ShellQuickly opening more than four Shell instances and then closing all of them caused a subsequent Command Shell start to spin indefinitely and never start.Command Shell now starts correctly after this scenario.
ShellThe Shell Jump File Transfer tab responded slowly when browsing a directory containing a large number of files.The File Transfer tab now responds quickly when browsing directories with a large number of files.
SyslogJump Items deleted as a result of deleting a Jump Group were logged as deleted by 'system' instead of the admin who performed the deletion.Syslog now logs the admin who invoked the deletion.
Text UpdatesThe /login interface and other areas referred to Jump Technology rather than the current terminology.Jump Technology is renamed to Remote Access Methods throughout the /login interface and elsewhere it appears.
Text UpdatesThe daily SMTP alert from Privileged Remote Access still referenced Bomgar Box.The daily SMTP alert now uses current Privileged Remote Access terminology.
Text UpdatesThe Network Tunnel usage consent permission was shown on sites built without the Network/IP tunnel.The Network Tunnel usage consent permission is no longer shown on sites without the Network/IP tunnel.
VaultA Password Safe-managed Vault credential could be rotated while a session was still active if the session outlasted the release duration, causing a password mismatch.Added a setting to control whether accounts are rotated when the session ends and the integration releases the account.
VaultInjecting an invalid credential without starting a session was not logged as a Vault checkout/check-in.Credentials are now locked before session creation, and an aborted checkout logs a checkout/check-in pair and triggers rotation when necessary.
VaultPassword Safe Shadow accounts did not follow the Rotate On Check-in policy setting.Shadow accounts now follow the Rotate On Check-in policy setting.
VaultThe delete warning for Password Safe-imported endpoints incorrectly referenced account associations.The delete warning now displays accurate account association information.
VendorsVendor emails were sometimes not sent out correctly.Vendor emails are now sent out correctly.
Web Access ConsoleThe Asset Groups list in the web console had no way to filter results.Added a filter input to the top of the Asset Groups list in the web console.
Web Access ConsoleWeb console RDP sessions defaulted to the US keyboard layout for a freshly logged-in session instead of the configured layout.Web console RDP sessions now use the configured keyboard layout for freshly logged-in sessions.
Website JumpOpening a URL in a new tab opened a blank tab and navigated the current tab to the URL instead.Opening a URL in a new tab now opens the URL in the new tab as expected.
Website JumpAn issue in Web Jump prevented CAPTCHAs and some customer websites from functioning correctly.CAPTCHAs and customer websites now function correctly in Web Jump.
Website JumpThe local workstation clipboard stopped working while a Web Jump session was active, blocking local copy and paste until the session was closed.The local workstation clipboard now continues working while a Web Jump session is active.

📝 Requirements

  • Requires Base 8.3.0
  • Supports upgrades from 25.3.5 Privileged Remote Access+
  • Supports ECM Protocol 1.6
  • Validated with ECM 1.6.2601.35016
  • Validated with Integration Client 26.1.3.210
  • Includes VSC 1.3.0.0

⏰ Deprecation notices

RADIUS Authentication Provider

RADIUS authentication is being deprecated due to inherent security weaknesses in the protocol. Beginning in Privileged Remote Access version 26.2.1, the RADIUS provider option is hidden from administrators who do not have an existing RADIUS configuration. Administrators who do have RADIUS configured will continue to see this option and be able to edit the configuration, but will receive an in-product banner alerting them to the deprecation and prompting them to take action.

While existing RADIUS providers remain functional, new ones cannot be created in 26.2.1 or later. Administrators are encouraged to migrate to a supported authentication method, such as SAML, LDAP, or another supported two-factor authentication option, before RADIUS is fully removed.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.