Remote Support 26.2.1 release notes
🚨 Action Required
Stricter controls on critical security patch opt-outs (On-premises only)
To reduce the risk of appliances running with known vulnerabilities, critical security patch enforcement has been strengthened in the following ways:
- For critical updates that install without downtime, the option to opt out is removed and these updates are now applied automatically.
- For critical updates that require downtime, you can still opt out, but doing so requires you to explicitly acknowledge that you assume responsibility for the associated risk.
- If an appliance has not successfully communicated with the update server within a defined time window, key functionality is degraded or disabled. This prevents appliances that are disconnected from updates, whether intentionally or through misconfiguration, from continuing to operate indefinitely in a potentially vulnerable state.
Important information
- This change removes the ability to opt out of seamless critical security updates. Review your patch management process before upgrading.
🆕 New features
Assign a Jump Client to multiple Jump Groups at installation
You can now assign a Jump Client to multiple Jump Groups when you install it, instead of
updating group membership after deployment. The JC_JUMP_GROUP installer parameter accepts a
comma-separated list of Jump Group identifiers, so an endpoint registers in every specified
group as soon as it comes online.
- Works with Windows MSI, macOS PKG, and Linux installers, so you can deploy through tools
such as MECM, Intune, or Jamf. - Existing single-group installer syntax continues to work without changes.
This removes the need for follow-up API calls or scripts to reassign Jump Group membership
after installation.
For information, see Assign a Jump Client to multiple Asset Groups at installation.
Enforce FIDO2 authentication through Group Policies
Administrators can now enforce FIDO2 authentication at the Group Policy level, using the same
model already available for TOTP enforcement. FIDO2 authentication is also now supported on
Pathfinder deployments.
This gives administrators a way to require phishing-resistant MFA consistently across a user
population, without relying on individual user configuration.
For information, see Group policy settings.
Search, export, and API support for the Duplicate Jump Clients report
The Duplicate Jump Clients report now supports search and filtering, CSV export, and API
access, so you can manage duplicate Jump Client data programmatically instead of working
through the report manually.
- Search and filter duplicate Jump Client entries directly in the report.
- Export report data to CSV for offline analysis.
- Use the API to detect and resolve duplicates at scale and integrate with your own
automation.
For information, see Duplicate Jump Client reporting.
AI-generated session summaries
Remote Support now automatically generates an AI-powered summary when a session ends. Each
summary includes a case summary, a step-by-step description of the resolution, system
information and tags such as OS, applications, and issue type, and key highlights from the
session.
- Edit a summary after it is generated.
- Export summaries in multiple formats.
- Generate summaries in multiple languages.
- Integrate session summaries with platforms such as Salesforce and ServiceNow.
For information, see AI summaries.
Managed and shadow accounts
Remote Support brings several vault discovery and management capabilities natively into the
product, reducing the need for Endpoint Credential Manager (ECM) integrations.
- A filter dropdown is added to the Type column on the Vault > Endpoints page.
- Add additional options to discover, import, and auto-create Jump Items for SSH, RDP, Jump Items in Password Safe. Organizations using Password Safe can now streamline jump item provisioning for SSH, web, and database targets.
- Configure an additional method of Password Safe Discovery using Direct access. It is assumed that the SRA user is also a Password Safe user. In this case, credentials are discovered at the time of need (that is, credential injection, same as ECM) and import is skipped.
For more information, see Manage shadow accounts.
Start a Collaboration Mode session with yourself
A new shortcut in the Representative Console lets you start a screen-sharing session with
yourself and immediately invite other representatives, replacing the legacy Presentation
feature and the workaround of manually starting a session with your own system.
- No Jump Client is required on your own machine.
- Each invited representative consumes a concurrent license.
- Invited representatives can view the screen but cannot take control.
For more information, see Share screen in Collaboration Mode.
Inject vault credentials during an active RDP session
You can now inject credentials from the vault during an active RDP session, for example, to
run as a different user, without disconnecting and reconnecting. This requires the
BeyondTrust RDP Tools component to be installed on the endpoint. Previously, credential
injection was only available at the start of a session.
For information, see Credential injection for RDP sessions.
Stream appliance logs to your syslog destination
Remote Support now streams appliance platform and infrastructure logs through your existing syslog pipeline, so security teams can send appliance-level logs directly to a SIEM for incident detection, investigation, and compliance evidence collection without opening a support ticket.
- Available log types include web server access and error logs, authentication logs,
SSL/HAProxy logs, and proto-handler logs, among others. - Log file output is unstructured in this release, so you may need to configure your own
parsing rules.
Important informationThis feature is available for on-premises deployments only in this release. Enabling or
disabling individual log categories is not supported yet.
Jump Client support for Windows Server Core
The Jump Client is now officially supported on Windows Server Core, including Windows Server
2019 Core, Windows Server 2022 Core, and Windows Core running in Azure.
- Supported deployment scenarios include domain-joined and workgroup environments,
on-premises and Azure-hosted systems, and silent MSI or scripted deployments. - Supported capabilities include remote shell sessions, file transfer, session logging and
recording, credential injection, and client auto-update.
This lets security-focused organizations that standardize on Windows Server Core include
BeyondTrust in their architecture with full support.
For more information, see Deploy Jump Client on Windows Core.
Native support for ARM-based systems
BeyondTrust clients now run natively on ARM-based systems, such as Windows 11 ARM devices,
instead of requiring x86 emulation. The following capabilities are now natively supported on
ARM:
- Credential injection
- Virtual Smart Card
- Jump Client download via API
- Embedded Support Buttons are not included in this release.
- For more information, see ARM support .
Use vault credentials for Remote VNC Jump sessions (Cloud only)
You can now configure vault credentials to be entered automatically when a representative
starts a Remote VNC Jump, so representatives do not need to manually type a username and
password. Because the VNC protocol does not support secure credential injection, credentials
are transmitted in clear text. This is an opt-in feature that you enable per asset, and it
requires acknowledging a consent notice, which is recorded through the Config API.
This is especially useful for OT/ICS environments with legacy VNC-accessible endpoints that
cannot run a Jump Client.
For more information, see Credential injection for VNC session.
✨ Enhancements
View the endpoint's private IP address in the Representative Console (Cloud only)
The Representative Console now displays the private IP address of a connected endpoint
instead of the public IP address seen by the appliance. This gives representatives accurate
network information, particularly for endpoints behind NAT or in on-premises-to-cloud
migration scenarios.
Pop out remote monitors into independent windows
Representatives can now pop out each remote monitor into its own independent, resizable
window instead of switching between monitors one at a time or viewing them combined in a
single "View All" window. This is especially useful when remote monitors are in mixed
landscape and portrait orientations.
For information, see Multiple monitors.
Support for 200,000 accounts in the Vault
The Vault now supports up to 200,000 accounts, giving enterprise customers more room to store
and manage credentials at scale.
🛠️ Issues resolved
| Product area | Description | Resolution |
|---|---|---|
| API | A Gateway Configuration API PATCH request returned a 422 validation error when the request body re-sent the Gateway's own unchanged name, code name, or external Jump Item network ID. | These fields can now be re-sent unchanged when updating a different field. |
| Atlas | Restoring an on-premises backup onto a cloud site could overwrite the cloud site's cluster settings, causing Jump Clients to route to the wrong traffic node. | Restoring a backup onto a cloud site no longer overwrites the cloud site's cluster settings. |
| Atlas | A backup and restore that supplied the vault key as a separate file caused all Jump Client connections to fail on clustered sites after the restore. | Jump Client connections on clustered sites now continue to work after a restore that supplies the vault key as a separate file. |
| Atlas | Appliances in Failover experienced excessive memory consumption. | Memory consumption on appliances in Failover has been corrected. |
| Atlas | Mixed-case traffic node names caused proxy connection routes to be rejected because hostname comparison was case sensitive. | Hostname comparison for proxy connection routes is no longer case sensitive. |
| CustomerClient | The Windows Customer Client showed a greyed-out elevation shield, and credentialed elevation failed on 24.x, when the installer rename failed but the copy fallback succeeded. | The elevation shield and credentialed elevation now work correctly in this scenario. |
| CustomerClient | The session watermark disappeared during some sessions. | The session watermark now displays consistently throughout sessions. |
| CustomerClient | The Customer Client used only the CPU for screen sharing operations, with no option to take advantage of available GPU resources. | Added a site-wide option allowing the Customer Client to use the GPU for screen sharing operations on Windows clients where a GPU device is detected. |
| Endpoint Automation | Endpoint Automation jobs containing more than 65,535 items could not be saved. | Endpoint Automation jobs can now be saved regardless of item count. |
| Gateway | Installing a Gateway on a system with no connection to the appliance could leave the service installed but not running, and the post-install Setup dialog would never appear. | The service now starts without requiring the appliance to be reachable and retries the connection to the appliance. |
| Gateway | Remote RDP jumps through a Linux Gateway did not trust endpoint certificates placed in the system certificate store. | Remote RDP jumps through a Linux Gateway now trust endpoint certificates in the system certificate store. |
| Gateway | The Gateway Docker image used outdated libraries and ran as the root user. | The Gateway Docker image has been updated with library updates and bug fixes, and now runs as a non-root user. |
| Gateway | The Gateway used more CPU than necessary while idle when recording RDP sessions. | Idle CPU usage when recording RDP sessions on the Gateway has been reduced. |
| Group Policies | A login schedule applied through Group Policy remained applied to a user account after the schedule was removed from the policy, requiring it to also be turned off on the user account. | Removing a login schedule from a Group Policy now also removes it from the associated user accounts. |
| Group Policies | Asset Policies could not be created or edited after upgrading. | Asset Policies can now be created and edited after upgrading. |
| JumpClient | Jump Clients could fail to upgrade and repeatedly request an upgrade when the cached MSI installer was missing. | Jump Clients now upgrade successfully even when the cached MSI installer is missing. |
| JumpClient | Jumping to a Windows 10 kiosk-mode endpoint through a Jump Client disrupted the kiosk. | Jumping to a kiosk-mode endpoint no longer disrupts the kiosk. |
| JumpClient | Copying a Jump Client and changing its Connection Mode from Active to Standby did not update the Connection Mode on the other copied Jump Clients. | Changing the Connection Mode on a copied Jump Client now updates the Connection Mode on all related copies. |
| JumpClient | Installing a Jump Client on some Linux distributions modified the GDM profile and could break the system's authentication configuration. | Installing a Jump Client no longer modifies the GDM profile or affects the system's authentication configuration. |
| Mac | The macOS Customer Client failed to connect through a proxy when the client was connected to a VPN and a PAC file was in use. | The macOS Customer Client now connects through a proxy correctly in this scenario. |
| Mac | The RepConsole on macOS automatically rescaled itself when a new session was opened after an RDP Jump Item session had its monitor scaling toggled. | The RepConsole on macOS no longer rescales unexpectedly in this scenario. |
| Mac | User Mode Jump Client and ad-hoc sessions on macOS 13 and later did not black out newly opened windows for the Representative when the Customer disabled Automatically Share New Windows. | Newly opened windows are now correctly blacked out for the Representative in this scenario. |
| Mac | The Jump Client uninstall prompt could appear behind other applications on macOS. | The uninstall prompt now appears in front of other applications. |
| Mac | Mac customers could receive an empty or corrupt zip file when downloading the Customer Client on macOS. | The Customer Client download for macOS no longer produces empty or corrupt zip files. |
| Misc | The Jump Item search field remained yellow after the search term was cleared instead of returning to white. | The search field now correctly returns to white after the search term is cleared. |
| Misc | The MCP Server configuration page in /login was missing a copy button for the connection content. | A copy button has been added to the MCP Server configuration page. |
| Misc | Canned scripts had a delay of approximately 20 seconds when used. | Canned scripts now run without the delay. |
| Misc | Emails displayed only the sender's email address instead of the configured sender name "Secure Remote Access Appliance." | Emails now display the configured sender name. |
| Misc | The Jump Client settings in /login referred to Connection Type. | Connection Type has been renamed to Connection Mode for Jump Client in /login. |
| Misc | The Type column had excessive left-hand spacing on the macOS, Windows, and Linux tables on the Jump Client Installer page. | Spacing for the Type column has been corrected. |
| Misc | Site installs on offline appliances failed to upgrade due to an internal service connection error. | Site installs on offline appliances now upgrade successfully. |
| MS Teams Bot | The Microsoft Teams bot failed to authenticate when processing messages due to a configuration mismatch between the Azure Teams app registration and the bot server configuration. | The Microsoft Teams bot now authenticates correctly in this scenario. |
| MS Teams Bot | The Microsoft Teams bot failed to start a session after the Microsoft Teams greeting or bot configuration was changed and saved. | The Microsoft Teams bot now starts sessions correctly after configuration changes are saved. |
| Pathfinder | Uploading an incorrect certificate on the Migration page in /login produced a console error. | The Migration page now handles invalid certificate uploads without producing a console error. |
| Pathfinder | The Public Portal list on the iOS Configuration page could not be scrolled correctly on Pathfinder sites with multiple Public Portal sites configured. | The Public Portal list now scrolls correctly when multiple Public Portal sites are configured. |
| RepConsole | Pressing Enter after searching for a Jump Item on the Home page opened a session instead of displaying the search results. | When you press Enter it now displays the search results instead of opening a session. |
| RepConsole | The search box looked no different in its disabled state, making it appear interactive while waiting on external Jump Item search results. | The search box now visually reflects its disabled state. |
| RepConsole | Some valid external email addresses were incorrectly flagged as invalid when inviting an external Representative, specifically when the domain contained a hyphen after the first dot. | These email addresses are now validated correctly. |
| RepConsole | Launching the elevated version of Windows Explorer through Special Actions failed with an unknown error. | The elevated version of Windows Explorer now launches correctly through Special Actions. |
| RepConsole | The iOS RepConsole continued to show Video Optimized as selected even when Screen Sharing was set to black and white mode. | The iOS RepConsole now reflects the correct selection when Screen Sharing is set to black and white mode. |
| RepConsole | Dragging a session between two monitors with different display scaling caused drop-down menu icons to be centered instead of positioned in the bottom right corner. | Drop-down menu icons now remain correctly positioned when dragging a session between monitors with different display scaling. |
| RepConsole | A Representative in a session with an iOS Customer could create directories at the top level of the remote side in File Transfer. | Representatives can no longer create directories at the top level of the remote side during File Transfer with an iOS Customer. |
| RepConsole | The Authenticate Using drop-down menu would not appear, and the Quit button would not work, if the RepConsole was closed and reopened during a site upgrade. | The Authenticate Using drop-down menu and Quit button now function correctly in this scenario. |
| RepConsole | The Edit Jump Client window in the RepConsole referred to Connection Type. | Connection Type has been renamed to Connection Mode in the Edit Jump Client window in the RepConsole. |
| RepConsole | Server-side scaling was still applied when Actual Size was selected, causing the image to be scaled down. | Actual Size now displays the image at its true size without server-side scaling. |
| RepConsole | The RepConsole closed unexpectedly after accepting a session or jumping to a Jump Client on Linux systems running Wayland. | The RepConsole no longer closes in this scenario on Linux systems running Wayland. |
| RepConsole | Starting broadcasting on an iPhone presented a smaller screen size to the Representative. | Broadcasting from an iPhone now presents the correct screen size to the Representative. |
| RepConsole | iOS Screen Sharing sometimes failed to resume in a timely manner, or did not recover at all, after the iOS broadcast extension stopped. | iOS Screen Sharing now resumes reliably after the broadcast extension stops. |
| Reporting | The User Account Report fails to download. | The User Account Report now downloads correctly. |
| Reporting | The Duplicate Pinned Clients report could fail to render on sites with a large number of duplicate Jump Clients. | The report is now optimized and paginated, and renders reliably on sites with large numbers of duplicate Jump Clients. |
| Security Providers | RADIUS remained available as an active authentication option with no indication that it was being phased out. | RADIUS authentication is now deprecated, hidden as an authentication option, and in-product notifications inform users of the deprecation. |
| Security Providers | The Allowed to Set Passwords and Reset MFA permission did not function for non-local accounts and could not remove a TOTP authenticator. | The permission now functions correctly for non-local accounts and can remove a TOTP authenticator. |
| Security Providers | Listing external-provider users on the Users page was slow. | Performance when listing external-provider users on the Users page has been improved. |
| Shell | Quickly opening more than four Shell instances and then quickly closing all of them caused a subsequent Command Shell start to spin indefinitely and never start. | The Command Shell now starts reliably after this scenario. |
| Support Button | The legacy Support Button feature remained available alongside its replacement. | The legacy Support Button feature has been removed. |
| Syslog | Jump Items deleted as a result of deleting a Jump Group were logged as deleted by "system" instead of the administrator who performed the deletion. | These deletions are now logged with the administrator who invoked the deletion. |
| Text Updates | The /login interface and related areas referred to Jump Technology. | Jump Technology has been renamed to Remote Access Methods throughout the /login interface and elsewhere it appears. |
| Text Updates | The Asset association section in Vault referenced token accounts on RS sites, which no longer apply. | The mention of token accounts has been removed from the Asset association section in Vault for RS sites. |
| Vault | A Password Safe–managed Vault credential could be rotated while a session was still active if the session outlasted the release duration, causing a password mismatch. | Added a setting to control whether accounts are rotated when a session ends and the integration releases the account. |
| Vault | Injecting an invalid credential without starting a session was not logged as a Vault checkout/check-in. | Credentials are now locked before session creation, and an aborted checkout logs a checkout/check-in pair and triggers rotation when necessary. |
| Vault | Password Safe Shadow accounts did not follow the Rotate On Check-in policy setting. | Shadow accounts now follow the Rotate On Check-in policy setting. |
| Vault | The delete warning for Password Safe–imported endpoints incorrectly referenced account associations. | The delete warning now correctly reflects account associations for Password Safe–imported endpoints. |
| WebRepConsole | The Asset Groups list in the web console had no way to filter results. | Added a filter input to the top of the Asset Groups list in the web console. |
📝 Requirements
- Requires Base 8.3.0
- Supports upgrades from 25.3.5 Remote Support+
- Supports ECM Protocol 1.6
- Validated with ECM 1.6.2601.35016
- Validated with Integration Client 26.1.3.210
- Includes VSC 1.3.0.0
⏰Deprecation Notice
RADIUS Authentication Provider
RADIUS authentication is being deprecated due to inherent security weaknesses in the protocol. Beginning in Remote Support 26.2.1, the RADIUS provider option is hidden from administrators who do not have an existing RADIUS configuration. Administrators who do have RADIUS configured will continue to see this option and be able to edit the configuration, but will receive an in-product banner alerting them to the deprecation and prompting them to take action.
While existing RADIUS providers remain functional, new ones cannot be created in 26.2.1 or later. Administrators are encouraged to migrate to a supported authentication method, such as SAML, LDAP, or another supported two-factor authentication option, before RADIUS is fully removed.