Remote Desktop Protocol Shortcuts

Use BeyondTrust to start a Remote Desktop Protocol (RDP) session with remote Windows and Linux systems. Because RDP sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use RDP through BeyondTrust, you must have access to a Jumpoint and must have the user account permission Allowed Jump Methods: RDP via a Jumpoint.

Create an RDP Shortcut

To create a Microsoft Remote Desktop Protocol shortcut, click the Create button in the Jump interface. From the dropdown, select Remote RDP. RDP shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Create New Remote RDP Jump Shortcut

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (for example,

Provide the Username to sign in as, along with the Domain.

Select the Quality at which to view the remote screen. This cannot be changed during the remote desktop protocol (RDP) session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select Black and White (uses less bandwidth), Few Colors, More Colors, or Full Color (uses more bandwidth). Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.

To start a console session rather than a new session, check the Console Session box.

If the server's certificate cannot be verified, you receive a certificate warning. Checking Ignore Untrusted Certificate allows you to connect to the remote system without seeing this message.


When RemoteApp or BeyondTrust Remote Desktop Agent is selected in the SecureApp section, the Console Session checkbox is unchecked. Remote applications cannot run in a console session on a RDP server.

To get more detailed information on the RDP session, check Session Forensics. For this feature to work, you must select an RDP Service Account for the Jumpoint being used. When checking this setting, the following reminder displays:

Enabling this feature requires the RDP server to be configured to receive the monitoring agent and an RDP Service Account to be configured with this Jumpoint. If these requirements are not met, all attempts to start a session will fail.

In typical installations, the RDP service account requires privileges including access to create and control remote services and write access to remote file systems. We recommend that you create an Entra ID account and use Entra ID group policy settings to configure the permissions, however the exact permissions required depend on your Entra ID configuration.

When Session Forensics is checked, the following additional details are logged:

  • Focused window changed event
  • Mouse click event
  • Menu opened event
  • New window opened event

To start a session with a remote application, configure the SecureApp section. The following dropdown options are available:

  • None: When accessing a Remote RDP Jump Item, no application is launched.
  • RemoteApp:The user can configure an application profile or command argument, which executes and opens an application on a remote server. To configure, select the RemoteApp option and enter the following information:
    • Remote App Name: Enter the name of the application you wish to connect to.
    • Remote App Parameters: Enter the profile details or command line arguments needed to open the application.
  • BeyondTrust Remote Desktop Agent: This option facilitates passing parameters through an agent in order to launch applications on a remote host. To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:
    • Executable Path: Enter the path of the application the agent will connect to.
    • Parameters: Enter any parameters that you could normally type from a command line when launching the app on the remote system.

For more information on Session Forensics and RDP service account, please see Jumpoint: Set Up Unattended Access to a Network > RDP Service Account.

Inject Credentials

The option to Inject Credentials is made available when the BeyondTrust Remote Desktop Agent type is selected. This option facilitates passing parameters as well as credentials through an agent in order to launch applications on a remote host. The first set of credentials is in the Jump definition. These are the credentials for the user account you'll use to log into the remote system. There is a secondary prompt for additional credentials, either manually provided or from a password vault. These secondary credentials are made available to the command line you define through the %USERNAME% and %PASSWORD% macros (additional macros shown below). This allows you to pass additional credentials to the application you are launching (e.g., SQL Server Management Studio). To configure, select the BeyondTrust Remote Desktop Agent: option and enter the following information:

  • Enter the Executable Path and Parameters as described above.
  • Target System: Enter the name of the system running the application.
  • Credential Type: Enter the credential type as defined by the credential management system (e.g., SQL).
Macro Name Result
%USERNAME% username
%USERPRINCIPLENAME% username@domain
%DOWNLEVELLOGONNAME% domain\username
%DOMAIN% domain
%PASSWORD% password
%PASSWORDRAW% password (without any attempt to escape special characters)
%TARGETSYSTEM% supplied target system value; in the case of SQL Server, this would be the SQL Server name.
%APPLICATIONNAME% optional application name; in the case of SQL Server, this can be hard-coded to "SQL Server" or something similar.


The BeyondTrust Remote Desktop Agent option requires a BeyondTrust Remote Desktop Agent to be preconfigured on the target system. This agent can be downloaded from the My Account page in the /login interface. It is neither version nor site-specific, and thus the same agent can be used for as many applications as the admin wishes to support. Once the agent is installed, you can then use BeyondTrust to create RDP Jump Items that are configured to use the BeyondTrust Remote Desktop Agent option to launch any application installed on the remote system.

RemoteApp relies on publishing applications using Microsoft RDS RemoteApps. Please refer to the Microsoft documentation for publishing applications.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

For more information about contained database users, please see Contained Database Users - Making Your Database Portable.

Use an RDP Shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

Enter RDP Credentials

You are prompted to enter the password for the username you specified earlier.


Your RDP session now begins.

When starting an RDP session, the RDP keyboard automatically matches the language you have set in the access console. This functionality is available for Windows-based access consoles only.

Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, share clipboard contents, use Alt and Shift commands, and perform key injection. You also can share the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.


Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Jump Item. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections. For more information on simultaneous Jumps, please see Jump Item Settings.