11.2.7 Direct RDP is Disallowed When Privileged Account Manager Agents are Unable to Reach the Manager

Issue: After upgrading Privileged Account Manager agents from 4.0 to 4.1 on Windows servers, Direct RDP is disallowed when the agents are unable to reach the Privileged Account Manager server.

Workaround: You can configure Windows servers with PAM agents to allow a specific Troubleshoot user to initiate Direct RDP sessions when the PAM Manager is not reachable. It is recommended that you add this configuration before you update the agents to 4.1. If you are installing and registering a fresh PAM 4.1 agent, this can be done automatically as a step during agent registration. To add the configuration to the Windows registry manually, follow these steps:

  1. Navigate to Registry Editor > HKEY_LOCAL_MACHINE > SOFTWARE > NetIQ > npum.

  2. Right-click npum and add a Key named TROUBLESHOOT.

  3. Right-click TROUBLESHOOT and click New > String Value.

  4. Set Value Name to name and set Value Data to the Troubleshoot user in hostname\username format.

Sample .reg File

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ]

[HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\npum]
@="C:\\Program Files\\NetIQ\\npum\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\npum\TROUBLESHOOT]
"name"="dom032100\\administrator1"
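The same configuration applied from PowerShell, as an added example rather than a script from the NetIQ documentation. The registry path and the value name (name) are the ones given above; the account name is a placeholder you must replace with your own Troubleshoot account, and the final check assumes that the hostname\username form names a local account on that host. The script refuses to write a value that is not in hostname\username form and reads the value back, so the break-glass path is verified before the agent upgrade rather than discovered to be wrong after it.

```powershell
# Added example (not NetIQ's own script): create the TROUBLESHOOT key described
# in the workaround, write the 'name' value, and verify the result.
# Placeholder: replace 'troubleshootadmin' with your real break-glass account.

$npumKey          = 'HKLM:\SOFTWARE\NetIQ\npum'
$troubleshootKey  = "$npumKey\TROUBLESHOOT"
$troubleshootUser = "$env:COMPUTERNAME\troubleshootadmin"   # hostname\username

# Only configure hosts that actually carry the PAM agent registry hive.
if (-not (Test-Path $npumKey)) {
    throw "PAM agent key '$npumKey' not found; is the agent installed on this host?"
}

# The page requires hostname\username: exactly one backslash, both parts non-empty.
if ($troubleshootUser -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Troubleshoot user '$troubleshootUser' is not in hostname\username form"
}

# Create the key (idempotent) and the REG_SZ value 'name'.
New-Item -Path $troubleshootKey -Force | Out-Null
New-ItemProperty -Path $troubleshootKey -Name 'name' -Value $troubleshootUser `
                 -PropertyType String -Force | Out-Null

# Read the value back and confirm it is what we intended to write.
$configured = (Get-ItemProperty -Path $troubleshootKey -Name 'name').name
if ($configured -ne $troubleshootUser) {
    throw "Read-back mismatch: expected '$troubleshootUser', got '$configured'"
}
Write-Host "TROUBLESHOOT\name = $configured"

# Assumption: the account is local to this host. Warn if it is missing or
# disabled, because an unusable Troubleshoot account defeats the workaround.
$userName = $troubleshootUser.Split('\')[1]
$local = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
if (-not $local) {
    Write-Warning "Local account '$userName' does not exist on this host"
}
elseif (-not $local.Enabled) {
    Write-Warning "Local account '$userName' is disabled"
}
```

Run it in an elevated PowerShell session on each Windows server before the 4.1 agent update; the warnings at the end are the check most worth keeping, since a registry value that points at a non-existent or disabled account leaves you with no Direct RDP path when the Manager is down.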