This release will be available soon.
To view previous release notes, see BeyondInsight/Password Safe release notes.
Important informationThis update is for On-Premises customers only. Fixes have been automatically applied to all 25.1 Password Safe Cloud deployments.
February 19, 2026
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
🆕 New features
This is a maintenance release. There are no new features.
✨ Enhancements
This is a maintenance release. There are no new enhancements.
🛠️ Issues resolved
| Product Area | Description | Resolution |
|---|---|---|
| Endpoint Privilege Management | When an EPM agent checks-in, the IP Address for the corresponding Managed System may get reset to 127.0.0.1 | If the EPM agent provides a loopback/127.0.0.1 IP Address, it is ignored by Password Safe. |
| Workforce Passwords Browser Extension | Updating a credential via the browser extension reports successful, however the credential is not updated. | Updates to credentials made from the browser extension are saved properly. |
| Workforce Passwords Browser Extension | Users with MFA configured cannot sign in to the Workforce Passwords Browser Extension. | The Workforce Passwords Browser extension now properly handles logins from users with MFA configured. |
| Public API | Attempting to retrieve a large number of secrets via the GET Secrets-Safe/Secrets API can fail with a timeout. | Increased the default client timeout. |
| Public API | When creating a new Active Directory user via the POST Users AP, the Disable forms login for new directory accounts configuration setting is ignored. | When creating new Active Directory users, the Disable forms login setting is properly applied. |
| API | When you use the Invoke-Restmethod Windows PowerShell cmdlet to modify the permissions on a safe, performing a GET after a PUT results in a protocol violation error. | Corrected API response to align with proper RESTful conventions, which eliminates the protocol violation error in looped GET operations. |
| API | The GET Secrets endpoint defaulted the decrypt parameter to true, when it should default to false, and setting it to false would return a null owner email. | The GET Secrets endpoint now correctly defaults the decrypt parameter to false and returns the owner email in all cases when it’s available. |
| API | When you add an Active Directory user via the API and the Disable forms login where the new directory accounts checkbox is selected, the user setting is not disabled. | The Disable forms login for new directory accounts checkbox works as expected for new Active Directory users created from the API. |
| API | Field length validation discrepancy between POST and PUT public APIs for Text secrets, the PUT endpoint enforced a lower character limit than the POST. | The PUT endpoint has been updated to allow a Text secret with a value of up to 4096 characters, to align with the limit on the POST endpoint. |
| SCIM API | Users created with SCIM API do not adhere to local account TOTP setting defaults. | Updated the SCIM API to adhere to local account TOTP setting defaults. |
| SCIM API | When making a call to retrieve PrivilegedData from the SCIM API, the returned values have the properties defined as Name, Description, and Type. As per the schema, these properties should be all lower case. | The JSON properties are now all in lower case. |
| SCIM API | SCIM PrivilegedData endpoint returned values have capitalized properties instead of lowercase. | Corrected the SCIM API so that calls to the PrivilegedData endpoint returns the properties in all lower case. |
| SAML | SAML login ignores the Enable Group Resync configuration option when user mapping is set to Local and always resyncs the local groups. | Groups are no longer resynced if the Enable Group Resync option is disabled. |
| SAML | When using a SAML configuration that uses Active Directory as the mapping type, if an Active Directory user gets created during a SAML login, that user is missing several user attributes. This includes the domain, email and first/last name, and can cause issues with mapping or attempting to remove the user. | All attribute data is now populated during SAML login. |
| SAML | User permissions may not be properly validated in some Microsoft Entra ID (Azure AD) SAML authentication scenarios. | Improved SAML session handling for Microsoft Entra ID (Azure AD) integrations to ensure user permissions are correctly enforced. |
| Smart Rules | AWS Connector Instance type retrieval and caching is exhibiting problems paging results, resulting in an infinite loop and, eventually, memory exhaustion, and, attempting to save a Smart Rule when the instance types < 1000 results in an error and the Smart Rule does not save. | The AWS Connector Instance type retrieval has been corrected to ensure appropriate execution and use of memory, and when there are more than 1000 instance types, Smart Rule now saves without an error. |
| Smart Rules | Google Cloud Platform (GCP) onboarding Smart Rule has a limit of 100 users. | Added support for onboarding more than 100 users using a Managed Account Smart Rule with a Google Cloud Identity Query filter. |
| Smart Rules | In some cases, high system usage is observed during processing of an asset onboarding Smart Rule. | Improved the underlying query performance that contributes to the processing of an asset onboarding Smart Rule. |
| Smart Groups | Using the Workgroup filter and creating a new Quick Rule may not include all items expected. | Corrected the selection process to ensure that all expected items are included. |
| Reporting | In some environments, the Inactive Managed Accounts report times out. | Excluded irrelevant records from the result set, resulting in much faster query execution time and improved report performance. |
| Reporting | The Active Users report only returns records with users that have been active within the last few months. The value in the parameter Used In X Days is not respected. | The Used In X Days report parameter is properly applied. |
| Reporting | When the Password Safe Password And Session Activity report is exported as a CSV, some cells may incorrectly contain line breaks, which causes a row to be split into two incomplete rows. | Line breaks from the Reason field are automatically removed. |
| Event Forwarding | When using a connector that uses the syslog format, the event severity in the priority field is the inverse of what’s expected for syslog events. | Syslog events are now sent with the correct severity. |
| Event Forwarding | Syslog event forwarder no longer sending application audit events. | Corrected the underlying event selection logic to ensure that all application events continue to be forwarded. |
| Mobile App | Secrets are not being properly returned to the mobile app from Secrets Safe personal folders when the user is a member of the Administrators group. | Users who are members of the Administrators group can now access secrets found in their personal folders. |
| Mobile App | An authentication error occurs when attempting to login via the Mobile App using an Active Directory or LDAP user account. | Active Directory and LDAP users can now successfully login via the Mobile App. |
| Sessions | RDP sessions using multiple monitors may encounter an error during session initialization. | RDP sessions with multiple monitors now function as expected. |
| Sessions | Poor performance with large scale datasets in the Completed Sessions Grid. | Made meaningful improvements in the data retrieval to improve performance and reduce grid loading time. |
| Directory Credentials | When using a directory credential with a username formatted as a UPN, directory queries using this credential do not work as expected. | Directory credentials with UPN usernames are now properly handled. |
| Propagation Actions | When trying to run a script propagation action on a managed system that uses a custom port, the propagation action fails. | The port setting on the managed system is now properly handled during propagation actions. |
| Functional Accounts | Local functional accounts on managed systems that have a DNS Name containing a period (.) are not properly tested via the Password Test Agent. | Local functional accounts are now tested properly. |
| Upgrade | In some scenarios, the upgrade to 25.1.0 could fail during the database upgrade if an asset is associated with invalid IP Address data. | The invalid IP Address data is adjusted to the latest data or reset if none exists. |
| Upgrade | Certain data points in existing environments (duplicate entries in Event Table Monitor, smart rules or smart rule criteria or actions with Xen or Risk in the names) could potentially cause a problem with the database upgrade process. | Made the database upgrade process more robust by adding additional safeguards around steps that remove or deactivate deprecated functionality. |
| SSH | SSH connection fails when using a DSS key for the login account | SSH connections now succeed when using a DSS key for the login account. |
| Activation Keys | In some rare cases, the Activation Keys page fails to load. | Improved the hostname resolution reliability to prevent this failure scenario from occurring. |
| BeyondInsight Configuration Utility | Several services were not started on the appliance after clicking Apply or after clicking Start Services in the BeyondInsight Configuration Utility. | The utility was updated to include those service starts in the Apply and Start Services actions. |
| Omni Worker | A large backlog in the Event Forwarding queue can cause the service to stall. | The event forwarding logic has been updated to avoid the stall condition even when the backlog is very large. |
📝 Requirements
- Direct upgrades to 25.1.1 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 25.1.1 supports SQL Server 2016 SP2 or higher.
🗒️ Notes
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: 311d75ac58a9c8d2c75f9197c5000d48
- The SHA-1 signature is: 89dc7fa93be56719a6ad547d6bd51e55ba5eac59
- The SHA-256 signature is: 0f66439537ab9b3a4355e85c32426a24a2e7bcfcb88d8c66a8e71158b5fae45d
February 3, 2026
🆕 New features
Database Credentials for Protocol Tunnel Jump Items
- New Support: Protocol Tunnel Jumps for MySQL, PostgreSQL, and Microsoft SQL Server databases
- Port Specification: Custom database ports now supported using multiple notation formats:
- Standard notation: hostname:port or IPv4:port
- Windows comma notation: hostname,port or IPv4,port or IPv6,port
- RFC-compliant IPv6 bracket notation: [IPv6]:port
- Default Ports: Automatically applied when not specified (MySQL: 3306, PostgreSQL: 5432, SQL Server: 1433)
IPv6 Address Support
- Full IPv6 Support: Complete recognition and validation of IPv6 addresses across all credential types
- Supported Formats:
- Full IPv6: 2001:db8:85a3:0:0:8a2e:370:7334
- Compressed notation: 2001:db8::1, ::1, ::
- IPv4-mapped IPv6: ::ffff:192.168.1.1
- IPv6 with ports: [2001:db8::1]:5432
- Wildcard Patterns: IPv6 credential matching with wildcards (that is, 2001:db8:85a3:0:0:8a2e:370:*)
Framework and Dependencies
- Upgraded to .NET Framework 4.8 (from 4.5)
- Enhanced security features
- Improved performance and reliability
- Extended support lifecycle
- Updated Dependencies:
- ECM and Util DLLs updated to version 1.6.2601
- All NuGet packages updated to latest stable versions
Code Quality Enhancements
- Enhanced IP Address Validation: Improved IP detection and parsing with comprehensive IPv4 and IPv6 validation
- Improved Filtering: Better DNS name, hostname, and port filtering logic
- Expanded Unit Tests: Extensive test coverage for new IPv6 and port parsing functionality
✨ Enhancements
- There are no new enhancements.
🛠️ Issues resolved
- There are no new issues resolved.
🗒️Notes
- Ensure .NET Framework 4.8 is installed before upgrading
- No configuration changes required
- All existing configurations remain compatible
📝Requirements
- Requires BeyondTrust ECM v1.6.2601+
February 3, 2026
🆕 New features
This is a maintenance release and there are no new features.
✨ Enhancements
Desktop client being deprecated in version 4.0
The following banner appears in the product:
This desktop client has been deprecated and will be removed from the product in version 4.0. All users should be utilizing the browser-based interface located at http://<IP>/UpdaterSettings.
where <IP> is the actual IP of the local computer.
Improved handling of Endpoint Priviled Management (EPM) bundles
We improve how the platform handles Endpoint Privileged Management (EPM) bundles, making bundle imports more reliable, streamlining version management, and helping you catch configuration conflicts earlier and more accurately.
🛠️ Issues resolved
| Description | Resolution |
|---|---|
| Updater is overwriting log files on subsequent install attempts | Code was added to create unique log file in Updater’s log folder, for each installation attempt of a package. |
| When Updater attempts to install a version of software but a newer version is already installed it returns the install attempt as a failure. | The MSI Error Code 1638 has been included in the success code collection, allowing the Updater to identify it as a success when it is returned by the MSI. |
| Currently SUPI engine will install each individual version that is available. | You can now select the latest version of SUPI Engine and skip all the versions in between. |
| When the Updater service is paused there is no notification. | A banner has been added to the Web UI that shows a message regarding the download status when it is paused. Additionally, this banner includes a button that allows users to enable the Updater service and resume downloads. |
| Updater not creating entries for BeyondInsight Password Safe in package.db | The BeyondInsight Password Safe subscription check has been removed from the local database refresh process. |
| Some tiles show as blank or empty when the server is unresponsive. | A loading spinner has been added in the Other Subscriptions panel, which stays visible until the service delivers data to the user interface. |
| When setting a download schedule to exclude a day the download was still occurring. | Download schedule is now being respected. |
| When you install a PMUL package with AD Bridge subscriptions, the installation order does not work as expected. | The recent code addition implements an explicit cleanup process for all old files and folders in the designated PMUL directory, excluding the folder named adbridge. This enhancement aims to improve file management by removing files that were created by earlier versions. |
📝 Requirements
- .NET 4.7.2 or later
- IIS to be enabled on host
January 29, 2026
🆕 New features
Configurable Uniform Resource Identifier (URI) Match Detection
We’ve added a new configuration option to allow better control over which credentials are presented for autofill on a given site.
Configurable from the Extensions Options page, the Default URI Match Detection option allows the following values:
- Base domain (default for prior browser extension releases)
- Host
To understand the URL https://mysite.ps.beyondtrustcloud.com/webconsole/login, use the following table:
| Section | Value |
|---|---|
| Top Level Domain | com |
| Second Level Domain | beyondtrustcloud |
| Subdomain | mysite.ps |
| Hostname | mysite.ps.beyondtrustcloud.com |
Base Domain
When Base Domain is selected, only credentials that have the same top-level domain and second-level domain are available for autofill. This means that credentials are shared across various sub-domains, such as a credential for okta.beyondtrust.com could be used on jfrog.beyondtrust.com.
For example, the URL https://mysite.ps.beyondtrustcloud.com would behave as follows if Base Domain was the selected behavior:
Host
When Host is selected, only credentials that have the same hostname and, if specified, port is presented for autofill.
For example, the URL https://mysite.ps.beyondtrustcloud.com would behave as follows if Host was the selected behavior:
🛠️ Issues resolved
🔧 Workforce Passwords
| Description | Resolution |
|---|---|
| When you deploy Workforce Passwords extension via GPO, you receive frequent notifications that Workforce Passwords has been updated. | Corrected the update detection logic to no longer incorrectly trigger an update notification. |
| On some websites, Workforce Passwords was inadvertently overriding the styling of the web page content. | CSS styling in Workforce Passwords has been adjusted to no longer ‘leak’ into the host website. |
📝 Requirements
Requires BeyondTrust Password Safe version 23.2.0 or later release.
🗒️ Notes
This release is available in:
January 28, 2026
You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
🆕 New features
This is a maintenance release. There are no new features.
✨ Enhancements
This is a maintenance release. There are no new enhancements.
🛠️ Issues resolved
This is a maintenance release. There are no issues resolved.
📝 Requirements
- We recommend a restart after this update.
🗒️ Notes
- Direct upgrades to 25.3.58.30001 are supported from all previous versions.
- .NET hosting bundle v8.0.21 is included
- Session Monitoring Agent (pbsmd) 25.3.48 is included
- Enhanced Session Monitoring Agent (pbpsmon) 25.3.48 is included
- This release bundles version 25.3.0.2025 of the BeyondTrust Discovery Scanner, corresponding release notes, see View the Discovery Scanner release notes..
- PS Automate 25.3.0 is included
- SAP platform password changes now set a ProgramID = PasswordSafe_SAP_Connection property to provide support for SAP gateways.
⚙️ Signatures
- The MD5 signature is: E7773A43C026AD645A17DC26EB536815
- The SHA-1 signature is: CA8D4E55962AA84DAC8EE7402ECC3FDFBA990CE9
- The SHA-256 signature is: E2872789E2031D1403CE6F3FCCC2AE3DDFC51781D1E1205EBFAAE047F5958C82
January 22, 2026
🆕 New features
Streamlined Certificate Management
Manage certificates with ease. Now you can view, import, edit, generate, export, move, and delete certificates directly from the Appliance web interface. No need for remote desktop or Microsoft Management Console (MMC). This enhanced workflow simplifies updates, supports all requested use cases, and even adds the ability to transfer certificates between appliances.
For more information, see Certificate Management.
Forced Encryption
Appliance users can now encrypt the data connection to Microsoft SQL Server using a certificate of their choice without the need to establish a Remote Desktop Protocol (RDP) session. This enhancement eliminates the previous requirement to manually upload certificates and configure encryption through the BeyondInsight Configuration Tool or SQL Server Network Configuration.
For more information, see Forced Encryption for SQL Server connections.
✨ Enhancements
Proxy server
Proxy configuration settings have been removed from Password Safe. All proxy server settings are now managed directly on the U-Series appliance, providing a centralized and streamlined configuration process.
Certificate management for mirroring between the two high availability (HA) nodes
We’ve introduced enhancements to simplify certificate management. These improvements reduce manual configuration steps, minimize administrative overhead, and improve overall security compliance. Administrators can now manage certificates more efficiently, ensuring a smoother setup and maintenance process for HA deployments.
For more information, see Certificate mirroring between two HA nodes.
🛠️ Issues resolved
| Issue | Resolution |
|---|---|
| All users were added to the Notifications drop down. | Removed non-admin BeyondInsight users from notification drop down |
| Password fields are not cleared when navigating away from the page. | Password fields are cleared when navigating away from the page |
| The all panels, including the Welcome panel, remain open when the system automatically logged out. | All Open dialogs are closed when the logon page is shown. |
| When you deploy and configure an Azure appliance if the appliance name is same, the Configuration wizard displays an error message while you configure the Phoenix client. | Makes sure your computer is renamed every time it needs to be. |
| When you use Dark Mode theme, the colors in the Notifications drop down do not follow the scheme colors. | Colors in Notifications drop down now follow the colors of the selected theme. |
| Performance graphs are not responsive with minimum supported screen resolution. | Graphs align with screen resolution. |
| The Slider feature moves visually when you click the Discard button from the Features and Services panel. | The message, There are no changes to be discarded displays when there are no discarded changes. |
| A generic 404 message displays on the root site when you type URL at the root site. | Created custom error pages for missing (404) pages. |
| A visible gap or blank space appears in the backup and restore table when the window size is changed. | UI adjusted to remove the gap. |
| When you click the Forgotten Password link, there is not an option to return to the Login page. | A link to return to the login page was added. |
| There is no tooltip for the Enter the NFS File Share Location section on the Log File Export page. | A tooltip now exists for the feature. |
| When you select to configure backups later in the Configuration Wizard, the calendar text turns to red. | Removed the red text as it was unnecessary. |
| SQLFree computers do not backup the RetinaCSDatabase, however in the options to create a backup, the BeyondInsight Database is one of the available options. | Added static text to indicate that remote database will not be backed up. |
| An error message displays when you enter a value exceeding the upper bound in Database Connection Settings. | Fixed validation to give the correct error message. |
| Permissions and logins are created on installation and not when a feature is enabled. | Initial checks are removed from the installer to a service, so it can check when the feature is enabled. |
| The URL path to the Proxy Server page does not match the actual page name. | The URL path is updated. |
| Previously scheduled events (backups, log exports, etc.) no longer run on schedule. | Updated stored schedules to reference the proper service name. |
📝Requirements
- .NET 8.0 or later (available through BT Updater via Supporting Software SUPI subscription)
- SUPI 3.3.2 (available through BT Updater)
🧩 Dependencies
- Security Management Appliance is dependent on BeyondInsight 24.1
January 8, 2026
You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
🆕 New features
This is a maintenance release. There are no new features.
✨ Enhancements
SAP platform password changes now set a ProgramID = PasswordSafe_SAP_Connection property to provide support for SAP gateways.
🛠️ Issues resolved
This is a maintenance release. There are no issues resolved.
📝 Requirements
- We recommend a restart after this update.
🗒️ Notes
- Direct upgrades to 25.2.0.1941 are supported from all previous versions.
- This release bundles version 25.2.0.1971 of the BeyondTrust Discovery Agent. View the Discovery Agent 25.2.0.1971 release notes.
- .NET hosting bundle v8.0.21 is included.
- Session Monitoring Agent (pbsmd) is updated to 25.1.45.
- Enhanced Session Monitoring Agent (pbpsmon) 25.1.43 is included.
- PS Automate build 16357480509 is included.
⚙️ Signatures
- The MD5 signature is: F8E2C665803AA852E4FF34F32BB5A275
- The SHA-1 signature is: 264EDABB858BC74A7AD76549F3F2FF8FF9F14BB5
- The SHA-256 signature is: 8A23E131ABFF60CBD42AB581D9D9DE17CC6182B716B64F5B940A7F457FF49FDF
December 19, 2025
🆕 New features
There are no new features with this release.
🛠️ Issues resolved
| Description | Resolution |
|---|---|
| Dependencies are not showing in the UI, but are being enforced. | Fixed a missing call to get dependencies based on the current package |
| Unable to download packages when you use an Enterprise Updater child node. | Fixed the call to get the next package for child nodes. |
December 18, 2025
🆕 New features
- TOTP feature support. This requires BIPS 25.3 or later.
- Update to support BIPS 25.3 release.
🛠️ Issues resolved
| Issue | Resolution |
|---|---|
| When you open a context menu, the app's User Interface (UI) freezes. | The UI works as expected and displays the correct menus. |
| When you sign in to Microsoft Intune on a device with your Company Portal app installed, an incorrect error message may appear. | The UI behavior has been improved. You now have option to accept and continue with Microsoft InTune Setup or dismiss it. The app remembers your choice. |
📝 Requirements
- Password Safe 25.1 or later
