June 10, 2025

🆕 New features

Added a new setting that lets admins customize how Password Safe works. Now, you can choose to have accounts automatically rotated when a session ends and the integration releases the account.

✨ Enhancements

  • There is a new (optional) attribute to the OptionalIncludes configuration that gives admins more control. You can now choose how account names are formatted—like UsernameOnly, OriginalName, UPN, or DownLevel—when they’re returned from a specific section in the optional includes.
  • Updated the default behavior to make it easier to search for External Endpoints using just wildcards. By default, you’ll now get up to 100 results.

🛠️ Issues resolved

  • Addressed an issue in which accounts may not be retrieved for Web Jump Items that do not have a domain.

🗒️Notes

  • Supports upgrades from any prior release

📝Requirements

  • Requires BeyondTrust ECM v1.6.0+

June 10, 2025

📘

  • This update is available through BT Updater or as a manual installer from the download tool.
  • Before proceeding with the installation, we strongly recommend a system reboot as certain system dependencies may need to be reset before applying this update.

🆕 New features

Tell your appliance to delete an archived session recording file

You can now tell your appliance to delete an archived session recording file when the session record is deleted.

New BeyondInsight Services for Scan Processing and Purging

We've add two new features to your BeyondInsight Services:

  • Scan processing & purging services are available in the Monitored Services list.
  • Logs for new for new services are available on the Log File Export and Appliance Logs page.

✨ Enhancements

UI component upgrades

We've refined our interface with multiple enhancements, including:

  • Updated tool tip text
  • Reformatted Config Wizard Signup/Login page
  • Translation Service - Replace Deprecated Methods with new Methods
  • Standardized colors
  • Theme selection now displays on first login
  • Adjusted positioning of High Availability Step panel
  • Added cell padding to separate Page Banner from Page Headers/cards
  • Branded color scheme
  • Fixed inconsistent spacing on the Diagnostics tools page
  • Fixed inconsistent card border colors for Dark mode
  • Replaced top navigation icons/label with new controls
  • Added Match System Theme option in theme selector
  • Fixed inconsistent text in the Show Password button
  • Session Monitoring Archive: Fixed color for the Test Connection message in the Dark mode
Improved performance and memory consumption in the Backup and Restore process

We've improved the memory consumption and handling for backups of large databases in the Backup and Restore process.

🛠️ Issues resolved

IssueResolution
EPM Event Collector Service is missing in the log file if there are no files.Stopped filtering out non-existent log files/directories to display a list of all ‘supported' logs for export/download. As exported/downloaded, non-existent items are skipped.
INSTALLED SOFTWARE - SQLFREE - PMR DB is showing as Unknown Version (SQL shows as Not Installed).If the database is not present, show as “Not Installed”
Can activate BI Database Access Feature without database connection details via the API.Field validation added.
Appliance SQLFree - Generate Certificate shows error: “(failed) net::ERR_CERT_AUTHORITY_INVALID”.Redundant SSRS URL refresh operation is not executed on SQLFree Appliance.
ACCESSIBILITY - at 1280 x 800 resolution, the bottom scroll bar is difficult to access.Scroll bar is consistently displayed in Chrome browser regardless screen resolution.
Inconsistent HHRS (HostHeadersRestriction) API(GET, POST) URL path (missing "ClientConnections") .Updated endpoints to be consistent.
Deployment Wizard - browser does not resume after reboot.Deployment Wizard resumes after reboot.
Appliance User Interface licensing page does not handle licensing errors the same as the deployment wizard.Response codes are handled in a consistent way.
Tool tip text on Deployment user signup page is outdated.Tool tip text was updated.
CONFIG WIZARD - BIUL - the wizard fails to complete the Features step at the end when BIUL SQL account has a semi-colon.Semi-colon is not allowed.
Cannot save IPv4 settings without refreshing the page.Field validation enforced.
configureuser API : Different return codes for "Administrator" and "LocalAdmin" username. Return code should be 422 on both LocalAdmin & Administrator.Added “LocalAdmin” to the validation of the data structure. Return code is now the same.
CERTIFICATE MANAGEMENT - Upload Certificate is not handling the "bind to IIS" when using a wildcard certificate.InstallCertToIIS endpoint now expects certificate name in request Body, not in a URL, which allowed a wildcard in a name.
DEPLOYMENT WIZARD - Internet connection - On Proxy Server page (both ConfigWizard and Appliance) UI Validation should fail if Proxy Address includes http or https.Added validation in the Proxy Address field to fail if invalid proxy address is entered.
DEPLOYMENT - Internet Connection: IPv6 address with and without square brackets should pass UI validation on SMTP Settings and Proxy Server configuration pagesAdded validation for IPv6 addresses with and without square brackets to pass UI validation on SMTP Settings and Proxy Server configuration pages.
DEPLOYMENT WIZARD - the ? icon for tooltip text is out of alignment.Adjusted alignment.
Appliance Software install failed to install Backup Service MSI and triggered a rollback.Added logic to check if a service was already running.
When making a change in the Features Editor all settings for all features are validated rather than just the feature being changed.Updated to only validate changed data.
When installing a new build the previous version in add/remove programs is not removed.The function that removed the config wizard service was modified. The main installer now removes all multiple versions of the appliance software.
Appliance UI: Location is not found for some logs.Added UX message when location for log is not found.
Session Monitoring files not included in backups when Session Monitoring Archiving feature is disabled.Backup selected Features, regardless of Feature state.
Appliance UI: If changes for the Local Computer policy Digitally Sign Communications are canceled, the button behavior stays inactive forever until the next hard refresh page.User interface validation updated.
HA - Can't make backup on Active primary ApplianceFixed in the performance improvement (Memory handling for backups of large databases was improved)

📝 Requirements

  • .NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
  • SUPI 3.3 (available through BT Updater)

🧩 Dependencies

  • Security Management Appliance Installer is dependent on BeyondInsight 24.1.
  • Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.

⏰ Deprecation notice: Support for BITS for session archiving

With this release, support for BITS for session archiving is removed, and archiving ceases to work with BITS. The Features page will recognize if your system was set to BITS and notifies you that the feature is deprecated.

June 10, 2025

✨ Enhancements

Dependency management

Dependency management provides visibility into the underlying frameworks that support's a product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:

  • removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
  • processes new additions and upgrades.
  • processes removals without dependent products.
Improved estimated size and time required

The estimated time for an update to run was including packages that would be skipped in the update. The estimated time displayed now more accurately reflects the actual time it will take to run the update.

🛠️ Issues resolved

DescriptionResolution
Issue with packages remaining in the Updates folder after applying all updates.Resolved. Packages no longer remain in updates folder after updates applied.
Issue with run order determined by creation date of the package instead of version.Resolved. Run order is determined version.
The updater should run only the latest minor version when there is more than one minor version related to a major version.Resolved. The updater does not skip over minor versions for the same major version.
Issue with BT Updater not displaying the build number in the UI.Resolved. BT Updater displays the build number in the UI.
Issue with the .Net Upgrade process in an ERROR status in the UI but was upgraded successfully.Resolved. The .Net Upgrade process is no longer in ERROR status in the UI when upgraded successfully.
Issue with the updater creating duplicate entries for a given combination of packages.Resolved. The updater no longer creates duplicate entries for a given combination of packages.
Response code 3010 (reboot required) missing.Resolved. Added response code 3010 (reboot required) after installation.
SUPI command line tool has been deprecated.Resolved. SUPI command line tool has been removed.

June 5, 2025

🆕 New features

There are no new features.

✨ Enhancements

There are no enhancements.

🛠️ Issues resolved

  • None

📝 Requirements

  • We recommend a restart after this update.

🗒️Notes

  • Direct upgrades to 25.1.0.1933 are supported from all previous versions.
  • This release bundles version 25.1.0.1704 of the BeyondTrust Discovery Agent. View the Discovery Agent25.1.0.1704 release notes.
  • .NET hosting bundle v8.0.16 is included.
  • Session Monitoring Agent (pbsmd) 25.1.38 is included.
  • Enhanced Session Monitoring Agent (pbpsmon) 25.1.38 is included.
  • PS Automate build 12638027310 is included.
  • BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
  • The MD5 signature is: B24AFAA01C9B6FFAD3A57520EF5364F1
  • The SHA-1 signature is: 87C8214A63CDA3C0FB410B5D925E9A6DED707B55
  • The SHA-256 signature is: 13C132BEDC5C040FFEAD25E95410E963B5ABF0437674E0258CFDE9BFD9D7701D

June 5, 2025

ℹ️

For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported platforms.

🛑

On-premises customers using the U-series Appliance with SQL 2019 must install March SQL Server Updates 250301 prior to upgrading to BeyondInsight/Password Safe 25.1.

Customers using SQL Free appliances with a standalone SQL Server 2019 installation must install Cumulative Update Package 32 for SQL Server 2019 - KB5054833 prior to upgrading to BeyondInsight/Password Safe 25.1.

🆕 New features

Introducing the Password Safe mobile app for iOS and Android, available for Password Safe 25.1 users

Great news! The Password Safe mobile app is now available on both the Apple App Store (iOS) and Google Play (Android). With the app, you can easily view, check out/check in, and request credentials—right from your mobile device.

That’s not all - you’ll also have quick access to your Secrets Safe entries and credentials stored in your personal folder, making it easier than ever to stay secure on the go!

iOS Login

iOS Login

ℹ️

The mobile app requires customers to be on version 25.1 or later.

Workforce Passwords for Pathfinder

With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.

Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.

ℹ️

For more information, see Workforce passwords deployable extension.

Mobile Application Session Timeout Setting

In Password Safe Cloud and on-prem, you’re in control - configure the Mobile app to auto-timeout after a set number of minutes!

Deployable WFP Extension

Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!

Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.

Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.

ℹ️

For more information, see Workforce passwords deployable extension.

Direct Links to Secrets

Accessing secrets in Secrets Safe just got easier! You can now jump straight to a secret’s details using a direct link (URL).
Authenticated users can use the link to go directly to the secret within its designated safe.

The URL includes the secret’s title and sub-folder path, and it’s easy to grab - just copy it from the UI or your browser’s address bar. Provide this link to users who have access for quick, no-hassle navigation right to the info they need!

Copy secret link

Copy secret link

ℹ️

For more information, see Workforce passwords deployable extension.

✨ Enhancements

Limit Webconsole Login Sessions

To enhance security and streamline access, web console login sessions are now limited to one session per user.

And more good news - if you have multiple tabs open in the same browser, you can seamlessly use the same session across all of them. No interruptions, just a smoother, more secure experience!

Performed backend updates to allow for future support of IPv6 addresses

More information will be available in a future release.

Updated Algorithms and Ciphers

Security just got a boost! With Password Safe 25.1, devices now use stronger, modern ciphers to keep your data safer than ever.

We’ve added support for the latest encryption algorithms and are phasing out older, less secure ones to ensure top-tier protection across the board.

API Updates
  • Secrets Safe API
    • Added SecretType information in response of GET Secrets-Safe/Secrets/{secretId:guid}.
    • User can now set a Prior Expiration Date for Safe Permissions with new ExpiresOn field.
  • Password Safe API
    • Added RequestorName and RequestorUserID to Get Requests
    • Added paging support with 2 new optional quire parameters: limit and offset

ℹ️

For more information, see Secrets Safe APIs and Password Safe APIs.

Secrets Safe Enhancements

We've made some great updates to improve clarity and consistency in Secrets Safe:

  • User names are now displayed as Last Name, First Name in grids, and First Name, Last Name everywhere else, making it easier to quickly find who you're looking for.
  • For secrets shared from a personal folder, ownership is now locked for added control. You’ll see the owner’s name, but the Manage Ownership option is hidden to keep things tidy.
  • The Owner dropdown in the Secrets grid now shows all owners at a glance - and yes, you can filter secrets by owner for faster navigation!
Web Policy Editor: Local AD Search in Beyond Insight

Beyond Insight 25.1 brings a powerful new enhancement for Endpoint Privilege Management customers! You can now easily search your connected Local AD environments right from the Web Policy Editor.

Quickly find and add users or groups to Windows Workstyle Filters, Messages > Designated Users, Application Rule Filters, On-Demand Application Rule Filters, and Custom Tokens (for groups) - all in just a few clicks!

Improved Session Replay

Session Replay just got a major upgrade! You can now zoom in on specific areas of a recording, making it easier than ever to see and read details—especially when working with high-resolution displays or multi-monitor setups.

Crystal-clear visibility, right where you need it!

ℹ️

For more information, see View Recorded Sessions.

Screen Responsiveness

Further improved page responsiveness based on screen resolution.

Pathfinder - Directory attributes disabled

We’ve removed the Directory Attributes Match option from the Dedicated Account smart rule filter in Pathfinder instances. If any Smart Rules are included that filter before upgrading to Pathfinder, you’ll now see empty drop downs when editing that smart rule post-upgrade; affected Smart Rules should be reviewed and edited as needed.

Directory Attribute Match smart rule filter continues to be available for Cloud and On-prem.

📋 Reports

New Usage Folder

A new folder named Usage is now available in Analytics and Reporting. The following reports are included in this folder:

  • The Workforce Passwords Usage Summary report
  • The Active Users report
  • The System Usage Statistics report (new)
New report - Scheduled Tasks Account Usage

Have you ever wondered which accounts used for Scheduled Task management are managed by Password Safe? Now you can see this information for any system that has associated Scheduled Task scan data, just by running the new Scheduled Tasks Account Usage report!

New report - IIS Application Pool Account Usage

Have you ever wondered which IIS Application Pool identity accounts are managed by Password Safe? Now you can see this information for any system that has associated IIS Application Pool scan data, just by running the new IIS Application Pool Account Usage report!

New report - System Usage Statistics

The new System Usage Statistics report gives you a clear snapshot of overall system usage - tracking unique logins over your selected time period and providing key insights into the number of Managed Systems and Managed Accounts available at the time of the report.

Database Platforms Added to Database User List Report

Prior to 25.1, only Oracle, MS SQL, and MySQL were included. We now include all database platforms present in Password Safe.

Improved Initial Load Time of Reports Home Page

We’ve improved load times on the Analytics & Reporting home page.

🛠️ Issues resolved

🔧 Password Safe

Product AreaDescriptionResolution
Password SafeManaged Systems and Managed Accounts can be deleted when there are open sessions.Resolved. If sessions are open, managed systems and accounts cannot be deleted.
Password RotationWhen attempting to rotate managed accounts on decommissioned systems, the attempt will time out eventually, but it is not respecting the Managed System timeout setting, which can cause bloat in the queue table and may cause delays of other password changes.Timeout values are honored now by all Password Safe platforms supported by Password Safe plugins.
Password Safe CloudParsing issue of malformed keystroke JSON caused a memory leak. PWS Cloud 24.3.0 W3WP.exe Alert 'Memory gates checking failed because the free memory' was fired.Resolved memory leak and improved response time under invalid or high volumes of keystroke input.
BeyondInsight/Password SafeWhen attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied.The issue has been resolved. Connections to Oracle 19 databases are successful.
Password Safe SessionsWhen reviewing sessions, scrolling in the keystrokes list can cause the list to jump to a previous point.Resolved. The scroll window no longer jumps back in time.
Password SafeUnable to edit Name field on the Create Managed Account form when accessing from Managed System → Advanced Details → Managed Accounts after moving focus away and then back to the Name field.Resolved. Text box remains editable.
Password Safe SessionsRDP sessions do not record keystrokes when sessions are created from a Windows 11 vm to a Windows 11 vmResolved. Keystrokes are now recorded.

🔧 BeyondInsight

Product AreaDescriptionResolution
BeyondInsightWhen 24.1.0.1398 is upgraded to 24.3, the EventCollector directory is missing Microsoft.Data.SqlClient.dll leading to failures activating new OAuth clients.Ensured that new Endpoint Privilege Management clients can be activated for OAuth regardless of the upgrade paths followed to get to BeyondInsight 25.1.
BeyondInsightUsers with User Account Management and Password Safe Role Management are still not able to manage Password Safe roles on Smart Groups from the User Group management area.Permissions check was updated to grant ability to assign Password Safe roles to smart groups with either Password Safe Role Management or Password Safe Policy Management feature access.
BeyondInsightModernize terms throughout.Language updated to replace instances of ‘abort’ with ‘stop’.
BeyondInsight/Password SafeWhen attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied.The issue has been resolved. Connections to Oracle 19 databases are successful.
BeyondInsightIf a Directory Credential has SSL enabled and it is used to sync an AD group, the sync status does not update. However, when using a credential that isn’t SSL enabled, it completes and updates.Group sync status is now reliably updated whether or not the Directory Credential used for the sync has SSL enabled or not.
BeyondInsightSome fields are not populating upon Update in Oracle credential.Resolved. All fields are now populating on update.
BeyondInsightIf a user changes their theme during a session, the theme value is reset when they manually logout.Resolved. Theme remains as is on logout.
BeyondInsightOn edit, if a smart rule contains multiple dedicated account filters, including a Directory Attribute Match filter, some inputs are missing their selected value.Resolved. Filters have all of their inputs filled as they were on creation, and the dropdowns contain the correct options for the filter type.
BeyondInsightTest functionality in SNMP connector gives a permission error.Resolved. Test functionality in SNMP Connector no longer gives permission error.
BeyondInsightUpdating an Attribute Type used in a Smart Rule sometimes results in an unusable smart rule. “Edit Smart Rule” loads an empty smart rule and returns an error.Resolved. No Error. Smart Rule opens with new Attribute type name visible.
BeyondInsightExcessive network traffic observed when testing an Entra ID Directory Credential.Entra ID Directory Credential test logic modified to reduce the amount of network traffic to only the essentials.
BeyondInsightThe last login date on the User Profile and User's details are not updating.Resolved. The last login date now displays correctly in the User Profile and User’s details.

🔧 Secrets Safe

Product AreaDescriptionResolution
Secrets SafeWhen editing a secret with no valid owners (owners without correct permissions), an incorrect/unhelpful warning displays. The invalid owner is not shown in the list.Editing shows the invalid owner so they can be removed. If left selected and Update is clicked, the correct error now displays.
Secrets SafeWhen saving a secret with invalid owners, an error displays.Editing non-owner fields still allows saving. Editing the owner list fails if invalid owners exist. Removing one of several invalid owners allows saving.
Secrets SafeThe PrincipalGrid_FindPagedResults stored procedure performs poorly with large datasets. Fetching All or Unassigned times out. Running in SSMS with All takes 20 minutes.The stored procedure was refactored. All principals now return in seconds.
Secrets SafeThe credentials grid is slow to load with large datasets (e.g., 150,000 credentials and owners).Querying Credential_Owner was optimized.
Secrets Safe"Remove Share" is incorrectly available for origin secrets that haven’t been shared."Remove Share" only shows if the origin has been shared.
Secrets Safe"Remove Share" doesn't appear in the menu until the user refreshes manually.Resolved. It appears immediately without a refresh.
Secrets SafeAudit logs report a user as reading a secret even when blocked by a 403 (due to missing permissions).The system now checks permissions before writing audit logs.
Secrets SafeSelecting "All Secrets" and then secrets in the grid does not show action icons like Delete.Create and Share are hidden, but Delete now appears correctly.
Secrets SafePartially imported passwords display the same error multiple times.Errors are now clearly explained and not duplicated.
Secrets SafeAdded owners sometimes do not display in the UI.Resolved. New owners now always appear immediately.
Secrets SafeInactive groups still show as enabled in the Access Management grid and can be assigned.Resolved. Inactive groups no longer appear active.
Secrets SafeDeleting a parent folder containing a subfolder with shared secrets results in an error.Deletion is now allowed even if subfolders contain shared secrets.
Secrets SafeEditing only the date of expiration also changes the time unexpectedly.Time remains unchanged when only the date is updated.
Secrets SafeUsers with access to a shared safe can't edit secrets if they lack access to the original safe.Resolved. Shared safe access now allows updates to secrets, even if the origin safe is restricted.
Secrets SafeAPI fails to retrieve secrets stored three levels deep in folder structure.Resolved. API can now access secrets from deeply nested folders.
Secrets SafeTemporary access sessions allow continued secret access even after expiration.After access expiration, secrets are no longer viewable. A refresh clears expired content from "All Secrets."
Secrets SafeSorting the Owners grid causes incorrect owners to appear checked.Resolved. Grid sorting no longer changes selection states.
Secrets SafeSecrets can be shared to folders they already belong to, causing duplicates.An error message is now shown if the secret already exists in the destination.
Secrets SafeImporting a malformed CSV file can expose internal error details and call stacks.Improved handling of bad data. Internal errors are no longer exposed.

🔧 Workforce Passwords

Product AreaDescriptionResolution
Workforce PasswordsFresh install of Worforce Passwords Browser Extension from Firefox store is missing the Delete Credential button, until you log out of and log back into the Extension..In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps.

🔧 Reporting

Product AreaDescriptionResolution
ReportingPassword Update Activity Report - shows data even when Smart Group parameter value is a Smart Group with no results.The Smart Group parameter was not working properly with domain accounts and functional accounts. The report now filters appropriately when the Smart Group filter is selected, and only relevant results are displayed.
ReportingThe Password Update Activity Report will not run if the optional Accounts parameter has no value set.Resolved an issue retrieving the Password Update Activity for Functional Accounts, improving the performance and ensuring that the report works with or without data in the Account parameter.
ReportingReviewed Sessions Report PDF format - column pushed to next page.Resolved. Report formatting updated.
Reporting(On Premises only) When the ADOMD Client is missing from the system, the Endpoint Privilege Management Event Rollup report subreports show an error and do not work.Resolved. We now install the required ADOMD Client so that sub-reports can function.
ReportingWhen a user attempts to run the Password Reset-on-Release report the Account Name is a required field, when it shouldn't be required.Resolved. Account Name is now an optional field.

🔧 APIs

Product AreaDescriptionResolution
BeyondInsight APIAppAuditDetails has reached it's identity limit.Changed the AuditDetailsID field from ‘int’ to ‘long’ to accommodate larger IDs. This change impacts the public API.
Secrets Safe APICalling the GET Secrets-Safe/Secrets API with the optional Path query parameter does not properly return secrets which have been granted via group membership.Resolved. Filtering by Path, Secret Name, afterDate, limit and offset, or any combination of all those filters, properly returns data.
BeyondInsight APIPOST UserGroups/{id}/Permissions with SS Permission 111 fails with 400 error: Failed to create team passswords folder.Resolved. Folder creates successfully.

🔧 Pathfinder

Product AreaDescriptionResolution
PathfinderNo error is provided in the UI when attempting to delete a custom Platform Plugin that has an associated Functional Account.Resolved. The UI now warns the user that they cannot delete a custom Platform Plugin with an associated Functional Account.

📝 Requirements

  • Direct upgrades to 25.1.0 are supported from BeyondInsight versions 23.1 or later releases.
  • BeyondInsight 25.1.0 supports SQL Server 2016 SP2 or higher

🗒️ Notes

  • This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
  • The MD5 signature is: a253a8f419777df83cbbc5453b0f4c60
  • The SHA-1 signature is: 951cc0076a2971e6e5474e614f48ed488f698a75
  • The SHA-256 signature is: 69e2dca017e880b344c9623519f29803972af2775345799ffc4a919777a121bd

⏰ Deprecation notices

Licensing Folder Removed

The Licensing folder has been deprecated. Due to folder reorganization, any report saved views, report subscriptions, or subscriptions to saved views relating to the following reports no longer function and must be recreated from the new Usage folder if still required:

  • Workforce Passwords Usage Summary
  • Active Users
Password Safe User Licensing report deprecated

The Password Safe User Licensing report that lived within the Licensing folder has been deprecated. Any report saved views, report subscriptions, or subscriptions to saved views of this report no longer function. Users should consider creating fresh views and subscriptions based on the System Usage Statistics report, which has replaced the Password Safe User Licensing report.

Removing PMUL support in BIPS

In 25.1, we have begun the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.

The first step is to no longer receive and process PMUL and Solr events.

In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.

Support for Outbound TLS 1.3

In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:

  • Client certificates will no longer be supported as an authentication method for API registrations.
  • The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates

The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.


June 3, 2025

🆕 New features

There are no new features with this release.

✨ Enhancements

Enhanced "Reboot Recommended" process (reboot and retry)

When installing a product for a subscription that runs an installer, and the installer requires a pending reboot:

  • Case 1: Auto Reboot is OFF
    • The subscription is not marked as published.
    • The machine does not reboot automatically.
    • The activity log shows: "update deferred (reboot needed)".
    • Once the user manually reboots the machine and it starts back up, it automatically tries to publish the subscription again.
  • Case 2: Auto Reboot is ON
    • The subscription is not marked as published.
    • The machine automatically reboots.
    • The activity log shows: "update deferred (reboot needed)"
    • After the reboot, it automatically tries to publish the subscription again.

Improve user feedback when a reboot is recommended:

  • Added notifications to inform user that reboot is recommended.
  • Added a banner to inform user that reboot is recommended.

Enhanced "Reboot Needed" process

When installing a product for a subscription that runs an installer, and any of the following system settings indicate a reboot is pending:

  • A reboot is required by Windows Update.
  • A reboot is pending from Component-Based Servicing.
  • A system update is scheduled on boot.
  • There are pending file rename operations.

Then:

  • The updater sets a global reboot flag.
  • The Updater UI displays a banner message saying "Reboot recommended".
  • After the machine is rebooted, the global reboot flag is resets the banner disappears.
Prevent installs if reboot requested (including deferred reboots)

The system uses the installer’s recommended reboot exit code as a natural signal to pause.

When the installer returns this code:

  • The updater knows a reboot is required and does not mark the install as complete.
  • The installation automatically retries after the machine is rebooted.
  • If the user clicks "Update Now" before rebooting, the installer may return the same reboot recommended code again, since the reboot still hasn’t occurred.

🛠️ Issues resolved

DescriptionResolution
Exception logs are generated in root c:\ drive without cleanup.Logs are now being stored in the usual Updater log area.
Dependent package versions are not listed in the web interface.Dependent package versions are now listed in the web user interface.
Login page does not display properly in dark mode.Login page changed to identify dark mode.
Package (*.pkg) not delivered by Updater and placed on an Enterprise Updater can cause child nodes to crash.Package files are deleted if they are invalid.
Dark Mode Background colors are incorrect.Dark mode colors fixed.
No feedback given to user if an invalid file is downloaded.An icon shows for invalid files.

📝 Requirements

  • .NET 4.7.2 or later
  • IIS to be enabled on host

June 3, 2025

ℹ️

This release is available by download from the BeyondTrust Client Portal.

🆕 New features

Retry option for RPC service

You can now use Retry to see if your RPC service is running when you're executing a BTDiscovery.cmd client command.

Runtime option in the port scan

Use the new runtime option to allow for additional ports in your port scan.

✨ Enhancements

With this release, we've added the following enhancements to the BeyondTrust Discovery Agent:

  • support for reporting Windows Server 2025
  • multiple SSH channels are enabled (for Posix targets only)
  • improved scanning credential selection by eliminating credentials that don't apply to the target
  • improved performance by moving DCOM Enumeration to the remote agent extension
  • support for Check Point network devices
  • improved scan results by not enumerating Domain Users in groups when the job setting for EnumerateDomainUsers is disabled

🛠️ Issues resolved

DescriptionResolution
Remote command timeout issueResolved by sending the command timeout to the remote agent when starting a new session.
A bug occurs when using SUDO elevation when the "-k" option is not supported.Resolved. Bug no longer occurs.
A parsing bug occurs which causes Linux Scheduled Task enumeration to fail.Resolved. Bug no longer occurs.
Expired password issue when no data found.When no data is found in the password expired value it reports "not expired".
Issue with IPv6 connection strings for Oracle, MongoDB, Terradata, and MySQLResolved. No longer issue with connections strings.
A bug occurs in the handling of MySQL data which results in a failure in event processing.Resolved. Bug no longer occurs.
A bug occurs where the debug log level is not working for the Remote Agent service.Resolved. Bug no longer occurs.
A false positive occurs on SSH and MongoDB credential access which is incorrectly reporting the credential access succeeded.Resolved. False positive no longer occurs.
A condition occurs where a nonexistent MSSQL instance was reported.Resolved. Condition no longer occurs.
A bug occurs when the SSH connection timeout runtime option is not being used, causing early timeouts.Resolved. Early timeouts no longer occur.
A bug occurs where targets are incorrectly identified as DCs.Resolved. Targets are no longer incorrectly identified.

📝 Requirements

  • There is a product dependency on having the .NET 8 Hosting package installed.
  • OAuth authorization is dependent on having BI version 24.2.0.
  • The new Central Policy message to retrieve all scheduled scans is dependent on BI version 24.3.0 and later.
  • A reboot of the system may be required.
  • SSH Session encryption using the SHA1 cipher is deprecated. SHA256 or higher should be used.
  • Deprecate DSA encryption as an SSH authentication cipher.

⚙️ Signatures

  • The MD5 signature is 38b53b4d08f551dc05175921b5233f8d
  • The SHA-1 signature is 1a5fb5bdca31e87e66136b2294a8c79bea8eeb64
  • The SHA256 signature is 31d291cd493d097d0db2c04804407cf77da485025ae8695ef2b9162870cf40f0

⏰ Deprecation notice

Support for Windows 8 and Server 2012 as a scanner host is deprecated.

May 1, 2025

Issues resolved

DescriptionResolution
Remove unnecessary verbiage in https://productupdates.beyondtrust.com/: Click here to view Incapsula's IP addresses that you will need to allow through your firewall.Verbiage removed
While subscriptions are locked, the associate package does not download.Incorrect locking handling removed.
When looking at the Offline tool to create an offline package, BeyondInsight 24.3 is not shown in the list for downloads. Able to be downloaded from Updater.Fixed filtering for the Offline tool.
Changes in the backend caused packages in QA mode to show as Live. SUPI packages that are shown as live are downloadable in Updater.Fixed filtering.
When accessing Client Subscriptions under BeyondInsight, the 24.3 release is not displayed.Incorrect locking handling removed.
BT Updater version 3.4.1.1743 cannot download the locked Appliance Management version unless it is the latest version 4.3.3.Incorrect locking handling removed.

April 30, 2025

Requirements

  • We recommend a restart after this update.

New features and enhancements

  • There are no new features or enhancements.

Issues resolved

  • Resolved an issue where Password Safe Plugins were not adhering to Managed System timeout setting.

Notes

  • Direct upgrades to 24.3.0.1902 are supported from all previous versions.
  • This release bundles version 24.3.0.1576 of the BeyondTrust Discovery Agent. View the Discovery Agent 24.3.0.1576 release notes.
  • .NET hosting bundle v8.0.11 is included.
  • Session Monitoring Agent (pbsmd) 24.3.18 is included.
  • Enhanced Session Monitoring Agent (pbpsmon) 24.3.17 is included.
  • PS Automate build 12239790337 is included.
  • BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
  • The MD5 signature is: 9F5AB94868FA7FDE51F310E39F78B848
  • The SHA-1 signature is: C6CEE92AD30E060B280BE9E9136F11398348A4A7
  • The SHA-256 signature is: E158B7507ABD4F4EED1F9A99B2D89B78A21D8C88C5FE350D5FBA2B98DE483ADE

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.