Added a new setting that lets admins customize how Password Safe works. Now, you can choose to have accounts automatically rotated when a session ends and the integration releases the account.
✨ Enhancements
There is a new (optional) attribute to the OptionalIncludes configuration that gives admins more control. You can now choose how account names are formatted—like UsernameOnly, OriginalName, UPN, or DownLevel—when they’re returned from a specific section in the optional includes.
Updated the default behavior to make it easier to search for External Endpoints using just wildcards. By default, you’ll now get up to 100 results.
🛠️ Issues resolved
Addressed an issue in which accounts may not be retrieved for Web Jump Items that do not have a domain.
This update is available through BT Updater or as a manual installer from the download tool.
Before proceeding with the installation, we strongly recommend a system reboot as certain system dependencies may need to be reset before applying this update.
🆕 New features
Tell your appliance to delete an archived session recording file
You can now tell your appliance to delete an archived session recording file when the session record is deleted.
New BeyondInsight Services for Scan Processing and Purging
We've add two new features to your BeyondInsight Services:
Scan processing & purging services are available in the Monitored Services list.
Logs for new for new services are available on the Log File Export and Appliance Logs page.
✨ Enhancements
UI component upgrades
We've refined our interface with multiple enhancements, including:
Updated tool tip text
Reformatted Config Wizard Signup/Login page
Translation Service - Replace Deprecated Methods with new Methods
Standardized colors
Theme selection now displays on first login
Adjusted positioning of High Availability Step panel
Added cell padding to separate Page Banner from Page Headers/cards
Branded color scheme
Fixed inconsistent spacing on the Diagnostics tools page
Fixed inconsistent card border colors for Dark mode
Replaced top navigation icons/label with new controls
Added Match System Theme option in theme selector
Fixed inconsistent text in the Show Password button
Session Monitoring Archive: Fixed color for the Test Connection message in the Dark mode
Improved performance and memory consumption in the Backup and Restore process
We've improved the memory consumption and handling for backups of large databases in the Backup and Restore process.
🛠️ Issues resolved
Issue
Resolution
EPM Event Collector Service is missing in the log file if there are no files.
Stopped filtering out non-existent log files/directories to display a list of all ‘supported' logs for export/download. As exported/downloaded, non-existent items are skipped.
INSTALLED SOFTWARE - SQLFREE - PMR DB is showing as Unknown Version (SQL shows as Not Installed).
If the database is not present, show as “Not Installed”
Can activate BI Database Access Feature without database connection details via the API.
Deployment Wizard - browser does not resume after reboot.
Deployment Wizard resumes after reboot.
Appliance User Interface licensing page does not handle licensing errors the same as the deployment wizard.
Response codes are handled in a consistent way.
Tool tip text on Deployment user signup page is outdated.
Tool tip text was updated.
CONFIG WIZARD - BIUL - the wizard fails to complete the Features step at the end when BIUL SQL account has a semi-colon.
Semi-colon is not allowed.
Cannot save IPv4 settings without refreshing the page.
Field validation enforced.
configureuser API : Different return codes for "Administrator" and "LocalAdmin" username. Return code should be 422 on both LocalAdmin & Administrator.
Added “LocalAdmin” to the validation of the data structure. Return code is now the same.
CERTIFICATE MANAGEMENT - Upload Certificate is not handling the "bind to IIS" when using a wildcard certificate.
InstallCertToIIS endpoint now expects certificate name in request Body, not in a URL, which allowed a wildcard in a name.
DEPLOYMENT WIZARD - Internet connection - On Proxy Server page (both ConfigWizard and Appliance) UI Validation should fail if Proxy Address includes http or https.
Added validation in the Proxy Address field to fail if invalid proxy address is entered.
DEPLOYMENT - Internet Connection: IPv6 address with and without square brackets should pass UI validation on SMTP Settings and Proxy Server configuration pages
Added validation for IPv6 addresses with and without square brackets to pass UI validation on SMTP Settings and Proxy Server configuration pages.
DEPLOYMENT WIZARD - the ? icon for tooltip text is out of alignment.
Adjusted alignment.
Appliance Software install failed to install Backup Service MSI and triggered a rollback.
Added logic to check if a service was already running.
When making a change in the Features Editor all settings for all features are validated rather than just the feature being changed.
Updated to only validate changed data.
When installing a new build the previous version in add/remove programs is not removed.
The function that removed the config wizard service was modified. The main installer now removes all multiple versions of the appliance software.
Appliance UI: Location is not found for some logs.
Added UX message when location for log is not found.
Session Monitoring files not included in backups when Session Monitoring Archiving feature is disabled.
Backup selected Features, regardless of Feature state.
Appliance UI: If changes for the Local Computer policy Digitally Sign Communications are canceled, the button behavior stays inactive forever until the next hard refresh page.
User interface validation updated.
HA - Can't make backup on Active primary Appliance
Fixed in the performance improvement (Memory handling for backups of large databases was improved)
📝 Requirements
.NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
SUPI 3.3 (available through BT Updater)
🧩 Dependencies
Security Management Appliance Installer is dependent on BeyondInsight 24.1.
Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
⏰ Deprecation notice: Support for BITS for session archiving
With this release, support for BITS for session archiving is removed, and archiving ceases to work with BITS. The Features page will recognize if your system was set to BITS and notifies you that the feature is deprecated.
Dependency management provides visibility into the underlying frameworks that support's a product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:
removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
processes new additions and upgrades.
processes removals without dependent products.
Improved estimated size and time required
The estimated time for an update to run was including packages that would be skipped in the update. The estimated time displayed now more accurately reflects the actual time it will take to run the update.
🛠️ Issues resolved
Description
Resolution
Issue with packages remaining in the Updates folder after applying all updates.
Resolved. Packages no longer remain in updates folder after updates applied.
Issue with run order determined by creation date of the package instead of version.
Resolved. Run order is determined version.
The updater should run only the latest minor version when there is more than one minor version related to a major version.
Resolved. The updater does not skip over minor versions for the same major version.
Issue with BT Updater not displaying the build number in the UI.
Resolved. BT Updater displays the build number in the UI.
Issue with the .Net Upgrade process in an ERROR status in the UI but was upgraded successfully.
Resolved. The .Net Upgrade process is no longer in ERROR status in the UI when upgraded successfully.
Issue with the updater creating duplicate entries for a given combination of packages.
Resolved. The updater no longer creates duplicate entries for a given combination of packages.
Response code 3010 (reboot required) missing.
Resolved. Added response code 3010 (reboot required) after installation.
SUPI command line tool has been deprecated.
Resolved. SUPI command line tool has been removed.
Session Monitoring Agent (pbsmd) 25.1.38 is included.
Enhanced Session Monitoring Agent (pbpsmon) 25.1.38 is included.
PS Automate build 12638027310 is included.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: B24AFAA01C9B6FFAD3A57520EF5364F1
The SHA-1 signature is: 87C8214A63CDA3C0FB410B5D925E9A6DED707B55
The SHA-256 signature is: 13C132BEDC5C040FFEAD25E95410E963B5ABF0437674E0258CFDE9BFD9D7701D
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported platforms.
🛑
On-premises customers using the U-series Appliance with SQL 2019 must install March SQL Server Updates 250301 prior to upgrading to BeyondInsight/Password Safe 25.1.
Customers using SQL Free appliances with a standalone SQL Server 2019 installation must install Cumulative Update Package 32 for SQL Server 2019 - KB5054833 prior to upgrading to BeyondInsight/Password Safe 25.1.
🆕 New features
Introducing the Password Safe mobile app for iOS and Android, available for Password Safe 25.1 users
Great news! The Password Safe mobile app is now available on both the Apple App Store (iOS) and Google Play (Android). With the app, you can easily view, check out/check in, and request credentials—right from your mobile device.
That’s not all - you’ll also have quick access to your Secrets Safe entries and credentials stored in your personal folder, making it easier than ever to stay secure on the go!
iOS Login
ℹ️
The mobile app requires customers to be on version 25.1 or later.
Workforce Passwords for Pathfinder
With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.
Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.
In Password Safe Cloud and on-prem, you’re in control - configure the Mobile app to auto-timeout after a set number of minutes!
Deployable WFP Extension
Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!
Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.
Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.
Accessing secrets in Secrets Safe just got easier! You can now jump straight to a secret’s details using a direct link (URL).
Authenticated users can use the link to go directly to the secret within its designated safe.
The URL includes the secret’s title and sub-folder path, and it’s easy to grab - just copy it from the UI or your browser’s address bar. Provide this link to users who have access for quick, no-hassle navigation right to the info they need!
To enhance security and streamline access, web console login sessions are now limited to one session per user.
And more good news - if you have multiple tabs open in the same browser, you can seamlessly use the same session across all of them. No interruptions, just a smoother, more secure experience!
Performed backend updates to allow for future support of IPv6 addresses
More information will be available in a future release.
Updated Algorithms and Ciphers
Security just got a boost! With Password Safe 25.1, devices now use stronger, modern ciphers to keep your data safer than ever.
We’ve added support for the latest encryption algorithms and are phasing out older, less secure ones to ensure top-tier protection across the board.
API Updates
Secrets Safe API
Added SecretType information in response of GET Secrets-Safe/Secrets/{secretId:guid}.
User can now set a Prior Expiration Date for Safe Permissions with new ExpiresOn field.
Password Safe API
Added RequestorName and RequestorUserID to Get Requests
Added paging support with 2 new optional quire parameters: limit and offset
We've made some great updates to improve clarity and consistency in Secrets Safe:
User names are now displayed as Last Name, First Name in grids, and First Name, Last Name everywhere else, making it easier to quickly find who you're looking for.
For secrets shared from a personal folder, ownership is now locked for added control. You’ll see the owner’s name, but the Manage Ownership option is hidden to keep things tidy.
The Owner dropdown in the Secrets grid now shows all owners at a glance - and yes, you can filter secrets by owner for faster navigation!
Web Policy Editor: Local AD Search in Beyond Insight
Beyond Insight 25.1 brings a powerful new enhancement for Endpoint Privilege Management customers! You can now easily search your connected Local AD environments right from the Web Policy Editor.
Quickly find and add users or groups to Windows Workstyle Filters, Messages > Designated Users, Application Rule Filters, On-Demand Application Rule Filters, and Custom Tokens (for groups) - all in just a few clicks!
Improved Session Replay
Session Replay just got a major upgrade! You can now zoom in on specific areas of a recording, making it easier than ever to see and read details—especially when working with high-resolution displays or multi-monitor setups.
Crystal-clear visibility, right where you need it!
Further improved page responsiveness based on screen resolution.
Pathfinder - Directory attributes disabled
We’ve removed the Directory Attributes Match option from the Dedicated Account smart rule filter in Pathfinder instances. If any Smart Rules are included that filter before upgrading to Pathfinder, you’ll now see empty drop downs when editing that smart rule post-upgrade; affected Smart Rules should be reviewed and edited as needed.
Directory Attribute Match smart rule filter continues to be available for Cloud and On-prem.
📋 Reports
New Usage Folder
A new folder named Usage is now available in Analytics and Reporting. The following reports are included in this folder:
The Workforce Passwords Usage Summary report
The Active Users report
The System Usage Statistics report (new)
New report - Scheduled Tasks Account Usage
Have you ever wondered which accounts used for Scheduled Task management are managed by Password Safe? Now you can see this information for any system that has associated Scheduled Task scan data, just by running the new Scheduled Tasks Account Usage report!
New report - IIS Application Pool Account Usage
Have you ever wondered which IIS Application Pool identity accounts are managed by Password Safe? Now you can see this information for any system that has associated IIS Application Pool scan data, just by running the new IIS Application Pool Account Usage report!
New report - System Usage Statistics
The new System Usage Statistics report gives you a clear snapshot of overall system usage - tracking unique logins over your selected time period and providing key insights into the number of Managed Systems and Managed Accounts available at the time of the report.
Database Platforms Added to Database User List Report
Prior to 25.1, only Oracle, MS SQL, and MySQL were included. We now include all database platforms present in Password Safe.
Improved Initial Load Time of Reports Home Page
We’ve improved load times on the Analytics & Reporting home page.
🛠️ Issues resolved
🔧 Password Safe
Product Area
Description
Resolution
Password Safe
Managed Systems and Managed Accounts can be deleted when there are open sessions.
Resolved. If sessions are open, managed systems and accounts cannot be deleted.
Password Rotation
When attempting to rotate managed accounts on decommissioned systems, the attempt will time out eventually, but it is not respecting the Managed System timeout setting, which can cause bloat in the queue table and may cause delays of other password changes.
Timeout values are honored now by all Password Safe platforms supported by Password Safe plugins.
Password Safe Cloud
Parsing issue of malformed keystroke JSON caused a memory leak. PWS Cloud 24.3.0 W3WP.exe Alert 'Memory gates checking failed because the free memory' was fired.
Resolved memory leak and improved response time under invalid or high volumes of keystroke input.
BeyondInsight/Password Safe
When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied.
The issue has been resolved. Connections to Oracle 19 databases are successful.
Password Safe Sessions
When reviewing sessions, scrolling in the keystrokes list can cause the list to jump to a previous point.
Resolved. The scroll window no longer jumps back in time.
Password Safe
Unable to edit Name field on the Create Managed Account form when accessing from Managed System → Advanced Details → Managed Accounts after moving focus away and then back to the Name field.
Resolved. Text box remains editable.
Password Safe Sessions
RDP sessions do not record keystrokes when sessions are created from a Windows 11 vm to a Windows 11 vm
Resolved. Keystrokes are now recorded.
🔧 BeyondInsight
Product Area
Description
Resolution
BeyondInsight
When 24.1.0.1398 is upgraded to 24.3, the EventCollector directory is missing Microsoft.Data.SqlClient.dll leading to failures activating new OAuth clients.
Ensured that new Endpoint Privilege Management clients can be activated for OAuth regardless of the upgrade paths followed to get to BeyondInsight 25.1.
BeyondInsight
Users with User Account Management and Password Safe Role Management are still not able to manage Password Safe roles on Smart Groups from the User Group management area.
Permissions check was updated to grant ability to assign Password Safe roles to smart groups with either Password Safe Role Management or Password Safe Policy Management feature access.
BeyondInsight
Modernize terms throughout.
Language updated to replace instances of ‘abort’ with ‘stop’.
BeyondInsight/Password Safe
When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied.
The issue has been resolved. Connections to Oracle 19 databases are successful.
BeyondInsight
If a Directory Credential has SSL enabled and it is used to sync an AD group, the sync status does not update. However, when using a credential that isn’t SSL enabled, it completes and updates.
Group sync status is now reliably updated whether or not the Directory Credential used for the sync has SSL enabled or not.
BeyondInsight
Some fields are not populating upon Update in Oracle credential.
Resolved. All fields are now populating on update.
BeyondInsight
If a user changes their theme during a session, the theme value is reset when they manually logout.
Resolved. Theme remains as is on logout.
BeyondInsight
On edit, if a smart rule contains multiple dedicated account filters, including a Directory Attribute Match filter, some inputs are missing their selected value.
Resolved. Filters have all of their inputs filled as they were on creation, and the dropdowns contain the correct options for the filter type.
BeyondInsight
Test functionality in SNMP connector gives a permission error.
Resolved. Test functionality in SNMP Connector no longer gives permission error.
BeyondInsight
Updating an Attribute Type used in a Smart Rule sometimes results in an unusable smart rule. “Edit Smart Rule” loads an empty smart rule and returns an error.
Resolved. No Error. Smart Rule opens with new Attribute type name visible.
BeyondInsight
Excessive network traffic observed when testing an Entra ID Directory Credential.
Entra ID Directory Credential test logic modified to reduce the amount of network traffic to only the essentials.
BeyondInsight
The last login date on the User Profile and User's details are not updating.
Resolved. The last login date now displays correctly in the User Profile and User’s details.
🔧 Secrets Safe
Product Area
Description
Resolution
Secrets Safe
When editing a secret with no valid owners (owners without correct permissions), an incorrect/unhelpful warning displays. The invalid owner is not shown in the list.
Editing shows the invalid owner so they can be removed. If left selected and Update is clicked, the correct error now displays.
Secrets Safe
When saving a secret with invalid owners, an error displays.
Editing non-owner fields still allows saving. Editing the owner list fails if invalid owners exist. Removing one of several invalid owners allows saving.
Secrets Safe
The PrincipalGrid_FindPagedResults stored procedure performs poorly with large datasets. Fetching All or Unassigned times out. Running in SSMS with All takes 20 minutes.
The stored procedure was refactored. All principals now return in seconds.
Secrets Safe
The credentials grid is slow to load with large datasets (e.g., 150,000 credentials and owners).
Querying Credential_Owner was optimized.
Secrets Safe
"Remove Share" is incorrectly available for origin secrets that haven’t been shared.
"Remove Share" only shows if the origin has been shared.
Secrets Safe
"Remove Share" doesn't appear in the menu until the user refreshes manually.
Resolved. It appears immediately without a refresh.
Secrets Safe
Audit logs report a user as reading a secret even when blocked by a 403 (due to missing permissions).
The system now checks permissions before writing audit logs.
Secrets Safe
Selecting "All Secrets" and then secrets in the grid does not show action icons like Delete.
Create and Share are hidden, but Delete now appears correctly.
Secrets Safe
Partially imported passwords display the same error multiple times.
Errors are now clearly explained and not duplicated.
Secrets Safe
Added owners sometimes do not display in the UI.
Resolved. New owners now always appear immediately.
Secrets Safe
Inactive groups still show as enabled in the Access Management grid and can be assigned.
Resolved. Inactive groups no longer appear active.
Secrets Safe
Deleting a parent folder containing a subfolder with shared secrets results in an error.
Deletion is now allowed even if subfolders contain shared secrets.
Secrets Safe
Editing only the date of expiration also changes the time unexpectedly.
Time remains unchanged when only the date is updated.
Secrets Safe
Users with access to a shared safe can't edit secrets if they lack access to the original safe.
Resolved. Shared safe access now allows updates to secrets, even if the origin safe is restricted.
Secrets Safe
API fails to retrieve secrets stored three levels deep in folder structure.
Resolved. API can now access secrets from deeply nested folders.
Secrets Safe
Temporary access sessions allow continued secret access even after expiration.
After access expiration, secrets are no longer viewable. A refresh clears expired content from "All Secrets."
Secrets Safe
Sorting the Owners grid causes incorrect owners to appear checked.
Resolved. Grid sorting no longer changes selection states.
Secrets Safe
Secrets can be shared to folders they already belong to, causing duplicates.
An error message is now shown if the secret already exists in the destination.
Secrets Safe
Importing a malformed CSV file can expose internal error details and call stacks.
Improved handling of bad data. Internal errors are no longer exposed.
🔧 Workforce Passwords
Product Area
Description
Resolution
Workforce Passwords
Fresh install of Worforce Passwords Browser Extension from Firefox store is missing the Delete Credential button, until you log out of and log back into the Extension..
In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps.
🔧 Reporting
Product Area
Description
Resolution
Reporting
Password Update Activity Report - shows data even when Smart Group parameter value is a Smart Group with no results.
The Smart Group parameter was not working properly with domain accounts and functional accounts. The report now filters appropriately when the Smart Group filter is selected, and only relevant results are displayed.
Reporting
The Password Update Activity Report will not run if the optional Accounts parameter has no value set.
Resolved an issue retrieving the Password Update Activity for Functional Accounts, improving the performance and ensuring that the report works with or without data in the Account parameter.
Reporting
Reviewed Sessions Report PDF format - column pushed to next page.
Resolved. Report formatting updated.
Reporting
(On Premises only) When the ADOMD Client is missing from the system, the Endpoint Privilege Management Event Rollup report subreports show an error and do not work.
Resolved. We now install the required ADOMD Client so that sub-reports can function.
Reporting
When a user attempts to run the Password Reset-on-Release report the Account Name is a required field, when it shouldn't be required.
Resolved. Account Name is now an optional field.
🔧 APIs
Product Area
Description
Resolution
BeyondInsight API
AppAuditDetails has reached it's identity limit.
Changed the AuditDetailsID field from ‘int’ to ‘long’ to accommodate larger IDs. This change impacts the public API.
Secrets Safe API
Calling the GET Secrets-Safe/Secrets API with the optional Path query parameter does not properly return secrets which have been granted via group membership.
Resolved. Filtering by Path, Secret Name, afterDate, limit and offset, or any combination of all those filters, properly returns data.
BeyondInsight API
POST UserGroups/{id}/Permissions with SS Permission 111 fails with 400 error: Failed to create team passswords folder.
Resolved. Folder creates successfully.
🔧 Pathfinder
Product Area
Description
Resolution
Pathfinder
No error is provided in the UI when attempting to delete a custom Platform Plugin that has an associated Functional Account.
Resolved. The UI now warns the user that they cannot delete a custom Platform Plugin with an associated Functional Account.
📝 Requirements
Direct upgrades to 25.1.0 are supported from BeyondInsight versions 23.1 or later releases.
BeyondInsight 25.1.0 supports SQL Server 2016 SP2 or higher
The MD5 signature is: a253a8f419777df83cbbc5453b0f4c60
The SHA-1 signature is: 951cc0076a2971e6e5474e614f48ed488f698a75
The SHA-256 signature is: 69e2dca017e880b344c9623519f29803972af2775345799ffc4a919777a121bd
⏰ Deprecation notices
Licensing Folder Removed
The Licensing folder has been deprecated. Due to folder reorganization, any report saved views, report subscriptions, or subscriptions to saved views relating to the following reports no longer function and must be recreated from the new Usage folder if still required:
Workforce Passwords Usage Summary
Active Users
Password Safe User Licensing report deprecated
The Password Safe User Licensing report that lived within the Licensing folder has been deprecated. Any report saved views, report subscriptions, or subscriptions to saved views of this report no longer function. Users should consider creating fresh views and subscriptions based on the System Usage Statistics report, which has replaced the Password Safe User Licensing report.
Removing PMUL support in BIPS
In 25.1, we have begun the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.
The first step is to no longer receive and process PMUL and Solr events.
In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.
Support for Outbound TLS 1.3
In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:
Client certificates will no longer be supported as an authentication method for API registrations.
The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates
The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.
With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.
Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.
Deployable WFP Extension
Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!
Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.
Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.
Fresh install of Worforce Passwords Browser Extension from Firefox store is missing the Delete Credential button, until you log out of and log back into the Extension..
In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps.
📝 Requirements
Requires BeyondTrust Password Safe version 23.2.0 or later release.
Enhanced "Reboot Recommended" process (reboot and retry)
When installing a product for a subscription that runs an installer, and the installer requires a pending reboot:
Case 1: Auto Reboot is OFF
The subscription is not marked as published.
The machine does not reboot automatically.
The activity log shows: "update deferred (reboot needed)".
Once the user manually reboots the machine and it starts back up, it automatically tries to publish the subscription again.
Case 2: Auto Reboot is ON
The subscription is not marked as published.
The machine automatically reboots.
The activity log shows: "update deferred (reboot needed)"
After the reboot, it automatically tries to publish the subscription again.
Improve user feedback when a reboot is recommended:
Added notifications to inform user that reboot is recommended.
Added a banner to inform user that reboot is recommended.
Enhanced "Reboot Needed" process
When installing a product for a subscription that runs an installer, and any of the following system settings indicate a reboot is pending:
A reboot is required by Windows Update.
A reboot is pending from Component-Based Servicing.
A system update is scheduled on boot.
There are pending file rename operations.
Then:
The updater sets a global reboot flag.
The Updater UI displays a banner message saying "Reboot recommended".
After the machine is rebooted, the global reboot flag is resets the banner disappears.
Prevent installs if reboot requested (including deferred reboots)
The system uses the installer’s recommended reboot exit code as a natural signal to pause.
When the installer returns this code:
The updater knows a reboot is required and does not mark the install as complete.
The installation automatically retries after the machine is rebooted.
If the user clicks "Update Now" before rebooting, the installer may return the same reboot recommended code again, since the reboot still hasn’t occurred.
🛠️ Issues resolved
Description
Resolution
Exception logs are generated in root c:\ drive without cleanup.
Logs are now being stored in the usual Updater log area.
Dependent package versions are not listed in the web interface.
Dependent package versions are now listed in the web user interface.
Login page does not display properly in dark mode.
Login page changed to identify dark mode.
Package (*.pkg) not delivered by Updater and placed on an Enterprise Updater can cause child nodes to crash.
Package files are deleted if they are invalid.
Dark Mode Background colors are incorrect.
Dark mode colors fixed.
No feedback given to user if an invalid file is downloaded.
