24.2.0 release notes (Sept 3, 2024)

Note

For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.

Supported Platforms for previous versions of BeyondInsight and Password Safe can be found in the BeyondInsight, Password Safe, and U-Series Appliance Documentation Archive.

New features

Increased security with Passwordless FIDO2 Authentication

Password Safe now supports Passwordless FIDO2 authentication, which allows local BeyondInsight users to authenticate more securely using a security key or a biometric method, such as a fingerprint or face recognition.

Enable the Passwordless FIDO2 Authentication option from the Configuration > Authentication Management > Authentication Options page in BeyondInsight.

Once enabled for your instance, users can then configure FIDO2-certified authenticators for their account. Administrators can also see/remove any authenticators that a user may have configured.

Automatically synchronize Microsoft Entra ID groups on a scheduled basis

Microsoft Entra ID group membership no longer requires manual synchronization for individual groups. Users can now enable global group synchronization and schedule it to occur automatically on a daily, weekly, or monthly basis.

Enable and schedule group synchronization from the Configuration > Role Based Access > Microsoft Entra ID Group Synchronization page.

Automate the onboarding of AWS Credentials

Administrators can now create a Smart Rule to discover and onboard AWS IAM users into Password Safe for credential management, without the need to perform a discovery scan.

Create a Managed Account Smart Rule with the new Amazon IAM Query condition for the selected Amazon Cloud Managed System, set to re-run every X hours, and assign the Manage Account Settings action.

Synchronize K8s secrets and Password Safe secrets

The Kubernetes External Secrets Operator (ESO) now includes a Password Safe extension to retrieve secrets managed by Password Safe and synchronize them into K8s secrets. This ensures applications can continue to leverage K8s secrets without changing their applications or workflows.

New reports

Custom Attributes

A new report that lists assets and their custom attributes was added to the Assets folder for both on-premises and cloud.

Database User List

The Database User List is now available in the Account folder in Password Safe Cloud. It was previously only available in on-premises installs.

Enhancements

Increased security for SAML authentication

Password Safe now has a Force Re-authentication option when configuring a SAML identity provider in BeyondInsight. Enabling this option requires users to re-authenticate with the identity provider for each BeyondInsight session, even if they already have a valid session.

Enable the Force Re-authentication option for the identity provider from the Configuration > Authentication Management > SAML Configuration page.

Increased security for Discovery Agents

Discovery Agents can now be configured to use OAuth authentication for communications with BeyondInsight by leveraging the existing Installer Activation Keys feature.

Configure a key from the Configuration > Authentication Management > Installer Activation Keys page for use when setting up Discovery Agents with OAuth authentication.

Improved UI accessibility

Accessibility improvements were made in many areas of the BeyondInsight and Password Safe UI:

  • Improved page responsiveness based on screen resolution
  • Appropriate screen reader cues added to input fields, drop-downs, and grids:
    • Input fields can now indicate their invalid state or error messages to screen readers via ARIA tags.
    • Searchable input fields and drop-downs now announce the number of results available and announce every time the number of results changes.
    • Areas in grids that have the focus are now announced.
  • Improved Session Replay Viewer progress bar to support keyboard interactions and added ARIA properties.

Report updates

Run reports for exact dates and date ranges

On-premises users can now quickly determine what actions were performed during specific time periods by running reports for exact dates and ranges.

More auditing information in the Password Release Activity report

The Password Release Activity report now includes the reason for the password release. The reason, ticket number, ticket system, and approver are now included when SIEM events are forwarded.

GET Users API now supports inactive users

The Password Safe GET Users API now has the ability to return users that are flagged as inactive. Releases prior to 24.2.0 only supported returning active users.

Encrypt secrets with an external hardware security module (HSM)

Password Safe now supports encryption of the Secrets Safe vault using an external HSM configuration. This builds on existing support for HSM encryption of the Password Safe vault and system credentials.

Remove dependency on IUser_REM account

The on-premises BeyondTrust Discovery Agent can now be configured to communicate via certificate or OAuth authentication, as is done in Password Safe Cloud. If set up this way, the BeyondTrust Discovery Agent does not require the account, and it can be removed.

Password complexity, use and lifetime restrictions

Changed local user default password policy minimum length from 14 characters to 16 characters. Upon upgrade, this change takes effect only when the policy is edited.

Last login information message to users

Password Safe now displays the user's last login in the Profile and Preferences box.

Customizable SQL Server Port

The SQL Server Port is now customizable on various configuration pages.

Better insights with X-Forwarded-For IP

The X-Forwarded-For header ensures the source client IP address is included in User Audit details for both API and web console interactions.

Removed deprecated TeamPasswords PAPI endpoints

Legacy TeamPasswords public API endpoints have been removed:

  • POST TeamPasswords/Folders
  • GET TeamPasswords/Folders
  • PUT TeamPasswords/Folders/{folderId}
  • DELETE TeamPasswords/Folders/{folderId}
  • GET TeamPasswords/Folders/{folderId}
  • POST TeamPasswords/Folders/{folderId}/Credentials
  • PUT TeamPasswords/Credentials/{id}
  • GET TeamPasswords/Credentials/
  • DELETE TeamPasswords/Credentials/{id}
  • GET TeamPasswords/Credentials/{id}
  • GET TeamPasswords/Folders/{folderId}/Credentials

Terminate and cancel session option in Active Sessions

Password Safe Portal users with appropriate permissions can terminate an active or locked session and cancel the related request.

Support storing SSH host keys in PEM files

You can now store the ssh-dss, ssh-rsa, ssh-ed25519 and ecdsa-sha2-nistp256/384/521 host keys in PEM files identified by registry values. This can be useful to ensure that a cluster of nodes behind a load balancer all share the same SSH host keys.

.NET 8 runtime version

BeyondInsight and Password Safe Cloud's resource broker is now deployed with the .NET 8.0.8 hosting bundle.

Dedicated Account Smart Rule improvements

Dedicated Account Smart Rules now allow:

  • Actions
    • Set attributes on each account
  • Filters
    • Managed System Smart Group (new filter)
    • Assigned Attributes
    • Platforms

Quickly see "Disabled at Rest" status

A new column has been added to show if Managed Accounts are enabled for the "Disabled at Rest" mode.

Refreshed UI and improved UX

In the Analytics and Reporting > Report Subscription wizard and the Configuration > Analytics and Reporting > Configuration wizard, the user interface and user experience have been reviewed for consistency and correct layout.

Filter approvals by request ID

The Approvals grid can now be filtered using the Request ID column.

Easier selection of Password Safe node, directory, and resolution filters

Filters are now multi-selectable drop-downs and are pre-populated with all available nodes, a number of standard RDP resolutions, and available directories.

View authentication status at a glance

Administrators can now use the Agents grid to see which Endpoint Privilege Management endpoint agents are using OAuth and which are still using certificate-based authentication.

Issues resolved

| Product Area | Description | Resolution |
|---|---|---|
| Secrets Safe page of the BeyondInsight Console | Screen readers would show some unexpected behavior. | Resolved some accessibility issues involving screen readers. |
| Secrets Safe page of the BeyondInsight Console | When creating a new folder, focus was lost from the Secrets Safe page when the user clicked Create folder or Discard. | Focus now returns to the appropriate button when a folder is created or discarded. |
| Internal Smart Rules processing logic | A database stored procedure that affects bulk attribute updates was causing deadlocks. | The stored procedure was updated to avoid deadlocks. |
| Custom Platforms page of the BeyondInsight Console | When checking the password of a custom platform, the first step of ELEVATIONCOMMAND was sometimes causing the attempt to time out. | The first step has been changed to a LANG=en_US; whoami response for the AIX, HP-UX, Linux, Mac and Solaris custom platforms. |
| Submit request tab | If the max concurrent request for a managed account was set to 1, users could still request and retrieve the account’s password, even if another request was still valid and displayed as unavailable. | A message now states that the max concurrent requests has been reached. |
| Workforce Passwords Browser Extension | When a website has two or more credentials saved, the username and password had to be populated individually. | When a credential is selected, both the username and password populate together. |
| User Audits page of the BeyondInsight Console | In the Audits grid, a failed Direct Connect login attempt was not showing the username. | The Audits grid now shows the username that attempted to log in. |
| Connectors page of the BeyondInsight Console | When running a scan for Google Cloud, Middle East regions were not listed and could not be queried for scan targets. | All regions are now available. |
| Managed Accounts page of the BeyondInsight Console | Editing a managed account without changing the next scheduled change date was saving an incorrect date to the database. | Dates are now being saved correctly. |
| BeyondInsight API | Entra ID users who were members of more than 100 groups could not log in via the API. | Users are now able to log in and their groups are enumerated successfully. |
| User Management page in the BeyondInsight Console | When editing an Active Directory user, credentials were a required field and would display an error if not filled out. Selecting a credential would allow the user to save, but opening the field again showed that the value was not saved. | The credential field is no longer treated as a required field for the editing of a user. User details now save correctly. |
| Secrets Safe page of the BeyondInsight Console | When assigning ownership to a group or members of a group, the user could navigate away from the page without a Save/Discard prompt and lose changes. | The user is now prompted to continue editing or discard changes when navigating away. |
| Secrets Safe page of the BeyondInsight Console | A secret could be saved without any owners. | If a user attempts to save a secret without an owner, an error appears and the secret cannot be saved until an owner is assigned. |
| Workforce Passwords | Workforce Passwords was failing to import passwords from a CSV if the password contained a comma. Additionally, if an exported password contained a quote, Workforce Passwords would import the password with the escape characters that LastPass added to the CSV. | Passwords are now imported correctly. |
| BeyondInsight API | A SCIM PATCH request could not handle a path with a sub attribute after the filter, returning a 500 error. | The attribute is now correctly changed on the given object. |
| Users page of the BeyondInsight Console, extension login | Error messages for attempted login without access were always in English, even if the user was using a different language. | The error message is now translated. |
| Managed Accounts page of the BeyondInsight Console | After editing a synced managed account, the description became NULL. | The description is now retained when a synced managed account is edited. |
| Secrets Safe page of the BeyondInsight Console | Users who owned all secrets within a folder received an incorrect error message: “The folder cannot be deleted. You do not own all the secrets” when attempting to delete a folder. | Users now receive an accurate error message indicating that all secrets need to be deleted before the folder can be deleted. |
| Internal group synchronization logic | Syncing an AD Group after removing a user also removed that user from all their groups, not just the group being synced. | The user will now only be removed from the currently syncing AD Group during synchronization. |
| Smart Rules page of the BeyondInsight Console | There is an option to clear existing mappings when creating a Smart Rule to apply propagation mappings via an action. If users switched mapping from Smart Rule to scan data or vice versa, the previous mappings were not cleared correctly. This resulted in mappings for both scan data and discovery on a Smart Rule. | When the clear option is enabled, all previous mappings are now cleared. |
| Internal logic | When checking if a hostname had a valid DNS entry, the comparison was case-sensitive. Also, there was no debug logging on a failed DNS lookup. | DNS comparison is now case-insensitive, and debug logging has been added to improve troubleshooting. |
| Workforce Passwords Browser Extension | When the URL field on a Secrets Safe secret has a trailing space, the Workforce Passwords Browser Extension displayed an error when that Secret was used. | Trailing spaces in URLs on Secrets no longer cause errors with Workforce Passwords Browser Extension. |
| Secrets Safe Entitlement Report | When exporting a PDF or TIFF Software Entitlement Report, each page of the report would also generate a second blank page. The first entry into Secrets Safe would not show in the report, but subsequent entries appeared. | Reports now generate with all data and without extra pages. |
| Configuration page of the BeyondInsight Console | SHA1 was available as a signature method option, but support was recently removed for this option. | Due to weaknesses in SHA1 and removal of support for it in various third-party libraries, we have removed it as a signature method option. |
| Smart Rules page of the BeyondInsight Console | If a child Smart Rule was a Managed Account quick group, processing any Smart Rules with the child could fail with an error referencing the DisabledAtRest column. | Smart Rule processing now runs without error. |
| Smart Rule internal processing | Some timeout errors may occur during onboarding Smart Rules processing. | Performance improvements were made to some queries that are executed during Smart Rule internal processing. This helps avoid timeout processing. |
| Secrets Safe page of the BeyondInsight Console | Insufficient validation checks in the Import Secrets API. | An authorization check now ensures the calling user has sufficient access to the target folder when using the Import Secrets API. |
| SCIM API | A long wait time occurred when a large number of results were returned when attempting to access /scim/v2/Users or /scim/v2/Groups via the SCIM API. | All results are returned as expected at a much faster speed. |
| SCIM API | An attempt to query more than one attribute for a SCIM endpoint was not supported. | The SCIM API now supports multiple attributes in a query. |
| User Management page of the BeyondInsight Console | The username field in the database was too short to handle Azure User Principal Names (UPNs), causing them to be truncated. | The username field size has been increased to accommodate Azure User Principal Names (UPNs). |
| Public API | Certain API calls were taking longer than expected. This was because a cache accessed by the API was reloading its entries after about ten minutes. | The cache was adjusted so that it no longer requires a reload after the first hit. |
| Internal logic | PBSMD SSH fingerprints were not unique across multiple U-Series Appliances in a user’s environment. | Internal logic has been updated to ensure that PBSMD receives unique SSH fingerprints across multiple U-Series Appliances in an environment. |
| Asset page of the BeyondInsight Console | The Users grid would fail to load when the last logon date contained certain non-English date formatting. | The Asset > Asset Advanced Details > Users grid now loads appropriately even if the last logon date contains non-English date formatting. |
| Internal logic | When the Graph API would throw ODataError exceptions, not much information was provided about what the specific error was. | More details are now captured in the log. |
| Start menu shortcuts for BeyondInsight Configuration and BeyondInsight Console | Shortcuts were displayed in the eEye Digital Security folder instead of the BeyondTrust folder. | Removed eEye Digital Security folder from Start menu. Shortcuts now display in the BeyondTrust folder. |
| Proxy Settings page of the BeyondInsight Console | Error messages when retrieving Entra ID groups for EPM clients did not include helpful information. | More details are now captured in the log. |
| Installer Activation Keys page of the BeyondInsight Console | The Cloud installation command, BeyondInsight URL, and endpoint were incorrect when viewing system generated key details. | The installation command, BeyondInsight URL, and endpoint have been corrected for Cloud. |
| User Management page of the BeyondInsight Console | When large AD groups were added or synced, the stored procedure that updates external attributes caused blocking in the database. | The stored procedure has been modified to prevent blocks. |
| Password Update Activity page of the BeyondInsight Console | The Password Update Activity report was missing the Asset column for Functional Accounts. | The report now has an Asset column in the Functional Account table. |
| BeyondInsight Console | Customized logos were not appearing in the web console. | Updated how custom logos are handled so that existing instructions on replacing these will continue to work. Custom logos may still need to be replaced after product upgrades. |
| SCIM API | Updating a group via the SCIM API would cause unexpected settings changes. | Only the attributes that were changed in the request are now changed. |
| Password Safe Sessions | Password Safe was unable to validate system fields from a ServiceNow ticket. | If a user does not have access to a particular managed system, the ServiceNow ticket validator fails and the user is denied access. |
| BeyondInsight internal communication | Identity Service would not update the client ID when creating a client. | The client ID is now updated so that the two client IDs match. |
| User login (Active Directory) | Active Directory users were unable to log in to BeyondInsight after being renamed in Active Directory. | The logic in the login process has been updated to handle this scenario correctly. Renamed AD users can log in without requiring a group sync to occur first. |
| Smart Rule Processing | When deploying Endpoint Privilege Management Policy, the Smart Rule failed to process in some environments. | Performance has improved when processing Smart Rules that include the deploy Endpoint Privilege Management Policy action. |
| Password Safe Sessions | When selecting “User ID Mapping : UPN format” in a ServiceNow connector, an error was returned stating “Logged in user ID is null or empty”. | The UserPrincipalName (UPN) can now validate ServiceNow tickets for Entra ID users. |
| User Management page of the BeyondInsight Console | Details sometimes did not switch when editing a different Password Safe role for a mapped smart group. | Switching between roles now correctly switches the details. |
| API Registrations page of the BeyondInsight Console | Changes to API registrations were not being audited. | User Audits now appropriately shows changes. |
| BeyondInsight Password Services | Password Services could crash after attempting multiple “keyboard-interactive” mode connections via SSH if the initial connection attempt was only partially successful. | The service has been updated to limit the number of “keyboard-interactive” attempts made. |
| BeyondInsight API | Any failed API authentication would send an email to the administrator email account. | This has been deprecated, and emails for failed API authentications are no longer sent. |
| Access Policies page of the BeyondInsight Console | If an admin created an access policy not attached to a requestor group, and then a requestor with a different access policy created and actioned a request, admins were unable to delete the new access policy. | The dependency check logic around access policy deletion is improved. Admins can now delete new access policies in this scenario. |
| BeyondInsight Configuration > Secure Remote Access > Connect to Secure Remote Access area | Missing validation and empty default values could lead to errors in the log files if these values were saved by the user. | The field validation and default port value were updated on this form. |
| Internal logic | Insufficient validation was used on LDAP query creation. | Enhanced validation for directory queries to mitigate the creation of invalid LDAP queries. |
| Smart Rules | The ordering of actions displayed in a Smart Rule when editing was not consistent between creation and editing. | The Smart Rule actions are now sorted consistently regardless of whether the Smart Rule is being created or edited. |
| Sessions grid | On the Sessions grid in the Password Safe portal, the column picker contained a duplicate “Status” column entry. | The duplicate “Status” column has been removed. |
| BeyondInsight Configuration > IP Allow List | When configuring an IP Allow List rule with an IP range, there was no validation to prevent a user from entering a “From IP Address” value which was higher than the “To IP Address” value. Attempting to save a rule with this misconfiguration would display a generic error message. | The IP address range is now validated in the input form, with informative messaging if the data is not valid. |
| Password Safe | If a ticket was supplied when creating a request and ticket validation failed, only a generic validation error was shown, which may have been insufficient to troubleshoot the error. | Additional error messaging is now shown in the details of the error message that occurs in this scenario. |
| Workforce Passwords Browser Extension | If a Workforce Passwords extension was in use while the Password Safe instance was upgraded, new features did not always appear right away. | The Workforce Passwords Browser Extension now shows new features right away when the Password Safe instance is upgraded, even if the extension is in use. |

Known issues

| Product Area | Description | Workaround |
|---|---|---|
| Managed Account Smart Rules | Managed Account Smart Rules that contain a Link domain accounts to Managed Systems action that target an Asset-type Smart group will fail processing, and the logs display a Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements error. | Contact BeyondTrust Support for a hot fix. This issue will be resolved in an upcoming maintenance release. |
| Analytics and Reporting interface | Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive. | Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation. |
| Analytics and Reporting interface | Using Chrome, clicking the browser back button while viewing a sub-report actually takes the user back to the list of reports. | Use the back button within the report viewer for proper navigation. You may need to re-run the report if you’ve ended up back at the report list. |
| Analytics and Reporting interface | For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the “Send subscription by email” option is not available. | Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings. |
| Analytics and Reporting interface | For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive. | Ensure that the email addresses used in the To field are a total length less than 2,000 characters. |
| Purging Options: Database Index Maintenance page of the BeyondInsight Console | The Database Index Maintenance job will not run in an environment configured with a low privilege SQL user. | Configure the database connection to use a privileged account. |
| BeyondInsight Console | If a user allows their BeyondInsight session to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect. | Avoid letting the session time out, or update your preferences after logging in. |
| Web Policy Editor | When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use. | Stop the WebPolicyEditor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and then restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes. |
| Secrets Safe | There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets depending on if the user is an administrator or not; an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets. | As a non-admin, to delete a subfolder, first delete the secrets within the subfolder, then delete the subfolder. |
| Password Safe | vSphere Managed Account password changes may occasionally fail with a “passwords do not match” error. | Initiate another password change. |
| Password Safe Propagation Actions | When performing propagation actions for a domain account (i.e., domain\svc_acc1) and there exists a local account with the same name (i.e., svc_acc1) found on the system in the same propagation target, the local account propagation may also be incorrectly updated. | Use accounts of different names for domain vs. local. |
| Password Safe Application Sessions | Launching remote applications with ps_automate will fail with Chrome/Edge v128. | Use Chrome/Edge v127, or use Firefox, or a hotfix is available. |
| BeyondInsight Console - Activation Keys for Discovery Agent Installer Type | PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events. | Command prompt should be used for this. |

Notes

  • Direct upgrades to 24.2.0 are supported from BeyondInsight versions 22.2.3 or later releases.
  • BeyondInsight 24.2.0 supports SQL Server 2016 SP2 or higher.
  • This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
  • The MD5 signature is: aa5c3665679bb8b91ba179029a0711f2
  • The SHA-256 signature is: b32e3703a8cad701fe6487e611c278edfcf27ffb026baa0142777b5d71d8ff73
  • The ECM Plugin for Password Safe has been updated to version 24.1.3.

Deprecation notices

Team Passwords Public API Endpoints have been deprecated and are no longer present in the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.
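
A pre-upgrade check for callers that still use the removed TeamPasswords endpoints, as an added example that is not BeyondTrust code: it matches request lines from an API access log against the removed method and path templates listed in these notes. The log layout (date, time, client, method, path, status), the /EXAMPLE-BASE/ prefix and every sample value are constructed assumptions.

```python
import re
from collections import Counter

# Removed endpoints, copied from the list in the 24.2.0 release notes.
REMOVED = [
    ("POST", "TeamPasswords/Folders"),
    ("GET", "TeamPasswords/Folders"),
    ("PUT", "TeamPasswords/Folders/{folderId}"),
    ("DELETE", "TeamPasswords/Folders/{folderId}"),
    ("GET", "TeamPasswords/Folders/{folderId}"),
    ("POST", "TeamPasswords/Folders/{folderId}/Credentials"),
    ("PUT", "TeamPasswords/Credentials/{id}"),
    ("GET", "TeamPasswords/Credentials/"),
    ("DELETE", "TeamPasswords/Credentials/{id}"),
    ("GET", "TeamPasswords/Credentials/{id}"),
    ("GET", "TeamPasswords/Folders/{folderId}/Credentials"),
]

SEGMENT = r"[^/?#\s]+"  # one path segment standing in for {folderId} or {id}


def _compile(template):
    """Build a suffix regex for one path template, ignoring the API base path."""
    literals = re.split(r"\{[^}]+\}", template.rstrip("/"))
    body = SEGMENT.join(re.escape(part) for part in literals)
    # Assumption: paths are compared case-insensitively; a query string may follow.
    return re.compile(r"(?:^|/)" + body + r"/?(?:[?#].*)?$", re.IGNORECASE)


PATTERNS = [(method, template, _compile(template)) for method, template in REMOVED]


def classify(method, path):
    """Return the removed endpoint template a request hits, or None."""
    for removed_method, template, pattern in PATTERNS:
        if method.upper() == removed_method and pattern.search(path):
            return template
    return None


def find_removed_calls(lines):
    """Return (line_no, client, method, template) for every removed-endpoint hit.

    Assumed layout per line: date time client method path status.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        client, method, path = fields[2], fields[3], fields[4]
        template = classify(method, path)
        if template:
            hits.append((line_no, client, method.upper(), template))
    return hits


def callers(hits):
    """Count hits per client so owners of the calling scripts can be contacted."""
    return Counter(client for _, client, _, _ in hits)


# Constructed sample log lines (not real traffic, not a real base path).
SAMPLE_LOG = [
    "2024-08-30 10:02:11 10.0.0.5 GET /EXAMPLE-BASE/TeamPasswords/Folders 200",
    "2024-08-30 10:02:12 10.0.0.5 POST /EXAMPLE-BASE/TeamPasswords/Folders/7f3a/Credentials 201",
    "2024-08-30 10:05:40 10.0.0.9 GET /EXAMPLE-BASE/teampasswords/credentials/42?x=1 200",
    "2024-08-30 10:06:02 10.0.0.9 GET /EXAMPLE-BASE/SomeOtherResource 200",
    "2024-08-30 10:07:19 10.0.0.7 PATCH /EXAMPLE-BASE/TeamPasswords/Folders/7f3a 405",
]

if __name__ == "__main__":
    found = find_removed_calls(SAMPLE_LOG)
    for line_no, client, method, template in found:
        print(f"line {line_no}: {client} called removed endpoint {method} {template}")
    for client, count in callers(found).most_common():
        print(f"{client}: {count} call(s) to migrate to Secrets Safe endpoints")
```
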

BeyondInsight 24.2.0 still supports the following features, but these are planned to be removed in the next release:

  • Analytics & Reporting > Clarity: Clarity and related reports and configuration.
  • About > BeyondInsight Analysis

The Password Safe platforms Cloud - Azure and Cloud - Office 365 are being removed in the 24.3 release. Instead, customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.
