DocumentationRelease Notes
Release Notes
Back to All

BeyondInsight and Password Safe Cloud 25.2 release notes

about 2 months ago

September 11, 2025

⚠️

This update is for Cloud customers only.

🆕 New features

There are no new features in this release.

✨ Enhancements

Support for Windows Server 2025

BeyondInsight/Password Safe now supports Windows Server 2025, giving you flexibility to run in the latest Microsoft environment. You can discover systems and credentials, manage credentials, launch remote sessions, and generate OS and Asset Details reports. Resource Brokers also run smoothly on Windows Server 2025, so you can take full advantage of the new platform without sacrificing functionality.

🛠️ Issues resolved

Product AreaDescriptionResolution
Connectors, Analytics and ReportingRecently generated audit event data, when viewed in User Audits sub-report, is missing detail data.(Cloud Only) Audit event detail data is now included in User Audits sub-reports regardless of when it was generated.
ConnectorsRecently generated audit event data, when forwarded via connectors, is missing detail data.(Cloud Only) Recently generated audit event data now includes detail data for events forwarded via connectors.
SessionsIn a multi-monitor RemoteApp session using FreeRDP 3, when the primary monitor (main display) is not the leftmost monitor, the RemoteApp window appears as an unresponsive black rectangle.(Cloud only) Sessions and replay of session recordings involving a system with multiple displays where the leftmost display is not the main one now work as expected.
Secrets SafeWhen adding permissions to a safe, if the permissions contain an expiry date, the screen briefly shows an error stating 'Expires On... A date is required' while saving. The permissions then successfully saves and a success toast message displays.(Cloud only) Removed the unnecessary message about the Expires On date.
ConnectorsSyslog connector: Forwarded events severity is inverted(Cloud only) The severity of events sent via Syslog connector have been corrected to align with the Syslog severity definitions.
SAML ConfigurationSAML login ignores "local group resync" option when user mapping is enabled, causing unintended group removals.(Cloud only) SAML login code has been updated to ensure that the “local group resync” setting is respected.
SAML ConfigurationNot all attributes populated when an AD user is created via SAML login and mapping is set to "Active Directory".(Cloud only) Ensured that in the affected configuration scenario, that all attributes are populated when AD users are created during SAML login process.
APIsField length validation discrepancy between POST and PUT public APIs for Text secrets, the PUT endpoint enforces a lower character limit than the POST.(Cloud only) The PUT endpoint has been updated to allow a Text secret with a value of up to 4096 characters, to align with the limit on the POST endpoint.
ConnectorsSCIM PrivilegedData endpoint returned values have capitalized properties instead of lowercase.Corrected the SCIM API so calls to the PrivilegedData endpoint returns the properties in all lower case.
Smart RulesDirectory Query smart rules format AD user name incorrectly when the Directory Credential includes username and not UPN.Account name formatting during the connection to AD has been updated to handle this scenario.

📝 Requirements

  • Direct upgrades to 25.2.0 are supported from BeyondInsight versions 23.2 or later releases.
  • BeyondInsight 25.2.0 supports SQL Server 2016 SP2 or higher.

🗒️ Notes

This release is only available for Cloud. It is not available on the Customer Portal or in BT Updater.

⏰ Deprecation notices

Removing PMUL support in BIPS

In 25.1, we began the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.

The first step is to no longer receive and process PMUL and Solr events.

In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.

Support for Outbound TLS 1.3

In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:

  • Client certificates will no longer be supported as an authentication method for API registrations.
  • The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates

The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.