We've added a subscription for Active Directory Bridge.
Enhancements
You can now install your chosen version of the Appliance Management software without performing incremental updates. Simply select the version you want to install from the Subscription Details drop-down list.
On the Subscriptions page, the Version drop down list displays the locally-installed subscription version number.
On the Client Subscription pages, we’ve updated the available options in the Versions drop-down:
Do Not Update (formerly 0.0.0): No changes are made to downstream clients.
`version.number`: Unlock the selected version to all downstream clients.
Issues resolved
When you update the Endpoint Privilege Management: Web Policy Editor Bundle, BT Updater now stops the underlying services before installing.
When you update Endpoint Privilege Management for Unix/Linux using BT Updater 3.3.0, the updater no longer creates any numbered folders and instead downloads all files directly in the C:\ProgramData\BeyondTrust\Pbsmc\Software folder.
Some users who attempted to subscribe to AD Bridge received an incorrect error message stating they could not subscribe without first installing AD Bridge; however, the subscription was successful. That error message no longer displays erroneously.
An issue where some correctly-updated users saw the error message "Warning: for BeyondInsight/Password Safe you are required to manually update to the same lock version on all BeyondTrust Updaters or it could result in a loss of service" is resolved.
Resolved an issue where, when the Appliance User Interface page was used to change the username and password, the SALT and encryption string were written to the Updater log file.
Now, upon subscription, EPM bundles auto-lock as expected.
Dependency management provides visibility into the underlying frameworks that support a product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:
removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
processes new additions and upgrades.
processes removals without dependent products.
Note: For removals with dependencies, guidance is provided directly within the product(s) that must be updated to allow for the safe removal of the dependency. You can run the removal again after you upgrade the dependent product(s).
Enhancements
SUPI service upgrade
We've upgraded the SUPI service from .NET 6 to .NET 8.
Known Issues:
If a 4.0/SUPI 3.2 box has multiple updates that include "cumulative" subscriptions, the packages that would be skipped are incorrectly included in the Estimated Time Required. This can significantly overstate the estimate.
Notes:
Upgrade to .NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription).
.NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
SUPI 3.2 (available through BT Updater)
BeyondInsight 24.1
New features
Dependency management provides visibility into the underlying frameworks that support BeyondTrust’s product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:
removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
OAuth authentication is available as an authentication method when configuring the Discovery Agent on the Features page.
Set the event service (local or remote) and the authentication method.
New appliance on version 4.3: The only authentication method is OAuth Authentication.
Appliance on an earlier version: The authentication method is Certificate + User Authentication. If you are working on BeyondInsight 24.1 and database version 24.2.0.150 or later, then you can select OAuth Authentication.
Appliance upgraded from an earlier version to 4.3: Displays both authentication types.
| Product Area | Description | Resolution |
|---|---|---|
| | Cannot change the port to a number greater than 9999 for the BeyondInsight for Unix & Linux database. | Updated the maximum port number to 49151. |
| Client connections | Removing HHRS entries from the appliance UI does not remove the configuration from IIS. | Removing HHRS entries in the appliance now removes the entry from IIS. |
| High availability | On the High Availability page, the database size is reported to 10 decimal places. | The database size shows the value in a unit proportional to the size (e.g. KB, MB, GB). |
| Upgrades | Appliance Management Update from 4.1 to Version 4.2 fails on Hyper-V. | Upgrades are successful from 4.2 to 4.3 on a Hyper-V environment. |
| Licensing | The Expiry Date field on the License page is blank when the BIPS license expires. | The Expiry Date field displays the date when the license expired. |
| Email settings | On the Email page, an error displays when a valid port number greater than 2056 is entered. | Valid port numbers are confirmed and added successfully. |
| SQL free appliance | The SQL Server Database Password page fails to load in SQL free appliances. | Credentials aren't required on a SQL free appliance. The prompt is removed. |
| SQL free appliance | When configuring database access on the Appliance Feature Configuration page, an unclear error notification displays when the server name is wrong. | A readable error notification displays when there are configuration errors. |
| Backup configuration | The 15-character password requirement is not enforced when adding a password on the Backup page. | The 15-character limit is enforced on the Backups page. |
| SQL free appliance | BeyondTrust Instance unique ID does not get regenerated during the Configuration wizard. | |
| SQL free appliance | The Configure Performance Counter Thresholds page displays incorrect values on the usage sliders. | The usage counters display correct values. |
| High availability | Unnecessary text on the High Availability configuration page: the text describes functionality in an area of the page where it doesn’t apply. | The text is removed. |
| Installed Software page | An error occurs when selecting a product name listed on the Software and Licensing > Installed Software page. | Errors no longer occur when selecting a product in the list. |
| SQL Server | The SQL Server service (MSSQLSERVER) doesn't restart from the Service Status page. | All SQL Server services restart correctly: SQL Server Agent, SQL Server Launchpad, and the SQL Server service. |
| Backup and Restore | Adding a backup location with an invalid path returns an error that one or more fields are invalid but does not indicate the invalid field. | A message displays with more accurate information on the error. |
| Backup and Restore | Editing an existing backup location can delete all backup files in the old location without warning. | The existing folder with existing backup files is deleted and a new folder with the same title is created. |
| Backup and Restore | A change to the backup location was not refreshing after editing the location a second time. | The changes to a backup location refresh after every change. |
| Network, IP Settings | Changing to the DHCP network setting returns an error message that provides no information. | A warning message indicates it is not possible to redirect to the new IP address. |
| HA - Scheduler Service | On a passive node in a high availability pair (version 4.1), the Schedule Service was in a running state but the status alert stated "Expected to be Stopped as a High Availability service". | |
Known issues
| Product Area | Description | Workaround |
|---|---|---|
| SECURITY UPDATES - check mark icons showing under each step of a SUPI package | Blue arrow icons are appearing in step details of SUPI packages. | No workaround |
| HHRS - 404 page presented after updating HOST HEADERS | When you enter and save a value into Host Headers, you are taken to a 404 page. | No workaround |
| Appliance: Discovery Agent displays a notification error when switching it ON although the changes are saved successfully | In certain cases, Discovery Agent shows the following incorrect error message when switching it to ON: "Failed to save all or some feature configuration. Please see details: Phoenix: Error execution some configuration commands: Command returned Error Error 403: Forbidden." | No workaround |
| User is not notified if subscribing to hardware alerts fails | Appliance Service uses eEyealert.exe to subscribe and listen for events from the hardware. There was an instance where this .exe was missing, and no errors or messages displayed to alert the user. | |
| EPM - HA - when secondary is promoted to Primary, PMR reports will not work because the configuration has the primary's IP address | This issue only applies to an HA node set up as the PMR Database host in a multi-node EPM deployment (i.e. one that has nodes other than the secondary attempting to access the database). A multi-node deployment typically uses the IP/machine name of the database host in the shared EPM config file, and this pointer will continue to point at the failed primary, causing the problem. | If the EPM solution is made up only of the HA pair itself, the config should point to localhost and will work with HA. |
| Appliance: It is not possible to create a new local location with the "requires authentication" option | When you create a new location with the option Credentialed=Yes, the new location is actually created with the option Credentialed=No. | After creating the new location, click Edit. Click the Backup Location requires authentication option again. Click Save, and Credentialed=Yes saves as expected. |
| Appliance: BT EPM Event Collector Service is missing in the log file if there are no files. | If there are no log files, on the Export Logs and Appliance Logs pages, in the Log File Export options section, the BeyondTrust EPM Event Collector Service option may be missing. | No workaround |
| EPM/PMR - HA - HA requires that the source EPM accounts match on each appliance, so how will we handle this since accounts require manual intervention to rename | Pre-existing accounts cannot be automatically paired because the EPM accounts don’t match. | You must manually create the EPM/PMR SQL Users in the database on the Secondary node. |
| LastPass can interfere with the Config / Deployment Wizard | In v4.0 and 4.1, both Standard and SQL Free can be affected. When you run the Config and Deploy Wizard on an appliance with the LastPass extension installed, the Next button on the Configure Backups page is broken. | Disable or log out of LastPass, or configure the appliance in incognito mode in the browser so that browser extensions do not interfere with the wizard. |
| Appliance - The beyondtrust_user is locked out after changing the Auth SQL Server password | The beyondtrust_user is locked out after changing the Auth SQL Server password. | No workaround |
| Appliance self-signed certificate does not have a subject alternative name (which does not support HSTS) | For Chrome 58 and later, only the subjectAlternativeName extension (not commonName) is used to match the domain name and site certificate. This will cause various validation problems. | Disable the check in Chrome. |
Notes
Security Management Appliance Installer 4.3 is dependent on BeyondInsight 24.1.
Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
This update is available through BT Updater or as a manual installer from the download tool.
Managed account Smart Rules that contain a Link domain accounts to Managed Systems action targeting an Asset-type Smart Group fail processing, and the logs display a "Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements" error.
Managed account Smart Rules that contain a Link domain accounts to Managed Systems action targeting an Asset-type Smart Group are now processed without errors.
Known issues
| Product Area | Description | Resolution |
|---|---|---|
| Analytics and Reporting interface | Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive. | Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation. |
| Analytics and Reporting interface | Using Chrome, clicking the browser back button while viewing a sub-report takes the user back to the list of reports. | Use the back button within the report viewer for proper navigation. You may need to re-run the report if you’ve returned to the report list. |
| Analytics and Reporting interface | For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the Send subscription by email option is not available. | Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings. |
| Analytics and Reporting interface | For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive. | Ensure that the email addresses used in the To field have a total length of less than 2,000 characters. |
| Purging Options: Database Index Maintenance page of the BeyondInsight Console | The Database Index Maintenance job does not run in an environment configured with a low privilege SQL user. | Configure the database connection to use a privileged account. |
| BeyondInsight Console | If a user allows their BeyondInsight session to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect. | Avoid letting the session time out, or update your preferences after logging in. |
| Web Policy Editor | When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use. | Stop the Web Policy Editor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and then restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes. |
| Secrets Safe | There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets depending on whether the user is an administrator or a non-admin: an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets. | A non-admin must first delete the secrets within the subfolder, then delete the subfolder. |
| Password Safe | vSphere Managed Account password changes may occasionally fail with a "passwords do not match" error. | Initiate another password change. |
| Password Safe Propagation Actions | When performing propagation actions for a domain account (e.g., domain\svc_acc1), and a local account with the same name (e.g., svc_acc1) is found on the system in the same propagation target, the local account may also be incorrectly updated. | Use different names for domain and local accounts. |
| Password Safe Application Sessions | Launching remote applications with ps_automate fails with Chrome/Edge v128. | Use Chrome/Edge v127 or Firefox; alternatively, a hotfix is available. |
| BeyondInsight Console - Activation Keys for Discovery Agent Installer Type | PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events. | Use the Command Prompt for this instead. |
Note: Issues discovered after release can be found within our Customer Portal.
Notes
Direct upgrades to 24.2.1 are supported from BeyondInsight versions 22.2.3 or greater.
BeyondInsight 24.2.1 supports SQL Server 2016 SP2 or greater.
The MD5 signature is: f52eda445beb6055296c47ece4eff7ad
The SHA-256 signature is: bdf2b35773f636d8d742a78627090d095f5960cfc681e11c6c444427d109e553
Deprecation notice
Team Passwords public API endpoints have been deprecated and are no longer present in the 24.2.1 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.
BeyondInsight 24.2.1 still supports the following features, however these are planned to be removed in the next release:
Analytics & Reporting > Clarity: Clarity and related reports and configuration.
About > BeyondInsight Analysis
The Password Safe platforms Cloud - Azure and Cloud - Office 365 will be removed in the 24.3 release. Customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.
Direct upgrades to 24.2.0.1869 are supported from all previous versions.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: C1211ABDB9037A56E5566462D2719743
The SHA-1 signature is: 0CE31E6A98AA913E5EF51038D72CA2DF2B899F8E
The SHA-256 signature is: 702D24B19A9769D610BED08F529528930CFE3E39282D20E29A1C2C72CCF53B48
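The digests published above (for the BeyondInsight 24.2.1 installer and for the 24.2.0.1869 resource broker package) only protect you if they are checked before the installer is run. The following is an added example, not BeyondTrust tooling: a small POSIX shell helper that compares a downloaded file against a published SHA-256 value (MD5 and SHA-1 are no longer collision-resistant, so SHA-256 is the value worth verifying). The installer file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not BeyondTrust's own code): verify a downloaded installer
# against the SHA-256 digest published in the release notes before running it.
# Only SHA-256 is compared; MD5 and SHA-1 are published for information but
# are not a meaningful integrity check anymore.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum (GNU coreutils) when present, otherwise shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 when the digest matches, 1 otherwise.
# The comparison is case-insensitive because vendors publish digests in both
# cases (the release notes above use lowercase for one package and uppercase
# for another); the digest bytes themselves are what is compared.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file (do not run this installer)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the values from the release notes (file names are placeholders):
#   verify_sha256 BeyondInsight-24.2.1.exe bdf2b35773f636d8d742a78627090d095f5960cfc681e11c6c444427d109e553
#   verify_sha256 ResourceBroker-24.2.0.1869.exe 702D24B19A9769D610BED08F529528930CFE3E39282D20E29A1C2C72CCF53B48
```

Run the check on the file you actually intend to execute, and treat a mismatch as a reason to re-download from the vendor portal rather than proceed.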
There is a product dependency on having the .NET 8 Hosting package installed.
OAuth authorization is dependent on having BI version 24.2.0.
A reboot of the system may be required.
New features and enhancements:
Enumerate domain users with access to a Linux target via sssd.conf. Only simple configurations are supported.
Enhanced secondary authentication prompt response to support prompts found during authentication, as opposed to after primary SSH authentication.
Added support for the use of OAuth authorization for connectivity with the Event Collector Service.
Added support for the use of OAuth authorization for connectivity to the Central Policy Service.
Added support to configure the use of certificate based authorization for connectivity to the Central Policy Service.
Improved the validation of command line options for configuration of Central Policy Service and Event Collector Service.
Issues resolved:
Resolved a scenario where a scan fails to complete when connecting to the target's registry. Changed the default value for the remote registry connect timeout to 60 seconds.
Handled additional error codes for group member enumeration. This prevents the command from being endlessly retried after the scan has completed.
Resolved an asynchronous task issue where impersonation might not be active for group member enumeration, resulting in domain users not being found.
Resolved handling of CR/LFs in the target prompt for SSH targets.
Resolved an issue when sending a CTRL-C when a command times out for Fortinet devices. This caused commands which succeeded to be seen as errors when no output was expected.
Resolved an issue that could cause a hung scan during the SSH secondary prompt handling.
Known issues:
PowerShell doesn't properly pass the command line options for btdiscovery.cmd to the program. This command must be run in a standard Windows command shell.
Notes:
The migration from an existing Retina configuration is deprecated and will be removed in a future release.
SSH Session encryption using the SHA1 cipher is deprecated. Use SHA256 or higher.
Direct upgrades to this version are supported from versions 20.1.0 and later releases.
Password Safe now supports Passwordless FIDO2 authentication, which allows local BeyondInsight users to authenticate more securely using a security key or a biometric method, such as a fingerprint or face recognition.
Enable the Passwordless FIDO2 Authentication option from the Configuration > Authentication Management > Authentication Options page in BeyondInsight.
Once enabled for your instance, users can then configure FIDO2-certified authenticators for their account. Administrators can also see/remove any authenticators that a user may have configured.
Microsoft Entra ID group membership no longer requires manual synchronization for individual groups. Users can now enable global group synchronization and schedule it to occur automatically on a daily, weekly, or monthly basis.
Enable and schedule group synchronization from the Configuration > Role Based Access > Microsoft Entra ID Group Synchronization page.
Administrators can now create a Smart Rule to discover and onboard AWS IAM users into Password Safe for credential management, without the need to perform a discovery scan.
Create a Managed Account Smart Rule with the new Amazon IAM Query condition for the selected Amazon Cloud Managed System, set it to re-run every X hours, and assign the Manage Account Settings action.
The Kubernetes External Secrets Operator (ESO) now includes a Password Safe extension to retrieve secrets managed by Password Safe and synchronize them into K8s secrets. This ensures applications can continue to leverage K8s secrets without changing their applications or workflows.
Custom Attributes
A new report that lists assets and their custom attributes was added to the Assets folder for both on-premises and cloud.
Database User List
The Database User List is now available in the Account folder in Password Safe Cloud. It was previously only available in on-premises installs.
Enhancements
Password Safe now has a Force Re-authentication option when configuring a SAML identity provider in BeyondInsight. Enabling this option requires users to re-authenticate with the identity provider for each BeyondInsight session, even if they already have a valid session.
Enable the Force Re-authentication option for the identity provider from the Configuration > Authentication Management > SAML Configuration page.
Discovery Agents can now be configured to use OAuth authentication for communications with BeyondInsight by leveraging the existing Installer Activation Keys feature.
Configure a key from the Configuration > Authentication Management > Installer Activation Keys page for use when setting up Discovery Agents with OAuth authentication.
Accessibility improvements made in many areas of the BeyondInsight and Password Safe UI:
Improved page responsiveness based on screen resolution
Appropriate screen reader cues added to input fields, drop-downs, and grids:
Input fields can now indicate their invalid state or error messages to screen readers via ARIA tags.
Searchable input fields and drop-downs now announce the number of results available and announce every time the number of results change.
Areas in grids that have the focus are now announced.
Improved Session Replay Viewer progress bar to support keyboard interactions and added ARIA properties.
Run reports for exact dates and date ranges
On-premises users can now quickly determine what actions were performed during specific time periods by running reports for exact dates and ranges.
More auditing information in the Password Release Activity report
The Password Release Activity report now includes the reason for the password release. The reason, ticket number, ticket system, and approver are now included when SIEM events are forwarded.
The Password Safe GET Users API now has the ability to return users that are flagged as inactive. Releases prior to 24.2.0 only supported returning active users.
Password Safe now supports encryption of the Secrets Safe vault using an external HSM configuration. This builds on existing support for HSM encryption of the Password Safe vault and system credentials.
The on-premises BeyondTrust Discovery Agent can now be configured to communicate via certificate or OAuth authentication, as is done in Password Safe Cloud. If set up this way, the BeyondTrust Discovery Agent does not require the account, and it can be removed.
Changed local user default password policy minimum length from 14 characters to 16 characters. Upon upgrade, this change takes effect only when the policy is edited.
Password Safe now displays the user's last login in the Profile and Preferences box.
The SQL Server Port is now customizable on various configuration pages.
The X-Forwarded-For header ensures the source client IP address is included in User Audit details for both API and web console interactions.
Legacy TeamPasswords public API endpoints have been removed:
POST TeamPasswords/Folders
GET TeamPasswords/Folders
PUT TeamPasswords/Folders/{folderId}
DELETE TeamPasswords/Folders/{folderId}
GET TeamPasswords/Folders/{folderId}
POST TeamPasswords/Folders/{folderId}/Credentials
PUT TeamPasswords/Credentials/{id}
GET TeamPasswords/Credentials/
DELETE TeamPasswords/Credentials/{id}
GET TeamPasswords/Credentials/{id}
GET TeamPasswords/Folders/{folderId}/Credentials
Password Safe Portal users with appropriate permissions can terminate an active or locked session and cancel the related request.
You can now store the ssh-dss, ssh-rsa, ssh-ed25519 and ecdsa-sha2-nistp256/384/521 host keys in PEM files identified by registry values. This can be useful to ensure that a cluster of nodes behind a load balancer all share the same SSH host keys.
BeyondInsight and Password Safe Cloud's resource broker is now deployed with the .NET 8.0.8 hosting bundle.
Dedicated Account Smart Rules now allow:
Actions: Set attributes on each account
Filters: Managed System Smart Group (new filter), Assigned Attributes, Platforms
A new column has been added to show if Managed Accounts are enabled for the "Disabled at Rest" mode.
In the Analytics and Reporting > Report Subscription wizard and the Configuration > Analytics and Reporting > Configuration wizard, the user interface and user experience have been reviewed for consistency and correct layout.
The Approvals grid can now be filtered using the Request ID column.
Filters are now multi-selectable drop-downs and are pre-populated with all available nodes, a number of standard RDP resolutions, and available directories.
Administrators can now use the Agents grid to see which Endpoint Privilege Management endpoint agents are using OAuth and which are still using certificate-based authentication.
Issues resolved
| Product Area | Description | Resolution |
|---|---|---|
| Secrets Safe page of the BeyondInsight Console | Screen readers would show some unexpected behavior. | Resolved some accessibility issues involving screen readers. |
| Secrets Safe page of the BeyondInsight Console | When creating a new folder, focus was lost from the Secrets Safe page when the user clicked Create folder or Discard. | Focus now returns to the appropriate button when a folder is created or discarded. |
| Internal Smart Rules processing logic | A database stored procedure that affects bulk attribute updates was causing deadlocks. | The stored procedure was updated to avoid deadlocks. |
| Custom Platforms page of the BeyondInsight Console | When checking the password of a custom platform, the first step of `<elevationcommand>` was sometimes causing the attempt to time out. | The first step has been changed to a `LANG=en_US; whoami` response for the AIX, HP-UX, Linux, Mac and Solaris custom platforms. |
| Submit request tab | If the max concurrent request for a managed account was set to 1, users could still request and retrieve the account’s password, even if another request was still valid and displayed as unavailable. | A message now states that the max concurrent requests has been reached. |
| Workforce Passwords Browser Extension | When a website has two or more credentials saved, the username and password had to be populated individually. | When a credential is selected, both the username and password populate together. |
| User Audits page of the BeyondInsight Console | In the Audits grid, a failed Direct Connect login attempt was not showing the username. | The Audits grid now shows the username that attempted to log in. |
| Connectors page of the BeyondInsight Console | When running a scan for Google Cloud, Middle East regions were not listed and could not be queried for scan targets. | All regions are now available. |
| Managed Accounts page of the BeyondInsight Console | Editing a managed account without changing the next scheduled change date was saving an incorrect date to the database. | Dates are now being saved correctly. |
| BeyondInsight API | Entra ID users who were members of more than 100 groups could not log in via the API. | Users are now able to log in and their groups are enumerated successfully. |
| User Management page in the BeyondInsight Console | When editing an Active Directory user, credentials were a required field and would display an error if not filled out. Selecting a credential would allow the user to save, but opening the field again showed that the value was not saved. | The credential field is no longer treated as a required field for the editing of a user. User details now save correctly. |
| Secrets Safe page of the BeyondInsight Console | When assigning ownership to a group or members of a group, the user could navigate away from the page without a Save/Discard prompt and lose changes. | The user is now prompted to continue editing or discard changes when navigating away. |
| Secrets Safe page of the BeyondInsight Console | A secret could be saved without any owners. | If a user attempts to save a secret without an owner, an error appears and the secret cannot be saved until an owner is assigned. |
| Workforce Passwords | Workforce Passwords was failing to import passwords from a CSV if the password contained a comma. Additionally, if an exported password contained a quote, Workforce Passwords would import the password with the escape characters that LastPass added to the CSV. | Passwords are now imported correctly. |
| BeyondInsight API | A SCIM PATCH request could not handle a path with a sub attribute after the filter, returning a 500 error. | The attribute is now correctly changed on the given object. |
| Users page of the BeyondInsight Console, extension login | Error messages for attempted login without access were always in English, even if the user was using a different language. | The error message is now translated. |
| Managed Accounts page of the BeyondInsight Console | After editing a synced managed account, the description became NULL. | The description is now retained when a synced managed account is edited. |
| Secrets Safe page of the BeyondInsight Console | Users who owned all secrets within a folder received an incorrect error message, "The folder cannot be deleted. You do not own all the secrets", when attempting to delete a folder. | Users now receive an accurate error message indicating that all secrets need to be deleted before the folder can be deleted. |
| Internal group synchronization logic | Syncing an AD Group after removing a user also removed that user from all their groups, not just the group being synced. | The user will now only be removed from the currently syncing AD Group during synchronization. |
| Smart Rules page of the BeyondInsight Console | There is an option to clear existing mappings when creating a Smart Rule to apply propagation mappings via an action. If users switched mapping from Smart Rule to scan data or vice versa, the previous mappings were not cleared correctly. This resulted in mappings for both scan data and discovery on a Smart Rule. | When the clear option is enabled, all previous mappings are now cleared. |
| Internal logic | When checking if a hostname had a valid DNS entry, the comparison was case-sensitive. Also, there was no debug logging on a failed DNS lookup. | DNS comparison is now case-insensitive, and debug logging has been added to improve troubleshooting. |
| Workforce Passwords Browser Extension | When the URL field on a Secrets Safe secret has a trailing space, the Workforce Passwords Browser Extension displayed an error when that Secret was used. | Trailing spaces in URLs on Secrets no longer cause errors with Workforce Passwords Browser Extension. |
| Secrets Safe Entitlement Report | When exporting a PDF or TIFF Software Entitlement Report, each page of the report would also generate a second blank page. The first entry into Secret Safe would not show in the report, but subsequent entries appeared. | Reports now generate with all data and without extra pages. |
| Configuration page of the BeyondInsight Console | SHA1 was available as a signature method option, but support was recently removed for this option. | Due to weaknesses in SHA1 and the removal of support for it in various third-party libraries, we have removed it as a signature method option. |
| Smart Rules page of the BeyondInsight Console | If a child Smart Rule was a Managed Account quick group, processing any Smart Rules with the child could fail with an error referencing the DisabledAtRest column. | Smart Rule processing now runs without error. |
| Smart Rule internal processing | Timeout errors could occur during onboarding Smart Rules processing. | Performance improvements were made to some queries executed during Smart Rule internal processing, which helps avoid timeouts. |
| Secrets Safe page of the BeyondInsight Console | Insufficient validation checks in the Import Secrets API. | An authorization check now ensures the calling user has sufficient access to the target folder when using the Import Secrets API. |
| SCIM API | A long wait time occurred when a large number of results were returned when attempting to access /scim/v2/Users or /scim/v2/Groups via the SCIM API. | All results are returned as expected at a much faster speed. |
| SCIM API | An attempt to query more than one attribute for a SCIM endpoint was not supported. | The SCIM API now supports multiple attributes in a query. |
| User Management page of the BeyondInsight Console | The username field in the database was too short to handle Azure User Principal Names (UPNs), causing them to be truncated. | The username field size has been increased to accommodate Azure User Principal Names (UPNs). |
| Public API | Certain API calls were taking longer than expected. This was because a cache accessed by the API was reloading its entries after about ten minutes. | The cache was adjusted so that it no longer requires a reload after the first hit. |
| Internal logic | PBSMD SSH fingerprints were not unique across multiple U-Series Appliances in a user’s environment. | Internal logic has been updated to ensure that PBSMD receives unique SSH fingerprints across multiple U-Series Appliances in an environment. |
| Asset page of the BeyondInsight Console | The Users grid would fail to load when the last logon date contained certain non-English date formatting. | The Asset > Asset Advanced Details > Users grid now loads appropriately even if the last logon date contains non-English date formatting. |
| Internal logic | When the Graph API would throw ODataError exceptions, not much information was provided about what the specific error was. | More details are now captured in the log. |
| Start menu shortcuts for BeyondInsight Configuration and BeyondInsight Console | Shortcuts were displayed in the eEye Digital Security folder instead of the BeyondTrust folder. | Removed eEye Digital Security folder from Start menu. Shortcuts now display in the BeyondTrust folder. |
| Proxy Settings page of the BeyondInsight Console | Error messages when retrieving Entra ID groups for EPM clients did not include helpful information. | More details are now captured in the log. |
| Installer Activation Keys page of the BeyondInsight Console | The Cloud installation command, BeyondInsight URL, and endpoint were incorrect when viewing system generated key details. | The installation command, BeyondInsight URL, and endpoint have been corrected for Cloud. |
| User Management page of the BeyondInsight Console | When large AD groups were added or synced, the stored procedure that updates external attributes caused blocking in the database. | The stored procedure has been modified to prevent blocks. |
| Password Update Activity page of the BeyondInsight Console | The Password Update Activity report was missing the Asset column for Functional Accounts. | The report now has an Asset column in the Functional Account table. |
| BeyondInsight Console | Customized logos were not appearing in the web console. | Updated how custom logos are handled so that existing instructions on replacing these will continue to work. Custom logos may still need to be replaced after product upgrades. |
| SCIM API | Updating a group via the SCIM API would cause unexpected settings changes. | Only the attributes that were changed in the request are now modified. |
| Password Safe Sessions | Password Safe was unable to validate system fields from a ServiceNow ticket. | If a user does not have access to a particular managed system, the ServiceNow ticket validator fails and the user is denied access. |
| BeyondInsight internal communication | Identity Service would not update the client ID when creating a client. | The client ID is now updated so that the two client IDs match. |
| User login (Active Directory) | Active Directory users were unable to log in to BeyondInsight after being renamed in Active Directory. | The logic in the login process has been updated to handle this scenario correctly. Renamed AD users can log in without requiring a group sync to occur first. |
| Smart Rule Processing | When deploying Endpoint Privilege Management Policy, the Smart Rule failed to process in some environments. | Performance has improved when processing Smart Rules that include the deploy Endpoint Privilege Management Policy action. |
| Password Safe Sessions | When selecting “User ID Mapping : UPN format” in a ServiceNow connector, an error was returned stating “Logged in user ID is null or empty”. | The UserPrincipalName (UPN) can now validate ServiceNow tickets for Entra ID users. |
| User Management page of the BeyondInsight Console | Details sometimes did not switch when editing a different Password Safe role for a mapped smart group. | Switching between roles now correctly switches the details. |
| API Registrations page of the BeyondInsight Console | Changes to API registrations were not being audited. | User Audits now appropriately shows changes. |
| BeyondInsight Password Services | Password Services could crash after attempting multiple “keyboard-interactive” mode connections via SSH if the initial connection attempt was only partially successful. | The service has been updated to limit the number of “keyboard-interactive” attempts made. |
| BeyondInsight API | Any failed API authentication would send an email to the administrator email account. | This has been deprecated, and emails for failed API authentications are no longer sent. |
| Access Policies page of the BeyondInsight Console | If an admin created an access policy not attached to a requestor group, and then a requestor with a different access policy created and actioned a request, admins were unable to delete the new access policy. | The dependency check logic around access policy deletion is improved. Admins can now delete new access policies in this scenario. |
| BeyondInsight Configuration > Secure Remote Access > Connect to Secure Remote Access area | Missing validation and empty default values could lead to errors in the log files if these values were saved by the user. | The field validation and default port value were updated on this form. |
| Internal logic | Insufficient validation was used on LDAP query creation. | Enhanced validation for directory queries to mitigate the creation of invalid LDAP queries. |
| Smart Rules | The ordering of actions displayed in a Smart Rule when editing was not consistent between creation and editing. | The Smart Rule actions are now sorted consistently regardless of whether the Smart Rule is being created or edited. |
| Sessions grid | On the Sessions grid in the Password Safe portal, the column picker contained a duplicate “Status” column entry. | The duplicate “Status” column has been removed. |
| BeyondInsight Configuration > IP Allow List | When configuring an IP Allow List rule with an IP range, there was no validation to prevent a user from entering a “From IP Address” value which was higher than the “To IP Address” value. Attempting to save a rule with this misconfiguration would display a generic error message. | The IP address range is now validated in the input form, with informative messaging if the data is not valid. |
| Password Safe | If a ticket was supplied when creating a request and ticket validation failed, only a generic validation error was shown, which may have been insufficient to troubleshoot the error. | Additional error messaging is now shown in the details of the error message that occurs in this scenario. |
| Workforce Passwords Browser Extension | If a Workforce Passwords extension was in use while the Password Safe instance was upgraded, new features did not always appear right away. | The Workforce Passwords Browser Extension now shows new features right away when the Password Safe instance is upgraded, even if the extension is in use. |
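The DNS comparison fix and the IP Allow List range validation in the table above both come down to input checks. The following is an added illustration in Python, not BeyondInsight code, of how such checks are typically written: hostnames are normalized before comparison (DNS names are case-insensitive per RFC 4343, and a trailing root dot is insignificant), the resolver error is logged at debug level when a lookup fails, and allow-list ranges are compared numerically with a specific message on rejection rather than a generic error. Function names, log messages and sample addresses are assumptions for illustration.

```python
"""Added example, not BeyondInsight code: hostname comparison and IP range
validation of the kind described in the fixes above. Function names,
messages and sample addresses are assumptions for illustration."""
import ipaddress
import logging
import socket
from typing import Tuple

log = logging.getLogger("bi_validation")


def normalize_hostname(name: str) -> str:
    """Strip whitespace and any trailing root dot, then lower-case.

    DNS names are case-insensitive (RFC 4343), so "SRV01.corp.example."
    and "srv01.corp.example" must compare equal.
    """
    return name.strip().rstrip(".").lower()


def hostnames_match(expected: str, actual: str) -> bool:
    """Case-insensitive comparison of two DNS names."""
    return normalize_hostname(expected) == normalize_hostname(actual)


def has_dns_entry(hostname: str) -> bool:
    """Return True if the name resolves; log the resolver error on failure.

    Logging the specific gaierror makes a failed check diagnosable instead of
    leaving only a silent False.
    """
    try:
        socket.getaddrinfo(normalize_hostname(hostname), None)
        return True
    except socket.gaierror as exc:
        log.debug("DNS lookup failed for %r: %s", hostname, exc)
        return False


def validate_ip_range(from_ip: str, to_ip: str) -> Tuple[bool, str]:
    """Validate an allow-list rule's From/To range.

    Returns (ok, message). Both ends must parse as addresses of the same IP
    version, and From must not be numerically higher than To. Comparing as
    text would be wrong: "10.0.0.9" sorts after "10.0.0.10" as strings.
    """
    try:
        start = ipaddress.ip_address(from_ip.strip())
    except ValueError:
        return False, f"From IP Address {from_ip!r} is not a valid IP address"
    try:
        end = ipaddress.ip_address(to_ip.strip())
    except ValueError:
        return False, f"To IP Address {to_ip!r} is not a valid IP address"
    if start.version != end.version:
        return False, "From and To IP Addresses must both be IPv4 or both be IPv6"
    if start > end:
        return False, f"From IP Address {start} is higher than To IP Address {end}"
    return True, f"{start} - {end} ({int(end) - int(start) + 1} addresses)"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(hostnames_match("SRV01.Corp.Example.", "srv01.corp.example"))
    for rule in [("10.0.0.1", "10.0.0.100"), ("10.0.0.9", "10.0.0.10"),
                 ("10.0.0.100", "10.0.0.1"), ("10.0.0.1", "fe80::1"),
                 ("10.0.0", "10.0.0.5")]:
        print(rule, validate_ip_range(*rule))
```

The range check returns a reason string alongside the boolean so the caller can surface it to the user, which is the difference the fix above describes between a generic save error and an informative message.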
Known issues
| Product Area | Description | Workaround |
| --- | --- | --- |
| Managed Account Smart Rules | Managed Account Smart Rules that contain a Link domain accounts to Managed Systems action that target an Asset-type Smart group will fail processing, and the logs display a "Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements" error. | Contact BeyondTrust Support for a hot fix. This issue will be resolved in an upcoming maintenance release. |
| Analytics and Reporting interface | Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive. | Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation. |
| Analytics and Reporting interface | Using Chrome, clicking the browser back button while viewing a sub-report actually takes the user back to the list of reports. | Use the back button within the report viewer for proper navigation. You may need to re-run the report if you've ended up back at the report list. |
| Analytics and Reporting interface | For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the "Send subscription by email" option is not available. | Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings. |
| Analytics and Reporting interface | For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive. | Ensure that the email addresses used in the To field are a total length less than 2,000 characters. |
| Purging Options: Database Index Maintenance page of the BeyondInsight Console | The Database Index Maintenance job will not run in an environment configured with a low privilege SQL user. | Configure the database connection to use a privileged account. |
| BeyondInsight Console | If a user allows their BeyondInsight session to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect. | Avoid letting the session time out, or update your preferences after logging in. |
| Web Policy Editor | When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use. | Stop the WebPolicyEditor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and then restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes. |
| Secrets Safe | There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets depending on whether the user is an administrator or not: an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets. | As a non-admin, to delete a subfolder, first delete the secrets within the subfolder, then delete the subfolder. |
| Password Safe | vSphere Managed Account password changes may occasionally fail with a "passwords do not match" error. | Initiate another password change. |
| Password Safe Propagation Actions | When performing propagation actions for a domain account (i.e., domain\svc_acc1) and there exists a local account with the same name (i.e., svc_acc1) found on the system in the same propagation target, the local account propagation may also be incorrectly updated. | Use accounts of different names for domain vs. local. |
| Password Safe Application Sessions | Launching remote applications with ps_automate will fail with Chrome/Edge v128. | Use Chrome/Edge v127 or Firefox; alternatively, a hotfix is available. |
| BeyondInsight Console - Activation Keys for Discovery Agent Installer Type | PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events. | Use the Command Prompt for this. |
Notes
Direct upgrades to 24.2.0 are supported from BeyondInsight 22.2.3 or later releases.
BeyondInsight 24.2.0 supports SQL Server 2016 SP2 or higher.
The MD5 signature is: aa5c3665679bb8b91ba179029a0711f2
The SHA-256 signature is: b32e3703a8cad701fe6487e611c278edfcf27ffb026baa0142777b5d71d8ff73
The ECM Plugin for Password Safe has been updated to version 24.1.3.
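The MD5 and SHA-256 values in the notes above are what an administrator checks a downloaded installer against before running it. The following is an added example in Python, not BeyondTrust code, that computes both digests in a single pass over the file and accepts the file only if SHA-256 matches (MD5 is collision-prone, so an MD5 match on its own proves nothing). The digest values are copied from the notes above; the installer file name is a placeholder, since the notes do not give one, and the function names are assumptions.

```python
"""Added example, not BeyondTrust code: verify a downloaded installer against
the MD5 and SHA-256 values published in the release notes above. The
installer file name is a placeholder; the notes do not give it."""
import hashlib
import hmac
import io
import sys
from typing import BinaryIO, Dict, Iterable

# Values copied from the release notes above (BeyondInsight 24.2.0).
PUBLISHED = {
    "md5": "aa5c3665679bb8b91ba179029a0711f2",
    "sha256": "b32e3703a8cad701fe6487e611c278edfcf27ffb026baa0142777b5d71d8ff73",
}


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ("md5", "sha256"),
                chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute several digests in one pass, reading in chunks so a large
    installer never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Digest a file on disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Digest an in-memory byte string (used for the offline self-check)."""
    return hash_stream(io.BytesIO(data), algorithms)


def compare(actual: Dict[str, str], published: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match, using a constant-time compare and ignoring hex case."""
    return {name: hmac.compare_digest(actual.get(name, "").lower(), value.lower())
            for name, value in published.items()}


def is_trusted(results: Dict[str, bool]) -> bool:
    """Accept only when SHA-256 matches and no published digest disagrees.

    A file that matches MD5 but not SHA-256 is rejected: MD5 collisions are
    practical, so the SHA-256 value is the one that carries the decision."""
    return bool(results.get("sha256")) and all(results.values())


if __name__ == "__main__":
    # Placeholder file name; substitute the downloaded installer's actual name.
    path = sys.argv[1] if len(sys.argv) > 1 else "BeyondInsight-24.2.0-installer.exe"
    results = compare(hash_file(path, tuple(PUBLISHED)), PUBLISHED)
    for name, ok in results.items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if is_trusted(results) else 1)
```

Run it as `python verify_installer.py <downloaded-file>`; a non-zero exit status means the file should not be installed.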
Deprecation notices
Team Passwords Public API Endpoints have been deprecated and are no longer present in the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.
BeyondInsight 24.2.0 still supports the following features, but these are planned to be removed in the next release:
Analytics & Reporting > Clarity: Clarity and related reports and configuration.
About > BeyondInsight Analysis
The Password Safe platforms Cloud - Azure and Cloud - Office 365 are being removed in the 24.3 release. Instead, customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.
New features and enhancements
This is a maintenance release and does not include any new features or enhancements.
Issues resolved
Addressed an issue which could result in misleading statuses when the option to include availability info was enabled.
Updated the conflict option used to create release requests to "reuse" to reduce the number of requests generated.
Modified the API call body to include rotateOnChecking=[false]. The Allow API Rotation Override option must be enabled on View Password Policy Type for relevant access policies.
Addressed an issue in which duplicate display values were used when a domain account was returned in multiple formats.
Notes
This maintenance release replaces any usage of v24.1.x.
Supports upgrades from any prior release.
This release will be included as part of the U-Series Appliance image for the BeyondInsight and Password Safe 24.2.0 release.
.NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
SUPI 3.2 (available through BT Updater)
New Features
This is a maintenance release and does not contain any new features.
Issues resolved
Resolved an issue where the Installed Software page was slow to load and sometimes would have an incorrect version listed for a product.
Cause: The appliance was requesting product version information from BT Updater, causing a delay in loading the results on the page. Also, if an update had failed in BT Updater, it returned the version for the failed update, despite it not being installed.
Resolution: The appliance no longer contacts BT Updater for product version information.
Resolved an issue where no options were displayed under Backup Options when attempting to create a backup on a SQLFree appliance.
Resolved an issue where restoring a backup that was created on a SQLFree appliance and contained the BeyondInsight database would fail on that same SQLFree appliance.
Known issues
Endpoint Privilege Management (EPM) Event Collector Service is missing from the log download page or log export page if there are no log files present.
EPM and Privileged Management Reporting (PMR) High Availability requires that the source EPM accounts match on each appliance. Accounts require manual intervention to rename.
Workaround: Users must manually create the EPM/PMR SQL Users in the database on the secondary node.
LastPass can interfere with the Deployment and Configuration Wizard.
Workaround: Disable or log out of LastPass, or configure the appliance in an incognito browser window so that browser extensions do not interfere with the wizard.
When changing the EPM Database credentials on the host machine and remote collector password, if the EPM Database Access feature is turned off and then on, the user has to enter and confirm their password every time.
The beyondtrust_user account is locked out after changing the Auth SQL Server password.
The appliance self-signed certificate does not have a subject alternative name (which does not support HSTS). For Chrome 58 and later, only the subjectAlternativeName extension (not commonName) is used to match the domain name to the site certificate.
Using High Availability in a multi-node EPM deployment that has the secondary node set up as the PMR database, when the secondary is promoted to primary, the PMR reports do not display in BeyondInsight. A red X displays in place of the charts.
Cause: A multi-node deployment typically uses the IP/machine name of the database host in the shared EPM config file. This pointer continues to point at the failed primary, causing the problem.
Workaround:
In BeyondInsight, from the left sidebar, click Configuration > Endpoint Privilege Management > Privileged Management Reporting Database Configuration.
In the Server field, update the IP address to be that of the current appliance.
In the appliance software, from the left sidebar, click Service Status.
Restart the EPM Reporting Gateway Service.
Notes:
Security Management Appliance Installer is dependent on BeyondInsight 24.1.
Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
This update is available through BT Updater or as a manual installer from the download tool.