June 1, 2023

New features and enhancements:

General

• Updated remaining areas in management console and user portal UI to abide by newer UX recommendations and improve performance and accessibility.
• Added support to create a Directory Query with new Directory Credential from the Smart Rule editor.
• Added support for sending scan credentials on demand to BeyondTrust Discovery Agent.
• Added support for using an email address as username for login.
• Added Quick Navigation feature, including support for saving favorite destinations within the UI.
• Added option to sync AD groups on a schedule, globally, and with the option to make exceptions for individual groups.
• Removed SQL 2012 from supported installation prerequisites.
• Updated display of local user password policy compliance in Reset, Change, and initial set password areas.
• Renamed Send Analysis to Support section on About page to BeyondInsight Analysis.
• Removed deprecated Send Analysis to Support and the Request Deletion of Previously Submitted Reports options from the About page.
• Removed all remaining references to Attack and Malware data from Smart Rules and Configuration areas.
• Save/Submit/Update buttons in configuration cards are now always enabled.
• Updated display names of former McAfee connector types to Trellix.

Analytics and Reporting

• Updated remaining areas in Analytics & Reporting UI to abide by newer UX recommendations and improve accessibility.
• Updated Password Activity Report to include details about who initiated any manual password change.
• Added new report, Reviewed Sessions, to provided details on whether sessions were reviewed, when, and by whom.
• Added new report, Smart Rule Overlap, to provide diagnostic information about assets or accounts that are selected for management in Password Safe by multiple Smart Rules.
• Added new report, Application Audit, to provide a list of who has administrative access to applications.
• Added new report, User Audit, to provide capability to report on the activity of BeyondInsight users.
• Removed all remaining Vulnerability Management, Attack, and Malware reports from the product.
• Removed all remaining references to Attack and Malware data from reports in the product.

Endpoint Privilege Management

• Updated remaining Endpoint Privilege Management UI to abide by newer UX recommendations and improve accessibility (on-premises only).
• Added support for integration with 23.4 release of Policy Editor (on-premises only), including:
  • Simplified installation process
  • Support for policy edits initiated by Privilege Management Reporting 23.4
• Added support for integration with Privilege Management Reporting 23.4 (on-premises only), including:
  • AngularJS-free UI
  • Capability to add applications to policies from events in the reporting UI
  • Simplified installation process
• Added support to leverage existing connector types to forward Privilege Management Reporting Events (on-premises only).
• Updated visibility of Privilege Management Reporting configuration card to depend on the associated services being installed.
• Improved display of integration service names and versions on the About page.
• Renamed title of Plugin Configuration card to Privilege Management Reporting Database Configuration.

Password Safe

• Updated Password Safe Web Portal: The updated web portal enhances productivity with fewer tabs and a new menu structure that simplifies access to credentials and systems, and provides an updated look and feel for a streamlined experience and improved accessibility.
  • Please follow this link to take a tour of the updated Password Safe Web Portal: PS 23.1 Portal Tour | BeyondTrust
• Updated remaining areas in management console and user portal UI to abide by newer UX recommendations and improve accessibility.
• OAuth authentication support has been added to the Public API.
• New Secrets Safe DevOps Integrations: Terraform and Azure DevOps.
• Password Safe Cache now supports Secrets Safe secrets (credentials, file, and text secret types).
• Enhanced RDP Session options: added support for multiple monitors, allow client application to detect best resolution, saving RDP settings for future remote sessions, and ability to specify the RDP port on a per-system basis.
• New Password Safe administration permissions, allowing administrators to delegate specific permissions resulting in fewer high level administrative users:
  • Password Safe Configuration Management
  • Password Safe Policy Management
  • Password Safe Agent Management
• Deprecation of multi-system checkout: this release has removed the multi-system checkout capability. Users can still checkout systems individually.

Password Safe Cloud

• Added CSV export format for reports.
• Restored Quarantined Account setting to the UI.
• Improved insights into metrics on product usage by integrating Gainsight to drive future priorities and customer success.

API

• Custom Platform import/export support.
  • New APIs:
    • GET CustomPlatforms/
    • GET CustomPlatforms/{id}
    • POST CustomPlatforms/Import}
    • POST CustomPlatforms/{id}/Export
• OAuth and API Registration support.
  • New APIs:
    • GET ApiRegistrations/
    • GET ApiRegistrations/{id}
    • POST ApiRegistrations
    • PUT ApiRegistrations/{id}
    • DELETE ApiRegistrations/{id}
    • POST ApiRegistrations/{id}/Rotate
    • GET ApiRegistrations/{id}/Key
    • POST Users/{id}/RecycleClientSecret
    • POST Auth/Connect/Token
  • Updated APIs:
    • GET Users/{id}
    • GET Users/
    • POST Users/
    • PUT Users/{id}
    • POST Auth/SignAppIn
• Secrets Safe added additional search/filter capabilities.
  • GET Secrets-Safe/Secrets

Issues resolved:

23.1.0

• Determined that some measures in the pivot grid not accurately representing the value stored in the cube were limited to development systems and ddid not occur on customer environments; removed this from the Known issues list.
• Determined that the display of UNKNOWN for some Asset Advanced Details fields is expected behavior when this is all that BeyondInsight knows about the asset; removed this from the Known issues list.
• Resolved an issue in new asset creation in which the previously selected asset’s details were populated in the new asset creation form.
• Resolved an issue with the User Type filter on the Asset Advanced Details – Users tab. It now works for domain user, local user, and administrator.
• Resolved an issue with the user fields in the edit panel appearing cleared when editing a user from the User Details edit panel.
• Resolved an issue with deletion of directory credentials if the name is longer than 80 characters.
• Resolved an issue with access to Endpoint Privilege Management Events page from main menu by a user with read-only permission to Endpoint Privilege Management.
• Resolved an issue which enabled the Global Credential Key when upgrading from 22.3.0.1270. After upgrading from 22.3.0.1270 to 22.4.0.1101, if the Global Credential Key switch was off prior to the upgrade, it will be enabled after the upgrade. Workaround: Update it to the desired setting in the Configuration area, either switching it off, or setting a global key for use with any pre-existing.
• Resolved ed an issue with SSH credential edits showing with an error indicating that there are invalid fields if no private key was included in the edit action.
• Resolved an issue with duplicate Discard Changes? confirmation prompts when cancelling the creation of a new propagation action.
• Resolved an issue with an error preventing the deletion of an Active Directory managed system that contains one or more Active Directory managed accounts that have at least one propagation action assigned.
• Resolved an issue with filtering by more than one type in the Configuration - Propagation Actions grid.
• Resolved an issue with new session mask creation sometimes failing with a One or more fields are invalid error message.
• Resolved an issue with the Functional Account domain field being used rather than the Instance URL when using a Jira Connector for ticket system validation.

Known issues:

23.1.0

• Searching in the Authentication Type dropdown in the create form of a MS SQL Server Discovery Credential does not work. Workaround: The list of Authentication Types is very short; use the keyboard up and down arrows or a mouse to select the desired one. This will be fixed in an upcoming release.
• Creating a scan using a new MS SQL Server Credential (added using the Create New Credential link within the Scan Wizard) gives an error. Workaround: Either use a pre-existing MS SQL Server credential, or run the Scan Wizard a second time (using the credential created the first time). This will be fixed in an upcoming release.
• In the Scan Wizard, when searching for a subset of credentials, and using Select All, all credentials (even those that don’t match the search) are selected. Workaround: Manually select the credential(s) to be used, rather than using the Select All function. The current and expected behavior is being reviewed with UX and might be updated in the future.
• In the Scan Wizard, when choosing credentials and selecting, then deselecting some or all, (so that none are selected), clicking Next prompts to validate credential keys, but does not list any credentials. Workaround: Cancel, and select at least one credential from the list, and then proceed. Alternately, click Validate, and a warning will be shown that a credential must be selected from the list. Then select at least one credential from the list and proceed. This will be fixed in an upcoming release.
• In the Scan Wizard, when entering a custom credential, if you’ve previously selected/deselected any credentials in the Existing Credentials list, clicking Next prompts to validate credential keys, but does not list any credentials. Workaround: Click Validate, then proceed. This will be fixed in an upcoming release.
• When editing Scheduled Scan Detailed Discovery Options, the UI might display a value in the Deploy Local Scan Service dropdown, which does not reflect the value that was originally set upon scan creation. Workaround: Do not be alarmed if the UI on the edit screen shows the wrong value. The scanner will respect the original setting. Edits to other aspects of the scheduled scan will not change the value of Deploy Local Scan Service behind the scenes. Editing this field on a scheduled scan may not appear to adhere in the UI, but the value that is chosen will be used behind the scenes.
• In the Scan Wizard, when customizing the options for a detailed discovery scan, a validation error occurs if entering more than 100 users in the Limit accounts returned option. Workaround: this warning can be ignored. It does not prevent you from saving, and the value entered by the user gets submitted to the scanner.
• After saving a change to the target Smart Rule on a recurring scan edit, the user may receive an unsaved changes warning when attempting to navigate away. Workaround: It is safe to click Discard Changes; the updated target has been saved. This will be fixed in an upcoming release.
• In the Schedule tab of a recurring scan edit, there is an option to change the scan from Recurring to Immediate. Using this option gives an error message and does not save the changes. Workaround: Please do not use this option; it is not valid in this location. If it is desired to run a scheduled scan immediately, use the Run Now option from the Active/Completed Scans grid. This Immediate schedule option will be removed from the UI in an upcoming release
• If a local user sets their password of a given length, and the password policy is later updated to limit password lengths to a shorter length, that user will be unable to enter their current password in the Change Password form (as the length restriction is incorrectly applied to this field). Workaround: The user can follow the reset password process to change their password, the administrator can edit the user to give them a new complaint password, or the password policy can be increased to its previous length. This will be fixed in an upcoming release.
• Cloud only: When exporting the Asset report to CSV, the first page of the report is not included in the exported CSV file. This page contains summary data. Workaround: This data can, if desired, be compiled from the individual detail records, which are included in the CSV.
• Cloud only: When exporting the Service, Software, User Account, Operating System, and Port reports to CSV, the Top 5 and Bottom 5 sections are missing from the exported CSV file. Workaround: This data can, if desired, be compiled from the individual detail records, which are included in the CSV.
• In the Asset > Advanced Details > Users grid row details, the SSH Key Count field might be zero, even if there are SSH Keys that exist for that user. Workaround: None. This will be fixed in an upcoming release.
• In an environment that uses Windows Authentication, Privilege Management Reporting will not load. This is not a typical setup and is unlikely to be encountered. However, in rare situations it might be possible. Workaround: Ensure dbo permissions for NT AUTHORITY/SYSTEM account on the BeyondInsight/RetinaCS database. Restart services and perform IIS reset.
• Any existing access policy which has location restriction enabled with X-Forwarding set to All, after upgrading to 23.1 the X-forwarding field will show blank and disabled. Workaround: Toggle the Location Restriction switch off and back on to enable the X-forwarding field.
• UI: Duration Picker control has help text on each control to show the max allowable value. However, if the bound value is updated after the control has initially rendered, the help text is not updated to reflect the change. Workaround: None; ignore the help text. Proper validation occurs at submit.
• Session archiving: When in a multi-node configuration, the Archive option is still available even if archiving is not supported by the node. Workaround: None; ignore error if archive is attempted, or set up archiving on that node.
• Session archiving: When an archive is attempted and the destination path does not exist or is wrong, then the status remains stuck in Archiving. Workaround: Fix the archive path, and reset the status in the DB manually.
• Session replay: Firefox: Viewing an active session, terminating it, and then trying to replay the session from Completed Sessions results in an error.
• Password rotation: When a view password request has been denied after the password has been viewed but before the request is checked-in or expired, then the password is not triggered for rotation. Workaround: If an Admin/Approver denied a view password request after it has already been approved (and potentially used), then we recommend that they trigger a manual rotation on that account.
• Global AD group sync can sometimes fail in Password Safe Cloud when configured to use a preferred domain controller. Workaround: Don’t use a preferred domain controller. This will be fixed in an upcoming release.
• Editing an existing functional account with an assigned DSS key incorrectly requires the DSS key to be re-uploaded when saving any change to the functional account.
• When upgrading the Policy Editor to 23.4, in some cases, the JRE folder becomes corrupted, which causes the Policy Editor to fail to load. Workaround: Uninstall and then reinstall, or, if the latest Privilege Management Reporting is installed, copy the JRE folder from there into the Web Policy Editor location.
• Global keystroke search from the Completed Sessions grid is currently not available. Keystroke searching can be accomplished per-session from the Session Replay screen and globally across sessions via the API. This functionality will be restored in an upcoming release.
• Registry Monitoring Events are not showing up on the report, and are not normalized to the database. An error about a missing stored procedure may be observed in the logs. Workaround: Contact support to restore the missing stored procedure to the database so subsequent events can be normalized. Once the daily Analytics and Reporting sync job runs, the subsequent events will show up in the report. This stored procedure will be restored to the database in an upcoming release.

ℹ️

Note

Issues discovered after release can be found within our product Knowledge Base.

Notes:

• Removed Status column from the Linked Accounts and Domain Linked Accounts grids. This feature will be re-added in an upcoming release.
• Direct upgrades to 23.1.0 are supported from BeyondInsight versions 21.2 or higher.
• This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
• The MD5 signature is: ce72fe03e6770e3d171a5bd2f176e376
• The SHA-1 signature is: a83f2d3b09807064323e68e900adce75b360b33b
• The SHA-256 signature is: 573730d220ebcaf57588472c95edfe7e68ee8415c3fff17b131d75d4465f77ab

May 4, 2023

New features and enhancements:

• Implemented a Loading spinner on grids.

Issues resolved:

• Resolved issue in which the displayed text for Lock and Unlock Client Subscriptions did not have the same functionality as the icon.
• Resolved a client subscriptions versioning issue in which changes to one client affected other clients.
• Resolved an issue in which the Client Subscription page was missing the client name on the grid.
• Resolved an issue in which user data for check for updates was showing IIS_APPPool\Updatersettings when logged in as btadmin.
• Resolved issue in which it was unclear how to get back to the previous screen when viewing the Client list. The chevron that was pointing in the wrong direction has been updated and made consistent with other listing screens.
• Resolved a display issue that occurred when the server or browser did not have internet access.
• Resolved the issue with the inability to view and update the Lock/Unlock status of an item by clicking the icon and the issue with the Lock/Unlock feature not functioning properly. Additionally, the listing page now accurately reflects the Lock/Unlock status of the items.

Known issues:

• The clear cache pop-up confirmation continues to be displayed after the login session ends.
• For settings through API, a password can be changed to contain one character.
• For settings through API, an email address can be changed against the format rules.

Notes:

• Requires .NET 4.7.2+.
• This update is available via BT Updater.

March 14, 2023

Issues resolved:

• Removed header cache-control from root website.

Known issues:

• Restarting the BeyondTrust Appliance System Information service causes dependent services to stop.
• In air-gapped environments, the Test Email button on the Email page generates 500 Unexpected internal error has occurred page.
• A timeout on completion of the Configuration Wizard forces the wizard to re-run.
• When disabling multiple roles, such as, Event Collector, BeyondInsight Management Console, SQL Server Database, at once, applying the roles may time out.

Notes:

• This update is available through BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• .NET 6.0.13 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• SUPI 3.2 is required (available through BT Updater).
• The Deployment and Configuration Wizard is dependent on BeyondInsight 21.2.

February 23, 2023

New features and enhancements:

• Improved security by preventing data access for lower privileged users.
• Removed eEye Digitial Security SyncIt from the UI (legacy BeyondTrust product).
• Added appliance software notifications for Windows Defender alerts.

Issues resolved:

• Resolved issue in which the Microsoft Product Key input box on the Product Licensing page was too wide on smaller resolutions.
• Resolved issue in which a POST Request Error `ErrorCode: 400` was received when changing BeyondInsight Admin password from the Maintenance page.
• Resolved issue in which the Request Software Updates button was always disabled on the Maintenance page.
• Resolved issue in which when timeouts occurred on the Completion screen in the Configuration Wizard, resulting in the final steps not completing and the wizard not restarting.
• Resolved CryptoKey mismatches and provided auditing on CryptoKey changes for high availability.
• Resolved issue retrieving Active Directory data and logging in to BeyondInsight after switching roles in a high availability pair, due to unable to decrypt data errors.
• Resolved issue in which the ECM Plugin was missing high availability support.
• Resolved issue in which, for releases 3.5 and 4.0, a system access error occurred when changing the Omni Worker service back to automatic from disabled after turning off the role.
• Resolved issue in which services and logs were missing from Diagnostics page.
• Resolved issue in which Appliance did not remake impersonation database upon login.
• Resolved issue in which the SQL maximum memory was set higher than the limit.
• Resolved issue in which backups scheduled using the Configuration Wizard failed to run, while backups scheduled post configuration ran successfully.
• Resolved issue in which 443 (HTTPS) did not work when configuring Analytics and Reporting, but did after refreshing endpoints from Maintenance.
• Resolved issue in which changing Windows credentials from the Maintenance page didn't work.
• Resolved error in which a 401 error was received after the Create Admin step was completed for Server 2022 in the Deployment Wizard.
• Resolved error that occurred while applying roles in the Configuration Wizard.
• Resolved issue in which the Windows license expiry banner was not displayed for Server 2022.
• Resolved issue in which Installer didn't install three high availability service files.
• Corrected spelling of the hint for the password policy tooltip in the Configuration Wizard.
• Resolved issue in which the session archiving service crashed due to missing Microsoft.Win32.Registry file.
• Resolved issue in which the Windows OS and SQL versions were not being detected for Server 2022 on the Product Licensing page.
• Resolved issue in which the Appliance Details page error banner displayed any package, rather than for only failed packages.
• Resolved issue in which the Recipient Address format validation was missing on the Email page.
• Resolved issue for multiple appliance SUPI, in which the field labels referencing Browser vs Appliance Time did not translate easily.
• Resolved issue in which the path to the executable file on the Properties > General tab for the BeyondTrust Appliance High Availability Monitor service was not in quotes when it should have been.
• Resolved issue in which the /UpdaterSettings site logs you out if you are logged into /UpdaterSettings, and then you log into Maintenance in a new tab.
• Resolved issue in which applying role settings times out when BeyondInsight is 22.3 or later.
• Resolved issue in which turning off the Event Collector role may remain in a pending state when BeyondInsight is 22.3 or later.

Known issues:

• Restarting the BeyondTrust Appliance System Information service causes dependent services to stop.
• In air-gapped environments, the Test Email button on the Email page generates 500 Unexpected internal error has occurred page.
• A timeout on completion of the Configuration Wizard forces the wizard to re-run.
• When disabling multiple roles, such as, Event Collector, BeyondInsight Management Console, SQL Server Database, at once, applying the roles may time out.

Notes:

• This update is available through BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• .NET 6.0.13 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• SUPI 3.2 is required (available through BT Updater).
• The Deployment and Configuration Wizard is dependent on BeyondInsight 21.2.

February 14, 2023

New features and enhancements:

• Angular rewrite for BT Updater web application.
• Added subscriptions to support new Appliances running on Windows Server 2022.
• Removed certificate pinning.

Issues resolved:

• Resolved issue in which BT Updater was not processing packages on either of the four Server 2022 (SQL 2019) subscriptions.
• Resolved issue in which the BeyondTrust Discovery Agent was not showing as delivered in BT Updater on Server 2022.

Known issues:

• The clear cache pop-up confirmation continues to be displayed after the login session has ended.
• When modifying settings via the API, the password can be changed to contain one character only.
• When modifying settings via the API, the email address can be changed to one that does not adhere to format rules.

Notes:

• Requires .NET 4.7.2+.
• This update is available via BT Updater.

December 8, 2022

New features and enhancements:

• Added support for Microsoft Windows Server 2022 and Microsoft SQL Server 2019.

Issues resolved:

• Updated headers on appliance management sites.
• Proper management software version now displayed on footer.
• Resolved issue when setting static IP during deployment.
• Resolved issue in which some U-Series Appliance binaries were not digitally signed.
• Resolved issue in which the Deployment Wizard on a 2022-R6 SQL-Free appliance image produced an internal 499 error: SQL Expiration days left.
• Resolved issue on the Config IP page in which the Next button was enabled before the user had entered valid adapter settings, or had clicked the Save Adapter button.
• Resolved issue in the Configuration Wizard in which an error was encountered while preparing the local BeyondInsight database.

Known issues:

• Some services might be slow to start on Server 2012 systems, which can impact deployment or configuration wizards.

Notes:

• This update is available via the BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later and is required (available through BT Updater).
• .NET 6.0.4 or later is required (available through BT Updater).
• SUPI 3.2 is required (available through BT Updater)
• The Deployment and Configuration Wizard is dependent on BeyondInsight 21.2.

October 25, 2022

New features and enhancements:

• Central management of SUPI updates across multiple Appliances.
• Updated Software Versions grid.
• Updated API Keys grid.
• Now supports AWS RDS when creating a database.
• Removed wipe appliance option.
• Removed legacy calls for App Bus and Central Policy.
• Deprecated support for the discovery tool.
• Added date, time, and timezone to the blue Appliance header.
• Disabled the ability to change BeyondInsight password if the version installed is earlier than 21.1.
• Removed dark mode colors.

Issues resolved:

• Resolved issue which caused the pre-logon banner to be bypassed.
• Resolved issue in which 2012 Appliances that did not have WebSockets enabled did not display a message stating so.
• Resolved issue that was triggering High Availability because BeyondInsight services were not shutting down in a timely manner.

Notes:

• This update is available via the BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later and is required (available through BT Updater).
• .NET 6.0.4 or later is required (available through BT Updater).
• The Deployment and Configuration Wizard is dependent on BeyondInsight 21.2.

October 18, 2022

New features and enhancements:

• Multi-Appliance SUPI support.
• Upgraded SUPI service from .NET 3.1 to .NET 6.

Issues resolved:

• Resolved issue in which SUPI Service API allowed creation of duplicate schedules, which broke processing (not the UI).
• SUPI packages designed for 2012 OS that are downloaded on 2016 are no longer imported to the SUPI database.

Notes:

• This update is available as an automatic update over BT Updater.
• The desktop SUPI.EXE no longer has a user interface, but can still be used at the command prompt to support scripting.
• SUPI 3.2.0 is a prerequisite to installing UVM Software 4.0.0 and later.

June 14, 2022

New features and enhancements:

• Users can now use SSO to authenticate from BeyondInsight into Appliance application.
• Added an Appliance > Shell page, to display a Welcome Screen when there is a new release.
• Date & Time Synchronization features have been moved to the Appliance > Enterprise Integrations page.
• Product Serial Numbers have been moved to the Appliance > Software & Licensing page.
• Software Versions have been moved to the Appliance > Software & Licensing page.
• Email features have been moved to the Enterprise Integrations page.
• Health Event Forwarding has been moved to the Enterprise Integrations page.
• Appliance API Keys has been moved to the Enterprise Integrations page.
• Log File Export has been moved to the Enterprise Integrations page.
• The ability to change the BeyondInsight admin password is now limited to the BeyondInsight Administrator user.
• Added Legacy App menu item to Appliance application.
• Added certificate authority cert to the API key exchange blob.
• Implemented generic error handling to display a better looking error page.
• Updated Retina warning banner to indicate Retina scanners are no longer supported.

Issues resolved:

• Resolved issue in which the PBW-API service failed to activate the PBW policy when the Appliance was configured.

Notes:

• This update is available via the BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later and is required (available through BT Updater).
• .NET 6.0.4 or later is required (available through BT Updater).
• The Deployment and Configuration Wizard is dependent on BeyondInsight 21.2.

May 17, 2022

New features and enhancements:

• Updated handling for signing certificates.
• Resolved issue in which the SUPI service would crash when removing completed Security Update if the file was locked by another process.

Known issues:

• SUPI Service API allows creating duplicate schedules, which breaks processing (not UI).

Notes:

• This update is available as an automatic update over BT Updater.
• The desktop SUPI.EXE no longer has a user interface but can still be used at the command prompt to support scripting.
• SUPI 3.x.x is a prerequisite to installing UVM Software 3.2.2 and later.