Session Monitoring Agent (pbsmd) 25.1.38 is included.
Enhanced Session Monitoring Agent (pbpsmon) 25.1.38 is included.
PS Automate build 12638027310 is included.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: B24AFAA01C9B6FFAD3A57520EF5364F1
The SHA-1 signature is: 87C8214A63CDA3C0FB410B5D925E9A6DED707B55
The SHA-256 signature is: 13C132BEDC5C040FFEAD25E95410E963B5ABF0437674E0258CFDE9BFD9D7701D
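One way to check a downloaded installer against the published values, as an added example that is not BeyondTrust code: it parses "The ... signature is:" lines in the form used on this page (the values are plain hash digests), streams the file, and requires the SHA-256 value to be present and to match. The function names and the sample file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Expected hex length per algorithm. A value of the wrong length is a
# copy/paste error and is rejected before any hashing is done.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches lines such as "The SHA-256 signature is: <hex>" in either case.
LINE_RE = re.compile(
    r"The\s+(MD5|SHA-1|SHA-256)\s+signature\s+is:\s*([0-9A-Fa-f]+)\s*$"
)


def parse_published(notes):
    """Return {algorithm: lowercase hex digest} found in release-note text."""
    found = {}
    for line in notes.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        algo = m.group(1).lower().replace("-", "")
        digest = m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo}: expected {HEX_LEN[algo]} hex characters")
        # The page lists several releases; mixing their blocks is an error.
        if found.get(algo, digest) != digest:
            raise ValueError(f"{algo}: conflicting values, pass one release only")
        found[algo] = digest
    return found


def file_digests(path, algos, chunk=1 << 20):
    """Hash the file once, feeding every requested algorithm per chunk."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_installer(path, notes):
    """Return (ok, per_algorithm_match). SHA-256 must be published."""
    published = parse_published(notes)
    if "sha256" not in published:
        # MD5 and SHA-1 are collision-broken; do not accept them alone.
        raise ValueError("no SHA-256 value published")
    actual = file_digests(path, published)
    matches = {
        a: hmac.compare_digest(actual[a], published[a]) for a in published
    }
    return all(matches.values()), matches


if __name__ == "__main__":
    # Constructed stand-in for a downloaded installer and its release note.
    payload = b"constructed installer bytes"
    notes = "\n".join([
        f"The MD5 signature is: {hashlib.md5(payload).hexdigest().upper()}",
        f"The SHA-1 signature is: {hashlib.sha1(payload).hexdigest().upper()}",
        f"The SHA-256 signature is: {hashlib.sha256(payload).hexdigest().upper()}",
    ])
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
    try:
        print("intact file:", verify_installer(tmp.name, notes))
        with open(tmp.name, "ab") as fh:
            fh.write(b"\x00")  # simulate a modified download
        print("modified file:", verify_installer(tmp.name, notes))
    finally:
        os.unlink(tmp.name)
```

Pass only the three lines for the release you downloaded; the parser rejects text that contains two different values for the same algorithm.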
On-premises customers using the U-series Appliance with SQL 2019 must install March SQL Server Updates 250301 prior to upgrading to BeyondInsight/Password Safe 25.1.
Customers using SQL Free appliances with a standalone SQL Server 2019 installation must install Cumulative Update Package 32 for SQL Server 2019 - KB5054833 prior to upgrading to BeyondInsight/Password Safe 25.1.
🆕 New features
Workforce Passwords for Pathfinder
With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.
Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.
Great news! The Password Safe mobile app is available on both the Apple App Store (iOS) and Google Play (Android). With the app, you can easily view, check out/check in, and request credentials—right from your mobile device.
That’s not all - you’ll also have quick access to your Secrets Safe entries and credentials stored in your personal folder, making it easier than ever to stay secure on the go!
iOS Login
ℹ️ The mobile app requires customers to be on version 25.1 or later.
Mobile Application Session Timeout Setting
In Password Safe Cloud and on-prem, you’re in control - configure the Mobile app to auto-timeout after a set number of minutes!
Deployable WFP Extension
Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!
Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.
Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.
Accessing secrets in Secrets Safe just got easier! You can now jump straight to a secret’s details using a shareable URL.
Authenticated users can use the link to go directly to the secret within its designated safe. The URL includes the secret’s title and sub-folder path, and it’s easy to grab - just copy it from the UI or your browser’s address bar.
Share it with others who have access for quick, no-hassle navigation right to the info they need!
To enhance security and streamline access, web console login sessions are now limited to one session per user.
And more good news - if you have multiple tabs open in the same browser, you can seamlessly use the same session across all of them. No interruptions, just a smoother, more secure experience!
Performed backend updates to allow for future support of IPv6 addresses
More information will be available in a future release.
Updated Algorithms and Ciphers
Security just got a boost! With Password Safe 25.1, devices now use stronger, modern ciphers to keep your data safer than ever.
We’ve added support for the latest encryption algorithms and are phasing out older, less secure ones to ensure top-tier protection across the board.
API Updates
Secrets Safe API
Added SecretType information to the response of GET Secrets-Safe/Secrets/{secretId:guid}.
Users can now set a Prior Expiration Date for Safe Permissions with the new ExpiresOn field.
Password Safe API
Added RequestorName and RequestorUserID to Get Requests
Added paging support with two new optional query parameters: limit and offset.
We've made some great updates to improve clarity and consistency in Secrets Safe:
User names are now displayed as Last Name, First Name in grids, and First Name, Last Name everywhere else, making it easier to quickly find who you're looking for.
For secrets shared from a personal folder, ownership is now locked for added control. You’ll see the owner’s name, but the Manage Ownership option is hidden to keep things tidy.
The Owner dropdown in the Secrets grid now shows all owners at a glance - and yes, you can filter secrets by owner for faster navigation!
Web Policy Editor: Local AD Search in BeyondInsight
BeyondInsight 25.1 brings a powerful new enhancement for Endpoint Privilege Management customers! You can now easily search your connected Local AD environments right from the Web Policy Editor.
Quickly find and add users or groups to Windows Workstyle Filters, Messages > Designated Users, Application Rule Filters, On-Demand Application Rule Filters, and Custom Tokens (for groups) - all in just a few clicks!
Improved Session Replay
Session Replay just got a major upgrade! You can now zoom in on specific areas of a recording, making it easier than ever to see and read details—especially when working with high-resolution displays or multi-monitor setups.
Crystal-clear visibility, right where you need it!
Further improved page responsiveness based on screen resolution.
Pathfinder - Directory attributes disabled
We’ve removed the Directory Attributes Match option from the Dedicated Account smart rule filter in Pathfinder instances. If any Smart Rules included that filter before upgrading to Pathfinder, you’ll now see empty dropdowns when editing those Smart Rules post-upgrade; affected Smart Rules should be reviewed and edited as needed.
Directory Attribute Match smart rule filter continues to be available for Cloud and On-prem.
📋 Reports
New Usage Folder
A new folder named Usage is now available in Analytics and Reporting. The following reports are included in this folder:
The Workforce Passwords Usage Summary report
The Active Users report
The System Usage Statistics report (new)
New report - Scheduled Tasks Account Usage
Have you ever wondered which accounts used for Scheduled Task management are managed by Password Safe? Now you can see this information for any system that has associated Scheduled Task scan data, just by running the new Scheduled Tasks Account Usage report!
New report - IIS Application Pool Account Usage
Have you ever wondered which IIS Application Pool identity accounts are managed by Password Safe? Now you can see this information for any system that has associated IIS Application Pool scan data, just by running the new IIS Application Pool Account Usage report!
New report - System Usage Statistics
The new System Usage Statistics report gives you a clear snapshot of overall system usage - tracking unique logins over your selected time period and providing key insights into the number of Managed Systems and Managed Accounts available at the time of the report.
Database Platforms Added to Database User List Report
Prior to 25.1, only Oracle, MS SQL, and MySQL were included. We now include all database platforms present in Password Safe.
Improved Initial Load Time of Reports Home Page
We’ve improved load times on the Analytics & Reporting home page.
🛠️ Issues resolved
🔧 Password Safe
Product Area
Description
Resolution
Password Safe
Managed Systems and Managed Accounts can be deleted when there are open sessions.
Resolved. If sessions are open, managed systems and accounts cannot be deleted.
Password Rotation
When attempting to rotate managed accounts on decommissioned systems, the attempt will time out eventually, but it is not respecting the Managed System timeout setting, which can cause bloat in the queue table and may cause delays of other password changes.
Timeout values are honored now by all Password Safe platforms supported by Password Safe plugins.
Password Safe Cloud
Parsing issue of malformed keystroke JSON caused a memory leak. PWS Cloud 24.3.0 W3WP.exe Alert 'Memory gates checking failed because the free memory' was fired.
Resolved memory leak and improved response time under invalid or high volumes of keystroke input.
BeyondInsight/Password Safe
When attempting to connect to some Oracle instances, an error occurs: ORA-28040: The database does not accept your client's authentication protocol; login denied.
The issue has been resolved. Connections to Oracle 19 databases are successful.
Password Safe Sessions
When reviewing sessions, scrolling in the keystrokes list can cause the list to jump to a previous point.
Resolved. The scroll window no longer jumps back in time.
Password Safe
Unable to edit Name field on the Create Managed Account form when accessing from Managed System → Advanced Details → Managed Accounts after moving focus away and then back to the Name field.
Resolved. Text box remains editable.
Password Safe Sessions
RDP sessions do not record keystrokes when sessions are created from a Windows 11 VM to a Windows 11 VM.
Resolved. Keystrokes are now recorded.
🔧 BeyondInsight
Product Area
Description
Resolution
BeyondInsight
When 24.1.0.1398 is upgraded to 24.3, the EventCollector directory is missing Microsoft.Data.SqlClient.dll leading to failures activating new OAuth clients.
Ensured that new Endpoint Privilege Management clients can be activated for OAuth regardless of the upgrade paths followed to get to BeyondInsight 25.1.
BeyondInsight
Users with User Account Management and Password Safe Role Management are still not able to manage Password Safe roles on Smart Groups from the User Group management area.
Permissions check was updated to grant ability to assign Password Safe roles to smart groups with either Password Safe Role Management or Password Safe Policy Management feature access.
BeyondInsight
Modernize terms throughout.
Language updated to replace instances of ‘abort’ with ‘stop’.
BeyondInsight/Password Safe
When attempting to connect to some Oracle instances, an error occurs: ORA-28040: The database does not accept your client's authentication protocol; login denied.
The issue has been resolved. Connections to Oracle 19 databases are successful.
BeyondInsight
If a Directory Credential has SSL enabled and it is used to sync an AD group, the sync status does not update. However, when using a credential that isn’t SSL enabled, it completes and updates.
Group sync status is now reliably updated whether or not the Directory Credential used for the sync has SSL enabled.
BeyondInsight
Some fields are not populating upon Update in Oracle credential.
Resolved. All fields are now populating on update.
BeyondInsight
If a user changes their theme during a session, the theme value is reset when they manually logout.
Resolved. Theme remains as is on logout.
BeyondInsight
On edit, if a smart rule contains multiple dedicated account filters, including a Directory Attribute Match filter, some inputs are missing their selected value.
Resolved. Filters have all of their inputs filled as they were on creation, and the dropdowns contain the correct options for the filter type.
BeyondInsight
Test functionality in SNMP connector gives a permission error.
Resolved. Test functionality in SNMP Connector no longer gives permission error.
BeyondInsight
Updating an Attribute Type used in a Smart Rule sometimes results in an unusable smart rule. “Edit Smart Rule” loads an empty smart rule and returns an error.
Resolved. No Error. Smart Rule opens with new Attribute type name visible.
BeyondInsight
Excessive network traffic observed when testing an Entra ID Directory Credential.
Entra ID Directory Credential test logic modified to reduce the amount of network traffic to only the essentials.
BeyondInsight
The last login date on the User Profile and User's details are not updating.
Resolved. The last login date now displays correctly in the User Profile and User’s details.
🔧 Secrets Safe
Product Area
Description
Resolution
Secrets Safe
When editing a secret with no owners (an owner without correct permissions), an incorrect/unhelpful warning displays. The owner without permissions is not displayed in the owners list.
When another user edits the secret and clicks on the owners link, the owner that does not have access anymore shows up so that they can be removed.
When another user edits the secret, clicks on the owners link, changes the owners (but leaves the invalid owner marked as checked), and clicks update, the correct error displays.
Secrets Safe
When saving a secret with invalid owners an error displays.
When a user has edit access to a secret and there is an invalid owner, if the user makes changes to anything other than the owner, save is successful.
When a user has edit access to a secret and there is an invalid owner, if the user edits the owner list, the edit fails.
When a user has edit access to a secret and there are invalid owners (at least 2) and the user removes one of the invalid owners, save is successful.
Secrets Safe
The PrincipalGrid_FindPagedResults stored procedure performs poorly with a larger dataset. Used in the PrincipalGrid, it takes 6 seconds to retrieve assigned principals. When All or Unassigned is selected, the call times out in the UI after 10 minutes. Running in SSMS with All selected takes 20 minutes.
The stored procedure was refactored. All principals are returned in seconds.
Secrets Safe
Credentials grid scalability issue - the credentials grid is slow to load. With 150,000 Credentials and 150,000 Credential_Owners, it takes over 20 seconds to load a page of 200 Secrets.
Query of the Credential_Owner table was updated.
Secrets Safe
When selecting an unshared origin secret, and then clicking ellipsis, Remove Share is present. If it is selected, a success message displays. This option should be removed from the origin secret UNLESS that origin has been shared.
Remove Share is no longer present if origin has not been shared.
Remove Share is present if origin has been shared.
Secrets Safe
Remove Share option does not appear in menu list until manual refresh.
Resolved. Remove Share is available in menu without a manual refresh.
Secrets Safe
User Audit 'Read SecretsSafeSecret' entry displays for user without permission to read the secret. The User Audit reports as if the user did read the secret. The user was blocked by the expected 403 due to “CanReadCredential.Errors.Unauthorized.DoesNotHaveReadPermission”.
The code now checks permissions before auditing.
Secrets Safe
All Secrets checkboxes can be multi-selected, but there are no icons for any actions. For example, if All Secrets is selected, and secrets in the grid are selected, the Delete icon is not displayed.
Create and Share are hidden for All Secrets, but Delete displays.
Secrets Safe
Partially imported password error lines are displayed multiple times.
A clearer explanation of the error is provided for each error.
Secrets Safe
When adding an owner to a secret, the owner doesn't always display.
Resolved. Owners now always display when adding one to a secret.
Secrets Safe
Safe Advanced Details: Access Management grid does not correctly represent a group’s inactive status. Assigning Safe access to an inactive group has no effect since users in that group will not be able to access Secrets Safe.
Resolved. Disabled user groups no longer show as enabled.
Secrets Safe
When there is a shared secret in a subfolder, deleting an upper folder results in an error.
Resolved. It is now possible to delete a folder if it contains a subfolder with a shared secret in it.
Secrets Safe
The expiration date and time both change when only the date of expiration is edited.
Resolved. Time stays the same when date is edited.
Secrets Safe
User who does not have access to the safe where the secret originates from, but has full access to the shared safe, is blocked from editing it.
Users with access to a Safe can now successfully update secrets shared from other Safes they don’t have access to. Editing and clicking the Update button no longer results in a blocked action.
Secrets Safe
Cannot retrieve secret using API from a folder three levels deep.
Resolved. User is able to retrieve secret three levels deep (or more) without encountering an error.
Secrets Safe
Resolved an issue where users with temporary access to a Safe could continue accessing its secrets if their session remained active after the access expired.
Resolved. Once expiration occurs, if the safe remains in view, no access to owned/non owned secrets can occur. Upon refresh the safe is no longer present and All Secrets is cleared of the contents from that safe.
Secrets Safe
Sorting of Owners grid causes extra owners to be checked.
Resolved. No extra items are checked after sorting by the different columns.
Secrets Safe
User is able to share a secret to a Safe/Folder that it already belongs to, resulting in duplication of that Secret on the Secrets grid.
Resolved. A user receives an error message when trying to share a secret to the safe/folder it already belongs to.
Secrets Safe
Importing a malformed CSV file into Secrets Safe could return internal error messages and expose the call stack.
Improved handling of bad data in Secrets Safe import file
🔧 Workforce Passwords
Product Area
Description
Resolution
Workforce Passwords
Fresh install of the Workforce Passwords Browser Extension from the Firefox store is missing the Delete Credential button until you log out of and log back into the extension.
In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps.
🔧 Reporting
Product Area
Description
Resolution
Reporting
Password Update Activity Report - shows data even when Smart Group parameter value is a Smart Group with no results.
The Smart Group parameter was not working properly with domain accounts and functional accounts. The report now filters appropriately when the Smart Group filter is selected, and only relevant results are displayed.
Reporting
The Password Update Activity Report will not run if the optional Accounts parameter has no value set.
Resolved an issue retrieving the Password Update Activity for Functional Accounts, improving the performance and ensuring that the report works with or without data in the Account parameter.
Reporting
Reviewed Sessions Report PDF format - column pushed to next page.
Resolved. Report formatting updated.
Reporting
(On Premises only) When the ADOMD Client is missing from the system, the Endpoint Privilege Management Event Rollup report subreports show an error and do not work.
Resolved. We now install the required ADOMD Client so that sub-reports can function.
Reporting
When a user attempts to run the Password Reset-on-Release report the Account Name is a required field, when it shouldn't be required.
Resolved. Account Name is now an optional field.
🔧 APIs
Product Area
Description
Resolution
BeyondInsight API
AppAuditDetails has reached its identity limit.
Changed the AuditDetailsID field from ‘int’ to ‘long’ to accommodate larger IDs. This change impacts the public API.
Secrets Safe API
Calling the GET Secrets-Safe/Secrets API with the optional Path query parameter does not properly return secrets which have been granted via group membership.
Resolved. Filtering by Path, Secret Name, afterDate, limit and offset, or any combination of all those filters, properly returns data.
BeyondInsight API
POST UserGroups/{id}/Permissions with SS Permission 111 fails with 400 error: Failed to create team passswords folder.
Resolved. Folder creates successfully.
🔧 Pathfinder
Product Area
Description
Resolution
Pathfinder
No error is provided in the UI when attempting to delete a custom Platform Plugin that has an associated Functional Account.
Resolved. The UI now warns the user that they cannot delete a custom Platform Plugin with an associated Functional Account.
📝 Requirements
Direct upgrades to 25.1.0 are supported from BeyondInsight versions 23.1 or later releases.
BeyondInsight 25.1.0 supports SQL Server 2016 SP2 or higher
The MD5 signature is: a253a8f419777df83cbbc5453b0f4c60
The SHA-1 signature is: 951cc0076a2971e6e5474e614f48ed488f698a75
The SHA-256 signature is: 69e2dca017e880b344c9623519f29803972af2775345799ffc4a919777a121bd
⏰ Deprecation notices
Licensing Folder Removed
The Licensing folder has been deprecated. Due to folder reorganization, any report saved views, report subscriptions, or subscriptions to saved views relating to the following reports no longer function and must be recreated from the new Usage folder if still required:
Workforce Passwords Usage Summary
Active Users
Password Safe User Licensing report deprecated
The Password Safe User Licensing report that lived within the Licensing folder has been deprecated. Any report saved views, report subscriptions, or subscriptions to saved views of this report no longer function. Users should consider creating fresh views and subscriptions based on the System Usage Statistics report, which has replaced the Password Safe User Licensing report.
Removing PMUL support in BIPS
In 25.1, we have begun the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.
The first step is to no longer receive and process PMUL and Solr events.
In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.
Support for Outbound TLS 1.3
In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:
Client certificates will no longer be supported as an authentication method for API registrations.
The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates
The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.
Enhanced "Reboot Recommended" process (reboot and retry)
When installing a product for a subscription that runs an installer, and the installer requires a pending reboot:
Case 1: Auto Reboot is OFF
The subscription is not marked as published.
The machine does not reboot automatically.
The activity log shows: "update deferred (reboot needed)".
Once the user manually reboots the machine and it starts back up, it automatically tries to publish the subscription again.
Case 2: Auto Reboot is ON
The subscription is not marked as published.
The machine automatically reboots.
The activity log shows: "update deferred (reboot needed)"
After the reboot, it automatically tries to publish the subscription again.
Improve user feedback when a reboot is recommended:
Added notifications to inform user that reboot is recommended.
Added a banner to inform user that reboot is recommended.
Enhanced "Reboot Needed" process
When installing a product for a subscription that runs an installer, and any of the following system settings indicate a reboot is pending:
A reboot is required by Windows Update.
A reboot is pending from Component-Based Servicing.
A system update is scheduled on boot.
There are pending file rename operations.
Then:
The updater sets a global reboot flag.
The Updater UI displays a banner message saying "Reboot recommended".
After the machine is rebooted, the global reboot flag is reset and the banner disappears.
Prevent installs if reboot requested (including deferred reboots)
The system uses the installer’s recommended reboot exit code as a natural signal to pause.
When the installer returns this code:
The updater knows a reboot is required and does not mark the install as complete.
The installation automatically retries after the machine is rebooted.
If the user clicks "Update Now" before rebooting, the installer may return the same reboot recommended code again, since the reboot still hasn’t occurred.
🛠️ Issues resolved
Description
Resolution
Exception logs are generated in root c:\ drive without cleanup.
Logs are now being stored in the usual Updater log area.
Dependent package versions are not listed in the web interface.
Dependent package versions are now listed in the web user interface.
Login page does not display properly in dark mode.
Login page changed to identify dark mode.
Package (*.pkg) not delivered by Updater and placed on an Enterprise Updater can cause child nodes to crash.
Package files are deleted if they are invalid.
Dark Mode Background colors are incorrect.
Dark mode colors fixed.
No feedback given to user if an invalid file is downloaded.
Remove unnecessary verbiage in https://productupdates.beyondtrust.com/: Click here to view Incapsula's IP addresses that you will need to allow through your firewall.
Verbiage removed
While subscriptions are locked, the associated package does not download.
Incorrect locking handling removed.
When looking at the Offline tool to create an offline package, BeyondInsight 24.3 is not shown in the list for downloads. Able to be downloaded from Updater.
Fixed filtering for the Offline tool.
Changes in the backend caused packages in QA mode to show as Live. SUPI packages that are shown as live are downloadable in Updater.
Fixed filtering.
When accessing Client Subscriptions under BeyondInsight, the 24.3 release is not displayed.
Incorrect locking handling removed.
BT Updater version 3.4.1.1743 cannot download the locked Appliance Management version unless it is the latest version 4.3.3.
Session Monitoring Agent (pbsmd) 24.3.18 is included.
Enhanced Session Monitoring Agent (pbpsmon) 24.3.17 is included.
PS Automate build 12239790337 is included.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: 9F5AB94868FA7FDE51F310E39F78B848
The SHA-1 signature is: C6CEE92AD30E060B280BE9E9136F11398348A4A7
The SHA-256 signature is: E158B7507ABD4F4EED1F9A99B2D89B78A21D8C88C5FE350D5FBA2B98DE483ADE
Session Monitoring Agent (pbsmd) has been updated to 24.3.18.
Enhanced Session Monitoring Agent (pbpsmon) has been updated to 24.3.18.
PS Automate has been updated to build 12239790337.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: 7B519B614D635DCC0A8ED3014D81D1C9
The SHA-1 signature is: 1FF50AA330F81011EACAD97235FAEF72AF972B29
The SHA-256 signature is: 23F924450A46EF43E711A3E2C0F98E737366542C09BD68BDF8BD7C30458B3632
A failure occurred when a user who is in multiple groups attempted to create or edit a secret because all of the user groups did not have the Secret Safe Read and Create permissions.
Now, when a user is in multiple groups, if at least one of those groups has the Secret Safe Read and Create permissions, the secret creation is successful.
PS Automate
When downloading the msedge driver for Microsoft Edge from the PS Automate build, a Chrome driver downloads.
When downloading the msedge driver for Microsoft Edge from PS Automate, the correct msedge driver downloads as expected. We also updated the enhancedsessionutility download from the website.
Smart Rules
When attempting to upgrade to 24.3.0, if there are deprecated Smart Rules, the upgrade failed and did not remove any references to deprecated Smart Rules that were assigned to user groups.
This issue is resolved. Now, when you attempt to upgrade to 24.3.0 using this build, the failure does not occur and references to deprecated Smart Rules are removed from user groups as expected.
Notes
Direct upgrades to 24.3.0.1237 are supported from BeyondInsight versions 23.1 or later releases.
BeyondInsight 24.3.0.1237 supports SQL Server 2016 SP2 or higher.