DocumentationRelease Notes
Release Notes

BeyondTrust Discovery Agent 25.2.0.1791 release notes

October 9, 2025

ℹ️

This release is available by download from the BeyondTrust Client Portal.

🆕 New features

Additional Kerberos support

Added support for Kerberos only environments by creating connections using the hostname instead of IP address.

Improved enumeration of MSSQL Databases

Improved support for enumerating MSSQL DB on ports not included in the scan/target port list.

Additional logic for scanners Added logic to make sure the scanner doesn't restart a running scan until we geta valid CP packet. This is needed to account for version dependent features.
Ability to report SSH Key Added the ability to report back SSH keys for Windows Users. This Supports OpenSSH on Windows.
Refinement to Phoenix.Core.log files Eliminated the excess Phoenix.Core.log file. The contents of that log are now in the Phoenix.Service.log.
Restrict execution of DLL and EXE files Restricted the execution of DLLs and EXEs via the Remote Agent to signed executables.

✨ Enhancements

With this release, we've added the following enhancements to the BeyondTrust Discovery Agent:

  • Removed unnecessary logfile warnings for MSSQL SID formatting.
  • Resolved issue where IOS XR OS information was missing.
  • Added support for long running SSH commands.
  • Improved SSH prompt detection.
  • Resolved the issue where a user enumeration would fail if the registry value was not a properly formatted SID.
  • Fixed a Checkpoint Gaia user enumeration parsing error

🛠️ Issues resolved

DescriptionResolution
Unnecessary logfile warnings for unexpected DB columnsRemoved unnecessary logfile warnings
Windows PowerShell doesn't properly send the command line options for btdiscovery.cmd to the program.Windows PowerShell commands work correctly.
There is an issue running the Discovery Agent with .NET Hosting 8.0.1.Either downgrade to 8.0.0 or upgrade to 8.0.2 or greater.
When you attempt to use Sybase authentication with IPv6, it does not authenticate.Sybase authentication is not supported for IPv6.
When you try to use MySQL9 on Linux, the connection does not validate.MySQL 9 on Linux enumeration is not supported at that time.

📝 Requirements

  • There is a product dependency on having the .NET 8 Hosting package installed.
  • OAuth authorization is dependent on having BI version 24.2.0
  • The Central Policy message to retrieve all scheduled scans is dependent on BI version 24.3.0 and higher.
  • Support for SSH Session encryption using the SHA1 cipher is removed. SHA256 or higher should be used.
  • Support for DSA encryption as an SSH authentication cipher has been removed.

⚙️ Signatures

  • The MD5 signature is: 9db142657e6431ef7fc3d00fdc6e9911
  • The SHA-1 signature is: 1b95664c97922e68cb4bb3ecbddd5537a33b1b2d
  • The SHA-256 signature is: c6b65d38011dea3f8cd979c880531b4d61d854feb227d46998c76fda1d609dac

⏰ Deprecation notice

Support for Windows 8 and Server 2012 as a scanner host is deprecated.

Password Safe Cloud Resource Broker 25.2.0.1936 release notes

October 9, 2025

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

This is a maintenance release. There are no new features.

✨ Enhancements

This is a maintenance release. There are no enhancements.

🛠️ Issues resolved

No issues are resolved in this release.

📝 Requirements

  • We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.2.0.1936 are supported from all previous versions.
  • This release bundles version 25.1.0.1704 of the BeyondTrust Discovery Agent. View the Discovery Agent 25.1.0.1704 release notes.
  • .NET hosting bundle v8.0.20 is included.
  • Session Monitoring Agent (pbsmd) is updated to 25.1.44.
  • Enhanced Session Monitoring Agent (pbpsmon) 25.1.43 is included.
  • PS Automate build 16357480509 is included.

⚙️ Signatures

  • The MD5 signature is: 6A7BDC9ED6FD09FC63133B49166BD095
  • The SHA-1 signature is: 808093AA342C740F9D0069EE20207B35719C27B4
  • The SHA-256 signature is: DEB158663F5BC9CA023F54A1937259CB8F38F754F1C558DF377F18D78526DA65

Password Safe Cloud Resource Broker 25.1.0.1936 release notes

October 9, 2025

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

This is a maintenance release, and there are no new features.

✨ Enhancements

This is a maintenance release, and there are no enhancements.

🛠️ Issues resolved

No issues are resolved in this release.

📝 Requirements

  • We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.1.0.1936 are supported from all previous versions.
  • This release bundles version 25.1.0.1704 of the BeyondTrust Discovery Agent. View the Discovery Agent 25.1.0.1704 release notes.
  • .NET hosting bundle v8.0.20 is included.
  • Session Monitoring Agent (pbsmd) is updated to 25.1.43.
  • Enhanced Session Monitoring Agent (pbpsmon) 25.1.38 is included.
  • PS Automate build 16357480509 is included.

⚙️ Signatures

  • The MD5 signature is: 4C5AC0DD72980BAECA121BBB55CFD8DF
  • The SHA-1 signature is: 70289306F850E279701E5E3BFD4DEE903E4EC44F
  • The SHA-256 signature is: 97F42EE620D55D73C157491989BE2145F09A7069CDF8CA8BCBD12F703D0579F7

Password Safe Mobile App 1.2.0 for Android and iOS release notes

October 9, 2025

To support enterprise users who need secure access on the go, Password Safe is introducing a mobile app for both Apple iOS and Android.

🆕 New features

  • Added support for SAML single sign-on.

📝 Requirements

  • Password Safe 25.1 or later

PS Cloud Resource Broker 25.2.0.1935 release notes

September 11, 2025

ℹ️

You can download this release from your Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.

🆕 New features

This is a maintenance release. There are no new features.

✨ Enhancements

This is a maintenance release. There are no enhancements.

🛠️ Issues resolved

No issues are resolved in this release.

📝 Requirements

  • We recommend a restart after this update.

🗒️ Notes

  • Direct upgrades to 25.2.0.1935 are supported from all previous versions.
  • This release bundles version 25.1.0.1704 of the BeyondTrust Discovery Agent. View the Discovery Agent 25.1.0.1704 release notes.
  • .NET hosting bundle v8.0.16 is included.
  • Session Monitoring Agent (pbsmd) is updated to 25.1.44.
  • Enhanced Session Monitoring Agent (pbpsmon) 25.1.43 is included.
  • PS Automate build 16357480509 is included.

⚙️ Signatures

  • The MD5 signature is: D83A2B3CFDAEE7B192BF0638DF351215
  • The SHA-1 signature is: B37A46A4D7EA448B3D79BB3D238B1FD25535DCC2
  • The SHA-256 signature is: 42D4848B7FDD74586009B8560C5DE6B4EEC1E2DAEC3BCFAFEE2D0891F01B4DF4

Security Update Package Installer 3.3.2 release notes

September 23, 2025

🆕 New features

Remove/replace dependency on the U-Series Authentication Service

Removed code dependencies on an older service that managed internal authentication calls.

Digitally sign CAB files and Powershell scripts used in SUPI

SUPI packages are digitally signed and validated by the SUPI engine before being run.

Restore WUSA installation of MSU files instead of workaround

A workaround to handle sub-installers was removed and replaced with a more modern approach..

✨ Enhancements

There are no enhancements in this release.

🛠️ Issues resolved

IssueResolution
Files being deleted that should remainUpdated to be less aggressive when deleting files that are currently being processed.
c:\Appliance\Updater\ folder exists with the original files after upgradingCleaned older directories on upgrading.

U-Series Appliance 4.4.2 release notes

September 23, 2025

🆕 New features

Improvement to the Admin Password Reset Process

U-Series has a new password reset feature. If your password was changed by the existing Emergency Access feature, you are prompted to update it the first time you log in with a new password. This ensures only you know your current password and helps maintain account security.

ℹ️

For a more information, see Lost or forgotten passwords.

Consistent FileShare Interop

A new reusable Network Location control is now available on the Log Export, Session Monitoring Archive feature, Backup Locations, and ColdSpare pages. This control makes working with external file shares simpler and more consistent. No matter where you set up a file share, you’ll see the same easy-to-use control. This creates a smoother, more predictable experience every time you connect to a file share.

✨ Enhancements

Updated error logging to include key information

Error logging has been improved across both .NET Core and .NET Framework services. When an error-level message is logged, key details (such as the message, service name, file path, line number, and timestamp) are now recorded in a central location. This enhancement makes it easier to search and review issues without digging through individual log files or folders.

ℹ️

For a more information, see Service Log Analysis.

🛠️ Issues resolved

IssueResolution
On an unconfigured appliance, the /appliance home page is a blank page instead of warning page/Configuration wizard link.Added that call to the ‘exception list’ in the gateway for calls that do not return 504/510.
Config Wizard skips over Configuration Status steps and redirecting to /WebConsole page.Root cause was linked to a "finalized" flag causing premature redirection. Cleared cache early in deployment to prevent issue.
COLD SPARE - Wrong message displayed for backup password.Message now states Password required instead of Passwords do not match.
Unable to change the password for a remote location while in Cold Spare.Activate backup location tab in backup/restore while in cold spare.
System Access Service returns an error when attempting to delete a non-existent BIPS Database.Delete the BI database before the last do it page is executed. Allow the wizard to run and apply settings. Ensure that the new BI DB is made.
If appliance is named using numbers only, the deploy wizard is unable to configure Phoenix.Tool tip is updated to include what can be used for an appliance name. If user enters only numbers, an error appears beneath the Appliance Name field stating the name is invalid.
Current code allows the Create Certificate query to run without check. The customer runs an SQL command without cert name or subject. This causes issues when setting up HA.Added validation for cert name to prevent error from occurring.
COLD SPARE- Discard Changes functionality is not implemented.Button was available, but nothing happened when clicked. Functionality to discard changes has been added when button is clicked.
FEATURES - Session monitoring typo on the Test Connection reply.Corrected typo.
SECURITY UPDATES - UI artifact leftover when sizing columns.Column header for the action column was not aligned. Found a way to override proper style after SCL v19.1 upgrade.
COLD SPARE - Windows share states that local path (C:\test) is invalid but the test connection is successful.The test connection button now uses the same validation as the path validator.
COLD SPARE - Cold spare restores do not occur.Corrected recurrence code related to removal of unsupported schedule frequencies and types.

Removed redundant check for start time to be in the future validation on every schedule change.
Log File Export - Error message for failure.Updated the error message to be more user-friendly.
CONFIG WIZARD - after getting timed out during the deploy, taken back to Appliance Name page.Improved validation for authentication token.
BACKUPS - The scheduled backup during config sets a day ahead of what was selected.Corrected the logic for setting the schedule.
Removed unnecessary loggingUpdated logging functions to log necessary information only.
Improve appliance monitor acquiring dynamic counters on start up and change label.Updated initialization code for labels.
SQL memory and Disk usage not matching within appliance webpage and vm appliance.Label changed from Disk Free to Disk Space Used.
DEPLOY WIZARD - An error occurs trying to perform the internet connection test.The framework that interacts with the user database was replaced to reduce instances of a locked database
COLD SPARE - Cold Spare feature not recognizing that a scheduled backup has been deactivated.Can now edit cold spare settings when a backup schedule is disabled.
Missing Validation check for invalid characters on Cold Spare Feature.Validation check has been implemented to check for invalid characters.
COLD SPARE - temporary server name field does not enforce the Windows server naming rules.Added a validation check for Invalid characters on Cold Spare Feature.
UX - The UI is displaying the Navigate link on its own line when at our minimum supported resolution (1280 x 800).Updated UI, Navigate no longer pushed to new line.
Backup: Create Backup Now has scheduling options but runs immediately anywayScheduling options are respected regardless of how the schedule was created.
Username not being properly read.Username is displayed in Configuration Wizard after logging out and logging back in.
Backslash ( \ ) not handled properly on updating credentials for EPM.Workaround when using ( \ ):

- Disable RPM DB Feature
- Delete a record of existing EPM PMR Db ConnectionString
- Re-Enable EPM DB Feature with the password containing '', if needed
Backup components are not showing proper number format for Gigabytes.Column header was changed to just “Size” and the space values specified indicate Bytes, KB, MB, or GB.
Non-standard port used for remote database is not sent to Secondary Appliance when HA is configured for services only synchronization.Column header was changed to just “Size” and the space values specified indicate Bytes, KB, MB, or GB.
HA - After failover SQL accounts for EPM database remain disabled on the new active appliance.EPM accounts will not be disabled after failover.
Backup/Restore : Could not find a part of the path issue.More controls in place to ensure multiple backup jobs cannot be running at once.
Backup and Restore : 500 error when deleting backups consecutively in Backup/Restore.Prevent simultaneous backup deletions.
Deactivated backup schedules are still firing after a service restart/reboot.Backup schedule states are preserved after service restart.
FEATURES - EPM reports are not visible after enabling the feature until an IISRESET is performedRecycle WebConsoleAppPool when toggling EPM Privilege Management Reporting feature.
After a restore, changed BDA from OAuth to Central Policy, and cannot set Discovery back to OAuthWorkflow has been addressed to allow re-configuring to a different authentication type.

📝Requirements

  • .NET 8.0 or later (available through BT Updater via Supporting Software SUPI subscription)
  • SUPI 3.3.2 (available through BT Updater)

🧩 Dependencies

  • Security Management Appliance Installer is dependent on BeyondInsight 24.1.
  • Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.2.1.

BT Updater Server release notes 2.0.3

September 24, 2025

🛠️ Issues resolved

DescriptionResolution
Updater packages stuck on downloading last segment for new clients.Logic was updated to create client records when a new client first requests a download.

Password Safe Mobile app 1.1.0 release notes

July 31, 2025

To support enterprise users who need secure access on the go, Password Safe is introducing a mobile app for both Apple iOS and Android.

🆕 New features

  • Added support for Microsoft Intune for Mobile Application Management.
  • Added support for multi-factor authentication (MFA).
  • Added support for landscape mode.

🛠️Issue resolved

IssueResolution
On iOS iPhone 16, when an instance has been added and the user selects app delete, the instance remains.The instance no longer remains when the app delete is selected.
Secrets with a forward slash (/) in the secret name are not created.Secrets can now include a forward slash in the name.
When using the autofill functionality with an expired user session, the Pathfinder authentication buttons (Login With Pathfinder and Use Pathfinder) do not respond.Authentication buttons are now working as expected.
When attempting to login from BIPS that is older then 25.1, warning popup is not displayed.Warning popup is now displayed as expected.
When Intune is uninstalled on an android device, users are displayed messages letting them know Intune is no longer monitoring the app. iOS does not receive these messages.All users on both Android and iOS receive these messages.
With MFA enabled for the 3 radius options and the user selects 3, the input field is not cleared when clicking Submit.The input field is now cleared as expected.
An admin should not have access to the Requests tab, since they do not create requests.Requests tab no longer showing for admins.
Owner field under View Details does not show owner.Owner field now displaying correct contents, as expected.
Unable to create a request or view password within PS. When Submit Request, Retrieve Password, or Cancel are clicked, no action is taken.All buttons are now working as expected.

📝 Requirements

  • Password Safe 25.1 or later

BeyondInsight and Password Safe 25.1.1.165 (On-Premises only)

⚠️

This update is for On-Premises customers only. Fixes have been automatically applied to all 25.1 Password Safe Cloud deployments.

August 5, 2025

ℹ️

Note

For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.

🆕 New features

This is a maintenance release. There are no new features.

✨ Enhancements

This is a maintenance release. There are no new enhancements.

🛠️ Issues resolved

Product AreaDescriptionResolution
Endpoint Privilege ManagementWhen an EPM agent checks-in, the IP Address for the corresponding Managed System may get reset to 127.0.0.1Resolved. If the EPM agent provides a loopback/127.0.0.1 IP Address, it is ignored by Password Safe.
RDP SessionsRDP sessions using multiple monitors may encounter an error during session initialization.Resolved. RDP sessions with multiple monitors now function as expected.
Workforce Passwords Browser ExtensionUpdating a credential via the browser extension reports successful, however the credential is not updated.Resolved. Updates to credentials made from the browser extension are saved properly.
Public APIAttempting to retrieve a large number of secrets via the GET Secrets-Safe/Secrets API can fail with a timeout.Resolved. Increased the default client timeout.
ReportingWhen the Password Safe Password And Session Activity report is exported as a CSV, some cells may incorrectly contain line breaks, which causes a row to be split into two incomplete rows.Resolved. Line breaks from the Reason field are automatically removed.
Directory CredentialsWhen using a directory credential with a username formatted as a UPN, directory queries using this credential do not work as expected.Resolved. Directory credentials with UPN usernames are now properly handled.
SCIM APIWhen making a call to retrieve PrivilegedData from the SCIM API, the returned values have the properties defined as Name, Description, and Type. As per the schema, these properties should be all lower case.Resolved. The json properties are now all in lower case.
SAMLSAML login ignores the Enable Group Resync configuration option when user mapping is set to Local and always resyncs the local groups.Resolved. Groups will no longer be resynced if the Enable Group Resync option is disabled.
SAMLWhen using a SAML configuration that uses Active Directory as the mapping type, if an Active Directory user gets created during a SAML login, that user is missing several user attributes. This includes the domain, email and first/last name, and can cause issues with mapping or attempting to remove the user.Resolved. All attribute data is now populated during SAML login.
Propagation ActionsWhen trying to run a script propagation action on a managed system that uses a custom port, the propagation action fails.Resolved. The port setting on the managed system is now properly handled during propagation actions.
ReportingThe Active Users report only returns records with users that have been active within the last few months. The value in the parameter Used In X Days is not respected.Resolved. The Used In X Days report parameter is properly applied.
Event ForwardingWhen using a connector that uses the syslog format, the event severity in the priority field is the inverse of what’s expected for syslog events.Resolved. Syslog events are now sent with the correct severity.
Public APIWhen creating a new Active Directory user via the POST Users AP, the Disable forms login for new directory accounts configuration setting is ignored.Resolved. When creating new Active Directory users, the Disable forms login setting is properly applied.
Functional AccountsLocal functional accounts on managed systems that have a DNS Name containing a period (.) are not properly tested via the Password Test Agent.Resolved. Local functional accounts are now tested properly.
Database UpgradeIn some scenarios, the upgrade to 25.1.0 could fail during the database upgrade if an asset is associated with invalid IP Address data.Resolved. The invalid IP Address data is adjusted to the latest data or reset if none exists.
Mobile App / Secrets SafeSecrets are not being properly returned to the mobile app from Secrets Safe personal folders when the user is a member of the Administrators group.Resolved. Users who are members of the Administrators group can now access secrets found in their personal folders.
Mobile AppAn authentication error occurs when attempting to login via the Mobile App using an Active Directory or LDAP user account.Resolved. Active Directory and LDAP users can now successfully login via the Mobile App.

📝 Requirements

  • Direct upgrades to 25.1.1 are supported from BeyondInsight versions 23.1 or later releases.
  • BeyondInsight 25.1.1 supports SQL Server 2016 SP2 or higher.

🗒️ Notes

  • This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
  • The MD5 signature is: cf9b9d17c1b9c8a7831d2da2c8707991
  • The SHA-1 signature is: b62b975d76139426f68ab01f5cec037aa236eb9c
  • The SHA-256 signature is: b4b414a8e997caf55c674a8bdee111a95d4dae277cec79af3b63e89ef1a6ec3e

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.