BeyondInsight and Password Safe 25.1 release
June 5, 2025
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
Supported Platforms for previous versions of BeyondInsight and Password Safe can be found in the BeyondInsight, Password Safe, and U-Series Appliance Documentation Archive.
On-premises customers using the U-series Appliance with SQL 2019 must install March SQL Server Updates 250301 prior to upgrading to BeyondInsight/Password Safe 25.1.
Customers using SQL Free appliances with a standalone SQL Server 2019 installation must install Cumulative Update Package 32 for SQL Server 2019 - KB5054833 prior to upgrading to BeyondInsight/Password Safe 25.1.
🆕 New features
Workforce Passwords for Pathfinder
With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.
Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.
For more information, see Workforce passwords deployable extension.
Mobile Application Session Timeout Setting
In Password Safe Cloud and on-prem, you’re in control - configure the Mobile app to auto-timeout after a set number of minutes!
Deployable WFP Extension
Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!
Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.
Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.
For more information, see Workforce passwords deployable extension.
Direct Links to Secrets
Accessing secrets in Secrets Safe just got easier! You can now jump straight to a secret’s details using a direct link (URL).
Authenticated users can use the link to go directly to the secret within its designated safe.
The URL includes the secret’s title and sub-folder path, and it’s easy to grab - just copy it from the UI or your browser’s address bar. Provide this link to users who have access for quick, no-hassle navigation right to the info they need!
Copy secret link
For more information, see Workforce passwords deployable extension.
✨ Enhancements
Limit Webconsole Login Sessions
To enhance security and streamline access, web console login sessions are now limited to one session per user.
And more good news - if you have multiple tabs open in the same browser, you can seamlessly use the same session across all of them. No interruptions, just a smoother, more secure experience!
Performed backend updates to allow for future support of IPv6 addresses
More information will be available in a future release.
Updated Algorithms and Ciphers
Security just got a boost! With Password Safe 25.1, devices now use stronger, modern ciphers to keep your data safer than ever.
We’ve added support for the latest encryption algorithms and are phasing out older, less secure ones to ensure top-tier protection across the board.
API Updates
- Secrets Safe API
- Added SecretType information in response of GET Secrets-Safe/Secrets/{secretId:guid}.
- User can now set a Prior Expiration Date for Safe Permissions with new ExpiresOn field.
- Password Safe API
- Added RequestorName and RequestorUserID to Get Requests
- Added paging support with 2 new optional quire parameters: limit and offset
For more information, see Secrets Safe APIs and Password Safe APIs.
Secrets Safe Enhancements
We've made some great updates to improve clarity and consistency in Secrets Safe:
- User names are now displayed as Last Name, First Name in grids, and First Name, Last Name everywhere else, making it easier to quickly find who you're looking for.
- For secrets shared from a personal folder, ownership is now locked for added control. You’ll see the owner’s name, but the Manage Ownership option is hidden to keep things tidy.
- The Owner dropdown in the Secrets grid now shows all owners at a glance - and yes, you can filter secrets by owner for faster navigation!
Web Policy Editor: Local AD Search in Beyond Insight
Beyond Insight 25.1 brings a powerful new enhancement for Endpoint Privilege Management customers! You can now easily search your connected Local AD environments right from the Web Policy Editor.
Quickly find and add users or groups to Windows Workstyle Filters, Messages > Designated Users, Application Rule Filters, On-Demand Application Rule Filters, and Custom Tokens (for groups) - all in just a few clicks!
Improved Session Replay
Session Replay just got a major upgrade! You can now zoom in on specific areas of a recording, making it easier than ever to see and read details—especially when working with high-resolution displays or multi-monitor setups.
Crystal-clear visibility, right where you need it!
For more information, see View Recorded Sessions.
Screen Responsiveness
Further improved page responsiveness based on screen resolution.
Pathfinder - Directory attributes disabled
We’ve removed the Directory Attributes Match option from the Dedicated Account smart rule filter in Pathfinder instances. If any Smart Rules are included that filter before upgrading to Pathfinder, you’ll now see empty drop downs when editing that smart rule post-upgrade; affected Smart Rules should be reviewed and edited as needed.
Directory Attribute Match smart rule filter continues to be available for Cloud and On-prem.
📋 Reports
New Usage Folder
A new folder named Usage is now available in Analytics and Reporting. The following reports are included in this folder:
- The Workforce Passwords Usage Summary report
- The Active Users report
- The System Usage Statistics report (new)
New report - Scheduled Tasks Account Usage
Have you ever wondered which accounts used for Scheduled Task management are managed by Password Safe? Now you can see this information for any system that has associated Scheduled Task scan data, just by running the new Scheduled Tasks Account Usage report!
New report - IIS Application Pool Account Usage
Have you ever wondered which IIS Application Pool identity accounts are managed by Password Safe? Now you can see this information for any system that has associated IIS Application Pool scan data, just by running the new IIS Application Pool Account Usage report!
New report - System Usage Statistics
The new System Usage Statistics report gives you a clear snapshot of overall system usage - tracking unique logins over your selected time period and providing key insights into the number of Managed Systems and Managed Accounts available at the time of the report.
Database Platforms Added to Database User List Report
Prior to 25.1, only Oracle, MS SQL, and MySQL were included. We now include all database platforms present in Password Safe.
Improved Initial Load Time of Reports Home Page
We’ve improved load times on the Analytics & Reporting home page.
🔜 Coming Soon
Improved Initial Load Time of Reports Home Page
Great news! The Password Safe mobile app is available on both the Apple App Store (iOS) and Google Play (Android). With the app, you can easily view, check out/check in, and request credentials—right from your mobile device.
That’s not all - you’ll also have quick access to your Secrets Safe entries and credentials stored in your personal folder, making it easier than ever to stay secure on the go!
iOS Login
The mobile app requires customers to be on version 25.1 or later.
🛠️ Issues resolved
🔧 Password Safe
| Product Area | Description | Resolution |
|---|---|---|
| Password Safe | Managed Systems and Managed Accounts can be deleted when there are open sessions. | Resolved. If sessions are open, managed systems and accounts cannot be deleted. |
| Password Rotation | When attempting to rotate managed accounts on decommissioned systems, the attempt will time out eventually, but it is not respecting the Managed System timeout setting, which can cause bloat in the queue table and may cause delays of other password changes. | Timeout values are honored now by all Password Safe platforms supported by Password Safe plugins. |
| Password Safe Cloud | Parsing issue of malformed keystroke JSON caused a memory leak. PWS Cloud 24.3.0 W3WP.exe Alert 'Memory gates checking failed because the free memory' was fired. | Resolved memory leak and improved response time under invalid or high volumes of keystroke input. |
| BeyondInsight/Password Safe | When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied. | The issue has been resolved. Connections to Oracle 19 databases are successful. |
| Password Safe Sessions | When reviewing sessions, scrolling in the keystrokes list can cause the list to jump to a previous point. | Resolved. The scroll window no longer jumps back in time. |
| Password Safe | Unable to edit Name field on the Create Managed Account form when accessing from Managed System → Advanced Details → Managed Accounts after moving focus away and then back to the Name field. | Resolved. Text box remains editable. |
| Password Safe Sessions | RDP sessions do not record keystrokes when sessions are created from a Windows 11 vm to a Windows 11 vm | Resolved. Keystrokes are now recorded. |
🔧 BeyondInsight
| Product Area | Description | Resolution |
|---|---|---|
| BeyondInsight | When 24.1.0.1398 is upgraded to 24.3, the EventCollector directory is missing Microsoft.Data.SqlClient.dll leading to failures activating new OAuth clients. | Ensured that new Endpoint Privilege Management clients can be activated for OAuth regardless of the upgrade paths followed to get to BeyondInsight 25.1. |
| BeyondInsight | Users with User Account Management and Password Safe Role Management are still not able to manage Password Safe roles on Smart Groups from the User Group management area. | Permissions check was updated to grant ability to assign Password Safe roles to smart groups with either Password Safe Role Management or Password Safe Policy Management feature access. |
| BeyondInsight | Modernize terms throughout. | Language updated to replace instances of ‘abort’ with ‘stop’. |
| BeyondInsight/Password Safe | When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied. | The issue has been resolved. Connections to Oracle 19 databases are successful. |
| BeyondInsight | If a Directory Credential has SSL enabled and it is used to sync an AD group, the sync status does not update. However, when using a credential that isn’t SSL enabled, it completes and updates. | Group sync status is now reliably updated whether or not the Directory Credential used for the sync has SSL enabled or not. |
| BeyondInsight | Some fields are not populating upon Update in Oracle credential. | Resolved. All fields are now populating on update. |
| BeyondInsight | If a user changes their theme during a session, the theme value is reset when they manually logout. | Resolved. Theme remains as is on logout. |
| BeyondInsight | On edit, if a smart rule contains multiple dedicated account filters, including a Directory Attribute Match filter, some inputs are missing their selected value. | Resolved. Filters have all of their inputs filled as they were on creation, and the dropdowns contain the correct options for the filter type. |
| BeyondInsight | Test functionality in SNMP connector gives a permission error. | Resolved. Test functionality in SNMP Connector no longer gives permission error. |
| BeyondInsight | Updating an Attribute Type used in a Smart Rule sometimes results in an unusable smart rule. “Edit Smart Rule” loads an empty smart rule and returns an error. | Resolved. No Error. Smart Rule opens with new Attribute type name visible. |
| BeyondInsight | Excessive network traffic observed when testing an Entra ID Directory Credential. | Entra ID Directory Credential test logic modified to reduce the amount of network traffic to only the essentials. |
| BeyondInsight | The last login date on the User Profile and User's details are not updating. | Resolved. The last login date now displays correctly in the User Profile and User’s details. |
🔧 Secrets Safe
| Product Area | Description | Resolution |
|---|---|---|
| Secrets Safe | When editing secret with no owners (an owner without correct permissions), an incorrect/unhelpful warning displays. The owner without permissions is not displayed in the owners list. | When another user edits the secret and clicks on the owners link, the owner that does not have access anymore shows up so that they can be removed. When another user edits the secret, clicks on the owners link, changes the owners (but leaves the invalid owner marked as checked), and clicks update, the correct error displays. |
| Secrets Safe | When saving a secret with invalid owners an error displays. | When a user has edit access to a secret and there is an invalid owner, if the user makes changes to anything other than the owner, save is successful. When a user has edit access to a secret and there is an invalid owner, if the user edits the owner list, the edit fails. When a user has edit access to a secret and there are invalid owners (at least 2) and the user removes one of the invalid owners, save is successful. |
| Secrets Safe | The PrincipalGrid_FindPagedResults stored procedure performs poorly with a larger dataset. Used in the PrincipalGrid, it takes 6 seconds to retrieve assigned principals. When All or Unassigned is selected, the call times out in the UI after 10 minutes. Running in SSMS with All selected takes 20 minutes. | The sp was refactored. All principals are returned in seconds. |
| Secrets Safe | Credentials grid scalability issue - the credentials grid is slow to load. With 150,000 Credentials and 150,000 Credential_Owners, it takes over 20 seconds to load a page of 200 Secrets. | Query of the Credential_Owner table was updated. |
| Secrets Safe | When selecting an unshared origin secret, and then clicking ellipsis, Remove Share is present. If it is selected, a success message displays. This option should be removed from the origin secret UNLESS that origin has been shared. | Remove Share is no longer present if origin has not been shared. Remove Share is present if origin has been shared. |
| Secrets Safe | Remove Share option does not appear in menu list until manual refresh. | Resolved. Remove Share is available in menu without a manual refresh. |
| Secrets Safe | User Audit 'Read SecretsSafeSecret' entry displays for user without permission to read the secret. The User Audit reports as if the user did read the secret. The user was blocked by the expected 403 due to “CanReadCredential.Errors.Unauthorized.DoesNotHaveReadPermission“ | The code now checks permissions before auditing. |
| Secrets Safe | All Secrets checkboxes can be multi-selected, but there are no icons for any actions. For example, if All Secrets is selected, and secrets in the grid are selected, the Delete icon is not displayed. | Create and Share are hidden for All Secrets, but Delete displays. |
| Secrets Safe | Partially imported password error lines are displayed multiple times. | A clearer explanation of the error is provided for each error. |
| Secrets Safe | When adding an owner to a secret, the owner doesn't always display. | Resolved. Owners now always display when adding one to a secret. |
| Secrets Safe | Safe Advanced Details: Access Management grid does not correctly represent a group’s inactive status. Assigning Safe access to an inactive group has no effect since users in that group will not be able to access Secrets Safe. | Resolved. Disabled user groups no longer show as enabled. |
| Secrets Safe | When there is a shared secret in a subfolder, deleting an upper folder results in an error. | Resolved. It is now possible to delete a folder if it contains a subfolder with a shared secret in it. |
| Secrets Safe | The expiration date and time both change when only the date of expiration is edited. | Resolved. Time stays the same when date is edited. |
| Secrets Safe | User who does not have access to the safe where the secret originates from, but has full access to the shared safe, is blocked from editing it. | Users with access to a Safe can now successfully update secrets shared from other Safes they don’t have access to. Editing and clicking the Update button no longer results in a blocked action. |
| Secrets Safe | Cannot retrieve secret using API from a folder three levels deep. | Resolved. User is able to retrieve secret three levels deep (or more) without encountering an error. |
| Secrets Safe | Resolved an issue where users with temporary access to a Safe could continue accessing its secrets if their session remained active after the access expired. | Resolved. Once expiration occurs, if the safe remains in view, no access to owned/non owned secrets can occur. Upon refresh the safe is no longer present and All Secrets is cleared of the contents from that safe. |
| Secrets Safe | Sorting of Owners grid causes extra owners to be checked. | Resolved. No extra items are checked after sorting by the different columns. |
| Secrets Safe | User is able to share a secret to a Safe/Folder that it already belongs to, resulting in duplication of that Secret on the Secrets grid. | Resolved. A user receives an error message when trying to share a secret to the safe/folder it already belongs to. |
| Secrets Safe | Importing a malformed CSV file into Secrets Safe could return internal error messages and expose the call stack. | Improved handling of bad data in Secrets Safe import file |
🔧 Workforce Passwords
| Product Area | Description | Resolution |
|---|---|---|
| Workforce Passwords | Fresh install of Worforce Passwords Browser Extension from Firefox store is missing the Delete Credential button, until you log out of and log back into the Extension.. | In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps. |
🔧 Reporting
| Product Area | Description | Resolution |
|---|---|---|
| Reporting | Password Update Activity Report - shows data even when Smart Group parameter value is a Smart Group with no results. | The Smart Group parameter was not working properly with domain accounts and functional accounts. The report now filters appropriately when the Smart Group filter is selected, and only relevant results are displayed. |
| Reporting | The Password Update Activity Report will not run if the optional Accounts parameter has no value set. | Resolved an issue retrieving the Password Update Activity for Functional Accounts, improving the performance and ensuring that the report works with or without data in the Account parameter. |
| Reporting | Reviewed Sessions Report PDF format - column pushed to next page. | Resolved. Report formatting updated. |
| Reporting | (On Premises only) When the ADOMD Client is missing from the system, the Endpoint Privilege Management Event Rollup report subreports show an error and do not work. | Resolved. We now install the required ADOMD Client so that sub-reports can function. |
| Reporting | When a user attempts to run the Password Reset-on-Release report the Account Name is a required field, when it shouldn't be required. | Resolved. Account Name is now an optional field. |
🔧 APIs
| Product Area | Description | Resolution |
|---|---|---|
| BeyondInsight API | AppAuditDetails has reached it's identity limit. | Changed the AuditDetailsID field from ‘int’ to ‘long’ to accommodate larger IDs. This change impacts the public API. |
| Secrets Safe API | Calling the GET Secrets-Safe/Secrets API with the optional Path query parameter does not properly return secrets which have been granted via group membership. | Resolved. Filtering by Path, Secret Name, afterDate, limit and offset, or any combination of all those filters, properly returns data. |
| BeyondInsight API | POST UserGroups/{id}/Permissions with SS Permission 111 fails with 400 error: Failed to create team passswords folder. | Resolved. Folder creates successfully. |
🔧 Pathfinder
| Product Area | Description | Resolution |
|---|---|---|
| Pathfinder | No error is provided in the UI when attempting to delete a custom Platform Plugin that has an associated Functional Account. | Resolved. The UI now warns the user that they cannot delete a custom Platform Plugin with an associated Functional Account. |
📝 Requirements
- Direct upgrades to 25.1.0 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 25.1.0 supports SQL Server 2016 SP2 or higher
🗒️ Notes
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: a253a8f419777df83cbbc5453b0f4c60
- The SHA-1 signature is: 951cc0076a2971e6e5474e614f48ed488f698a75
- The SHA-256 signature is: 69e2dca017e880b344c9623519f29803972af2775345799ffc4a919777a121bd
⏰ Deprecation notices
Licensing Folder Removed
The Licensing folder has been deprecated. Due to folder reorganization, any report saved views, report subscriptions, or subscriptions to saved views relating to the following reports no longer function and must be recreated from the new Usage folder if still required:
- Workforce Passwords Usage Summary
- Active Users
Password Safe User Licensing report deprecated
The Password Safe User Licensing report that lived within the Licensing folder has been deprecated. Any report saved views, report subscriptions, or subscriptions to saved views of this report no longer function. Users should consider creating fresh views and subscriptions based on the System Usage Statistics report, which has replaced the Password Safe User Licensing report.
Removing PMUL support in BIPS
In 25.1, we have begun the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.
The first step is to no longer receive and process PMUL and Solr events.
In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.
Support for Outbound TLS 1.3
In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:
- Client certificates will no longer be supported as an authentication method for API registrations.
- The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates
The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.
