BeyondInsight and Password Safe 25.1 release notes
June 5, 2025
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported platforms.
On-premises customers using the U-series Appliance with SQL 2019 must install March SQL Server Updates 250301 prior to upgrading to BeyondInsight/Password Safe 25.1.
Customers using SQL Free appliances with a standalone SQL Server 2019 installation must install Cumulative Update Package 32 for SQL Server 2019 - KB5054833 prior to upgrading to BeyondInsight/Password Safe 25.1.
🆕 New features
Introducing the Password Safe mobile app for iOS and Android, available for Password Safe 25.1 users
Great news! The Password Safe mobile app is now available on both the Apple App Store (iOS) and Google Play (Android). With the app, you can easily view, check out/check in, and request credentials—right from your mobile device.
That’s not all - you’ll also have quick access to your Secrets Safe entries and credentials stored in your personal folder, making it easier than ever to stay secure on the go!
iOS Login
The mobile app requires customers to be on version 25.1 or later.
Workforce Passwords for Pathfinder
With Password Safe 25.1, Workforce Passwords is fully compatible with Pathfinder! Previously, the extension didn’t work when customers were activated in Pathfinder. Now, everything runs as expected.
Plus, there’s a great new feature on the login screen: a handy dropdown menu that lets you choose your login portal. Simply select Pathfinder to sign in via beyondtrust.io, then enter your Pathfinder credentials to access your Workforce Passwords secrets with ease.
For more information, see Workforce passwords deployable extension.
Mobile Application Session Timeout Setting
In Password Safe Cloud and on-prem, you’re in control - configure the Mobile app to auto-timeout after a set number of minutes!
Deployable WFP Extension
Workforce Passwords makes it easy and secure to store and access business credentials right from your browser. And now with Password Safe 25.1, deploying the WFP browser extension is smoother than ever!
Admins can effortlessly roll out the extension across Chrome, Edge, and Firefox on Windows systems using the Group Policy Management Editor and Group Policy Objects (GPOs) - no more asking users to install it themselves.
Even better, admins can pre-configure the Workforce Passwords server URL, giving users a seamless, ready-to-go experience from the moment they log in.
For more information, see Workforce passwords deployable extension.
Direct Links to Secrets
Accessing secrets in Secrets Safe just got easier! You can now jump straight to a secret’s details using a direct link (URL).
Authenticated users can use the link to go directly to the secret within its designated safe.
The URL includes the secret’s title and sub-folder path, and it’s easy to grab - just copy it from the UI or your browser’s address bar. Provide this link to users who have access for quick, no-hassle navigation right to the info they need!
Copy secret link
For more information, see Workforce passwords deployable extension.
✨ Enhancements
Limit Webconsole Login Sessions
To enhance security and streamline access, web console login sessions are now limited to one session per user.
And more good news - if you have multiple tabs open in the same browser, you can seamlessly use the same session across all of them. No interruptions, just a smoother, more secure experience!
Performed backend updates to allow for future support of IPv6 addresses
More information will be available in a future release.
Updated Algorithms and Ciphers
Security just got a boost! With Password Safe 25.1, devices now use stronger, modern ciphers to keep your data safer than ever.
We’ve added support for the latest encryption algorithms and are phasing out older, less secure ones to ensure top-tier protection across the board.
API Updates
- Secrets Safe API
- Added SecretType information in response of GET Secrets-Safe/Secrets/{secretId:guid}.
- User can now set a Prior Expiration Date for Safe Permissions with new ExpiresOn field.
- Password Safe API
- Added RequestorName and RequestorUserID to Get Requests
- Added paging support with 2 new optional quire parameters: limit and offset
For more information, see Secrets Safe APIs and Password Safe APIs.
Secrets Safe Enhancements
We've made some great updates to improve clarity and consistency in Secrets Safe:
- User names are now displayed as Last Name, First Name in grids, and First Name, Last Name everywhere else, making it easier to quickly find who you're looking for.
- For secrets shared from a personal folder, ownership is now locked for added control. You’ll see the owner’s name, but the Manage Ownership option is hidden to keep things tidy.
- The Owner dropdown in the Secrets grid now shows all owners at a glance - and yes, you can filter secrets by owner for faster navigation!
Web Policy Editor: Local AD Search in Beyond Insight
Beyond Insight 25.1 brings a powerful new enhancement for Endpoint Privilege Management customers! You can now easily search your connected Local AD environments right from the Web Policy Editor.
Quickly find and add users or groups to Windows Workstyle Filters, Messages > Designated Users, Application Rule Filters, On-Demand Application Rule Filters, and Custom Tokens (for groups) - all in just a few clicks!
Improved Session Replay
Session Replay just got a major upgrade! You can now zoom in on specific areas of a recording, making it easier than ever to see and read details—especially when working with high-resolution displays or multi-monitor setups.
Crystal-clear visibility, right where you need it!
For more information, see View Recorded Sessions.
Screen Responsiveness
Further improved page responsiveness based on screen resolution.
Pathfinder - Directory attributes disabled
We’ve removed the Directory Attributes Match option from the Dedicated Account smart rule filter in Pathfinder instances. If any Smart Rules are included that filter before upgrading to Pathfinder, you’ll now see empty drop downs when editing that smart rule post-upgrade; affected Smart Rules should be reviewed and edited as needed.
Directory Attribute Match smart rule filter continues to be available for Cloud and On-prem.
📋 Reports
New Usage Folder
A new folder named Usage is now available in Analytics and Reporting. The following reports are included in this folder:
- The Workforce Passwords Usage Summary report
- The Active Users report
- The System Usage Statistics report (new)
New report - Scheduled Tasks Account Usage
Have you ever wondered which accounts used for Scheduled Task management are managed by Password Safe? Now you can see this information for any system that has associated Scheduled Task scan data, just by running the new Scheduled Tasks Account Usage report!
New report - IIS Application Pool Account Usage
Have you ever wondered which IIS Application Pool identity accounts are managed by Password Safe? Now you can see this information for any system that has associated IIS Application Pool scan data, just by running the new IIS Application Pool Account Usage report!
New report - System Usage Statistics
The new System Usage Statistics report gives you a clear snapshot of overall system usage - tracking unique logins over your selected time period and providing key insights into the number of Managed Systems and Managed Accounts available at the time of the report.
Database Platforms Added to Database User List Report
Prior to 25.1, only Oracle, MS SQL, and MySQL were included. We now include all database platforms present in Password Safe.
Improved Initial Load Time of Reports Home Page
We’ve improved load times on the Analytics & Reporting home page.
🛠️ Issues resolved
🔧 Password Safe
| Product Area | Description | Resolution |
|---|---|---|
| Password Safe | Managed Systems and Managed Accounts can be deleted when there are open sessions. | Resolved. If sessions are open, managed systems and accounts cannot be deleted. |
| Password Rotation | When attempting to rotate managed accounts on decommissioned systems, the attempt will time out eventually, but it is not respecting the Managed System timeout setting, which can cause bloat in the queue table and may cause delays of other password changes. | Timeout values are honored now by all Password Safe platforms supported by Password Safe plugins. |
| Password Safe Cloud | Parsing issue of malformed keystroke JSON caused a memory leak. PWS Cloud 24.3.0 W3WP.exe Alert 'Memory gates checking failed because the free memory' was fired. | Resolved memory leak and improved response time under invalid or high volumes of keystroke input. |
| BeyondInsight/Password Safe | When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied. | The issue has been resolved. Connections to Oracle 19 databases are successful. |
| Password Safe Sessions | When reviewing sessions, scrolling in the keystrokes list can cause the list to jump to a previous point. | Resolved. The scroll window no longer jumps back in time. |
| Password Safe | Unable to edit Name field on the Create Managed Account form when accessing from Managed System → Advanced Details → Managed Accounts after moving focus away and then back to the Name field. | Resolved. Text box remains editable. |
| Password Safe Sessions | RDP sessions do not record keystrokes when sessions are created from a Windows 11 vm to a Windows 11 vm | Resolved. Keystrokes are now recorded. |
🔧 BeyondInsight
| Product Area | Description | Resolution |
|---|---|---|
| BeyondInsight | When 24.1.0.1398 is upgraded to 24.3, the EventCollector directory is missing Microsoft.Data.SqlClient.dll leading to failures activating new OAuth clients. | Ensured that new Endpoint Privilege Management clients can be activated for OAuth regardless of the upgrade paths followed to get to BeyondInsight 25.1. |
| BeyondInsight | Users with User Account Management and Password Safe Role Management are still not able to manage Password Safe roles on Smart Groups from the User Group management area. | Permissions check was updated to grant ability to assign Password Safe roles to smart groups with either Password Safe Role Management or Password Safe Policy Management feature access. |
| BeyondInsight | Modernize terms throughout. | Language updated to replace instances of ‘abort’ with ‘stop’. |
| BeyondInsight/Password Safe | When attempting to connect to some oracle instances, an error occurs -ORA-28040: The database does not accept your client's authentication protocol; login denied. | The issue has been resolved. Connections to Oracle 19 databases are successful. |
| BeyondInsight | If a Directory Credential has SSL enabled and it is used to sync an AD group, the sync status does not update. However, when using a credential that isn’t SSL enabled, it completes and updates. | Group sync status is now reliably updated whether or not the Directory Credential used for the sync has SSL enabled or not. |
| BeyondInsight | Some fields are not populating upon Update in Oracle credential. | Resolved. All fields are now populating on update. |
| BeyondInsight | If a user changes their theme during a session, the theme value is reset when they manually logout. | Resolved. Theme remains as is on logout. |
| BeyondInsight | On edit, if a smart rule contains multiple dedicated account filters, including a Directory Attribute Match filter, some inputs are missing their selected value. | Resolved. Filters have all of their inputs filled as they were on creation, and the dropdowns contain the correct options for the filter type. |
| BeyondInsight | Test functionality in SNMP connector gives a permission error. | Resolved. Test functionality in SNMP Connector no longer gives permission error. |
| BeyondInsight | Updating an Attribute Type used in a Smart Rule sometimes results in an unusable smart rule. “Edit Smart Rule” loads an empty smart rule and returns an error. | Resolved. No Error. Smart Rule opens with new Attribute type name visible. |
| BeyondInsight | Excessive network traffic observed when testing an Entra ID Directory Credential. | Entra ID Directory Credential test logic modified to reduce the amount of network traffic to only the essentials. |
| BeyondInsight | The last login date on the User Profile and User's details are not updating. | Resolved. The last login date now displays correctly in the User Profile and User’s details. |
🔧 Secrets Safe
| Product Area | Description | Resolution |
|---|---|---|
| Secrets Safe | When editing a secret with no valid owners (owners without correct permissions), an incorrect/unhelpful warning displays. The invalid owner is not shown in the list. | Editing shows the invalid owner so they can be removed. If left selected and Update is clicked, the correct error now displays. |
| Secrets Safe | When saving a secret with invalid owners, an error displays. | Editing non-owner fields still allows saving. Editing the owner list fails if invalid owners exist. Removing one of several invalid owners allows saving. |
| Secrets Safe | The PrincipalGrid_FindPagedResults stored procedure performs poorly with large datasets. Fetching All or Unassigned times out. Running in SSMS with All takes 20 minutes. | The stored procedure was refactored. All principals now return in seconds. |
| Secrets Safe | The credentials grid is slow to load with large datasets (e.g., 150,000 credentials and owners). | Querying Credential_Owner was optimized. |
| Secrets Safe | "Remove Share" is incorrectly available for origin secrets that haven’t been shared. | "Remove Share" only shows if the origin has been shared. |
| Secrets Safe | "Remove Share" doesn't appear in the menu until the user refreshes manually. | Resolved. It appears immediately without a refresh. |
| Secrets Safe | Audit logs report a user as reading a secret even when blocked by a 403 (due to missing permissions). | The system now checks permissions before writing audit logs. |
| Secrets Safe | Selecting "All Secrets" and then secrets in the grid does not show action icons like Delete. | Create and Share are hidden, but Delete now appears correctly. |
| Secrets Safe | Partially imported passwords display the same error multiple times. | Errors are now clearly explained and not duplicated. |
| Secrets Safe | Added owners sometimes do not display in the UI. | Resolved. New owners now always appear immediately. |
| Secrets Safe | Inactive groups still show as enabled in the Access Management grid and can be assigned. | Resolved. Inactive groups no longer appear active. |
| Secrets Safe | Deleting a parent folder containing a subfolder with shared secrets results in an error. | Deletion is now allowed even if subfolders contain shared secrets. |
| Secrets Safe | Editing only the date of expiration also changes the time unexpectedly. | Time remains unchanged when only the date is updated. |
| Secrets Safe | Users with access to a shared safe can't edit secrets if they lack access to the original safe. | Resolved. Shared safe access now allows updates to secrets, even if the origin safe is restricted. |
| Secrets Safe | API fails to retrieve secrets stored three levels deep in folder structure. | Resolved. API can now access secrets from deeply nested folders. |
| Secrets Safe | Temporary access sessions allow continued secret access even after expiration. | After access expiration, secrets are no longer viewable. A refresh clears expired content from "All Secrets." |
| Secrets Safe | Sorting the Owners grid causes incorrect owners to appear checked. | Resolved. Grid sorting no longer changes selection states. |
| Secrets Safe | Secrets can be shared to folders they already belong to, causing duplicates. | An error message is now shown if the secret already exists in the destination. |
| Secrets Safe | Importing a malformed CSV file can expose internal error details and call stacks. | Improved handling of bad data. Internal errors are no longer exposed. |
🔧 Workforce Passwords
| Product Area | Description | Resolution |
|---|---|---|
| Workforce Passwords | Fresh install of Worforce Passwords Browser Extension from Firefox store is missing the Delete Credential button, until you log out of and log back into the Extension.. | In this scenario, the Delete Credential button appears as intended, without requiring any special log out/log back in steps. |
🔧 Reporting
| Product Area | Description | Resolution |
|---|---|---|
| Reporting | Password Update Activity Report - shows data even when Smart Group parameter value is a Smart Group with no results. | The Smart Group parameter was not working properly with domain accounts and functional accounts. The report now filters appropriately when the Smart Group filter is selected, and only relevant results are displayed. |
| Reporting | The Password Update Activity Report will not run if the optional Accounts parameter has no value set. | Resolved an issue retrieving the Password Update Activity for Functional Accounts, improving the performance and ensuring that the report works with or without data in the Account parameter. |
| Reporting | Reviewed Sessions Report PDF format - column pushed to next page. | Resolved. Report formatting updated. |
| Reporting | (On Premises only) When the ADOMD Client is missing from the system, the Endpoint Privilege Management Event Rollup report subreports show an error and do not work. | Resolved. We now install the required ADOMD Client so that sub-reports can function. |
| Reporting | When a user attempts to run the Password Reset-on-Release report the Account Name is a required field, when it shouldn't be required. | Resolved. Account Name is now an optional field. |
🔧 APIs
| Product Area | Description | Resolution |
|---|---|---|
| BeyondInsight API | AppAuditDetails has reached it's identity limit. | Changed the AuditDetailsID field from ‘int’ to ‘long’ to accommodate larger IDs. This change impacts the public API. |
| Secrets Safe API | Calling the GET Secrets-Safe/Secrets API with the optional Path query parameter does not properly return secrets which have been granted via group membership. | Resolved. Filtering by Path, Secret Name, afterDate, limit and offset, or any combination of all those filters, properly returns data. |
| BeyondInsight API | POST UserGroups/{id}/Permissions with SS Permission 111 fails with 400 error: Failed to create team passswords folder. | Resolved. Folder creates successfully. |
🔧 Pathfinder
| Product Area | Description | Resolution |
|---|---|---|
| Pathfinder | No error is provided in the UI when attempting to delete a custom Platform Plugin that has an associated Functional Account. | Resolved. The UI now warns the user that they cannot delete a custom Platform Plugin with an associated Functional Account. |
📝 Requirements
- Direct upgrades to 25.1.0 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 25.1.0 supports SQL Server 2016 SP2 or higher
🗒️ Notes
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: a253a8f419777df83cbbc5453b0f4c60
- The SHA-1 signature is: 951cc0076a2971e6e5474e614f48ed488f698a75
- The SHA-256 signature is: 69e2dca017e880b344c9623519f29803972af2775345799ffc4a919777a121bd
⏰ Deprecation notices
Licensing Folder Removed
The Licensing folder has been deprecated. Due to folder reorganization, any report saved views, report subscriptions, or subscriptions to saved views relating to the following reports no longer function and must be recreated from the new Usage folder if still required:
- Workforce Passwords Usage Summary
- Active Users
Password Safe User Licensing report deprecated
The Password Safe User Licensing report that lived within the Licensing folder has been deprecated. Any report saved views, report subscriptions, or subscriptions to saved views of this report no longer function. Users should consider creating fresh views and subscriptions based on the System Usage Statistics report, which has replaced the Password Safe User Licensing report.
Removing PMUL support in BIPS
In 25.1, we have begun the process to deprecate and remove Endpoint Privilege Management for Unix and Linux (PMUL) and Solr functionality in Password Safe.
The first step is to no longer receive and process PMUL and Solr events.
In an upcoming release, we will remove all user interface components, reports and event forwarding functionality.
Support for Outbound TLS 1.3
In an upcoming release, BeyondInsight and Password Safe will phase out the use of mutual TLS (mTLS) to support the adoption of TLS 1.3, which eliminates support for optional mTLS (client certificate renegotiation) on inbound connections. The following product areas will be affected:
- Client certificates will no longer be supported as an authentication method for API registrations.
- The option to download a client certificate from the System > Downloads configuration page will be removed.
API Updates
The POST Imports and POST Imports/QueueImportFile APIs have been deprecated, and will be removed in an upcoming release.
