August 27, 2024

Requirements

• BeyondTrust ECM v1.6.0+
• Modified the API call body to include rotateOnChecking=[false]. The Allow API Rotation Override option must be enabled on View Password Policy Type for relevant access policies.

New features and enhancements

This is a maintenance release and does not include any new features or enhancements.

Issues resolved

• Addressed an issue which could result in misleading statuses when the option to include availability info was enabled.
• Updated the conflict option used to create release requests to "reuse" to reduce the number of requests generated.
• Modified the API call body to include rotateOnChecking=[false]. The Allow API Rotation Override option must be enabled on View Password Policy Type for relevant access policies.
• Addressed an issue in which duplicate display values were used when a domain account was returned in multiple formats.

Notes

• This maintenance release replaces any usage of v24.1.x.
• Supports upgrades from any prior release.
• This release will be included as part of the U-Series Appliance image for the BeyondInsight and Password Safe 24.2.0 release.

BeyondTrust Appliance U-Series Software 4.2.1 release notes

June 6, 2024

Requirements

• .NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
• SUPI 3.2 (available through BT Updater)

New Features

This is a maintenance release and does not contain any new features.

Issues resolved

• Resolved an issue where the Installed Software page was slow to load and sometimes would have an incorrect version listed for a product.
  • Cause: The appliance was requesting product version information from BT Updater, causing a delay in loading the results on the page. Also, if an update had failed in BT Updater, it returned the version for the failed update, despite it not being installed.
  • Resolution: The appliance no longer contacts BT Updater for product version information.
• Resolved an issue where when attempting to create a backup on a SQLFree appliance, no options were displaying under Backup Options.
• Resolved an issue where when a backup that was created on a SQLFree appliance and contained the BeyondInsight database, a restore of that backup on the same SQLFree appliance would fail.

Known issues

• Endpoint Privilege Management (EPM) Event Collector Service is missing from the log download page or log export page if there are no log files present.
• EPM and Privileged Management Reporting (PMR) High Availability requires that the source EPM accounts match on each appliance. Accounts require manual intervention to rename.
  • Workaround: Users must manually create the EPM/PMR SQL Users in the database on the secondary node.
• Last Pass can interfere with the Deployment and Configuration Wizard.
  •  Workaround: Disable or log out of Last Pass or configure the appliance in incognito mode in the browser so that the browser extensions are not interfering with the wizard.
• When changing the EPM Database credentials on the host machine and remote collector password, if the EPM Database Access feature is turned off and then on, the user has to enter and confirm their password every time.
• The beyondtrust_user account is locked out after changing the Auth SQL Server password.
• Appliance self-signed certificate does not have subject alternate name (which does not support HSTS). For Chrome 58 and later, only the subjectAlternativeName extension (not commonName) is used to match the domain name and site certificate.
• Using High Availability in a multi-node EPM deployment that has the secondary node set up as the PMR database, when the secondary is promoted to primary, the PMR reports do not display in BeyondInsight. A red X displays in place of the charts.
  • Cause: A multi-node deployment typically uses the IP/machine name of the database host in the shared EPM config file. This pointer continues to point at the failed primary, causing the problem.
  • Workaround:
    • In BeyondInsight, from the left sidebar, click Configuration > Endpoint Privilege Management > Privileged Management Reporting Database Configuration.
      • In the Server field, update the IP address to be that of the current appliance.
    • In the appliance software, from the left sidebar, click Service Status.
      • Restart the EPM Reporting Gateway Service.

Notes:

• Security Management Appliance Installer is dependent on BeyondInsight 24.1.
• Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
• This update is available through BT Updater or as a manual installer from the download tool.

Resource Kit 24.1.1 Release Notes

May 23, 2024

Requirements

Requires BeyondTrust Password Safe version 24.1.1 or later release.

New features and enhancements

• Updated Platform SDK to support Password Safe 24.1.1
  • Platform plugins updated to use .NET 8

Notes

• The SHA-256 signature is: a4ff16e52d5e322cfeae3e96f03d45554833f151ea7bf939139fa1da0cd63936
• This release is available to download for BeyondTrust customers at https://beyondtrustcorp.service-now.com/csm.

May 23, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements

• This release bundles version 24.1.0.1426 of the BeyondTrust Discovery Agent. Corresponding release notes are available on the BeyondInsight and Password Safe Release Notes page.
• All components and services using .NET 6/7 have been updated to .NET 8.
  • .NET hosting bundle v8.0.4 is included.

Issues resolved

• None

Notes

• Direct upgrades to 24.1.1.1843 are supported from all previous versions.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• The MD5 signature is: 4C6EDD2EBF8EB69258D77A383FD85E35
• The SHA-1 signature is: 09DACD5B2D8C551F08179A7C61900A631D2F48AF
• The SHA-256 signature is: 6C0D31BF6B72A1129DE0A021878089566FA655C299E8A6EC8F5879285F55C670

May 23, 2024

Requirements:

• There is a product dependency on having the .NET 8 Hosting package installed.
• A reboot of the system may be required.

New features and enhancements:

• Updated the scanner to .NET 8.
• Added support for scanning IPv6 targets.
• Added an external configuration file for secondary SSH prompts.
• Added logging of remote agent extension and plug-in versions.
• Added support for the enumeration of scheduled tasks for Linux. This includes support for servicectl, CRON, and AT jobs.
• Added a new runtime option to all the Windows Domains to be used instead of the DNS Domain for the Workgroup/Domain Name asset field.

Issues resolved:

• Resolved a scenario where a scan fails to complete when connecting to the target's registry. Changed the default value for the remote registry connect timeout to 60 seconds.
• Resolved a scenario where a scan fails to complete due to inability to acquire the Yum command lock on Linux targets.
• Resolved a condition which could cause a failure to cache the Domain information.
• Resolved an exception which could occur when special characters are included in JSON data.

Known issues:

• The installation dialogs have string substitutions errors.
• This release depends on having the .NET 8 hosting package pre-installed. If the .msi installer is run without the prerequisite .NET 8, the scanner is left in an uninstalled state. The .exe installer must be used in this situation to ensure that the proper .NET package is installed. A reboot of the system may be required.

Notes:

• Direct upgrades to this version are supported from versions 20.1.0 and later releases.
• This release is available by download from the BeyondTrust Client Portal at https://www.beyondtrust.com/support/.
• The MD5 signature is: 297e9a5d6a53472a206c906effe13342
• The SHA-1 signature is: c6a8a41bb1fac9520809d9db8856f8fb9660df47
• The SHA256 (exe) signature is: 74116cda6b6e1513dac0a9db1afef3637e6c2a69ca5b90b3ee2376469d3ec6ff
• The SHA256 (msi) signature is: 1d98dc75afe75dbb61079c8b777ac13b1edb7ab3b52cdd148952fe3fbc96ede2

May 23, 2024

Requirements

• Requires .NET 4.7.2 or later
• Requires IIS to be enabled on host

New features and enhancements

• Added Subscription for Endpoint Privilege Management: Data Collection Bundle
• Added Subscription for Endpoint Privilege Management: Web Policy Editor Bundle

Issues resolved

None

Known issues

None

May 23, 2024

New features and enhancements

Configuration

• SAML Configuration has been updated so that incoming SAML communications (Assertions, Response) can no longer be signed using SHA1 by the Identity Provider (IdP). This is disabled for security purposes.

ℹ️

Note

Incoming SAML communications (Assertions, Response) must be signed using SHA-256 or higher by the IdP. SHA1 is no longer be accepted.Ensure your IdP has been updated in BeyondInsight accordingly.
Failure to update your IdP prior to upgrading BeyondInsight and Password Safe to version 24.1.1 may prevent users from logging in using SAML.

• Added a new option to the Configuration page: Identity Security Insights > Connect to Identity Security Insights.
  • Enabling this connector key allows Password Safe to forward discovery scan events to Identity Security Insights. This provides visibility into possible attack paths, identity-based threats, and identity hygiene issues.

Developer Platform

• All components and services using .NET 6/7 have been updated to .NET 8.

Analytics & Reporting

• Added a Retrieval Reason column to the Password Safe > Activity report to display the comments for any release request listed in the report.

Password Safe

• Changed API Authentication Failure email notification logic so that new deployments of BeyondInsight and Password Safe do not send email notifications when API authentication failures occur.
• Updated the bundled ECM Password Safe Plugin to version 24.1.2.
• Added Change Password after Release and Enable API Access options to the Disable at Rest onboarding Smart Rule action.

Password Safe Cloud

• Renamed the Update column on Resource Broker grids to Update Available.
• Added links to release notes in the Update Available column on Resource Brokers grids, for resource brokers that can be updated or are being updated.
• Added a DNS Name filter to the Resource Zones > Brokers grid when accessing that area from a specific resource broker.

Issues resolved

• Resolved a foreign key constraint issue with the daily sync job (relating to the Change Queue fact table and Managed Account dimension table).
  • Now, the sync job handles the data in a way that avoids this constraint issue.
• Increased security around Smart Rule editing.
• Resolved an issue where updating an existing SAML configuration prompted the user to include the IdP certificate.
  • Now, the certificate is only required on the Create page.
• Resolved an issue in the Web Policy Editor, where sometimes a Save button appeared on the policy editing page, which caused the editor to hang when used.
  • Now, only the appropriate Save & Unlock button appears, and the editor works without hanging.
• Resolved an issue in the Activation Key generated command line text that prevented OAuth communications with Endpoint Privilege Management agents in Password Safe Cloud environments.
  • New users created using the API now respect the TOTP Two-Factor Authentication restrictions as set in BeyondInsight configuration, the same as manually created users do.
• Resolved an issue affecting proper generation of user audits of Secrets Safe activity.
• IP and X-Forwarded-For authentication rules are now evaluated on every API call instead of only on authentication/sign-in.
• Resolved an issue with the IP Allow List, where attempting to enable network restrictions would fail if at least one resource broker exists that has not yet been upgraded to at least version 24.1.0.
• Resolved an issue with the IP Allow List where, upon resource broker validation, if a large number of resource brokers were not in the allow list, the notification message was taking up the entire screen.
  • The notification message has been adjusted and scrollbars added for proper visibility.
• Improved the performance for Managed Account onboarding Smart Rules for some scenarios.
• Resolved an issue where a Secrets Safe secret could not be deleted if the ownership is assigned to Entire Team.
• Resolved an issue where upgrades from versions 23.1.1 and earlier would reset the TOTP configuration settings.
• Resolved an issue where a Password Mismatch email notification was incorrectly sent when a Password Test failed against a Windows system because it was unreachable or failed to connect.
• Resolved an issue where scans were not updating the IP address for managed systems when the IP address is reverted to a previous IP.
• Resolved an issue where the Events grid in Managed Account Advanced Details was slow to populate.
• Resolved an issue where Smart Rule processing would fail due to propagation actions being applied to accounts that were not inserted into the database.
  • Now, managed accounts that are not onboarded do not cause the propagation action to fail.
• Increased the timeout for HttpClient used to proxy Endpoint Privilege Management requests.
  • Now, exports from Privilege Management Reporting within BeyondInsight succeed even with very large data sets.

Known issues

• When establishing a connection between the Workforce Passwords extension and your Password Safe instance, if there is a space at the end of the URL in the extension, a DNS address could not be found error occurs.
  • Workaround: Avoid adding any extra spaces at the end of the URL when using the Workforce Passwords extension. This issue is being resolved for an upcoming release.

ℹ️

Note

Issues discovered after release can be found within our product Knowledge Base.

Notes

• Direct upgrades to 24.1.1 are supported from BeyondInsight versions 22.2 or later releases.
• BeyondInsight 24.1.1 supports SQL Server 2016 SP2 or higher.
• This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
• The MD5 signature is: cfee455464f5589b49d2143872441f55
• The SHA-1 signature is: 1bdcef294a47e6e201a62b5edaafcd435d3deaab
• The SHA-256 signature is: ce70c722ba9c99e4b3e791a94eef88d5ce8b22ef6cebe286c0ac0c7f9abf2756

Deprecation notice

BeyondInsight 24.1.1 still supports the following features that are planned to be removed in upcoming releases:

• Team Passwords Public API Endpoints: Planned for the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints.
• Analytics & Reporting > Clarity: Clarity and related reports and configuration. Release to be determined.
• About > BeyondInsight Analysis: Release to be determined.

May 7, 2024

Requirements

• BeyondTrust ECM v1.6Ms.0+

New features and enhancements

This is a maintenance release and does not include any new features or enhancements.

Issues resolved

• Resolved an issue in which recently used external endpoints were not being returned.
• Resolved an issue in which available credentials were not being returned when using U-Series Appliance deployed ECMs.

Notes

• This maintenance release replaces any usage of v24.1.1.
• Supports upgrades from any prior release.
• This release will be included as part of the U-Series Appliance image for the BeyondInsight and Password Safe 24.1.1 maintenance release.

May 2, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements:

• There are no new features or enhancements.

Issues resolved:

• None

Notes:

• Direct upgrades to 24.1.0.1832 are supported from all previous versions.
• .NET Core hosting bundle updated from 6.0.27 to 6.0.29.
• .NET hosting bundle updated from 7.0.17 to 7.0.18.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.1.1376 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: 85A942B8C48018EFCEBC806511BCB2C8
• The SHA-1 signature is: 5F9E8677C1E44EA8BC7E9E7CA4E04259B430B2FC
• The SHA-256 signature is: 1DEFE3988932DCFFF2B70B0E2CCE919A60F7D188A129930D972B8F50ABEFD1D3

May 2, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements:

• There are no new features or enhancements.

Issues resolved:

• None

Notes:

• Direct upgrades to 23.3.0.1794 are supported from all previous versions.
• .NET Core hosting bundle updated from 6.0.27 to 6.0.29.
• .NET hosting bundle updated from 7.0.16 to 7.0.18.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.1.1375 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: 2076D89FCC094FA9DFAF49C6BE6FD624
• The SHA-1 signature is: B9CDDA7677F9F5926F077F68C8DFAFA03553E5D8
• The SHA-256 signature is: 5ADC6430A6DF97751E3BAF77570C81C8014388D7C2994BB2904ED2EB2188A5EA