11.2.1 Release Notes
Dec 14th, 2021:
Enhancements
Enhancements available with the 11.2.1 release of Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.
When upgrading Privilege Managerto a newer version, Delinea recommends upgrading the Directory Services Agent so that both are running on the same release version.
-
The granularity of auto-merge is enhanced to allow administrators to choose when registering agents are merged, based on machine SID, Active Directory account SID, domain\computer name and Azure AD device ID.
-
Enhancements across the application better reflect conditions that exist with duplicate resources and domain entries. These enhancements appear as new tasks. Reports that support certain conditions are also added.
In order to resolve any issues with duplicate IDs, these tasks must be run manually.
- There are two Server Tasks that are available to run the merge actions if registration has already been completed. Note: These tasks are specifically used for merging duplicate IDs; they can not be used to merge domains.
- Merge Duplicate Resources - This task attempts to merge any duplicate values it finds based on the set options.
- Merge Specific Resources - This task merges one or more resources into a selected target resource, regardless of whether they have any duplicate data.
- There are three new tasks for domain sync improvements:
- Merge Duplicate Active Directory Domains - This task removes unwanted duplicate entries, along with any children of the duplicate domain that are found with the Duplicate Active Directory Domain Merge Candidates report.
- Purge Old Unmanaged AD Computers - This task removes old unmanaged AD computers, which have been around for the default 90 days. The task allows the user to adjust the query with a user-defined number of days.
- Remove Active Directory Domain - This task is added to the maintenance config feed for customers having trouble deleting a domain.
- The Users and Groups with Duplicate SIDs report is renamed to Resources with Duplicate Global Identities (Domain\Computer name), in order to better match it to the merge actions it reports.
- New Diagnostic reports are available that support the new auto-merge tasks for duplicate IDs. Note: These reports indicate that there are duplicate resources that should be addressed by the customer, using the Merge Duplicate Resources and Merge Specific Resources tasks. The reports do NOT indicate duplicate domains. They include:
- Resources with Duplicate Azure Device IDs, lists Computers associated with the Privilege ManagerServer that have identical Device IDs.
- Resources with Duplicate machine (Domain) SIDs, lists Computers associated with the Privilege ManagerServer that have identical Domain SIDs.
- Resources with Duplicate Account SIDs, lists Computers, Domain User, and Domain Groups associated with the Privilege ManagerServer, that have identical Account SIDs.
- Duplicate Active Directory Domain Merge Candidates This report identifies any existing Active Directory Domains that have been duplicated. Refer to the new Merge Duplicate Active Directory Domains task to address these duplicates.
- There are two Server Tasks that are available to run the merge actions if registration has already been completed. Note: These tasks are specifically used for merging duplicate IDs; they can not be used to merge domains.
-
The App Registrations in Azure no longer require the Azure Active Directory permissions and can use the Microsoft Graph. Setting Up Azure Active Directory Integration in Privilege Manager now reflects an update for the change from using Azure Graph API to Microsoft Graph API.
The Azure AD Graph APIs are scheduled to be deprecated by Microsoft by mid-2022, and replaced with the Microsoft Graph APIs. While support for the Microsoft Graph APIs has been added, any existing configurations that use the older Azure AD Graph APIs will not be affected, and will remain functional. However, it is highly recommended that new installs be configured to use only the Microsoft Graph APIs, so they will not be affected when the Azure AD Graph APIs are deprecated in 2022. If both APIs are currently configured to work in your Privilege Managerinstance, no change should be necessary, as the Microsoft Graph APIs will continue with full functionality when the Azure AD Graph APIs are deprecated.
-
Email notifications for approvals now have an updated link for the VirusTotal page.
-
A new field, InitiatorUserName, is added to the Approval Request data in the ServiceNow integration. This field is always in the format DOMAIN\USERNAME. Conversely, the UserName field is intended to be a display name and can change depending on how it was created or updated. The behavior of UserName will not change. So, if you require a consistent value, use InitiatorUserName instead.
-
Screen reader support in Windows Advanced HTML Message actions is improved.
-
The client item database performance on the agent is improved.
macOS Specific
- Monterey support is added.
- Universal binaries in the agent inventory are fully inventoried.
Windows Specific
-
Windows 11 is supported.
Privilege Managerdoes not currently support Windows Store Apps.
Bug Fixes
- Merging domains now properly handles resources that already have an association to both source and target domains.
- We now check to see if a reference update will create a duplicate Active Directory domain, and if so, we simply remove it.
- Fixed a bug where File Scan commands would not properly inventory a file targeted by a File Specification filter.
- Computers with only the core and Directory Services agent installed no longer consume a product license.
- Warning messages in the agent log about the database being in the wrong location are fixed.
- Client items are scanned and carefully inspected so that only a small subset of required updates are modified during installs. (In prior versions, all client items were resaved, forcing large updates on agents.)
- Group management policies no longer send a full local user and group inventory after each run. Instead, inventory is only sent if a change in the group membership is detected and inventory has not already been sent in the last hour.
- A space in the secondary file path filter, that prevented the filter from being applied correctly, is no longer an issue.
- Errors are not displayed when saving managed local administrator passwords.
- Error handling is improved when saving passwords for Admins in the User Interface.
- The export of files with long names no longer gets truncated and loses the file extension.
- Computers with only the core Directory Services agent installed no longer consume a product license.
- When setting up and running the Email Scheduled task, emails are now triggered to be sent.
- An error no longer occurs when viewing the Task Scheduler history for a user that includes a single quote (') in the user name.
- Local user passwords are no longer set back to the initial password after they are previously randomized.
macOS Specific
- The Privilege Managersudo plugin no longer outputs the "Evaluating command ..." message on the terminal when the sudo command is run.
Agent Specific
- Unix/Linux agent crashes during registration when FIPs is enabled on the agent.
- Agents now stream messages from/to the server, so if the list of policies and filters for an endpoint is very large, the "MaxReceivedMessageSize" error message is no longer encountered.
Agent Specific
- Unix/Linux agent crashes during registration when FIPs is enabled on the agent.
- Agents now stream messages from/to the server, so if the list of policies and filters for an endpoint is very large, the "MaxReceivedMessageSize" error message is no longer encountered.
- The Application Control agent is unable to remove expired hashes.
- Ensure Windows agents start enforcing policies following post installation reboot.
- Address slowness when users attempt to launch applications.
- Address memory leak in Application Control Agent.
- HTML based approval actions cause an error on the Agent.
- Agent reloads Application Control policies and filters after update check.
- Major performance impact on certain PCs after updating Altiris.
Known Issues
-
If an agent requests a hash filter before collections are updated, the following occurs:
- The hash filter is cached without a hash date.
- The filter is not properly applied to any policy the filter is associated with.
-
When creating an Azure AD in Privilege Manager, use the company DNS name instead of the *.onmicrosoft.com name. If *.onmicrosoft.com is used, a duplicate Azure AD system is created when a local user and group inventory is performed where Azure AD Users are present.
To fix the issue, follow these steps:
- If AAD is used to authenticate to Privilege Manager, ensure that an alternate administrator login is enabled.
- Disable AAD as an authentication mechanism.
- Delete the duplicate AAD system from Privilege Manager.
- Edit the AAD system in Privilege Managerto use the DNS name and save.
- Reenable AAD for authentication.
- Save and test.
-
We do not support elevation for Windows Store applications.
-
Upgrades may fail when spanning multiple versions. Refer to Troubleshooting Failing Upgrades.
Deprecations
- The UNC Allow Policy Template configuration feed has been removed from the Config Feeds space.
