12.0.4 Release Notes
Release Schedule
Privilege Manager Cloud Release Date: June 28, 2025
Privilege Manager On-Premise Release Date: July 11, 2025
Windows Agent Software
Do not install the agent on a workstation running Windows 11 build 26120.x or newer. The Privilege Manager team is working to have a hotfix agent build compatible with the changes Microsoft made within these new versions.
Supported Agents
Do not enroll any Windows workstations into Insider Preview update channels. The operating system builds provided via these channels are not generally available or officially supported by Delinea. We recommend using the mainstream Windows update channel.
12.0.4237 Bundled Privilege Manager Agent Installer
12.0.4237 Core Thycotic Agent (x64)
12.0.4237 Core Thycotic Agent (x86)
12.0.4237 Application Control Agent (x64)
12.0.4237 Application Control Agent (x86)
12.0.4237 Local Security Solution Agent (x64)
12.0.4237 Local Security Solution Agent (x86)
12.0.4237 Bundled Privilege Manager Core and Directory Services Agent
12.0.4035 Directory Services Agent (x64)
macOS Agent
12.0.4.134 Privilege Manager macOS Agent (macOS Big Sur 11 and later)
Installation Notes
-
Starting with builds 11.4.3235 & 12.0.1016, and going forward with all newer builds, there is a dependency on a PowerShell script being executed by the MSI installer package for the application control agent. The script itself is signed with our code signing certificate so it will meet the execution policy requirements for signed scripts, but if all script execution has been disabled, then it will cause the installer to fail.
-
When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.
-
Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Privilege Manager on a supported and actively maintained OS.
-
As a best practice, Delinea recommends creating system restore points before making system changes such as applying patches.
Delinea supports the use of software versions up to a year prior to the current version. You can find previous versions of the documentation here.
Supported Operating Systems
In addition to the existing support on Windows Server 2016, the Privilege Manager agent is now officially supported on Windows 2019, 2022, and 2025 operating systems, with the following caveats:
-
The Deny Read/Write Access to the Microsoft Office document files default action causes Excel to hang indefinitely on Windows Server 2025; however, the process can be ended in Task Manager. This action will be deprecated in a future release.
-
Windows Server 2022 and 2025 Datacenter editions are displayed under the Unix/Linux category of agents. This will be corrected in a future release.
-
Within the Admin | Agents page, the Windows Server 2025 operating system is displayed as Windows Server 2025 Standard. This will be corrected in a future release.
Supported Agent Versions
V3 agent services were removed from this release. Version 10.4 and older agents will no longer be able to connect to 12.0.4 and newer Privilege Manager servers.
Certificate Validation for SSPM Agents
For both the Windows Agent and macOS Agent, by default, validate server certificate is turned off. However, if your server domain includes one of these, then validate server certificate will automatically be turned on and the server certificate will be validated:
-
.privilegemanagercloud.com
-
.privilegemanagercloud.eu
-
.privilegemanagercloud.com.au
-
.privilegemanagercloud.com.sg
-
.privilegemanagercloud.ca
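An added example, not Delinea code: a small audit helper that sorts a list of agent server URLs into those whose hostname ends with one of the suffixes above and those where validation would have to be forced. It assumes the match is a suffix match on the hostname (the notes only say the domain "includes" one of them), and all URLs in it are constructed samples.

```python
from urllib.parse import urlsplit

# Suffixes copied from the list above.
CLOUD_SUFFIXES = (
    ".privilegemanagercloud.com",
    ".privilegemanagercloud.eu",
    ".privilegemanagercloud.com.au",
    ".privilegemanagercloud.com.sg",
    ".privilegemanagercloud.ca",
)


def server_host(url):
    """Return the normalized hostname of a server URL, or None if unparsable."""
    text = url.strip()
    if "://" not in text:
        text = "https://" + text  # bare host[:port][/path] as typed into a config
    try:
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def validated_by_default(url):
    """Assumption: a hostname-suffix match, stricter than a substring test."""
    host = server_host(url)
    return host is not None and host.endswith(CLOUD_SUFFIXES)


def audit(urls):
    """Partition URLs into (validated by default, must be forced)."""
    on, forced = [], []
    for url in urls:
        (on if validated_by_default(url) else forced).append(url)
    return on, forced


# Constructed sample inventory (not real tenants or servers).
SAMPLE_URLS = [
    "https://acme.privilegemanagercloud.com/",
    "ACME.PrivilegeManagerCloud.eu:443",
    "https://pm01.corp.example/",
    "https://10.20.30.40/",
    "https://acme.privilegemanagercloud.com.corp.example/",
]

if __name__ == "__main__":
    on, forced = audit(SAMPLE_URLS)
    print("validated by default:", on)
    print("force validation via deployment settings:", forced)
```

The last sample only contains a listed domain in the middle of its name, so this conservative check reports it with the on-premise hosts that need the setting forced.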
To force this setting to be enabled for use with an on-premise Privilege Manager server via MDM deployment of the agent, refer to the documentation:
Installing Windows Agents
Installing macOS Agents
Unix/Linux Support: End of Life
Privilege Manager for Unix/Linux is marked as End of Life (EOL). This indicates that the product is entirely discontinued and not available for product support. Contact your Delinea Account Manager for any concerns or direction going forward.
macOS Monterey 12.x Support
Privilege Manager version 12.0.4 of the Mac agent no longer supports macOS Monterey (12.x), for which Apple has not released a security update since July 2024. Privilege Manager follows the common practice of supporting those OS versions that Apple itself supports with security updates, namely, the current and two previous versions of macOS. We encourage our users to upgrade to a supported version of macOS to continue receiving the latest features and security updates.
macOS Sequoia 15.x
macOS Sequoia 15.x includes a new privacy feature requiring user permission to allow applications to access devices on a local network.
As a result, endpoints with an installed macOS agent that connects to an on-premise Privilege Manager server on the same network may present an "Allow access to find devices on a local network" message to end users when submitting actions such as an approval request for the first time.
Once allowed, the message will not be displayed again and the agent will function as expected.
This message will not be seen for customers who register their agent against Privilege Manager cloud.
The permission can also be granted by going to System Settings > Privacy & Security > Local Network and enabling Privilege Manager.
Currently, Apple does not provide any method to pre-approve these requests using Mobile Device Management (MDM).
Enhancements
-
A new Syslog task has been created to Send Approval Events to Syslog. This sends details of all approvals specified in the task to the Syslog. Care should be exercised with the volume of approval requests that are generated in your application before deciding on the schedule for this task.
-
A new protocol, called HEC (HTTP Event Collector), has been added to the Syslog configuration page to support customers using this method with their cloud-based Syslog providers.
-
The JIT approval notification for the macOS agent is improved. Previously, when a macOS JIT session was approved, the notification displayed rounded the approval time down. For example, 4 hours would be displayed as 3. Now when the approval time is less than one day, the notification of remaining approval time is more precise, for example 4 hours is displayed as 03:59:59.
-
Within Group Management, the ability to set the operation for individual groups and accounts to Ignore if found is now available when the All Other Users and Groups catch-all is set to Remove if found. This allows administrators to more granularly define what groups and accounts are present on workstations in a given computer group.
This configuration enhancement requires a 12.0.4 agent.
-
The privilege-manager ServiceNow integration now sends a removal notification to ServiceNow if the timeout value is met in the Approval Process configuration. In the event the approval request timeout is met, the user will receive a denial on the endpoint and the associated request will be removed from the Self Service - My Requests in ServiceNow.
-
The file name of the existing default filter has been updated to correlate with the new version of Sysinternals PSExec. The filename in the filter has changed from psexe.exe to psexec.c.
-
Similar to the Group Management page, a Show all inventorized toggle option has been added to the User Management page to show all inventoried users. By default, this toggle is disabled to just show built-in users, as well as managed local users.
-
Two new reports have been added to identify duplicate AD Distinguished Names (Resources with Duplicate AD Distinguished Names) and duplicate AD Native IDs (Resources with Duplicate AD Native IDs) in the Privilege Manager server.
When duplicates have been identified, they can be cleared using the new Merge Duplicate Resources parameters, which can be found under the Auto-Merge Resources section in the Advanced Configuration page.
-
Added a new report Resource Discovery Computers Assigned that shows all machines that have been assigned to discover a file.
-
The Audit Changes to Managed Groups report now also includes the audit data for built-in macOS managed groups.
-
A new Orphaned Local Users and Groups report is available in the Diagnostics section. The report details any duplicated local user or user group accounts.
These duplications can occur when a local user or group of the same name has been removed and re-added before the Local User Inventory task has been executed. When these duplications occur, running the Purge Maintenance - Orphaned Local Users and Groups task will remove the orphaned accounts.
-
The Approvals page displays more in-depth information in both the Active and History panels.
-
To ensure that the Application Control Service continues to work, a registry entry can now be made manually that will bypass kernel checks on unsupported OS builds. (Although not recommended, this has become necessary, for example, when a computer is enrolled in the Windows Insider program.)
-
Several default filters have been updated to target the specific trusted path where the application should exist. These include:
-
Privilege Manager Agent Utility
-
Privilege Manager Remove Programs Utility
-
COM Elevation Host Utility
-
MSI Elevation Host Utility
If any of these applications exist outside of the specific trusted path and are used in your policies, the filter should be duplicated and adjusted to suit your requirements.
-
System Settings panes are now elevated using the necessary AuthorizationDB Right Actions. The Energy Saver/Battery, Lock Screen, Date & Time, and Network built-in policies have been updated accordingly. The Workstation and Onboarding policies have also been updated.
Bug Fixes
-
When using the ServiceNow standard (non-webhook) integration, certificate validation is now enforced.
-
To address error conditions, the option to duplicate Security Descriptors has been removed from Security Descriptor resources.
-
Privilege Manager manual installations carried out via a web browser will now create a database collation of SQL_Latin1_General_CP1_CI_AS.
-
An issue with filter operations for a computer group has been fixed. Now, changing the first operation type will not affect the second operation.
-
Previously, the ServiceNow webhook integration was using the SOAP integration method where the Create ServiceNow Approval Request Items task was required to get webhooks to function. The ServiceNow webhook integration is now working as per the integration documentation.
Further improvements were made to ensure the timeout values are being respected on both the Privilege Manager and ServiceNow sides.
This bug fix adjusts the behavior of the ServiceNow webhook integration to stop sending request item (RITM) numbers to ensure duplicate items are not created within ServiceNow as a result of the integration. For more information on how to update your configuration to continue generating request item (RITM) numbers, please see the support article here.
-
The computer's serial number is now displayed on the Agent Summary by OS drill-down report.
-
Previously, in scenarios where a managed group included multiple users/groups with the same name (i.e., where multiple domains had been synced and the managed group targeted the Domain Admins group on each one), the correct operation was not shown if both were set to Add if Missing. (However, this was reflected correctly in the provisioning task.) This has been corrected.
-
Fixed a bug with resource discovery where agents were getting assigned to discover a file but they never received the corresponding job.
-
Fixed a bug with resource discovery on applications from policy events and improved logging on the agent.
Agent Specific
Windows
-
The query behind the Unmanaged Local Administrators by Computers warning has been fixed. After the Unmanaged Local Administrators by Computer Server Gauge task is run, the correct status is displayed.
-
The way that implemented filters are loaded during the agent start up has been changed to prevent performance issues in larger environments.
-
Due to variations in runtime environments, the SetupAgent.ps1 script would occasionally display a prompt for a smart card while performing certificate management operations. A minor change was made to how the script uses certutil.exe to eliminate the smart card prompt in certain situations.
-
Instances where Windows administrator users were unable to create a Windows filter that included a digital certificate filter have been resolved.
-
An issue where file discovery tasks were not successfully getting sent to agents, resulting in some files being stuck in a Newly Loaded Resource state, has been resolved.
-
Previously, when the agent was performing local user provisioning, the agent generated an initial password with a length of 14 characters. This caused issues for group policies requiring a minimum of 15 or more characters, resulting in user creation failing on the agent.
The initial password generated by the agent is now 127 characters in length during provisioning of a local user account.
macOS
-
If the user also attempted to install OS patches when elevating a PKG through Privilege Manager, they would be prompted for administrator credentials. This has been resolved with a macOS Agent fix to PKG elevation.
-
When applications were elevated using the Auth DB rights actions on macOS agents, the active window would occasionally lose focus because the elevation process occurred in the background. This issue is resolved, and the focus should remain on the appropriate window during elevation.
-
Previously, the following error would sometimes be displayed for the macOS agent when executing some sudo commands or command execution from JAMF Self Service: LLVM Profile error: Failed to write file "default.profraw": Read-only file system.
Although the error didn't restrict the execution, it was an inconvenient and misleading message. This has been resolved.
-
Fixed an issue where, when a policy was disabled, the Policies Last Updated time stamp in the Agent Utility would continue to update each time Update Client Items was clicked. This would persist until another policy was enabled. The time stamp now only updates when the agent receives an actual policy change (e.g., enabling/disabling a policy or receiving updated policy details).
-
Previously, if a macOS endpoint did not have internet access, the installation package’s notarization would fail silently. While the installation itself appeared to complete successfully, the system extension for Privilege Manager would not be set up by the OS, rendering the agent inoperable.
This issue has now been resolved by stapling the PKG within the installation DMG. This allows the package to be verified offline, ensuring the system extension is correctly installed and the agent functions as expected, even without internet access.