Secret Server 11.9.000025 Release Notes

Release Date: On-premises: October 9, 2025

The Secret Server 11.9.000025 release is nearly identical to the withdrawn 11.9.000024. There are two additional fixes at the end of the table. One of those, 679118, is the issue that caused us to withdraw the previous version. For convenience, all of the previous fixes and enhancements are copied here.
Step Upgrade Required (11.9.6). Versions prior to 11.9.6 must first upgrade to 11.9.6. The automatic downloads in the product will get the right versions for the step upgrade and then allow upgrades to later versions. If you are offline and using the file upload method, however, versions prior to 11.9.6 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.9.6 and then do the upgrade to 11.9.25 or above.
As of August 31, 2025, Microsoft will retire TLS 1.0 protocol support for Azure Application Gateways. Thus, updates.thycotic.net will require TLS 1.2 for all connections. Secret Server On-Premises instances released prior to 2018 may not support TLS 1.2 and will no longer receive update notifications after this change. All other product functionality will remain unaffected. Customers running older versions should upgrade to a supported version to continue receiving update notifications.

11.9.000024 Patch

This patch restores upgrade functionality. You will still need to perform the upgrade to 11.9.25 after applying the patch.

If you cannot upgrade from 11.9.000024 to 11.9.000025 or later, it is likely you are affected by the bug that caused the withdrawal of 11.9.000024. To apply the patch:

  1. Stop Secret Server:

    1. Stop the distributed engine service or services.

    2. Stop Secret Server web node application pool or pools.

    3. If applicable, stop RabbitMQ through the rabbitmqctl stop_app command:

      1. Open Command Prompt as an admin.

        Change directories to C:\Program Files\RabbitMQ Server\rabbitmq_server*\sbin

      2. Run rabbitmqctl stop_app command in the command prompt window.

  2. Download the patched DLL and replace the original in the bin subdirectory of the IIS application directory, for example:

    C:\inetpub\wwwroot\SecretServer\bin\Thycotic.ihawu.Business.dll

    The download hashes are:

    • Calculated on 2025-10-10 17:30:43Z

    • SHA1(11.9.24_UpgradePatch.zip)= 29adba35fe30b6cd8439459e2b840685a209b6c7

    • SHA256(11.9.24_UpgradePatch.zip)= e1413474aac98e0108ddcf83f02316540a236b508adfb1c46c278c64b3d6979b

  3. Restart Secret Server:

    1. If applicable, start RabbitMQ through the rabbitmqctl start_app command. This is the same process as above except the command would be rabbitmqctl start_app.

    2. Start the Secret Server web node application pool or pools.

    3. Start the distributed engine service or services.

  4. Upgrade to 11.9.000025 or later.
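
The following added example (not a Delinea script) performs step 2 in PowerShell: it checks the downloaded archive against both published hashes before touching the bin directory, keeps a copy of the original DLL, and confirms the copy. The download location, the backup folder, and the assumption that the archive contains the DLL under its own name are assumptions; run it after step 1 and before step 3.

```powershell
# Added example, not vendor code. Run with Secret Server stopped (step 1).
# Assumptions: $ZipPath, $BackupDir, and that the archive holds $DllName.
param(
    [string]$ZipPath   = "$env:USERPROFILE\Downloads\11.9.24_UpgradePatch.zip",
    [string]$BinDir    = 'C:\inetpub\wwwroot\SecretServer\bin',
    [string]$DllName   = 'Thycotic.ihawu.Business.dll',
    [string]$BackupDir = 'C:\SecretServerPatchBackup'
)
$ErrorActionPreference = 'Stop'

# Hashes published in the release notes for 11.9.24_UpgradePatch.zip.
$expected = @{
    SHA1   = '29adba35fe30b6cd8439459e2b840685a209b6c7'
    SHA256 = 'e1413474aac98e0108ddcf83f02316540a236b508adfb1c46c278c64b3d6979b'
}

# Both digests must match; -ne on strings ignores case, so the uppercase
# output of Get-FileHash compares cleanly with the lowercase values above.
foreach ($alg in $expected.Keys) {
    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm $alg).Hash
    if ($actual -ne $expected[$alg]) {
        throw "$alg mismatch for $ZipPath (got $actual). Do not install this file."
    }
}

# Extract to a fresh staging folder and require exactly one matching DLL.
$stage = Join-Path $env:TEMP ('ss-patch-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $stage
$newDll = @(Get-ChildItem -LiteralPath $stage -Recurse -File -Filter $DllName)
if ($newDll.Count -ne 1) {
    throw "Expected exactly one $DllName in the archive, found $($newDll.Count)."
}

$target = Join-Path $BinDir $DllName
if (-not (Test-Path -LiteralPath $target)) {
    throw "$target not found; check the IIS application directory."
}

# Keep the original outside bin so it can be restored if the upgrade fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$backup = Join-Path $BackupDir "$DllName.$stamp.bak"
Copy-Item -LiteralPath $target -Destination $backup
Copy-Item -LiteralPath $newDll[0].FullName -Destination $target -Force

# Confirm the file now in bin is byte-identical to the one from the archive.
$src = (Get-FileHash -LiteralPath $newDll[0].FullName -Algorithm SHA256).Hash
$dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($src -ne $dst) {
    throw "Copy verification failed; restore $backup before restarting."
}

Remove-Item -LiteralPath $stage -Recurse -Force
"Patched $target; original kept at $backup"
```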

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.64.0

Protocol Handler: 6.0.3.42

If your protocol handler version is 6.0.3.26 or lower, you must manually upgrade to a higher version. Automatic upgrades will not work for versions 6.0.3.26 or below. However, if your protocol handler version is 6.0.3.27 or higher, the automatic upgrade will function properly.

Known Issues

When viewing Session Recordings in Secret Server 11.9.000025, there is a known UI issue that shows an overlay over the video until clicked. This will not occur on the first session viewed but will on subsequent session recordings viewed within the end user's application session. This looks like sessions are not loading, but clicking on the video player will remove the overlay and allow viewing as usual.

Important Technical Change for Secret Server 11.8 and Later

Please carefully review this section prior to upgrading.
Applies to Secret Server On-Premises only.

Overview

Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.

Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.

As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:

  • Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:

    • In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.

    • If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.

    • When finished, perform an iisreset to restart Secret Server.

  • If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.

New Features

Role Permission for API Key Generation

We added a new role permission called "Generate API token from user interface." This role permission grants access to the interface for generating API tokens within the user's profile area. It has been granted to all roles as it was previously a feature available to all users.

Unlimited Administrator Renamed to Unlimited Vault Access

To better represent the functionality that Unlimited Administrator provides, it has been renamed to Unlimited Vault Access. The Unlimited Administrator and Enable Unlimited Administrator role permissions, Unlimited Administrator Configuration page, and page header notification have all been updated to use the new terminology.

Proxy Bypass for Privileged Remote Access

Privileged Remote Access is a feature available in the Delinea Platform and provides much of the same functionality as the SSH and RDP proxies. In most scenarios, both are not required to be used concurrently. There is now a secret setting on the security tab which dictates whether or not a PRA launch (Open with Remote Access) uses SSH/RDP.

Customer-Managed Encryption Keys

With Customer-Managed Encryption Keys (CMEK), you can now own and manage your encryption keys, ensuring exclusive control and compliance with industry standards. CMEK enables cloud adoption for customers with strict compliance needs. CMEK uses the Azure Managed HSM service.

Key Benefits

  • Exclusive Control: Maintain exclusive control over the encryption and decryption of your sensitive cloud data. Even in the unlikely event of a compromise or legal action against Delinea, your data remains secure and accessible only to you.

  • Seamless Integration: Our solution integrates seamlessly with Azure Managed HSM, Amazon EKS, and Fortanix, allowing you to use your own managed key stores for all encryption operations.

  • Compliance Assurance: Meet strict security and compliance requirements with ease. This feature is designed to support regulatory frameworks such as GDPR and HIPAA, making it ideal for security-conscious enterprises.

  • Centralized Key Management: Security architects and cloud administrators can centralize and control key management, ensuring that all encryption/decryption operations use customer-owned keys. Audit logs provide transparency and traceability of key access and usage.

This feature does not cover on-premises key management or key management solutions outside Azure, Amazon, or Fortanix.

Improvements

ID Release Notes
590845 Improved: Added a new option in data retention to only remove data directly related to secret sessions.
635436 Improved: Clarified error message around ServiceNow credential secrets so users will know they need a secret with a username and password or the appropriate extended mapping.
638054 Improved: The permissions report now filters inactive users.
642215 Improved: Added support for WebSphere Integration password changer.
643148 Improved: Video segments can now be appended to an already processed session recording when they arrive later because the session was resumed.
643365 Improved: Import Secrets page enhancements: Localized all error messages. Errors are summarized in the header with counts for each type of error, for instance "Duplicate secret name (42)". Added an Errors column that displays all the errors for each row. The grid is sortable by error or secret name.
644180 Improved: Increased performance of teams-related queries.
649041 Improved: All secret pickers have been updated to use the latest design.
650468 Improved: Updated grids to allow for full-screen mode while in modals and large panels.
652544 Improved: Added login auditing to authentication.
652955 Improved: Grid component now supports grouping and has updated header cells with options.
653785 Improved: Added new folder search tab for selecting folders in the "Move to Folder" bulk operation. This enables users to choose subfolders where they don't have access to the parent folder.
654386 Improved: Default discovery report name changed to clearly describe the report results.
655154 Improved: Simplified the on-premises database upgrade message and added a link to the Delinea docs "Upgrading Secret Server" section.
663529 Improved: Deep linking when Privilege Manager is installed now skips the application picker.
663690 Improved: Updated to Angular 20.1.6.
663852 Improved: Application/service accounts no longer require email address to be migrated.
663988 Improved: Cloud maintenance pages styling updated.
664296 Improved: Updated AVBlocks library to support TLS/HTTPS.
664626 Improved: Updated NuGet packages and dependencies.
664727 Improved: User principal name added to the user detail page.
664835 Improved: Added new secret templates for Open API Key, IBM Watson API Key, and Hugging Face API Token.
664852 Improved: Added a new secret template for Google Vertex AI Service Account.
664860 Improved: Added the Azure AI Compute Credentials secret template.
664866 Improved: Added the AWS SageMaker Access template.
664872 Improved: Added the "AI Compute Node SSH Key" secret template.
664873 Improved: Added new AI Endpoint Certificates secret template.
665041 Improved: Unlimited Administrator feature renamed to Unlimited Vault Access.
665400 Improved: Dual control has been converted to use the new UI interface and the previous ASPX interface has been removed.
666012 Improved: Added ticket details, including: reason for ticket override approve or deny in secret audit; Inbox ticket override approval with approve/deny reason; Inbox ticket override approval with approver/denier details.
666061 Improved: V1 for GroupMembership Patch has new filter to allow for updating inactive users. V1 return IDs are not processed as they will not be found. Partial patch will succeed but unfound IDs will be returned.
666244 Improved: Grid component header style updates.
666477 Improved: Domain was added to the group and user selection modals for the PIC.
666562 Improved: Added preview panel to discovery computer scan log.
666718 Improved: Add display name and descending sort.
666752 Improved: Updated Oracle MDAC version to 23.9 for Oracle dependency scripts, heartbeats and password changers.
666947 Improved: V1 Patch Group/Users now has options to add more debugging in response. V1 now also has options to take inactive/active users. Will do partial success, but indicate in body if there are failed users that have not processed in the PATCH.
667026 Improved: Added PRA bypass security option on Secrets. When checked, if proxy is enabled and a secret is launched via remote access, proxy is bypassed.
667054 Improved: If defined, Session Connector launchers are now displayed in secrets.
667498 Improved: Updates for smaller screens where search opens in a modal.
667628 Improved: Salesforce heartbeat and RPC now use v.64 API.
668328 Improved: Update Platform Integration Center to be named Platform Upgrade Center along with various other wording changes within the Platform Upgrade Center.
669355 Improved: Updated chips across Secret Server to use updated colors and move towards "success" for most cases where state is some form of success.
669471 Improved: Updated wizards to display their steps in tab-like styles, and updated wizards in dialogs to more closely match wizards in full pages.
669571 Improved: Removed link to secret legacy import and redirected old secret import pages to updated import pages.
671235 Improved: Thycotic.Video now uses TLS/HTTPS for the default license validation.
671843 Improved: Okta heartbeat now supports Global MFA under Global Security Policy.

Fixed Issues

ID Release Notes
466453 Fixed: DE prematurely closes proxied sessions which use session recording. For those using the Distributed Engine app.config to modify DataDeliveryToleranceSeconds for SSH Proxy sessions, that setting is now contained in the ConfigurationAdvanced.aspx page and can be set there. When set there, re-configuring the app.config every upgrade of the Distributed Engine will no longer be necessary. This is supported with Distributed Engine versions newer than 8.4.59.0.
555124 Fixed: Platform displayed "DoubleLock" instead of "QuantumLock" on the "Delinea Command Relay" page secret selection area. In Platform > Sites and Engines > Any Site > Settings > Delinea Command Relay > Select secret with QuantumLock enabled. String resource has been changed from DoubleLock to QuantumLock where appropriate.
562738 Fixed: Discovery manual host range limit. Changed to populate network discovery list with large batch sizes.
580687 Fixed: Site options "Enable CredSSP Authentication" and "WinRm Endpoint" now sync properly with database when auto filled.
581201 Fixed: Inapplicable, On-Prem-related links and text on the Session Recording page have been removed from Secret Server Cloud and Platform.
584688 Fixed: Teradata heartbeat and remote password changing now work.
596685 Fixed: Internet connectivity not on the new diagnostics page. On premises "Check connectivity" button added to diagnostics page.
622351 Fixed: The number of secrets for policy application appeared as a negative number.
630945 Fixed: Secret Server Cloud stats for session monitoring storage were not pulling from database tables.
632826 Fixed: Report subscribers did not display all the users and groups from user management.
633090 Fixed: An issue with audit message for changing the checkout time of a secret not displaying correctly.
633790 Fixed: Distributed engine would fail changing a local account password on the same server it is hosted on, but a different distributed engine would succeed.
633915 Fixed: The error "KeyNotFoundException" appeared on an API call for an individual secret summary when using the parameter autoCheckout as false.
634054 Fixed: Password field validation logic prevented assignment of privileged accounts to policies when password fields aren't mapped.
637889 Fixed: The All Secrets Heartbeat column sometimes disappeared on initial load.
638065 Fixed: When switching between the general and matches tab, the template fields did not maintain their values properly.
640532 Fixed: SessionConnector/RDS Launchers (RDP child launcher) keystrokes were not reliably recorded when keystroke recording was enabled.
641379 Fixed: Email notification inbox template mapped incorrect URL for ItemName.Folder. Email templates now honor folder link interpolation.
642172 Fixed: SSC group search only searches the 1st page of results. When searching for members in a Secret Server group, the search now looks at both the username and the display name fields, where before it only was searching against the display name.
643365 Import Secrets page enhancements: Localized all error messages. Errors are summarized in the header with counts for each type of error, i.e. "Duplicate secret name (42)". Added an Errors column that displays all the errors for each row. The grid is sortable by error or secret name.
643500 Fixed: Secret policies were automatically applied to secrets within folders generated through the import process.
643683 Fixed: Secret name was not displayed in response sample in the secret dependencies endpoint.
643816 Fixed: When a script was run with "test script," the UI would not inform the user of completion.
644133 Fixed: Precompiled application exceptions were thrown on startup. Created startup task to rename App_Code directory if it exists.
645792 Fixed: Adding more than 35 users in "managed by specific users" provided no information.
648671 Fixed: Distributed Engine offline status was not adhering to the "Engine Callback Interval." The engine callback interval for an engine's site now takes precedence over the global callback interval when determining the engine's offline status.
651392 Fixed: In the discovery account import dialog wizard final step, clicking import would not show any API errors without closing the dialog. Now, to complete the wizard the errors either need to be resolved and resubmitted or the user can click cancel.
654232 Fixed: Secret list views did not sort in the correct order when navigating to the view.
654867 Fixed: Inbox notifications created column is now a date and not a date time since format.
654872 Fixed: Ticket override requests are no longer sent to the requestor when they are an approver in multiple groups.
655760 Fixed: Override requestor received approval and denial reason on email.
659868 Fixed: Target will no longer appear on Platform audits if the audit does not have a secret ID.
660026 Fixed: When a ticket override request that had been approved was later denied, the secret comment needed to be entered again, if required, upon the next secret request from the user.
660064 Fixed: An issue on the password changers list, where the Active Secret Count column was not populated.
660127 Fixed: The favorite button in the secret grid no longer has a true/false tooltip.
660328 Fixed: The Reset Password button was showing twice.
660439 Fixed: ProductName variable would show up instead of actual name.
660724 Fixed: Broken Entrust HTTP POST SAML. Adjusted referrer policy to strict-origin-when-cross-origin for better compatibility and standards consistency.
663706 Fixed: No global search results or direct menu option for session connector settings in DP, SSC settings, or configuration search. Added navigation links to session connector settings page.
663979 Fixed: Security fixes for manual rolling upgrade process.
664523 Fixed: Ticket override section hidden on new ticket creation. To update these settings, edit the ticket system after it is created.
664540 Fixed: Ticket override option not displaying for secret access request. Ticket override flow is now triggered in secret access requests as well as request comments.
665388 Fixed: Removed legacy AdminDiagnostics.aspx and AdminClustering.aspx pages.
665454 Fixed: Editing template permissions with search filters applied no longer removes users that did not match the previously applied search results.
665997 Fixed: Day logs were not displayed if you selected the last 5 days option.
666228 Fixed: Grid item totals could get stuck infinitely loading.
666577 Fixed: Ticket override disable-ticket system did not deny pending. If a ticket system with pending ticket overrides is disabled or the override option removed, all pending ticket override requests will be denied.
666829 Fixed: Redirected from Secret Server PIC when already opted in. When you have previously opted-in to Platform without going through the PIC and visit the PIC in Secret Server, a new Launch platform button has been added to the Opt-in step card.
667282 Fixed: HSM Audit log popup was misaligned.
667601 Fixed: Breadcrumb was missing on some item-details pages.
668379 Fixed: The import export settings in the configuration search now show up when launchers are disabled.
668731 Fixed: Updated tooltips for user membership types to accurately reflect license usage.
668853 Fixed: Federation step in the PIC got into an incorrect state when the Federation step is In Progress but has no SS providers.
669165 Fixed: Discovery import account dialog is now localized.
669194 Fixed: Passwords containing semicolon (;) broke regular expression logic.
669220 Fixed: Loading favorites threw an error in some scenarios.
670350 Fixed: Wrong chip background color when progressing through PIC steps.
670351 Fixed: Test button was showing instead of delete button on dependencies that do not have test buttons.
670694 Fixed: Manually changing root personal folder permissions via Unlimited Admin could throw error.
670898 Fixed: In secret import an incorrect button would appear while trying to import from XML.
671312 Fixed: Some downloaded records were inconsistent.
671357 Fixed: Removed unused legacy UI components.
679118 Fixed: A critical issue where upgrading from Secret Server 11.9.24 to subsequent versions would fail when session recording video processing files (AVBlocks DLL) were locked. The upgrade mechanism now properly handles locked DLL files, ensuring successful upgrades even when session recording is active with on-demand video processing disabled.
679458 Fixed: An invalid ticket number could be ignored on a secret that requires view comment on some ticket-system configurations.