Secret Server 11.9.000047 Release Notes
Release Date: On-premises: December 13, 2025
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.73.0
Protocol Handler: 6.0.3.48
Known Issues
Important Technical Change for Secret Server 11.8 and Later
Overview
Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.
Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.
As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:
- Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:
  - In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.
  - If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.
  - When finished, perform an iisreset to restart Secret Server.
- If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.
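The App_Code condition above can be checked before upgrading. The following PowerShell script is an added example, not vendor code; the default site path and application pool account are assumed placeholders to be replaced with the values for your installation.

```powershell
# Added example (not vendor code): pre-upgrade check for the App_Code condition.
param(
    # Both defaults are assumed placeholders; pass the values for your install.
    [string]$SitePath     = 'C:\inetpub\wwwroot\SecretServer',
    [string]$PoolIdentity = 'IIS AppPool\SecretServer'
)

$appCode = Join-Path -Path $SitePath -ChildPath 'App_Code'
if (-not (Test-Path -LiteralPath $appCode -PathType Container)) {
    Write-Output "No App_Code folder under $SitePath; the rename step does not apply."
    return
}

# Look for an explicit or inherited Allow rule that grants the pool account
# Modify on the application folder. This reads ACL entries for that exact
# account only: rights obtained through group membership, and Deny rules,
# are not evaluated, so treat a "not found" result as a prompt to verify.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$grants = (Get-Acl -LiteralPath $SitePath).Access | Where-Object {
    $_.IdentityReference.Value -eq $PoolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
}

if ($grants) {
    Write-Output "$PoolIdentity has Modify on $SitePath; the upgrade can rename App_Code itself."
} else {
    Write-Warning "$PoolIdentity has no Modify entry on $SitePath; startup may fail after upgrade."
    Write-Output 'Either rename the App_Code folder by hand, or grant Modify with:'
    Write-Output ('  icacls "{0}" /grant "{1}:(OI)(CI)M"' -f $SitePath, $PoolIdentity)
    Write-Output 'Then restart IIS with: iisreset'
}
```

Renaming the folder by hand leaves the application pool account's file-system rights unchanged, which keeps the web process's write access narrower than granting Modify on the whole application folder.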
Support Articles
Please see the following technical articles for instructions:
New Features
New Remote Password Changers
- Workday: A new password changer to manage credentials for Workday accounts. Workday is an enterprise AI platform.
- Windows (PowerShell): A new, flexible password changer for Windows accounts using PowerShell.
Enhanced Auditing
- Folder Move Auditing: When a Secret is moved, the audit log now records both the previous and new folder names for a clearer audit trail.
- New Auditing Categories: Added auditing for custom dictionaries and new Report Categories.
Bulk Operation Improvements
- Introduced a new Bulk Operations dashboard for better visibility and management.
- Added auditing for bulk operations to track large-scale changes.
Fixed Issues
| ID | Release Notes |
|---|---|
| 427434 | Fixed: Incorrect keystroke capture on Italian keyboards. Input capture has been adjusted in the protocol handler to account for input language when the host and destination are set to the same input language. |
| 608798 | Fixed: Front-end and back-end data mismatch. Corrected a varchar type mismatch. |
| 621796 | Fixed: Session-connector-recorded sessions using an RDP launcher did not have keystroke data in the file download. |
| 626093 | Fixed: Log-level mismatch between Server Nodes page and SS.log file. Changed "All" log level to be "Verbose". Root log level can now be changed in Server Nodes. |
| 629449 | Fixed: IBM iSeries RPC character error. Mainframe RPC now supports the command `<ConditionalTabX>` (where X is the command tab size), for example `<ConditionalTab10>`. This allows for better handling of tabs in scripts. |
| 630794 | Fixed: Secret policy error. When global session recording is disabled, validation now prevents updating the secret policy field, which caused an invalid data error. |
| 633276 | Fixed: UI error on Secret Access Requests page. |
| 637089 | Fixed: Missing audit event. Custom dictionary administration audit added for create and delete. |
| 637092 | Fixed: "Report category creation" audit missing. |
| 652076 | Fixed: While navigating between the views on the All Secret page, the search box filter would not clear. |
| 654871 | Fixed: Ticket system override notifications disappear and reappear. |
| 659707 | Fixed: In Platform, the heartbeat status widget would not show heartbeat status. Viewing no longer requires reporting permissions to show the chart. |
| 659765 | Fixed: Secret policy launcher setting not appearing on secrets. |
| 660075 | Fixed: Secret permissions not showing when exporting the Sharing tab. |
| 660919 | Fixed: The saved configuration for a proxied SSH launcher (User Input) appeared empty after save or refresh. "Proxied SSH process" launchers on secret templates with "add mapping" can now save user input to the host field. |
| 662032 | Fixed: In the "All Secrets" page, the machine name and machines columns were not sortable when no records were present. |
| 662056 | Fixed: On the security hardening report page, the "force password masking" setting showed even though it no longer exists. |
| 663273 | Fixed: When "enable RPC" was disabled on a secret template, secrets based on that template could not be selected for discovery rules. |
| 663978 | Fixed: SSH proxy site selection setting was not working for Active Directory secrets. |
| 667266 | Fixed: Some fields in HSM configuration were showing up blank. |
| 667821 | Fixed: Number of saved reports incorrect on the Reports > Schedule page. |
| 671018 | Fixed: Viewing blank passwords incorrectly added an audit entry. |
| 671550 | Fixed: Oracle RPC error for SYS account. Added flag indicating that the AS SYS bit on the secret template is in use and passing that into the Oracle credential object. |
| 671705 | Fixed: Long keys (SHA512) did not wrap properly in the SSH proxy host fingerprint field. |
| 671707 | Fixed: Proxying endpoints UI download dialog is misshaped. Padding added to correct it. |
| 672045 | Fixed: The secret and discovery grid did not retain filter state between pages. Fix allows you to filter the grid, go to a secret, click the back button, and retain the applied filters. |
| 673430 | Fixed: Unlimited admin mode missing a level-one header. Secret Server configuration title adjusted for accessibility and column added. |
| 673568 | Fixed: An issue where the DR replication process would nullify the SecretPolicyId for secrets on a replica if the policy was configured locally on that replica. The replication logic has been corrected to preserve these local policy assignments. |
| 674141 | Fixed: Bulk errors returned by the API were not displaying in the active processes dialog. |
| 674212 | Fixed: Secret folder permissions issue. The problem occurred when you added users to a folder and set their secret permissions to "None." Before the fix, these users would still appear in the count on the secret's sharing tab. Now, the count only includes users who actually have access to the secrets. |
| 674495 | Fixed: Audit results were not displayed when creating a list option in admin categorized List. |
| 674552 | Fixed: Session connector launchers could not be viewed/edited by users that did not create the launcher. |
| 675482 | Fixed: One time passwords from the home page panel in Platform could throw an error under certain configuration options. |
| 675516 | Fixed: Unpinning pinned secrets did not show in the UI without a refresh. |
| 675833 | Fixed: An issue with special characters in search filters. When you typed special characters (like &, %, or #) in a search box, they were not properly encoded in the URL. This applied both when you enter a new search and when you use a saved filter from a URL. Before this fix, special characters could break the filter or cause errors. |
| 676491 | Fixed: Business Users could not share secrets when teams were disabled. |
| 677744 | Fixed: A playback display issue. A refresh icon was blocking the video during session recording playback. The icon now disappears when you start playing the video, so you can see the full screen without any obstruction. |
| 677808 | Fixed: Moving secrets from folders did not indicate target and source folders. |
| 677992 | Fixed: Long-running tasks tab was not hidden in cloud. The API only works for on-premises installs. |
| 678002 | Fixed: You would see an "Access Denied" error when viewing configuration settings, even if you only lacked access to the certificate secret used in Session Connector settings. Now you can view the configuration without needing access to that specific secret. |
| 678256 | Fixed: The system made duplicate network requests when loading the All Secrets view, which slowed down performance. Now it only makes one request, so the page loads faster. |
| 679030 | Fixed: Viewing a secret folder did not appear in the Platform recent items list. |
| 679367 | Fixed: You received unclear error messages when trying to activate a duplicate secret from the secret home page while duplicates were disabled. Now you will see a clear error message explaining that duplicates are not allowed. |
| 679458 | Fixed: You could view a secret that requires a ticket number even when entering an invalid ticket number. This happened with certain ticket system configurations. Now the system properly validates your ticket number before allowing access to the secret. |
| 679624 | Fixed: An issue in DE 8.4.56.0 that caused Windows SMB heartbeats to fail in certain circumstances. |
| 679646 | Fixed: The active tasks panel had several usability issues. You could not toggle between viewing active and completed tasks. The overlay closed too quickly when you moved your mouse away. And error messages weren't easy to spot. Now you can switch between active and completed tasks, the panel stays open longer for easier interaction, and errors are clearly highlighted. |
| 681122 | Fixed: You could apply formatting (like bold or italics) to the name when copying a secret. This caused display issues and inconsistencies. Now the system removes any formatting from the secret name during the copy process. The copied secret will have a plain text name only. |
| 682303 | Fixed: The Discovery import account dialog displayed text in the wrong language when adding multiple takeover secrets. The "add secret" button and related text were not translated properly. Now all text in the dialog appears in your selected language when you add multiple takeover secrets. |
| 682989 | Fixed: A secret with "change password on check in" enabled would automatically check in even when the password change failed after reaching its retry limit. This left the secret in an inconsistent state with the wrong password. Now the secret remains checked out when the password change fails. You can fix the issue and try again without losing track of which secrets need attention. |
| 683754 | Fixed: Certain launcher configurations failed to launch when you accessed them from the favorites section on the platform home page. The same launchers worked correctly when accessed from other locations. |
| 683904 | Fixed: The PUC failed to match user records correctly for users who had an entry in the tbExternalUserMapping table with IsPlatform set to 0. This caused the system to not recognize their group memberships from the tbUserGroup table. Users affected by this issue may have experienced incorrect permissions or missing access to resources. Now the PUC correctly matches these user records to their group assignments regardless of the IsPlatform setting. |
| 685948 | Fixed: An issue with ASRA recordings failing processing when keyboard recording is enabled. |
| 686031 | Fixed: Performing a bulk "Request Access" operation for multiple secrets that require an approval workflow would fail. The "Duration" field was not loading correctly, preventing users from completing the request. This has been resolved, and bulk requests for secrets with workflows now function as expected. |
| 687294 | Fixed: Resolved an issue introduced in a recent update where approvers in a workflow could not view or manage a secret access request unless they also had "View" permission on the secret itself. This prevented users in roles like auditing from completing their approval tasks. This change restores the intended behavior, allowing approvers to process requests without requiring direct permissions on the secret. |
| 687453 | Fixed: Localization errors. Localization strings added for extended mappings: WebSphere Privileged Account, Windows Account (PowerShell) takeover, Workday Service Account (11.9.6), and Certificate with Private Key (added in 11.8.9). |
Improvements
| ID | Release Notes |
|---|---|
| 590528 | Improved: Added warning when disabling an ASRA collection. |
| 597072 | Improved: Workday RPC integration added. |
| 637212 | Improved: Now able to save client-override IP address ranges with the allow list client type after editing. |
| 642214 | Improved: New "Windows Account (PowerShell)" secret template. |
| 664028 | Improved: In Platform, Secret Server configuration now includes setting descriptions, two column layout as appropriate, and some settings are now hidden (they are controlled by other Platform settings). These include UI inactivity timeout and custom logos. |
| 665213 | Improved: Efficiency of database calls for RPC selection. |
| 665401 | Improved: Converted AdminChallengeView.aspx to an Angular page. The new page can be accessed as a tab on the PBA configuration page. |
| 665567 | Improved: Added the ability to stop any in-progress bulk operation. Added Bulk Operations Dashboard page to view current and past bulk operations. Replaced the modal bulk progress dialog with non-modal toast-like bulk ops component. |
| 666003 | Improved: Added Bulk Operations dashboard page. See features. |
| 668309 | Improved: When a data sync occurs in the Platform Upgrade Center (PUC), a message appears in the data sync section of the PUC showing the count of the successes and errors of the last sync along with a link to View the Log. |
| 668334 | Improved: When a user is going through an upgrade in the Platform Upgrade Center, if SS has logos and logos do not exist in Platform, the logos are automatically copied to Platform, and the step is completed. |
| 668335 | Improved: Automated the secure access step in the Platform Upgrade Center. |
| 670297 | Improved: Added a throttle: "Max Number of Passwords That Can be Changed at One Time" setting for Entra ID RPC. |
| 674228 | Improved: Added Delinea desktop widget for folders, showing a context-aware secret grid. |
| 675940 | Improved: Updated precheck messages for Active Directory groups. When you set up AD Groups in the PUC, you now see clearer messages about the group type. The system was showing these warnings too often before. Now the messages only appear when they're actually needed based on your environment's settings. |
| 675983 | Improved: AjaxControlToolkit dependencies were removed. |
| 678116 | Improved: Added a slider in the bulk operations, which allows selection of how many records you wish to download. |
| 678532 | Improved: Added safeguards for external vaults to require linked secret transforms in order to push the values. |
| 679328 | Improved: Folder pinning does not evaluate folder access. Changed to improve security when using pinned folders. |
| 679363 | Improved: Removed the legacy secret import pages (import.aspx, advancedimport.aspx). |
| 679524 | Improved: Added the ability to map individual Secret Server |
| 679677 | Improved: The "Send legacy emails" setting has been removed. All secret access request emails and event subscription emails now go through your inbox. The system no longer supports the old email format. |
| 680903 | Improved: The customized branding step in the PUC now runs automatically in the background before the secure access step begins. When you start the secure access step, you will see a single progress bar that tracks both processes. This streamlines the setup process so you do not need to manually run the branding step separately. |
| 680904 | Improved: Removed unhelpful prechecks, and added completion indicator messaging. |
| 681158 | Improved: Several API endpoints and one internal advanced configuration audit page were missing proper permission checks. Users could potentially access data they should not see. Now the system verifies your permissions before allowing access to these endpoints and the audit page. |
| 682292 | Improved: Platform users can now apply "Administer Bulk Operations" when in unified mode. |
| 682425 | Improved: Modified logic in DataProviderEncryptionHandler.Transform so that key is not generated and saved when decrypting a default configuration with no prior system key. |
| 682948 | Improved: Moving folder note is now very specific for audit notes. |
| 682952 | Improved: The IBM i-series heartbeat and password changer now support the feature. This gives you more flexibility when configuring how the system interacts with IBM i-series screens during automated password changes and connection tests. |
| 683576 | Improved: You can now enable a decal pattern for charts in your user profile. This feature adds visual patterns to chart elements. This is a preview feature, so not all charts support decal patterns yet. |
| 684304 | Improved: Secret RPC no longer happens every 10 minutes in some configurations, restoring the original behavior. |