Secret Server 12.0.000020 Release Notes

Release Date: On-premises: March 11, 2026

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.83.0

Protocol Handler: 6.0.3.49

Known Issues

Important Technical Change for Secret Server 11.8 and Later

Overview

Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.

Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.

As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:

• Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:

  • In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.

  • If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.

  • When finished, perform an iisreset to restart Secret Server.

• If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.

Support Articles

Please see the following technical articles for instructions:

• How to prepare for upgrade to Secret Server version 11.8 or higher

This maintenance release delivers significant platform modernization, dependency validation enhancements, performance improvements, and critical bug fixes.

Features

Platform Integration and Migration

• Added actor IDs to identity events for better auditing
• Added advanced session recording download functionality
• Added private API endpoint for seamless platform integration
• Enabled user-managed secret sharing with Platform Services
• Updated event subscription emails to be unified mode-aware

Platform Upgrade Center (PUC) Enhancements

• Added domain connection validation during data synchronization
• Added TOTP support for domain users
• Enhanced pre-checks optimized for large user and group environments
• Fixed Extended Assignment Error affecting approximately 120 users
• Improved exclusion management with paging and true select-all
• Streamlined workflow with auto-skip for unnecessary steps

RPC Pre-Run Validation Framework

• Added comprehensive logon validation for eight or more dependency types (Scheduled Tasks, Windows Services, App Pools, COM+, SQL/SSH Scripts, Remote Files)
• Added custom PowerShell script validation for Windows dependencies
• Added ping and port check validation across all relevant dependency types
• Enabled multi-site support with enhanced UI indicators and testing capabilities

Security Enhancements

• Enhanced role permission checks for PII operations
• Implemented Microsoft Information Protection (MIP) email classification integration
• Implemented SSRF mitigation (IconFetch) Phase 1
• Improved error disclosure by removing stack traces from API responses

UI Modernization and Performance

• Continued Angular migration for web install, notice pages, and reports
• Converted Chart.js to ECharts for better performance
• Integrated Vitest for improved testing
• Optimized critical UI CPU usage during secret checkout
• Reduced long-term memory pressure
• Updated framework dependencies: Angular 20.3.15/20.3.16, HtmlAgilityPack, and MailKit

Bug Fix and Product Enhancement Summary

API and Integration

• Converted AjaxServices.asmx to Web API
• Fixed Update Secret Template Field to no longer create duplicate fields
• Improved FolderUpdate API error responses
• Restored Copy External Secret to clipboard functionality

Data Integrity and Sync

• Fixed Automatic User Management settings to persist correctly
• Fixed invalid DR configuration blocking local user creation
• Fixed UAM options not appearing when enabled
• Preserved Ticketing System configuration during unrelated system deactivation
• Resolved Disaster Recovery sync errors after 11.9.25 upgrade

Discovery and Secrets

• Fixed IP Ranges for ESXi Discovery
• Fixed Shared with Me page to display secrets with owner permission
• Fixed SSC Entra Discovery to show role members correctly
• Removed 60-item limit on secret favorites
• Resolved local account discovery regression
• Restored Discovery Configuration to navigation

Performance and Scalability

• Fixed database CPU issue from missing index on tbFolder.FolderName
• Fixed memory leak in Distributed Engine SSH Proxy for versions after 8.4.32.0
• Optimized high-frequency file attachment retrieval
• Reduced excessive web calls in Resilient Secret Folder Selection
• Reduced SSC database deadlock rate

Platform and Authentication

• Corrected User Audit Role permission visibility
• Fixed Platform Group Member Retrieval 504 timeout
• Fixed SSH Terminal authentication with Prevent Direct API Authentication enabled
• Resolved duplicate emails when upgrading with SAML
• Restored RADIUS silent authentication functionality

Remote Password Changing

• Fixed SQL dynamic parameter #FOLDERPATH
• Resolved Dependency Changer disable issues
• Restored monthly auto RPC functionality
• Restored RPC compatibility with older engine versions

Session Recording and Launchers

• Corrected Open with Remote Access record icon display
• Fixed session recording with proxy credentials
• Fixed SSH Terminal to respect DE-level proxy and terminal settings
• Fixed Suggested Secrets to reflect recently used items

UI and UX Fixes

• Added scrollbar to Most Used Secrets widget
• Corrected access request time window rendering
• Corrected template settings dirty form detection
• Eliminated breadcrumb navigation 404 errors
• Fixed 400% zoom UI issues
• Fixed inactive secret menu loading issues
• Restored Event Pipelines sorting
• Restored SAML Audit column sorting

Additional Fixes

• Corrected database upgrader handling of two-digit minor versions
• Eliminated fresh install license check errors
• Fixed RDP file signing with untrusted root CA
• Fixed search functionality to no longer require exact element clicks
• Resolved LDAP group query operation errors
• Resolved Secret Server maintenance mode hang

Fixed Issues

ID	Title	Release Notes
585762	Fixed: User Audit Role Permission Allows Full Visibility	Users with the "Browse Reports" permission no longer see audit logs for all users. Non-admin users are now restricted to viewing only their own User Audit report.
593334	Fixed: Secret with Owner Permission Not Displayed in Shared With Me Page	Fixed an issue where the Shared with Me page did not display secrets with owner permission.
596554	Fixed: SSH Terminal Details Do Not Adhere to Proxy/Terminal Settings at DE Level	Engines without SSH Terminal enabled will no longer show SSH Terminal details on a secret.
604618	Fixed: Security MFA Authentication Button Shows Up in Secret Server On-Prem	The Security MFA authentication link is now hidden for on-premises installations, as it is only available in Platform.
613781	Fixed: Non-Loading Menu for Inactive Secrets	The dropdown action menu ellipsis in the secret grid now shows an option to activate an inactive secret instead of displaying nothing.
624074	Fixed: Cannot Edit a Secret's Privileged Account If the Policy Has an RPC Schedule	Fixed an issue where a secret's privileged account could not be edited when the assigning policy had an RPC schedule.
639503	Fixed: Local Accounts Cannot Be Discovered Due to Compiler Regression	Refactored local account discovery to address a timeout issue.
646716	Fixed: Monthly Auto Remote Password Change Not Working as Expected	Corrected the scheduled time zone for secret change schedule comparison.
647315	Fixed: Prevent Direct API Authentication Option Blocks Authentication in SSH Terminal	Fixed an issue where users were unable to authenticate through SSH Terminal when Prevent Direct API Authentication was enabled.
648664	Fixed: Incorrect Thumbprint Field Check on Site Connector Edit (MemoryMQ)	Updated form validation on the Site Connector page.
659650	Fixed: EngineLog Identity Column Approaching Int Limit	Resolved an issue with the EngineLogId column reaching the integer limit.
660936	Fixed: Missing Required Fields in Update Secret Template Field API Call Creates a New Field	Added required fields to the Secret Template Field API.
661921	Fixed: Site Field Shows as Restricted in the Overview Page of Secret	Vendor users can now select sites.
662022	Fixed: Heartbeat Status Filter Displays Secrets with Disabled Status	Secrets are now correctly displayed according to the selected Heartbeat Status filter.
662915	Fixed: Personal Folders Not Created When Disabled upon Creation	Personal folders are now correctly created for users who have been created, disabled, and re-enabled.
663643	Fixed: Secret Permission and Inheritance Synchronization	In the secret sharing tab, when Inherit Permission is enabled and a permission is changed from View to None in the root folder, users with None permission are now correctly displayed.
663930	Fixed: RADIUS Attempt Silent Authentication Not Working	RADIUS silent authentication now works when the user is already logged in through SAML.
665321	Fixed: Database Deadlock Rate Is Too High	Discovery maintenance no longer causes deadlocks.
668597	Fixed: RDP File Signing Fails When Root CA Not Trusted, Even When PFX Contains the Complete Chain	RDP files with chained certificates now work correctly.
669843	Fixed: Sorting the Columns of SAML Audit Does Not Work	The SAML Audits page now supports sorting.
670173	Fixed: Memory Leak in Distributed Engine Service for SSH Proxy	The Distributed Engine no longer leaks memory when SSH proxy is enabled and many non-Secret Server basic SSH connections are made. This fix is included in versions 8.4.80.0 and later.
671287	Fixed: PUC Does Not Support TOTP for Domain Users	The Platform Upgrade Center now supports TOTP for domain users.
671334	Fixed: Secret Checked Out When Given Invalid ITSM Ticket Through API	Under some conditions, /v1/secrets/:id/restricted would fail but mark a secret as Checked Out. This no longer occurs.
671774	Fixed: SSC Entra Discovery Not Showing Members of a Role	Resolved an issue where some Entra ID role assignments were not reflected in the database. Added logic to handle cases where incoming members were not assigned to any role in Entra ID. These cases are now skipped so as not to block further processing of role assignments.
676284	Fixed: Suggested Secrets Not Reflecting Recently Used After Relaunch	Launch as Secret now correctly displays previously used secrets.
676913	Fixed: No Scrollbar on the Most Used Secrets Widget on the Dashboard	The Most Used Secrets widget on the dashboard page now displays only 30 records and includes a new See All link that navigates to /secrets/view/most-used.
677661	Fixed: Secret Server Giving Unintended Results in Checkout Page	Fixed an issue with the Secret Server checkout page giving unintended results.
680802	Fixed: Access Denied When Clicking Privileged Account in Workday or Entra ID Template Secret	Clicking the Privileged Account link under Remote Password Changing no longer causes access denied errors.
682864	Fixed: SAML Upgrade to Platform Causes Duplicate Emails	Updated the workflow to send email to only one user when duplicate accounts exist.
684296	Fixed: Configuration Tab Missing from Left Panel in Discovery Section	Fixed an issue where the Configuration tab was visible in both the left panel and the main content area under Discovery.
684364	Fixed: Invalid Disaster Recovery Configuration Prevents Creation of Local Users	Removed possible race conditions and added a simple load option to ensure the DR configuration does not unnecessarily decrypt information when not needed.
684573	Fixed: Platform Group Member Retrieval Fails with 504 Gateway Timeout	Fixed Platform Group Member Retrieval 504 Gateway Timeout errors that prevented synced AD groups from appearing in UI assignment dropdowns and caused member lists to fail loading during group sync operations.
685084	Fixed: Secret Name Displaying Instead of Secret ID in Ticket Override Modal	The Ticket Override Status Update Message modal no longer displays the wrong secret ID.
685145	Fixed: Intermittent Failure Calling REST Endpoint /oauth2/token	Fixed a race condition with stronger error handling and extended logging.
685354	Fixed: Ticketing System Configuration Data Deleted upon Deactivation for Unrelated Ticketing Systems	Fixed an issue where creating or editing some ticket system configurations would delete the configuration of another ticket system.
685793	Fixed: Open with Remote Access Missing Recorded Text and Record Icon	The recorded icon for RAS launchers that use Session Connector now displays correctly.
685981	Fixed: PUC Unify Administration Fails with Extended Assignment Error	Native and Hybrid users are now re-mapped when Reset User Mappings was run before migrating users via the PUC.
686154	Fixed: Unable to Disable Dependency Changer After Removing Dependency Template Group	It is now possible to remove the dependency changer after removing the dependency template group in the secret.
686595	Fixed: Internal Site Connector Audit Popup Misalignment	Fixed an issue where the Internal Site Connector Audit popup was not aligned to center.
686827	Fixed: SQL Dynamic Parameter #FOLDERPATH Not Working	Folder path and folder ID filters now apply correctly to reports.
687431	Fixed: XML Validation Error on Secret Import Returns Zero Disclosure	XML validation errors when importing secrets now return an appropriate error message instead of no information.
687715	Fixed: Duplicate Secret Name Error Count Mismatch in Import Secrets Page	Fixed an issue where the duplicate secret name error count in the header did not match the error count listed in the table for duplicate secret name entries.
687854	Fixed: Double Folders Highlighted in Navigation	The left navigation no longer highlights both a folder and All Secrets when the folder is not the active page.
688542	Fixed: SQL Error When User Without UnrestrictedByTeams Permission Clicks Sharing Tab	An error no longer occurs when Teams is enabled but the user does not possess the UnrestrictedByTeams permission.
688944	Fixed: Advanced Session Recording Download in Platform	The advanced session download button now works directly in Platform.
689379	Fixed: PlatformMigrationMessage Failing	Platform migration now works with more than one million users and groups.
689637	Fixed: License Check Error on Fresh Install	After a fresh install with no licenses, users can now view the search configuration page.
689804	Fixed: Secret Favorites Not Showing More Than 60	Secret favorites now show more than 60 favorites.
690074	Fixed: Sync Error After On-Prem DR Upgraded to 11.9.25	Added a delta to repair an erroneous LastModifiedDate inserted on template creation for two templates created in previous releases.
690363	Fixed: Unrestricted by Teams Error	Applied a fix to handle an empty list of teams in the provider.
691004	Fixed: Audit Log Update with No Actual Change	Changing the checkout interval for a secret to the same value no longer causes an audit event.
691865	Fixed: Sorting Numbers Not Displaying in Custom Command Page Script Tab	Sorting numbers and UI display now function properly in the custom command page script tab. Column names are all visible and unobscured, and placeholder lines for the commands are numbered correctly.
691957	Fixed: Login Typo on SSH Keys	Updated a typo in the SSH keys description to clarify the use of login versus log in.
692030	Fixed: DR Log with Many Selected Folders/Subfolders Truncates Incorrectly	Fixed a bug where having too many selected folders in the Allow or Block list caused DR logs to never show as complete.
692151	Fixed: HTML Showing in Enable Unified Mode Dialog	HTML tags that were showing in the Enable Unified Mode dialog are no longer displayed.
692170	Fixed: Event Pipelines Policy Activity Grid Does Not Sort	The Event Pipelines Policy Activity and Pipelines Activity grids now sort correctly.
692415	Fixed: Automatic User Management Reverting to Disabled After 3 Months	Removed an incorrect revert time period for the Automatic User Management sync interval.
692483	Fixed: UAM Options Do Not Appear When UAM Enabled	Secret options now appear correctly when Unlimited Administrator Mode is enabled.
692650	Fixed: Secret Policy Redirect for Command Restriction Fails	Blocked command lists that link to secret policies now correctly link to the Secret Policy summary page.
693021	Fixed: Fix 404 Link for Tenant Customization in Platform	Added a link from the user interface to the correct Tenant Profile page in Platform.
693126	Fixed: Distributed Engine Consumer Rename	The Distributed Engine no longer looks at an incorrect queue when processing password changes.
693300	Fixed: Template Settings Dirty Form Without Changes	Editing template settings and clicking Cancel without making changes no longer prompts to discard unsaved changes.
693809	Fixed: Search Requires Users to Click on the Exact Element in Preview Window	Global search in Secret Server now filters the grid on the current page when Enter is pressed.
693952	Fixed: Approvals with Expired Durations Are Not Blocking Approvals	If the selected approval duration has expired, a new duration value is now required to approve.
694197	Fixed: DCM Business Users Can See Templates Assigned to IT Users	Fixed an issue where DCM business users had template options displayed that were not available to them when creating a credential.
694214	Fixed: Upgrade Center Fails Due to Directory Users Group Self-Membership Recursion	If the Secret Server Directory Users group is selected to be synced to Platform in the PUC, it is no longer added as a member of itself.
694895	Fixed: Test Email Problem for O365 and SMTP Methods	Users attempting to send a test email now receive a clear error message if their user account does not have an email address configured.
694997	Fixed: Timespan for Certain Hour Operations Has Incorrect Time Span on Approval Page	The timespan for approvals now displays correctly and allows you to proceed.
695977	Fixed: Access Request Window Not Rendering Correctly for Custom Durations	Custom durations for approvals now display correctly.
696019	Fixed: Platform Audits Missing PII Encoding	Removed platform sync logging that was not surrounding PII fields with brackets. Additional logging for PII is not necessary because this is audited in the user.save method; the platform sync code was duplicating PII in notes unnecessarily.
696240	Fixed: PUC Username Precheck for Spaces Should Not Check Domain Users	When a space exists in a username that is part of a domain, the PUC no longer shows a precheck error.
697116	Fixed: Breadcrumb Routes to 404 on Discovery Rules	Certain discovery breadcrumbs now link to the Discovery home page.
699334	Fixed: Discovery Configuration Missing from Left Nav and Site Map	Added the Discovery Configuration link to the Discovery left navigation drawer.
709089	Fixed: Manual host range scanner no longer accepts hostnames	Addressed an issue in Discovery where hostnames in the Host Ranges area would be stripped.

Improvements

ID	Title	Release Notes
552299	Improved: Performance: Missing Index on tbFolder.FolderName	Improved performance of folder searches.
613878	Improved: Proxy Credentials with Session Recording Enabled Does Not Record the Session	Added a new View Secret Proxy Credentials permission to Secret Server and Platform, included by default. When removed from a user, it prevents the ability to use Show Proxy Credentials to obtain credentials for the proxy session. With those credentials, a user could launch a session without recording video if recording is enabled. Keyboard logging (RDP) and server/client logging (SSH) through the proxy are still captured.
618423	Improved: IP Ranges Does Not Work for ESXi Discovery	The built-in ESXi Discovery source now supports scanning multiple VMware/ESXi hypervisors in parallel using an input IP range. A new built-in ESXi Machine Scanner takes input from the Manual Host Range (IP range) and scans for ESXi machines. Users can switch to this new scanner from the Manual Machine List scanner, which only supported single IP addresses.
634303	Improved: WPF Query Consuming Excessive Database Resources	Improved performance of Web Password Filler.
639802	Improved: Resilient Secret Folder Selection Page Creates Excessive, Redundant Web Calls	Removed redundant calls to the folder endpoint that occurred when opening the DR manage view.
663315	Improved: Implement Logon Pre-Run Validation for Scheduled Task Dependencies	Added logon pre-validation for scheduled task dependencies.
663345	Improved: Implement Logon Pre-Run Validation for SSH Script Dependencies	Added logon pre-validation for SSH script dependencies.
663351	Improved: Implement Custom PowerShell Script Pre-Run Validation for Windows Custom Script Dependencies	Added custom PowerShell script pre-run validation for Windows Custom Script dependencies. Users can now select a PowerShell script to validate dependency state before Remote Password Change operations execute.
665009	Improved: Hide SSC Subscriptions from SSC Navigation	The Secret Server Cloud subscriptions link is now hidden from the site map and content search in Platform-enabled instances.
665858	Improved: Implement RPC Pre-Run Validation for Dependencies Across Multiple Sites	RPC pre-run validation of dependencies now supports validating dependencies on other sites.
668319	Improved: Add Platform Upgrade Center Message for Thycotic One Users	Improved messages and modal confirmation informing the user of password and sync status.
676188	Improved: Upgrade HtmlAgilityPack, JetBrains.Annotations, MailKit	Updated MailKit and JetBrains.Annotations to the latest versions.
677678	Improved: Empty Password Validation Compliant or Non-Compliant	Password compliance is now checked when changing the password requirement in a given secret template.
677809	Improved: Integration with Microsoft Information Protection (MIP) for Email Classification — Global Configuration	Completed research and specification design for Phase 1 implementation.
678010	Improved: Performance Issue with High-Frequency Retrieval of File Attachments	Performance improvements have been made to the GET /api/v1,2/secrets/{id} endpoint, reducing latency by approximately 25%.
678073	Improved: URL Lists Have a 500 Character Limit	Increased the Categorized List Item Options character limit from 500 to 4,000 to support longer values.
678884	Improved: Run Validation When Saving Dependency	Users may now run configured validation when saving a secret's dependency. If validation fails, the user may continue or attempt to resolve the issue before saving.
681782	Improved: Update Platform Upgrade Center to Support AD Service User Migration	An application user in Secret Server that is associated with a domain can now be synced in the PUC to a Platform Service User.
682047	Improved: Convert Chart.js to ECharts	Upgraded the charting library for an improved experience.
686266	Improved: LDAP Query for Groups Failed with DirectoryOperationException	The directory services group searcher can now batch in custom sizes, with a default of 500.
686504	Improved: Remove Password Changers ASPX and Legacy JS Libraries	Removed legacy ASPX password changer pages and legacy ASRA configuration pages.
687717	Improved: Always Show Ticket System Override Section in Left Navigation	The Ticket System Override section now always shows in the left navigation, even when there are no ticket systems or none with override enabled.
688012	Improved: Handle When Opt-In Has Occurred Outside of PUC and Tenant No Longer Exists	In the Secret Server PUC, the Opt-In step now automatically detects when the configured Platform tenant no longer exists and resets the step status to Ready to Start.
689401	Improved: Convert Notice Pages	Several legacy notice messages have been upgraded to the latest design.
689792	Improved: Report Permissions Panel	Specific report permissions now use a dialog instead of the side panel.
689868	Improved: Tenant-Level UI and Applying of Date/Time Format	Added tenant-level date and time format configuration with user-selectable format options. Users can choose the tenant default or customize their date and time display format throughout the Platform UI.
690366	Improved: QA of Secure Access and Customized Branding	The Secure Access step in the PUC now skips when there are no domains and the Opt-In step was not previously completed.
691025	Improved: Remove ASPX Links from Angular That No Longer Exist	Removed links to legacy pages that no longer existed.
691276	Improved: Web Install Setup/Home Conversion to Angular	The initial page shown when not installed has been converted to the latest design patterns.
691298	Improved: Update Background Color Variable (Dark Mode)	Adjusted the dark mode body background color slightly.
692132	Improved: High CPU Usage in Secret Server UI During Secret Checkout	Improved grid performance on systems with very low resource availability.
692154	Improved: Add Paging to PUC Exclusions	The Platform Upgrade Center's Add Exclusions feature for groups and users is now paged.
692642	Improved: Convert Report Category Add Panel	Report category permissions no longer use the obsolete side panel to add permissions.
693303	Improved: Change Secret Policy to Secret Policies	Updated "Secret policy" to "Secret policies" to match the other items in the site map.
693308	Improved: Make Associated Secrets a Link	The secret name in the Associated Secrets grid on the RPC tab is now a clickable link.
694049	Improved: Event Pipelines UI Improvements	The Event Pipelines User Policy Targets tab now includes a grid for Target Groups.
694745	Improved: Pig Latin on SSC Forgot Password Page	Updated the design of the Forgot Password, TOTP Setup, and Password Expired pages.
695846	Improved: Add True Select All to PUC Exclusions	The Platform Upgrade Center now supports selecting all items in exclusions.
696090	Improved: Block Groups from Unconnected Domains in Data Synchronization Step	In the PUC, when a domain is not connected to Platform, the groups of that domain are no longer selectable in the Select Data modal.
696264	Improved: Enable User-Managed Secret Sharing with Platform Services	Sharing Platform Secrets is behind a feature flag. This allows a user to share a secret with Platform services.
696299	Improved: Add Private API Endpoint to Return Secret for Platform Integration	The private API now returns a secret if its SharedWithDelineaPlatform flag is set.
696472	Improved: Make Emails Unified Mode Aware for Event Subscriptions	Emails from Secret Server instances in Unified Mode now include links to the Platform Identity Management page.
696615	Improved: Disaster Recovery UX Update	Disaster recovery user experience updates include an Add Replica wizard, directional flow callout, and clarification of how the source and replica are visualized. This feature is behind a feature flag and may not be available.
697382	Improved: 400% Zoom Causes UI Issues (Accessibility)	400% zoom now adapts scroll behavior for better page usability, improved flow for header icons, and the folder list.