Secret Server 12.1.000002 Release Notes
Release Date: On-premises: June 11, 2026
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.97.0
Protocol Handler: 6.0.3.51
Features
Bug Fix and Product Enhancement Summary
Disaster Recovery
- Allowed ReadOnly mode to be disabled in Cloud from the Disaster Recovery Replica page
- Avoided SQL timeouts during DR replication of platform permission cache data
- Fixed a Disaster Recovery race condition that caused intermittent symmetric-key decryption failures
- Loaded the Overview tab correctly for replicated Secrets containing List Fields
- Restored ascending sort on the Created column in Disaster Recovery > Logs
- Restored Platform permissions on re-login in Disaster Recovery replica environments
Session Recording and Playback
- Added a CSV export for Session Recording activity (keystrokes, processes, files), honoring active filters
- Corrected video-duration display in the session-recording progress bar
- Persisted the "Record Keystrokes" setting when switching between General and Agents tabs
- Prevented session-recording results from bleeding across adjacent days when filtering by date
- Showed clearer messaging when a session recording cannot be processed due to missing video frames
- Showed session-recording indicator on PRA launcher icons regardless of "Secret Launch" permission
- Stopped Connection Manager sessions from skipping from Live to Done on tab close
RDP, SSH Proxy and Launchers
- Added an SSPI override toggle for RDP Proxy in the RDP Proxy Settings page
- Applied "Proxy new secrets by default" to RDP-via-SSH-Tunnel Active Directory secrets
- Closed SSH blocklist bypass when special characters were added to a blocked command
- Enforced explicit RDP clipboard, printer, and drive deny settings (Session Connector)
- Matched ASRA session GUIDs correctly when RDP targets specify a custom port
- Restored PRA launches when the Secret requires checkout with a comment (on-prem)
- Stopped SFTP connections from hanging when a passwordless Secret is used through the proxy
API, Integration and Discovery
- Corrected DPAPI endpoint paths in the API documentation
- Corrected Secret search false positives on IP addresses with repeated octets
- Corrected the TLS configuration used when discovering ESXi local accounts
- Fixed 500 errors when calling the Secret Server settings export API
- Fixed and tuned the code editor for Custom Password Changer commands
- Fixed Secret create/update API rejecting Auto-Change with template expiration
- Fixed Secret creation via API failing with a foreign-key violation when using a launcher Connect As Secret
- Hid the Dependency Group Validate button when the dependency group's site does not match the secret's site
- Improved error responses across 17 REST API endpoints, returning descriptive 400 Bad Request messages for invalid input
- Pointed the Discovery Rules breadcrumb to the correct page
- Removed unnecessary secret-active validation when editing non-Active Directory discovery sources
- Restored Discovery OU GET endpoint to return details without query parameters
- Returned a non-null SdkClientRuleId from SDK Client Management API responses
- Returned isRestricted=true on the secret-search endpoint whenever any restricting condition is met
- Returned success from the API when enabling Require Comment on a Secret
- Showed the correct ticket-number validation message for ServiceNow ticket systems
Security, Permissions and Auditing
- Added detailed exception messages for LDAP access-denied and password-policy errors
- Allowed access to checked-out Secrets when Unlimited Vault Access is enabled
- Closed a "Secret Launch" role permission bypass via the API and Connection Manager
- Enforced permission checks on the Bulk Operations status endpoint
- Enforced the Allow Access Challenge permission for PBA challenges
- Filtered the Directory Services Audit tab to show only Directory Services configuration changes
- Fixed Google IAM "Change Password Now" failing without view permission on the privileged Secret
- Masked password fields for non-owners when "Edit Requires Owner" and "Viewing Requires Edit" are enabled
- Obfuscated PII in user-migration error log messages
- Preserved disabled/locked-out status when a user logs in via Platform token
- Restored the Secret Audit tab in environments with more than ~2.1 billion historical audit records
- Suppressed stack traces from Windows privileged password changer errors
Notifications, Email and Localization
- Added missing localizations for "Secret force checkout" notification templates
- Corrected localized email templates when Application Language is set to Japanese
- Corrected the Abbreviation localization in the admin character-set settings
- Honored the user's configured language for password load error messages
- Repaired Inbox template notifications for Request Workflow Approval emails
- Stopped false "Application Hardening Bypassed" alerts when hardening was off
- Stopped truncation of localized text in Inbox notification templates
- Used the configured time zone for Secret Access Approved emails (no longer fixed at UTC)
UI, UX and Accessibility
- Reflected Teams membership changes correctly in the UI
- Removed the 60-secret cap on the "Shared with Me" page
- Repositioned the password info tooltip so it remains visible at high zoom levels
- Restored filtering by member type on the Secret Sharing tab
- Restored keyboard navigation in the Secret Template edit modal opened from a Secret
- Restored the Dependency Changers page so administrators can add new changers
- Stopped the loading spinner from persisting on the Opt-In step
- Stopped the Office365Federator deprecation banner from breaking SAP-template Secret views on unlicensed instances
- Updated RAS Session modal naming to PRA Session
Workflow and Auditing
- Cleared zombie Secret Erase requests so new erase attempts succeed
- Eliminated duplicate "Secret Checked Out" audit entries on Pre-Checkout Event Pipeline triggers
- Prevented duplicate activity log entries on Event Pipeline check-in triggers in multi-node configurations
- Showed approved access requests in the Approved tab for mid-step approvers
- Stopped grandfathered workflows from continuing to execute after being disabled
- Subscribed All Vault Users to the Secret Access Request Revoke rule by default
- Surfaced an error when Force Check-In requires a comment and the Secret is checked out
Performance and Reliability
- Added exponential backoff to Distributed Engine heartbeat retries to prevent recycle storms
- Downgraded the "PasswordLoaderArgs Site not configured" log line from Warn to Debug
- Fixed a PostSharp binding-redirect typo that blocked startup after upgrading to 12.0.000021
- Fixed IWA refresh for Connection Manager and Delinea Credential Manager against Secret Server on-prem
- Honored the global CredSSP setting for PowerShell scripts on Distributed Engine sites with NULL EnableCredSSPForWinRM
- Improved performance on the Secret Access Requests page
- Prevented IIS Application Pool crashes on Server 2022 when IIS 6 Management Compatibility is missing
- Pruned intermediate sessions during SAML setup before persisting the final session
- Resolved timeouts on the Password Requirements page in environments with large numbers of secrets
- Restored generation of Resilient Secrets packages
- Restored Secret Server startup when HSM is configured using CNG
- Sped up loading of secrets that require approval access by avoiding scans of historical request data
- Stopped Duo logs from flagging Secret Server as using a deprecated API
- Tuned Secret Server frontend health probes to eliminate chronic startup-probe failures
Additional Fixes
- Restored the "Unlimited vault access user behavior" built-in report
- Updated IBM SWID tag from 11.7.16 to 11.9.24
Fixed Issues
| ID | Title | Release Notes |
|---|---|---|
| 506734 | Fixed: Duplicate Audit Entries on Pre-Checkout Event Pipeline Trigger | Fixed an issue where the audit log recorded multiple "Secret Checked Out" entries on Secrets with both Checkout and Require Comment enabled when a Pre-Checkout Event Pipeline was triggered. The audit log now records a single entry per checkout. |
| 555396 | Fixed: PBA Challenge Enforced Without Allow Access Challenge Permission | The "Allow Access Challenge" permission is now properly enforced for Privileged Behavior Analytics (PBA) challenges. Users without this permission no longer receive PBA challenges. |
| 563026 | Fixed: Secret Search Returns False Positives on Dot-Delimited Values | Fixed an issue where IP address searches returned false positives for addresses with repeated octets (for example, 10.100.10.73) because the hash-based search was incorrectly matching dot-delimited segments. |
| 563735 | Fixed: Session Connector Did Not Enforce RDP Drive, Clipboard, and Printer Deny Settings | Session Connector RDP launches now explicitly honor configured clipboard, printer, and drive redirection deny settings, addressing the local drive map issue observed with Toad. |
| 567939 | Fixed: Notification Emails Sent in English After Setting Application Language to Japanese | Fixed a bug where the wrong localized email template could be sent to a user when the Application Language was set to Japanese (and other non-English languages). |
| 573805 | Fixed: SSH Blocklist Could Be Bypassed With Added Characters in an SSH Proxy Session | Fixed an issue where commands on the SSH blocklist could still be executed in an SSH Proxy session if certain characters were appended to the command. |
| 597248 | Fixed: Cannot Edit a UNIX Discovery Source Because "Discovery Secret: Secret Not Active" | Removed the validation that blocked edits to non-Active Directory discovery sources when their associated discovery secret was inactive. UNIX and similar discovery sources can now be edited without reactivating the secret. |
| 598098 | Fixed: Session Recording Indicator Missing on Privileged Remote Access Launcher Icon | Session recording indicators now display on "Open with Remote Access" launcher icons even when users lack the "Secret Launch" role permission, ensuring users know their sessions will be recorded before launch. |
| 602698 | Fixed: Google IAM Service Account Key RPC Required View Permission on the Privileged Secret | Resolved an issue where Google IAM password changes failed if the user clicking "Change Password Now" did not have at least view permissions on the privileged Secret. |
| 604687 | Fixed: API Documentation for Secret Server Settings Export Not Working | Fixed an issue where calling the Secret Server settings export endpoint via API returned a 500 error. Error conditions are now handled and returned cleanly. |
| 607876 | Fixed: User Logon Settings (Max Concurrent Logins) Triggered Incorrectly During SAML Setup | Intermediate sessions created during SAML setup are now pruned before the final session is written to the database, preventing Max Concurrent Logins from blocking legitimate SAML logons. |
| 630844 | Fixed: API Documentation Error in DPAPI Endpoint Paths | Fixed incorrect endpoint paths shown in the API documentation for DPAPI operations. |
| 633877 | Fixed: Discovery OU GET Endpoint Did Not Fetch Details Without Query Parameters | Fixed an issue where api/v1/discovery/source/{discovery source ID}/ou required query parameters to return data; the endpoint now returns OU details correctly without them. |
| 633940 | Fixed: Accessibility Issue in Secret Template Edit Modal From Secret General Page | Keyboard navigation is now supported in the Secret Template edit modal when opened from the Secret General page. |
| 637161 | Fixed: Proxy by Default Not Applied to RDP Via SSH Tunnel Active Directory Secrets | Fixed an issue where enabling "Proxy new secrets by default" with SSH Proxy and Tunnel RDP connections did not automatically enable proxy on newly created Active Directory secrets. |
| 640538 | Fixed: Custom Password Requirement Usage Count Times Out for Large Secret Counts | Fixed a timeout when loading password requirement usage counts in environments with very large numbers of secrets; the Password Requirements page now loads without error. |
| 649859 | Fixed: False Alerts From SECURITY_APPLICATION_HARDENING_BYPASSED Subscriptions | Subscribers to the Application Hardening Bypassed event no longer receive false alerts when hardening is disabled. The event now only fires when hardening is enabled and the in-memory state re-syncs from the database. |
| 650567 | Fixed: Session Monitoring Results Split Across Two Days After DST Change | Fixed an issue where filtering session recordings by a specific date could include records from the adjacent day, caused by a daylight-saving time boundary. |
| 652033 | Fixed: Disabled Workflow Continues to Execute on Secrets | Fixed an issue where workflows still executed on Secrets that had been grandfathered in even after the workflow was disabled. Toggling the workflow now takes effect immediately. |
| 652495 | Fixed: ASRA Generated Two Session GUIDs for the Same RDP Session With a Custom Port | RDP sessions that target a server with a custom port are now correctly matched to a single ASRA session, eliminating duplicate session GUIDs. |
| 653698 | Fixed: Zombie Secret Erase Requests Prevented New Secret Erase Attempts | Fixed an issue where a stale erase request could block new Secret erase attempts, causing them to fail with an "already has an active Erase Request" error. |
| 654023 | Fixed: User Loses Platform Permissions on Logout and Login During DR Replication | Fixed an issue in Disaster Recovery replica environments where users lost all Platform permissions immediately after logging out and back in. Permissions are now correctly restored on re-login without requiring a full DR replication sync. |
| 654528 | Fixed: Teams Membership Not Reflected in the UI | Fixed an issue where Teams membership changes were not reflected in the UI. |
| 654953 | Fixed: isRestricted Property on Secret Search Endpoint Did Not Reflect All Restrictions | The isRestricted property returned from the secret-search endpoint is now correctly set to true when any of the restricting conditions on a Secret are met. |
| 669253 | Fixed: ESXi Local Account Scanner Failed With "Object Must Implement IConvertible" | Fixed an issue where Discovery sometimes used the wrong TLS configuration when discovering ESXi local accounts, causing scans to fail with an IConvertible error. |
| 673557 | Fixed: Session Recording Sync Issues With PRA and Connection Manager | Addressed Privileged Remote Access (PRA) and session-recording sync issues. Connection Manager no longer skips from Live to Done when closing a session tab; sessions correctly transition state instead of remaining Live until timeout. |
| 676032 | Fixed: IWA Refresh Tokens Failed for Connection Manager and Credential Manager on 11.9.000006 | Connection Manager 2.8.1 resolves IWA and Secret Server on-premise refresh-token issues when used with Delinea Credential Manager 1.3.3. |
| 677153 | Fixed: IBM SWID Tag Version Not Updated | Updated the IBM SWID tag in Secret Server packaging from 11.7.16 to the current 11.9.24. |
| 678275 | Fixed: Secrets Failed to Launch via PRA With Checkout and Comment on On-Prem Secret Server | Fixed an issue where Privileged Remote Access sessions failed when the target Secret required a comment on checkout against an on-premise Secret Server instance. |
| 678521 | Fixed: Replica Secrets With List Fields Did Not Display the Overview Tab | Fixed an issue where Secrets containing List Fields displayed a blank Overview tab on Disaster Recovery replica instances. Both the Overview and Lists tabs now load correctly on replicas. |
| 679779 | Fixed: Disaster Recovery Logs "Created" Column Would Not Sort Ascending | Fixed an issue where the Created column header in the Disaster Recovery Logs tab did not toggle to ascending sort; it now sorts both ascending and descending. |
| 682565 | Fixed: Cannot Save or Order Commands in the New Custom Password Changer Page | Addressed multiple bugs and performance issues in the code editor used to author and reorder Custom Password Changer scripts. |
| 684580 | Fixed: Shared With Me Page Limited Users to 60 Secrets | Fixed an issue where users could only view a maximum of 60 Secrets on the Shared with Me page. All shared Secrets are now displayed and the total count reflects them. |
| 685002 | Fixed: "Unlimited Vault Access User Behavior" Built-In Report Not Working | Updated the "Unlimited vault access user behavior" report query to use the feature's current name when gathering data so the report returns results again. |
| 686026 | Fixed: Force Checkout Notification Templates Available Only in English | Added missing localizations for the "Secret force checkout approved" and "Secret force checkout request" notification templates. |
| 686368 | Fixed: Secret Sharing Tab Filter "Member Type" Did Not Filter by Type | Fixed the Secret Sharing tab filter so that the Member Type column now correctly filters by group or user. |
| 686674 | Fixed: Stale Product Name in PRA Recording Modal Inside Secret Server | Updated the RAS Session modal heading and menu reference to use the current PRA Session naming. |
| 688135 | Fixed: Invalid Entries Displayed in Directory Services Audit | The Directory Services audit tab now shows only Directory Services configuration audits rather than all system configuration changes. |
| 688456 | Fixed: Inbox Notification Rule Templates Truncated Localized Languages | Fixed an issue where Inbox notification rule template emails were truncated when sent in non-English languages. |
| 690137 | Fixed: Unlimited Vault Access Could Not View a Checked-Out Secret | Fixed an issue where checked-out Secrets could not be accessed by users with Unlimited Vault Access enabled. |
| 690451 | Fixed: API Failed to Enable Auto-Change for a Secret Without Template Expiration | Fixed Secret create and update validation so that Enable Auto-Change can be set to true even when expiration is enabled on the template and "Only change password if secret is expired" is set to false. |
| 691739 | Fixed: Password Field Visible to Non-Owners With "Edit Requires Owner" | The password field is now correctly masked for non-owner users when both "Edit Requires Owner" and "Viewing Requires Edit" are enabled on a Secret. |
| 693824 | Fixed: Unresponsive Password Info Pop-Up at Higher Zoom | Accessibility fix: the password-success-criteria tooltip now appears inline on zoomed-in or smaller screens instead of being clipped off-screen. |
| 694460 | Fixed: "Secret Launch" Role Permission Could Be Bypassed Via the API | Resolved an issue where Secrets could be launched through the API by users who did not have the "Secret Launch" role permission. |
| 694461 | Fixed: Workflow Emails Used UTC Instead of the Configured Time Zone | Updated the Secret Access Approved email template to use the configured time zone rather than UTC. |
| 695043 | Fixed: Duo Unsupported Clients Log Showed Secret Server as Using a Deprecated API | Updated the internal Duo configuration so Duo no longer logs Secret Server as a deprecated client. User-agent labeling is now neutral and accurate. |
| 696232 | Fixed: Bulk Operations Status Endpoint Did Not Check Permissions | The Bulk Operations status endpoint now correctly limits access to users querying their own tasks and to bulk administrators. |
| 696476 | Fixed: Application Pool Dependency Fails With 0x80070005 on Server 2022 | Fixed an issue where the IIS Application Pool could crash on Windows Server 2022 because IIS 6 Management Compatibility was not installed; the dependency is now handled cleanly. |
| 697126 | Fixed: Record Keystrokes Setting Lost State When Switching Tabs | Fixed an issue on Secret Server on-prem where the Record Keystrokes setting lost its saved state when the user switched between the General and Agents tabs. |
| 697563 | Fixed: Password Load Errors Not Localized to User Language | Password load error messages now use the user's configured language by passing it as an Accept-Language header that supersedes the browser preferred language. |
| 699270 | Fixed: Session Recording Progress Bar Showed Incorrect Duration | Updated the @delinea/video-player component so the progress bar shows the correct duration for session-recording videos. |
| 700168 | Fixed: Dependency Group Could Not Be Validated When Site Did Not Match | The Validate button for dependencies is now hidden when the dependency group's site differs from the Secret's site, preventing a misleading validation failure. |
| 700403 | Fixed: Opt-In Step Spinner Did Not Clear After API Call | Fixed an issue where the loading spinner on the Opt-In step continued to display regardless of the API call result. The spinner now clears once the call completes. |
| 701452 | Fixed: Cannot View Secrets Created With an SAP Template | Fixed an issue where some Secret templates attempted to render the Office365Federator deprecation banner and threw an error when the feature was not licensed, preventing the Secret from displaying. |
| 702085 | Fixed: Event Pipeline Wrote Duplicate Activities on Check-In With Custom Audit Task | Fixed an issue where Event Pipelines with a check-in trigger and a Custom Audit task wrote multiple activity log entries in multi-node configurations. A flag now prevents duplicate writes. |
| 702938 | Fixed: Wrong Ticket Number Validation Message Shown for ServiceNow | Fixed an issue where an incorrect validation message was shown for ServiceNow ticket-number validation in the Ticketing System Integration. |
| 703022 | Fixed: DR Source Could Not Decrypt Inbound Package From the Replica | Fixed a race condition in Disaster Recovery replication that could cause symmetric-key decryption failures when processing inbound packages from a replica, resulting in intermittent DR sync errors. |
| 703955 | Fixed: Force Check-In Failed Silently When a Comment Was Required | Fixed an issue where Force Check-In of a Secret failed silently when a check-in comment was required and the Secret was actively checked out by another user. The action now reports the failure clearly. |
| 704862 | Fixed: Windows Account Privileged Password Changer Returned a Stack Trace | Fixed the Windows privileged-account password changer so that it returns a user-friendly error instead of exposing a stack trace. |
| 706221 | Fixed: Distributed Engine Site Did Not Use CredSSP When Site Setting Was NULL | Fixed an issue where PowerShell scripts on a Distributed Engine site did not use CredSSP authentication even when the global CredSSP setting was enabled. |
| 706834 | Fixed: ReadOnly Mode Error in DR Secret Server Cloud Instance | Addressed an issue where ReadOnly mode could not be correctly disabled in Cloud from the Disaster Recovery Replica page. |
| 707181 | Fixed: SFTP Connection Hangs With Passwordless Secret Via Proxy | Fixed an SFTP connection hang that occurred when using a passwordless Secret through the SSH Proxy. |
| 708495 | Fixed: SDK Client Management API Returned Null SdkClientRuleId | Fixed an issue where the SDK Client Management API returned a null value for SdkClientRuleId. The correct value is now returned. |
| 709049 | Fixed: Incorrect Translation for admin.abbreviation | Fixed a character-set localization issue where the Abbreviation label was incorrect; the translation now displays correctly. |
| 709770 | Fixed: Disabled or Locked-Out Users Could Lose Status on Platform Login | Users who are disabled by Automatic User Management or locked out now correctly retain their status when a Platform login occurs, preventing accidental reactivation. |
| 712348 | Fixed: Autofac Exception on 12.0.000020 Startup With HSM (CNG) Configured | Fixed an issue where Secret Server failed to start with an Autofac resolution error when a Hardware Security Module (HSM) was configured using CNG. |
| 713114 | Fixed: Mid-Step Approvers Could Not See Approved Access Requests | Fixed an issue where approved requests appeared in the Inbox only for the final-step approver. Previous-step approvers now see their approved requests in the Approved tab. |
| 714135 | Fixed: Issues in Request Workflow Approval Inbox Templates | Fixed multiple issues with Inbox template notifications for Request Workflow Approval emails. |
| 715999 | Fixed: PostSharp Binding Redirect Typo Caused Startup Failure on 12.0.000021 | Fixed an assembly-binding-redirect typo for PostSharp in web.config that caused Secret Server to fail to start after upgrading to version 12.0.000021. |
| 716057 | Fixed: Platform Permission Cache Query Could Time Out During DR Replication | Fixed a potential SQL timeout during Disaster Recovery replication in environments with very large numbers of platform permission cache entries. |
| 716641 | Fixed: Resilient Secrets Package Generation Failed Due to Autofac Registration | Addressed an incorrect Autofac registration mapping that prevented Resilient Secrets packages from being generated. |
| 717016 | Fixed: 500 Error When Enabling Require Comment Via the API | Fixed endpoint logic so that enabling Require Comment in a Secret's security settings via the API returns success instead of a 500 error. |
| 717190 | Fixed: Audit Tab Returned 500 in Environments With Over 2.1 Billion Audit Records | Fixed an issue where the Secret Audit tab returned a 500 error in long-running environments after the system had recorded more than approximately 2.1 billion historical audit and heartbeat events. |
| 720244 | Fixed: Discovery Rules Breadcrumb Link Was Incorrect | The Discovery Rules breadcrumb now correctly returns users to the Discovery Rules page. |
| 721484 | Fixed: Secret Creation API Failed With Foreign-Key Violation | Fixed an issue when creating a Secret via the API that uses a launcher Connect As Secret, which previously failed with a foreign-key constraint violation on the Secret Launcher Connect As Map. |
| 724614 | Fixed: Error Log Message Contained PII | Obfuscated PII data in the user-migration error log message emitted by the PlatformDataMigrationUserCreateError path. |
| 726203 | Fixed: Error on Dependency Changers Page Prevented Adding New Changers | Fixed a class-field initialization-order bug that caused a TypeError ("this.showRegexInput is not a function") when opening the Dependency Changers detail page, blocking the addition of new dependency changers. |
| 731749 | Fixed: AKV secret name validation should only happen per vault, and if it exists externally link it instead of denying. | When creating an external secret, the application now lets you link to a secret that already exists in the external vault instead of denying the request. |
Improvements
| ID | Title | Release Notes |
|---|---|---|
| 634013 | Improved: Improved Error Handling for 17 REST API Endpoints | Improved error handling across 17 REST API endpoints so that invalid or missing fields now return 400 Bad Request with descriptive messages instead of foreign-key or generic 500 errors. Includes a fix for the Secret Dependency PUT FK violation. |
| 648859 | Improved: LDAP Exception Handling Now Distinguishes Access Denied From Password Policy Errors | Added more detailed exception messages when insufficient rights or password-policy constraints prevent an LDAP password change. Administrators can now distinguish access-denied from policy-violation failures. |
| 660518 | Improved: Added CSV Export for Session Recording Activity | Added a CSV export button to the Session Recording activity panel for keystroke, process activity, and file access events. The export respects all active filters. |
| 661771 | Improved: SSPI Negotiate Authentication Override for RDP Proxy | Added a setting on the RDP Proxy Settings page that lets administrators override SSPI Negotiate authentication for RDP Proxy targets that require explicit credentials. |
| 666027 | Improved: Approval Request Refresh Performance for Long-Running Environments | Improved performance when loading Secrets that require approval access by eliminating delays caused by large volumes of historical access requests. |
| 700407 | Improved: Constant Warn-Level Log Noise from PasswordLoaderArgs Site Not Configured | Downgraded the "PasswordLoaderArgs Site not configured, unable to check FIPS setting" log line from Warn to Debug, since it is expected during background processing on Local sites. |
| 703602 | Improved: 500 Error and Slow Load on Secret Access Requests Page | Improved performance of the Secret Access Requests page; the load no longer times out or returns a 500 in environments with large request histories. |
| 713124 | Improved: Distributed Engine Heartbeat Recycle Storm Caused Regional Outages | Distributed Engines now use exponential backoff when heartbeat callbacks fail, preventing a rapid retry/recycle loop that could amplify server load during transient errors. |
| 713761 | Improved: Web Recordings Delayed With "Incorrect Number of Bytes Consumed" Error | Introduced clearer messaging when a session-recording video cannot be processed due to a lack of video frames, replacing the previous "Incorrect Number of Bytes Consumed" error. |
| 717977 | Improved: Secret Access Revoke Request Rule Had No Subscribers | Added an All Vault Users subscription to the Secret Access Request Revoke rule so revoke notifications now reach users by default. |
| 718309 | Improved: Event Pipeline Activity Log | Each log entry now shows the absolute timestamp, policy name, pipeline name, trigger name, associated objects, and action details. The log is searchable and filterable. |
| 724580 | Improved: Frontend Probe Tuning for Server Startup | Tuned Kubernetes liveness, readiness, and startup probes for the Secret Server frontend so cold starts no longer trip the startup probe and dependency failures pull pods from rotation rather than restarting them. |
Known Issues
Important Technical Change for Secret Server 11.8 and Later
Overview
Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.
Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.
As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:
- Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:
  - In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.
  - If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.
  - When finished, perform an iisreset to restart Secret Server.
- If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.
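A pre-upgrade check for the "App_Code" condition described above, as an added example that is not part of the vendor's release notes or tooling. The install path, the application pool identity and the name the folder is renamed to are assumptions; substitute the values from your own IIS configuration.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt on the web server.
param(
    [string]$SitePath    = 'C:\inetpub\wwwroot\SecretServer',  # assumed install path
    [string]$PoolAccount = 'IIS AppPool\SecretServer',         # assumed app pool identity
    [string]$NewName     = 'App_Code.pre-upgrade',             # assumed name for the renamed folder
    [switch]$Rename                                            # rename now instead of only reporting
)

function Test-ModifyRight {
    # True when an Allow ACE naming $Account grants Modify on $Path and no Deny ACE
    # naming it removes any part of Modify. Only ACEs that name the account directly
    # are evaluated; rights held through group membership are not resolved here.
    param([string]$Path, [string]$Account)

    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $rules  = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account })

    $denied = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.FileSystemRights -band $modify) -ne 0)
    })
    if ($denied.Count -gt 0) { return $false }

    $allowed = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    })
    return ($allowed.Count -gt 0)
}

if (-not (Test-Path -LiteralPath $SitePath -PathType Container)) {
    throw "Application folder not found: $SitePath"
}

$appCode = Join-Path $SitePath 'App_Code'
if (-not (Test-Path -LiteralPath $appCode -PathType Container)) {
    Write-Output "No App_Code folder under $SitePath; the upgrade has nothing to rename."
    return
}

if (Test-ModifyRight -Path $SitePath -Account $PoolAccount) {
    Write-Output "'$PoolAccount' has an explicit Modify ACE on $SitePath; the automatic rename should succeed."
}
else {
    Write-Output "'$PoolAccount' has no explicit Modify ACE on $SitePath."
    Write-Output "Either rename App_Code yourself (rerun with -Rename) or grant the account Modify on the application folder."
}

if ($Rename) {
    # Manual remediation from the release notes: rename the folder, then restart IIS.
    Rename-Item -LiteralPath $appCode -NewName $NewName -ErrorAction Stop
    Write-Output "Renamed App_Code to $NewName."
    & iisreset
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "iisreset exited with code $LASTEXITCODE; restart IIS manually."
    }
}
```

Without `-Rename` the script only reports and changes nothing, so it can be run ahead of the upgrade window. A negative result does not prove the rename will fail, because the application pool account may still hold Modify through a group.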
Support Articles
Please see the following technical articles for instructions:
This maintenance release delivers significant platform modernization, dependency validation enhancements, performance improvements, and critical bug fixes.