Secret Server Cloud Release Notes for April 5, 2025
Cloud Release Date: All Regions: April 5, 2025
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.43.0
Protocol Handler: 6.0.3.33
New Features
Azure Key Vault Integration
Azure Key Vault Integration (AKVI) simplifies management and governance of NHIs and secrets from the CSP's native vaults. With AKVI you can centrally manage and update secrets in one or more Azure Key Vaults and rotate passwords or values more frequently. With fine-grained roles and permissions, auditing, and logging, AKVI provides increased governance, visibility, and awareness of secrets managed in Azure Key Vault without affecting development velocity or processes.
Additional Approval Workflow Type
A new approval workflow type is available, allowing owners to bypass approval while ensuring approvers still require it. The "Standard Including Editors and Approvers (Owners do not need approval)" option offers more flexibility in approval processes to meet organizational needs.
Bulk RPC on Secrets with Checkout Enabled
Bulk RPC actions are available to secrets with checkout enabled. This feature uses random passwords during bulk operations, ensuring that passwords remain secure and hidden, even during bulk updates, without compromising secret integrity.
Bulk Update Secret Fields
Bulk updates for secret fields are now available, enabling users to edit and update multiple fields across secrets in the folder view. This simplifies importing and formatting secrets, streamlining secret management for large datasets.
Global Manual Approver Workflow for Ticketing Systems
A manual approval workflow is now available for scenarios where the primary ticketing system, like ServiceNow, is unavailable. This fallback option ensures that users can still gain access to secrets through a manual approval process, maintaining workflow continuity even during system outages.
PowerShell 7 Support for Scripts
Secret Server now supports PowerShell 7 scripts, allowing users to run both legacy PowerShell scripts and PowerShell 7 scripts. This update ensures compatibility with the latest thycotic.secretserver module and helps avoid disruptions from version conflicts.
PowerShell Ticket Integration—User Information Passed as Arguments
PowerShell ticket integration has been enhanced to pass user information (userID, username, and email) as arguments in scripts. This update provides greater flexibility for ticket validation, enabling more customized and user-specific logic in ticket-related actions.
Pre-Compiled Version of Secret Server On-Premises
A pre-compiled version of Secret Server for on-premises deployments is now available. This version allows files to be signed through catalog signing, addressing code integrity violations and ensuring compliance by maintaining integrity and trust standards for all files.
Secret Icons
Secret Icons allows you to display icons for secrets in the secret list and on the secret details page. Icons can be set at both the secret and secret template levels.
Fixed Issues
405016 | Fixed: The RPC by Day report is now formatted to the user's time zone. |
530294 | Fixed: Key rotation failure. We now allow a particular password type to be set for account take-over when importing an account into Secret Server. |
537916 | Fixed: The folder-permission API now requires view or administer folder permissions to query by a folder ID. Previously, you could also do this with the personal folders role permission. |
539187 | Fixed: Secret access request viewing very slow. Bug fixed with loading large numbers of secret access requests. |
546108 | Fixed: Add a "Matches" tab on discovery account rules to show computer accounts that match the defined rule condition. This replaces the account rule filter on the network view that has been removed. |
556742 | Fixed: An issue that prevented empty dependency groups from being deleted. |
557774 | Fixed: Errant heartbeat every five minutes. When creating a new secret template with heartbeat enabled, if you do not change the interval value it will now correctly assign heartbeat interval of 60 minutes. |
559102 | Fixed: An issue where large-item-count folder searching was broken. |
560138 | Fixed: The secret template fields grid would not always load all records properly if there were more than 60 fields on a template. |
564689 | Fixed: User appearing locked out after the lockout period. On the User General page (admin page), added an Unlock User button and chips and messages to reflect lockout interval for user locked out by failed logins. |
566423 | Fixed: Resolved an issue where downloaded report names appeared garbled when the language was set to Japanese or Simplified Chinese. Fixed: An issue in the Platform where downloaded reports were incorrectly named "null." Reports now display the correct filenames based on the selected language. |
571212 | Fixed: Test Script page not working. SQL parameters now work in the new UI. |
571231 | Fixed: Role audit log error. The Action field of role audit logs now displays correctly when the log is created in a language that uses Unicode characters. |
575503 | Fixed: A dependent library used in SAML in Secret Server has been updated to close potential security vulnerabilities. It uses a different version of a saml.config when using the legacy SAML configuration, and a conversion process to update saml.config has been added to the upgrade system. Please see the Secret Server documentation "Troubleshooting SAML Configuration Errors After Upgrading" if using a saml.config file and having issues. |
578291 | Fixed: Session recording search times out. |
578890 | Fixed: Removing a launcher having multiple secrets linked will no longer fail. |
580299 | Fixed: An issue with /api/v1/launchers/secret endpoint throwing errors with complex URLs. |
581180 | Fixed: An error when checkout had expired, switching to the settings tab on a secret would throw a red banner error instead of redirecting the user to the checkout page. |
582171 | Fixed: Double email notifications for access approval request. Access request emails will now indicate a status of the workflow. Viewing a workflow online will also render a visualization of the workflow status. |
582538 | Fixed: An issue where session messages sent from Secret Server would not show during RDP Proxy sessions. |
582728 | Fixed: An issue where users who had permission to edit secrets could not toggle auto-change using the bulk action on secrets that should have allowed it, based on the permission set in the secret's template. |
583939 | Fixed: Incorrect active session display. The secret's active launcher sessions list now updates when a session is launched from the page. |
585609 | Fixed: An error when removing scanners from a discovery source. Added a custom exception for "scanner X already added" and a UI refresh to stay in sync with the back end. |
591272 | Fixed: An issue with the Launcher template when modifying the field "Use SSH Tunneling with SSH Proxy." |
593801 | Fixed: An issue with SSH key integration expiration configuration. |
595169 | Fixed: An issue where there was no option to add a step in a workflow. It is no longer possible to delete the last step from a workflow. Existing workflows with no steps will now display a default starting step when opened to edit. |
595565 | Fixed: An issue where dependency changers in SSC were not passing arguments to scripts, resulting in empty output files. Dependency changers now correctly pass arguments, and the status no longer incorrectly shows as disabled. |
599173 | Fixed: In active sessions inside a launched secret, when the username that launched the secret contains Unicode characters, they displayed incorrectly. |
601706 | Fixed: Intermittent Azure message loss. Implemented retry logic for publishing to Azure service bus queues. |
603681 | Fixed: Resolved a password display issue (with "comment required" enabled) where, after waiting on the Overview tab for 5+ minutes, the password was displayed as [object Object] instead of prompting for a comment again. Users are now correctly required to re-enter a comment when accessing the password. |
603779 | Fixed: An issue with category and report permissions showing 0 items when permissions are assigned to users. |
605053 | Fixed: Heartbeat and password reset failures. Added more support for expired AD account password changers. Secrets that use an AD privileged password changer to rotate the password for an expired AD account will successfully complete the rotation process. Previous behavior involved rotating successfully and then failing the verify step, resulting in the new password not being saved on the Secret Server side. Subsequent heartbeats may fail for the secret since the account is expired. Password changes using a secret's own credentials may fail as well. |
607434 | Fixed: Discovery analysis SQL timeouts. The query that populates the discovered account metrics has been made more efficient. It should no longer have timeout issues. |
608395 | Fixed: Columns that should have been hidden were selectable in the column selector. If selected, they would (incorrectly) display until page reload. The conditionally available columns are now correctly set visible or hidden in the column selector. |
614002 | Fixed: Turkish not displaying correctly in email. Turkish characters should publish correctly in email HTMLs. |
614465 | Fixed: Tooltip location on the Launcher Configuration page. |
616185 | Fixed: Resolved an issue where users could add members to a migrated group in SSC via individual user modifications. Now, all membership changes must be managed in the Platform, ensuring proper access control. |
616221 | Fixed: In SSC the from email address field in email configuration settings is restricted to the secretservercloud domain and the TLD excludes .co.uk as a valid option. On-premises instances will only validate that it is a valid email address format but will allow any domain to be input. |
617344 | Fixed: An issue with passwords that contain the username, and added a new item to the local-user password configuration area that optionally prevents the password from containing the username. |
617429 | Fixed: An issue where an invalid version number could cause Secret Server to become unresponsive. |
617445 | Fixed: Updated command sets to no longer add extra spacing between lines, and added validation around comments in command sets, instead of auto-removing extra comments, to reduce confusion on save. |
617607 | Fixed: Discovery services grid did not sort. Added computer Services API endpoint so the computer services component now has paging and sorting. |
618528 | Fixed: Resolved an issue where secret policy settings were not properly inherited by secrets, causing discrepancies in the Approval page. Additionally, the "Language Resource Not Found: OnlyOptionViaPolicy" message has been fixed. Secret policy settings now correctly apply as expected. |
618869 | Fixed: An error with "Default Only" on the RPC schedule on an active secret policy. |
619554 | Fixed: On-Premises Secret Server instances with PRA will now get emails to the Secret Server instead of the Platform instance. |
620165 | Fixed: Display to show <tenantname>.delinea.app when opting into a prod instance. |
620338 | Fixed: An issue with "minimum required character count" rules options containing an invalid choice. |
621226 | Fixed: Resolved an issue where repeated execution of Entra ID secret heartbeats would cause a "Headers too long" error. |
621935 | Fixed: Resolved an issue where viewing a secret with MFA enabled incorrectly logged "Password Displayed" in audit entries. Now, the audit log correctly records the action as "View" when no other interactions occur. |
622254 | Fixed: Resolved a bug where, when Platform is integrated with Secret Server Cloud and Open ID Connect Platform login is used, the redirected Platform login page would be incorrect in some situations. |
622479 | Fixed: Error during opt-in in PIC for Europe region. |
626465 | Fixed: Audit with no notes. Secret policies should no longer create an empty audit log when modifying launcher settings but reverting changes before saving. |
626702 | Fixed: An issue with users not being re-enabled when logging in through Platform after being disabled by automatic user management. |
627109 | Fixed: Launchers filter was incorrectly labeled as "Template." |
627246 | Fixed: The field header example on secret import now wraps correctly. |
627291 | Fixed: The "All launchers" option of the launcher filter now returns all results as expected. |
627619 | Fixed: Changed database cleanup logic which was causing some heartbeat/RPC audit records for inactive secrets to be removed before the "Max Secret Log Length" was reached. |
627731 | Fixed: If an Entra discovery source is created in Secret Server and Platform integration is configured with Inventory Forward enabled, there was a bug when deleting roles from the Discovery Network View in Secret Server. It would cause Entra roles to show up in Platform inventory. |
628439 | Fixed: Corrected a typo on Launcher Mapping page. |
629517 | Fixed: Resolved an issue from the previous update where toggling an Active Directory account's expiration status could prevent verification after a password change. |
629584 | Fixed: An issue with the password compliance check notification on a secret. |
630728 | Fixed: A bug where saving an approval method for a secret does not persist correctly. |
631133 | Fixed: An issue with AD privilege password changing partially failing for accounts that had null values for "accountExpires." |
634286 | Fixed: Issues with dropdown options causing enum values to be displayed for the Secret Security Approval Type so that correct localized strings are displayed. |
634484 | Fixed: Excessive CPU usage by correcting the SessionKey parameter to varchar, eliminating implicit conversion. |
635135 | Fixed: The "Ignore permission errors" checkbox is now available without a page refresh. |
637136 | Fixed: Do not include Azure domains or inactive AD domains in group-type precheck. |
637139 | Fixed: Users missing their ExtendedUserMapping will register as a warning in the precheck instead of an error. |
637373 | Fixed: Corrected regression where secrets were counted twice in some scenarios. Secrets grid count functionality restored. Count ("# Items") is the sum of the number of first-child subfolders and the number of secrets in the current folder. |
637690 | Fixed: Incorrect GUI label. Updated Log Level filter label from "Site" to "Log Level." |
638073 | Fixed: A bug that prevented the secure-platform-access step in the PIC from auto-skipping. |
Improvements
546156 | Improved: Logging in when MFA setup is required now immediately redirects the user to configure MFA. |
566484 | Improved: Reports page size minimum has been increased to 60. |
575905 | Improved: Updated scanner template creation UI to combine both OU Input templates and non-OU Input templates into the same dropdown in categories. |
580253 | Improved: No dynamic update for active sessions. Active launchers section on secrets now updates every 30 seconds to show an updated list of active launchers. |
582378 | Improved: Updated grids using timestamps to use datetime in order to properly respect user preferences. |
586608 | Improved: Password validation failures for common number substitutions. Dictionary now indicates "Dictionary words including common number substitutions." |
593543 | Improved: Removed time zone tooltips from reports to reduce confusion when time zones are set by the report. |
594323 | Improved: Empty pinned folders now inform users of the empty sections. |
603721 | Improved: Resilient secrets log text information and added operation progress percentage estimation. Fixed: An issue where resilient secrets operation was not interrupting on operation timeout. |
605210 | Improved: Performance of discovery scanner delete: increased timeout to 24 hours, lowered isolation level where possible, and added logging for each delete operation. |
609101 | Improved: Added a non-configurable 30-second secret password timeout to improve security and reduce stale password issues. The timeout applies to: |
610739 | Improved: Performance improvements were made to the "Shared with me" Secret, and "Browse All Folders" views for customers with a large number of folders in a highly nested structure. |
611190 | Improved: In the secret template list field, list and URL list now have their "expose for display" boxes checked by default to denote the data's plaintext status. The expose for display control is also disabled so that it cannot be unchecked by accident. |
611573 | Improved: Updates to Discovery Scan Status Report Query. |
612177 | Improved: Error handling for Platform credentials that become invalid. |
612739 | Improved: A new setting, "Disable Legacy Bookmark Pages," has been added to the admin/user experience section. This setting is false by default. When true, the legacy bookmark pages used by legacy WPF will be disabled. This allows administrators to disable the setting and ensure they do not have any of these legacy clients that require it. This setting will default to disabled in a future release. |
614508 | Improved: Added the ability to view the Active Directory group type. This is displayed under the General tab of a group. If a group does not have a type, it will display as a hyphen. Otherwise, it will show one of the following: Global, Universal, or DomainLocal. |
616620 | Improved: Secret export now audits the current "Export" action and a new "Export retrieved" action to indicate that the user actually retrieved the file. Previously, you could close the browser window before retrieving the export file. |
618004 | Improved: Through the user experience settings, a user can use a new "COMMENT" audit action to separate the VIEW action of a checkout (or ITMS) protected secret from the required comment. |
619512 | Improved: Event pipeline set-custom-value tasks can now increment or decrement pipeline variables by custom values. |
619515 | Improved: Added additional group type validation (empty group types and DomainLocal group types) for the Data Sync step in the PIC. If empty group types are detected, users are prompted that there are empty group types and are instructed to run the directory services sync. For any DomainLocal groups found, an error message appears in the pre-check table within the Data Sync step stating that DomainLocal groups are not supported. |
626041 | Improved: Modifications to the build pipeline to precompile, copy, and overwrite Secret Server precompiled assets to the webroot folder. Packaging and installer remain as they were prior to PR. |
626668 | Improved: With Platform Integration, support for the setting "Create Groups during synchronization" is completely deprecated. Now, all Platform native groups will be created automatically and any directory groups through Platform need manual linking. |
626881 | Improved: Updated discovery import rules to prevent duplicate account creation and unintended unlinking of service and Active Directory accounts. Added broader test coverage, including integration tests, to ensure correct matching, unmatching, and unchanged behavior when re-running imports. |
627169 | Improved: Updated discovery analysis layout to emulate dashboard styles and to better accommodate large datasets. |
627297 | Improved: Added a new date and time range filter to Session Monitoring. |
627303 | Improved: Added a new state flag to indicate whether the Delinea enablement code has been entered. |
627304 | Improved: Added a new state flag to indicate the customer has completed the Platform integration. |
627344 | Improved: The inbox template editor now includes options to select message properties by selecting which message. This helps clarify that only message properties on the targeted message are available to merge into the template. |
631776 | Improved: The application picker that appears when both Secret Server and Privilege Manager are installed has an updated design. This slightly increases the speed of the login process. |
633054 | Improved: Optimized memory management to reduce latency buildup in the US BGW, preventing performance degradation over time. Restored ASP.NET metrics for better visibility into garbage collection and CPU usage. |
635732 | Improved: Add PasswordTypeIds as a filter on the api/v1/secret-templates-list endpoint. |
635803 | Improved: Only the users that are migrated are validated. |
636130 | Improved: When enabled, "Show secret icons" in User Experience will display icons for secrets in grid, card, and detail view. |
638928 | Improved: Removed legacy secret access request aspx pages. |