Secret Server Cloud Release Notes for July 22, 2025
Cloud Release Date: All Regions: July 22, 2025
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.59.0
Protocol Handler: 6.0.3.39
New Features
Azure Key Vault Integration
Azure Key Vault Integration (AKVI) simplifies management and governance of non-human identities (NHIs) and secrets held in the cloud provider's native vault. With AKVI you can centrally manage and update secrets in one or more Azure Key Vaults and rotate passwords or values more frequently. Through fine-grained roles and permissions, auditing, and logging, AKVI provides increased governance, visibility, and awareness of secrets managed in Azure Key Vault without affecting development velocity or processes.
Additional Approval Workflow Type
A new approval workflow type is available that lets secret owners bypass approval while editors and approvers still require it. The "Standard Including Editors and Approvers (Owners do not need approval)" option offers more flexibility in approval processes to meet organizational needs.
Bulk RPC on Secrets with Checkout Enabled
Bulk RPC (remote password changing) actions are now available for secrets with checkout enabled. The bulk operation generates random passwords, so password values remain secure and hidden even during bulk updates, without compromising secret integrity.
Bulk Update Secret Fields
Bulk updates for secret fields are now available, enabling users to edit and update multiple fields across secrets in the folder view. This simplifies importing and formatting secrets, streamlining secret management for large datasets.
Global Manual Approver Workflow for Ticketing Systems
A manual approval workflow is now available for scenarios where the primary ticketing system, like ServiceNow, is unavailable. This fallback option ensures that users can still gain access to secrets through a manual approval process, maintaining workflow continuity even during system outages.
PowerShell 7 Support for Scripts
Secret Server now supports PowerShell 7 scripts, allowing users to run both legacy PowerShell scripts and PowerShell 7 scripts. This update ensures compatibility with the latest thycotic.secretserver module and helps avoid disruptions from version conflicts.
PowerShell Ticket Integration—User Information Passed as Arguments
PowerShell ticket integration has been enhanced to pass user information (userID, username, and email) as arguments in scripts. This update provides greater flexibility for ticket validation, enabling more customized and user-specific logic in ticket-related actions.
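As an added example (not Delinea's code and not shipped with Secret Server), the script below shows the kind of user-specific ticket validation this makes possible. It assumes the ticket number is followed by the requesting user's ID, username, and email as positional arguments; the real order must match the argument list configured for the ticket system in Secret Server. The ticket-number format, the ticket records, and the convention that a thrown error means "ticket invalid" are all assumptions for illustration. The script uses only features available in both Windows PowerShell 5.1 and PowerShell 7, so it runs under either engine.

```powershell
# Added example ticket-validation script; not Delinea's code.
# ASSUMPTION: Secret Server passes ticket number, user ID, username and email
# as positional arguments in this order. Match this to your configured argument list.
param(
    [Parameter(Mandatory)][string]$TicketNumber,
    [Parameter(Mandatory)][int]$UserId,
    [Parameter(Mandatory)][string]$Username,
    [Parameter(Mandatory)][string]$UserEmail
)

# Constructed ticket-number format for this example (e.g. CHG0012345, INC0009876).
$TicketPattern = '^(CHG|INC)\d{7}$'

# Constructed stand-in for a lookup against the real ticketing system:
# ticket number -> assignee email and ticket state.
$KnownTickets = @{
    'CHG0012345' = @{ Assignee = 'alice@example.com'; State = 'Implement' }
    'INC0009876' = @{ Assignee = 'bob@example.com';   State = 'Closed'    }
}

function Test-TicketForUser {
    param([string]$Ticket, [string]$Email)

    if ($Ticket -notmatch $TicketPattern) {
        return @{ Valid = $false; Reason = "Ticket '$Ticket' does not match the expected format" }
    }
    $record = $KnownTickets[$Ticket.ToUpperInvariant()]
    if (-not $record) {
        return @{ Valid = $false; Reason = "Ticket '$Ticket' not found" }
    }
    # Only tickets in an actionable state justify privileged access.
    if ($record.State -notin @('Implement', 'Scheduled')) {
        return @{ Valid = $false; Reason = "Ticket '$Ticket' is in state '$($record.State)'" }
    }
    # User-specific logic: the requesting user must be the ticket assignee,
    # so a valid ticket cannot be reused by someone it was not issued to.
    if ($record.Assignee -ne $Email) {
        return @{ Valid = $false; Reason = "Ticket '$Ticket' is assigned to $($record.Assignee), not $Email" }
    }
    return @{ Valid = $true; Reason = 'OK' }
}

$result = Test-TicketForUser -Ticket $TicketNumber -Email $UserEmail

# ASSUMPTION: a thrown error is treated as a failed validation by the integration;
# confirm the success/failure convention in the ticket system documentation for your version.
if (-not $result.Valid) {
    throw "Ticket validation failed for user $Username (id $UserId): $($result.Reason)"
}
Write-Output "Ticket $TicketNumber validated for $Username"
```

The email comparison is the part that the new arguments enable: without the requesting user's identity, a script can only check that a ticket exists and is open, not that it belongs to the person asking for the secret.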
Pre-Compiled Version of Secret Server On-Premises
A pre-compiled version of Secret Server for on-premises deployments is now available. Because the files are pre-compiled, they can be signed through catalog signing (a signed catalog of file hashes), which addresses code-integrity violations and supports compliance by maintaining integrity and trust standards for all files.
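Catalog signing only helps if the catalog is actually checked before deployment. The following is an added example (not Delinea's code) of how an operator can verify a catalog-signed install folder with the built-in Microsoft.PowerShell.Security cmdlets on Windows. The install folder path, the catalog file name, and the expected signer subject are placeholders; take the real values from the downloaded package and the publisher's certificate.

```powershell
# Added verification example; not Delinea's code.
# ASSUMPTIONS: paths and the expected signer subject below are placeholders.
param(
    [string]$InstallRoot    = 'C:\SecretServerInstall',
    [string]$CatalogFile    = 'C:\SecretServerInstall\SecretServer.cat',
    [string]$ExpectedSigner = 'CN=Delinea'   # placeholder; compare against the real signer subject
)

function Test-SignedPackage {
    param([string]$Root, [string]$Catalog, [string]$Signer)

    # 1. The catalog itself must carry a valid Authenticode signature from the expected signer.
    #    A catalog with matching hashes but an untrusted or missing signature proves nothing.
    $sig = Get-AuthenticodeSignature -FilePath $Catalog
    if ($sig.Status -ne 'Valid') {
        return @{ Ok = $false; Reason = "Catalog signature status is '$($sig.Status)'" }
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Signer*") {
        return @{ Ok = $false; Reason = "Catalog signed by '$($sig.SignerCertificate.Subject)', expected '$Signer'" }
    }

    # 2. Every file hash recorded in the catalog must match the file on disk, and no file
    #    may be present on disk that the catalog does not list. -Detailed exposes the
    #    per-file hash tables so the failing entries can be reported.
    $check = Test-FileCatalog -CatalogFilePath $Catalog -Path $Root -Detailed
    if ($check.Status -ne 'Valid') {
        $mismatched = $check.CatalogItems.Keys | Where-Object {
            -not $check.PathItems.ContainsKey($_) -or
            $check.PathItems[$_] -ne $check.CatalogItems[$_]
        }
        $unlisted = $check.PathItems.Keys | Where-Object { -not $check.CatalogItems.ContainsKey($_) }
        return @{
            Ok     = $false
            Reason = "Catalog validation failed. Mismatched or missing: $($mismatched -join ', '); not in catalog: $($unlisted -join ', ')"
        }
    }
    return @{ Ok = $true; Reason = "Catalog signature and file hashes verified for $Root" }
}

$result = Test-SignedPackage -Root $InstallRoot -Catalog $CatalogFile -Signer $ExpectedSigner
if (-not $result.Ok) { throw $result.Reason }
Write-Output $result.Reason
```

Both steps matter: Test-FileCatalog confirms the files match the catalog, and Get-AuthenticodeSignature confirms the catalog comes from the publisher; an attacker who can replace files can also regenerate an unsigned catalog, so a hash match alone is not evidence of integrity.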
Secret Icons
Secret Icons allows you to display icons for secrets in the secret list, and secret details page. Icons can be set at both the secret and secret template levels.
Multi-Cloud Security and Integration
- AWS Secrets Manager Integration extends our distributed vaulting initiative beyond Azure, providing seamless integration with Amazon's AWS Secrets Manager. Administrators can centrally vault, manage, update, and rotate credentials in AWS Secrets Manager, further addressing secret sprawl challenges across multi-cloud environments. It enables centralized, seamless management of all secrets without sacrificing latency or developer or business agility while managing Non-Human Identities (NHIs) and Artificial Identities (AIs) with maintained security and governance.
- External vault automatic lists for Azure Key Vault and AWS Secrets Manager simplify the vault linking process by automatically presenting the available vaults, reducing configuration complexity and the potential for errors during setup.
Platform Upgrade Center (PIC) Enhancements
- Automated, secure Platform access transforms the previously manual two-step process into an automated workflow when Platform environmental conditions allow, reducing upgrade complexity and potential errors.
- Enhanced Platform Upgrade Center (PIC) with Entra ID Support streamlines the upgrade process for organizations using Microsoft Entra ID. The PIC now features automated upgrade steps and application account integration capabilities, making it easier for customers to use the full power of the Delinea Platform. This unblocks a key capability, ensuring customers who federated with Entra ID in Secret Server can seamlessly upgrade to the Delinea Platform via the PIC.
- Enhanced pre-checks and validation provide better error messaging and validation throughout the upgrade process, including username validation against Platform regular expression rules and improved group membership handling.
- Application account support enables seamless integration of application accounts to the Delinea Platform through the PIC, expanding the scope of automated upgrade capabilities.
Performance and Scalability
- API performance optimization addresses excessive launcher session polling that was generating over 120 million monthly API calls, significantly reducing server load and infrastructure costs while maintaining functionality.
- Secret search performance improvements deliver a 66% improvement in secret search speed compared to previous versions.
- Bulk operations performance enhancement significantly improves reliability and performance for large-scale secret operations. Enhanced secret imports and bulk operations now split large requests into smaller chunks, preventing failures due to message-size limits and boosting performance by up to 20% for operations involving tens of thousands of secrets.
Security and Compliance
- Security enhancements for auditing create separate controls for password view, secret view, and comment-required auditing. This allows customers in higher security environments to audit password view events in real time while preserving business productivity by requiring comments less aggressively.
- Session management improvements include better RDP proxy session tracking, automatic session closure when checkout expires, and enhanced keystroke recording capabilities for SSH-tunneled connections. These improvements provide better visibility and control over privileged sessions.
User Experience and Management
- Personal folder duplicate secret management provides granular control over duplicate secret names by allowing duplicates in separate personal folders while maintaining restrictions elsewhere. This enhancement uses an improved enumeration-based configuration system that eliminates conflicting Boolean settings.
- Request forced checkout enhancement builds upon the 11.8 feature with improved UI display and better handling of secrets in pending status, providing administrators with more control over secret access during incident response scenarios.
- Increased Windows password changer flexibility offers increased configurability for authentication methods and their order, with enhanced server message block (SMB) fallback options that provide more granular control over heartbeat and password change operations.
Licensing and Availability
Extended resilient secrets availability to Secret Server Professional resolves licensing issues that previously blocked this feature. Customers with a Secret Server Professional license can now access the resilient secrets pages without encountering license-required error messages.
Improvements
| ID | Release Notes |
|---|---|
| 639164 | Improved: The legacy license .aspx pages have been removed. |
| 639773 | Improved: Added a new report for active users and all users for secrets. |
| 640087 | Improved: Added option to allow duplicate secret names in separate personal folders. |
| 640202 | Improved: Performance when there are a great number of folders for the following operations: modifying folders, modifying user display names, or changing the personal folder root name (if personal folders are enabled). |
| 640487 | Improved: Added more configurability to the Windows password changer for the method and method order. |
| 640554 | Improved: LimitedMode no longer limits AD sync, creating and editing secrets, importing secrets, and web service use. |
| 640556 | Improved: UI banner now notifies admins of systems exceeding license limits. |
| 640688 | Improved: Scan Template Detail page: an unused scan template can now be deleted. Required Fields now change according to scan type selection. |
| 640783 | Improved: $SECRETID and $[x]$SECRETID are now available for scripting. |
| 641022 | Improved: Folder-detail performance. |
| 641879 | Improved: When DR replication deletes a folder that is assigned to "automatic export", the DR replica now handles the event by disabling automatic export. |
| 642042 | Improved: Added a PIC pre-check error when a username in Secret Server does not match the regular expression rules defined in Platform. |
| 642213 | Improved: Check out, check out extended, and check in Syslog events now contain the UTC times of check out and check in. |
| 642250 | Improved: Platform Integration can no longer be disabled when unified mode is enabled and all users are sourced from Platform. This prevents users from locking themselves out of their instance. In the event that Platform Integration can be disabled, a dialog warns the user of the consequences. |
| 643200 | Improved: Added a data link between the SDK client account and onboarding rule so when an SDK onboarding rule is deleted all SDK client accounts created from that rule get their access revoked. |
| 643381 | Improved: Added a configuration setting under user experience to set the duration for the password mask to begin hiding input again. |
| 643721 | Improved: Secret access requests can now be published to the Delinea Platform for other services such as the intelligent authorization agent. |
| 643739 | Improved: Users can now use the Platform Upgrade Center to migrate Entra ID domains to Platform. |
| 643793 | Improved: The groups precheck in the PIC now only warns of group membership and role changes. |
| 643866 | Improved: Added a tab on the User Management page titled OAuth Expiration that lets users delete previously issued OAuth tokens. |
| 644419 | Improved: Added automatic listing of available vaults when adding an external vault link to Azure Key Vault. |
| 644548 | Improved: DR button order swapped and grid fixed to have more uniform styling on the status chips. |
| 644589 | Improved: During provisioning, validation of Secret Server credentials is now retried. If validation still fails on retry, the orchestrator is notified that provisioning has failed. |
| 644596 | Improved: Performance of session monitor search when HasKeystrokes is enabled. |
| 644755 | Improved: Converted the update status endpoint to use a PATCH to prevent unnecessary value changes. |
| 644783 | Improved: Consistency of the PIC UI steps. |
| 644847 | Improved: A banner now reminds admins when their usage license is exceeded. |
| 644887 | Improved: Added QuantumLock actions to the user profile. |
| 645147 | Improved: When a user lacks access to a session recording, they see a more informative error page. |
| 646302 | Improved: The legacy bookmark pages are now disabled by default. They can be re-enabled from settings > user experience > Disable legacy bookmark pages. These pages will be completely removed in an upcoming release. |
| 646932 | Improved: Updated design for adding widgets to the desktop. |
| 647178 | Improved: Attempting to create an Active Directory discovery source when discovery is disabled now informs you that discovery is disabled and needs to be enabled. |
| 647190 | Improved: Admins now receive a reminder in the UI when license usage has exceeded licensing limits. |
| 647689 | Improved: HSM process: When enabling or disabling the HSM, or rotating the HSM key, a backup of encryption.config is created. To prevent a bad state in which the database has been updated but encryption.config has not, the database changes are rolled back to the prior state in that case. Also, when rotating the HSM key with PKCS11 and the current DLL is selected, the system prevents changing the token label and user PIN: the PKCS11 library already has an open session that cannot be closed, so this prevents potentially saving the wrong information. |
| 647936 | Improved: Added capability to select from multiple settings with distinct behaviors to set how duplicate secret names are handled in the Permission Options section. |
| 648752 | Improved: Performance of resilient secrets excluding all data related to QuantumLocked secrets. |
| 649210 | Improved: Protocol handler parameter checking when using install options was extended to address CVE-2024-12908. |
| 649708 | Improved: Resilient Secrets now falls under "Professional" licensing without need of an add on. |
| 649863 | Improved: Updated workflow and secret approvals to use the template arguments for the ticket system. |
| 649955 | Improved: Reduced the likelihood of an incorrect query returning too many results. |
| 650476 | Improved: Increased flexibility for the Windows Password Heartbeat. The Enable SMB Fallback option, previously on the remote heartbeat configuration options, has been replaced with options directly under the advanced settings of the Windows Password Changer. These let you toggle RPC and SMB heartbeat attempts and determine their order. The previous Enable SMB Heartbeat configuration has been translated to the new settings. The new options require Distributed Engine version 8.4.56.0 or later. |
| 650658 | Improved: Legacy bookmarklet pages were removed. |
| 650720 | Improved: The legacy session recording search and viewing pages were removed. |
| 650755 | Improved: Several legacy message pages, such as a read only mode description, have been removed and replaced with newer versions. |
| 650853 | Improved: Reduced CPU use within the website and background worker. |
| 651149 | Improved: Added text to the Unified step of the Platform Upgrade Center. |
| 651315 | Improved: Removed the HSM legacy .aspx pages. |
| 651333 | Improved: Password type audit grid updated to Angular. |
| 652518 | Improved: Added more prechecks in the PIC for a user with a domain whose AD Guid or UPN is NULL in Secret Server. |
| 653208 | Improved: Drop down options added for email configuration. |
| 653299 | Improved: The secret view that opens in the right panel has been cleaned up to make the copy icons more visible and keyboard access has been enhanced. |
| 653422 | Improved: Added a throttle setting, "Max Number of Passwords That Can be Changed at One Time", for the Entra ID password changer. |
| 653719 | Improved: Adjusted MDI partner API URLs to match the new URL. |
| 655545 | Improved: Platform is now running on Angular 20. |
| 659980 | Improved: Legacy discovery .aspx pages were removed. |
| 661443 | Improved: Manage Directory Groups button was removed from the Groups page. It just linked to directory services, which is easily accessed in the left navigation panel. |
| 661831 | Improved: The legacy discovery .aspx pages have been removed. |
Fixed Issues
| ID | Release Notes |
|---|---|
| 638256 | Fixed: An inaccurate error message for session recordings when launch is not detected. |
| 638964 | Fixed: RDP proxy session tracking. Resolved an issue where RDP proxy sessions that were opened using proxy credentials (not protocol handler) were not being marked as launched, causing them to be missing from session search results. |
| 639151 | Fixed: Resolved issue with PostgreSQL password-change functionality. |
| 640392 | Fixed: DR replication data loss when the replica encounters save errors. Resolved issue where running "new data since last replication" could result in permanent data loss if the replica encountered errors during save, causing subsequent replications to skip the failed data entirely. Fixed replication state tracking to ensure failed items are retried in future partial replications. |
| 640808 | Fixed: The Request Force Checkout button is now displayed while the secret is in a pending status and the "request force checkout" feature is enabled. |
| 640978 | Fixed: The bulk secret field update now works when MFA is enabled on any secret that is selected. |
| 641375 | Fixed: Adding and removing fields did not work correctly if none of the new or existing fields were edited. |
| 641376 | Fixed: Export CSV on reports and the auto export storage download now work in Platform. |
| 641566 | Fixed: The dates of tbPlatformIntegrationStep were either not being set or being reset in certain scenarios. This has been fixed for all of the steps except the Unification step that will be fixed in a separate card. |
| 641630 | Fixed: Secret audits did not correctly link to the new session recording UI. |
| 642223 | Fixed: A total count issue when searching subfolders and secrets and then checking and unchecking items. |
| 643226 | Fixed: Password changes now trigger an external key-vault push for the linked secret. |
| 643304 | Fixed: The status of the Customize branding step in the PIC no longer resets from "skipped" to "ready to start" when the page is refreshed. |
| 643492 | Fixed: Discovery bug where Entra ID users or roles would not display properly in "Network TreeView" under the root Entra ID tenant node. |
| 643677 | Fixed: AFT token validation errors now return an error code instead of a 500 status code with no body. |
| 643715 | Fixed: An issue with the "maximum login failures" shortcut leading to the wrong configuration area. |
| 643815 | Fixed: TOTP codes from the favorite dashboard in Platform now work. |
| 643841 | Fixed: An error with the opt-in step of the PIC if the user refreshed the page once the opt-in process had begun. |
| 643869 | Fixed: Save button was enabled when modifying file attachments before any change was made. |
| 644593 | Fixed: Corrected workflow email links for Platform to point to Platform URLs not SSC URLs. |
| 644921 | Fixed: Discovery source ID was not being read correctly for Entra ID Members, which led to problems viewing and importing accounts. |
| 645106 | Fixed: Issue that could sometimes prevent validation of the Platform URL from the Secret Server configuration page. |
| 645923 | Fixed: The "ThycoticSystem" internal user now has the display name "Delinea System." |
| 646732 | Fixed: Issue where Entra ID discovery would cause errors when field names in the Privileged Secret template were changed. |
| 646957 | Fixed: Periodic error when retrieving favicons. |
| 647271 | Fixed: Active Directory invites did not get created in Secret Server. |
| 647291 | Fixed: A new version install could cache old en.json localization files. Language files now include cache-busting tags. |
| 647351 | Fixed: Locked users in Platform were not disabled in Secret Server. |
| 647639 | Fixed: An issue that could block OIDC authentication. |
| 647691 | Fixed: Account scan template was not displayed after saving on the Scan Template Detail page. |
| 647852 | Fixed: A localization issue on the Discovery Rules List page. |
| 648239 | Fixed: Template selection issue on discovery rules. |
| 648534 | Fixed: Long secret names did not wrap properly when shown as credentials for a discovery scanner. |
| 648665 | Fixed: The Validate Connectivity button was not visible when configured to use processing location as the website. |
| 648769 | Fixed: 404 error when loading the application. To prevent this, custom language resources are only loaded if the files exist. |
| 648844 | Fixed: The CSV report download button did not work in Platform. |
| 648998 | Fixed: The Preview panel, once closed, would not reappear until opened again. |
| 649098 | Fixed: Anti-forgery token logic caused pages to refresh in some circumstances. |
| 649167 | Fixed: Secrets did not show inherit permissions properly when searching in the grid. Folders now show the inherits permissions column when shown in the grid. |
| 649273 | Fixed: The date range filter could be removed from the discovery computer scan results tab. |
| 651907 | Fixed: Resolved an upgrade failure to 11.7.25-11.8.1 for on-premises Windows customers using a non-en-us locale. |
| 651955 | Fixed: A fresh on-prem install got stuck at the Create Initial User page. |
| 652482 | Fixed: Scan template names were not populated in a dropdown on the PasswordChangerEditScanItemTemplateEdit.aspx page. |
| 652648 | Fixed: The Edit button is now visible but disabled on non-editable scan templates. |
| 652697 | Fixed: An issue in the PIC Secure Access step where polling did not occur in certain situations after the button was pressed, leaving the step stuck in the In Progress state. |
| 652855 | Fixed: Tunneled RDP proxy data could be stored in the database erroneously under certain conditions. This data is encrypted by the RDP protocol, so it is not usable as keystroke data and should not be stored. |
| 653644 | Fixed: Secret policy launcher tab clipped the far right side of the form selects. |
| 654670 | Fixed: Secret share no longer adds groups to the Platform Allowed group list when adding from external groups. |
| 655397 | Fixed: On-premises edge case where if the web role had a cached valid license the disaster recovery process was allowed to begin but the background worker could not see a valid license and would do nothing. Now a log is generated. |
| 655439 | Fixed: Bug where the SAML Metadata Download XML button did not work. |
| 659912 | Fixed: The script editor (report, scripts) would sometimes show an error with the text "canceled." |
| 660018 | Fixed: A WRONGTYPE issue caused by calling redis.GetList on a "List<string>" type object. Caching once again applies for this value. |