What's New in Imprivata Enterprise Access Management 25.4
Imprivata Enterprise Access Management with SSO 25.4 contains the following new features and technology updates.
New Features
Password complexity rules can now be displayed when users are prompted to change an expired password. As users type a new password, the password complexity requirements are validated automatically to show which requirements have been met. This helps reduce failed password reset attempts caused by unknown or unmet complexity rules. Consider the following:
- By default, this functionality is enabled for new enterprise deployments and disabled for upgraded environments.
- Password complexity rules are retrieved from Active Directory only.
- Rules are displayed only on Windows single-user computers and shared-kiosk workstations.
- Rules appear only when users are prompted to change an expired password; they do not appear during user-initiated password resets.
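The live checklist described above depends on evaluating the candidate password against the directory's rules on every keystroke. The following is an added example, not Imprivata code, of that evaluation for the standard Active Directory complexity policy: a minimum length (the value here is a constructed default, not one the page states), the rule that the password must not contain the sAMAccountName or any three-or-more-character part of the displayName, and the rule that at least three of the five character categories must be present. The PasswordPolicy values and the sample user are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy values; in AD these come from the effective
    password settings (Default Domain Policy or a Password Settings Object)."""
    minimum_length: int = 8
    complexity_enabled: bool = True


# Delimiters AD uses to split displayName into parts for the name check.
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def _name_tokens(sam_account_name: str, display_name: str) -> List[str]:
    """Tokens that must not appear (case-insensitively) in the password.
    AD checks the sAMAccountName and each displayName part of 3+ characters."""
    tokens: List[str] = []
    if len(sam_account_name) >= 3:
        tokens.append(sam_account_name.lower())
    for part in _DISPLAY_NAME_DELIMS.split(display_name):
        if len(part) >= 3:
            tokens.append(part.lower())
    return tokens


def _category_count(pw: str) -> int:
    """Number of the five AD character categories present in pw."""
    categories = [
        any(c.isupper() for c in pw),                 # uppercase letters
        any(c.islower() for c in pw),                 # lowercase letters
        any(c.isdigit() for c in pw),                 # digits
        any(not c.isalnum() for c in pw),             # non-alphanumeric characters
        any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),  # other Unicode letters
    ]
    return sum(categories)


def evaluate_password(pw: str, sam_account_name: str, display_name: str,
                      policy: PasswordPolicy = PasswordPolicy()) -> Dict[str, bool]:
    """Return each rule with whether the candidate satisfies it, suitable for
    rendering a live checklist while the user types."""
    results: Dict[str, bool] = {
        f"at least {policy.minimum_length} characters": len(pw) >= policy.minimum_length,
    }
    if policy.complexity_enabled:
        lowered = pw.lower()
        results["does not contain the account name or parts of the display name"] = not any(
            token in lowered for token in _name_tokens(sam_account_name, display_name)
        )
        results["uses at least 3 of 5 character categories"] = _category_count(pw) >= 3
    return results


def meets_policy(pw: str, sam_account_name: str, display_name: str,
                 policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True only when every displayed rule is met."""
    return all(evaluate_password(pw, sam_account_name, display_name, policy).values())


if __name__ == "__main__":
    # Constructed sample user and candidates.
    for candidate in ("Summer2024", "johndoe1!", "password", "Ab1"):
        for rule, ok in evaluate_password(candidate, "jdoe", "John Doe").items():
            print(f"{candidate!r:14} {'met' if ok else 'NOT met':8} {rule}")
```

Two points worth keeping in mind when wiring such a check into a prompt: the name-part rule is why a password that otherwise looks strong can still be rejected, so it belongs in the displayed list; and the client-side checklist is a convenience only, since the domain controller applies the authoritative policy (including history and any password filter DLLs this example does not model).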
The Computer Peripherals Usage report now includes rf IDEAS® proximity card readers. Similar to other devices, the report includes the model of the reader and the version of the firmware on which it is running.
New Desktop Authentication combinations are now available:
- Proximity Card + Face recognition or Password
- Face + Device-bound passkey or Password
- Proximity Card + Face or PIN
- Security Key + Face or Password
- Security Key + Face or PIN
Imprivata Enterprise Access Management now supports Windows access with Imprivata ID when the Imprivata agent is offline. When an endpoint computer is not connected to the Internet and the Imprivata agent is offline, the agent cannot complete a Windows login workflow that requires Imprivata ID authentication. When this feature is enabled, the user's Imprivata ID app generates specially provisioned offline tokens that are accepted only when the user needs to log into Windows while the Imprivata agent is offline.
This feature will be available after your users upgrade to Imprivata ID iOS 2025.5 or Imprivata ID Android 25.5, due January 14, 2026.
As part of Imprivata's continuing effort to increase our security posture, this release includes the ability to set the public key length to 4096 bits for the following certificates:
- Appliance
  - Appliance SSL Cert
- Imprivata Admin Console
  - Web SSO IDP Cert - App vouchers
  - Confirm ID Self-signed Cert - App vouchers
  - ProveID Web Server Cert
  - SSH Enterprise Key Cert
  - Epic certs
    - Self signed subspace prd
    - Self signed subspace non-prd
    - Self signed epic same
Changing the key length for these certificates cannot be undone. Take care when setting the key length in your environment, as it affects communication between Imprivata components and any third-party services that consume these certificates.
It is a best practice to back up your enterprise database before updating certificates to 4096 bits.
The Imprivata Appliance Console and Imprivata Admin Console settings have been updated to allow you to update these certificates to 4096 bits.
This release includes the ability to configure the reply-to address for appliance email notifications from the Imprivata Appliance Console.
Imprivata recommends that each appliance have its own unique reply-to address, so that administrators can more easily identify which appliance sent an error or warning notification.
Imprivata ProveID Embedded now supports secure MIFARE DESFire proximity card authentication, including the French national CPS smart card, meeting eIDAS Substantial requirements.
This update enables clinicians in France to use their existing CPS cards for secure Enterprise Access Management tap-and-go workflows, avoiding the need to purchase replacement cards.
Enterprise Access Management collects and reports user IP addresses for remote access authentications performed through Citrix Application Delivery Controller (ADC) (formerly NetScaler) VPN gateways using RADIUS.
The Login Activity report in the Imprivata Admin Console displays this information.
Enable the Send Calling Station ID option on the Citrix ADC gateway. This is required for IP addresses to appear in the Login Activity report.
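The IP address reaches the Login Activity report only because the gateway places it in the RADIUS Calling-Station-Id attribute (type 31, RFC 2865) of the Access-Request it sends to the Imprivata RADIUS service. The following is an added example, not Imprivata or Citrix code, that builds a constructed Access-Request the way a NAS would and parses the attribute back out; the authenticator, user name, NAS address and client IP are all constructed values. The second packet shows what the report sees when Send Calling Station ID is disabled.

```python
from __future__ import annotations

import ipaddress
import struct
from typing import List, Optional, Tuple

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode an Access-Request; each attribute is type, length (incl. header), value."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, rejecting truncated or overlapping lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs: List[Tuple[int, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def client_ip_from_request(packet: bytes) -> Optional[str]:
    """Return Calling-Station-Id as an IP string, or None when the gateway
    did not send it (option disabled) or sent a value that is not an IP."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_CALLING_STATION_ID:
            text = value.decode("ascii", errors="replace").strip()
            try:
                return str(ipaddress.ip_address(text))
            except ValueError:
                return None
    return None


# Constructed samples: the same login with and without Send Calling Station ID.
_AUTH = bytes(range(16))  # constructed request authenticator, not a real one
_COMMON = [(ATTR_USER_NAME, b"jdoe"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
REQUEST_WITH_CSID = build_access_request(7, _AUTH, _COMMON + [(ATTR_CALLING_STATION_ID, b"203.0.113.7")])
REQUEST_WITHOUT_CSID = build_access_request(8, _AUTH, _COMMON)

if __name__ == "__main__":
    print("with option:   ", client_ip_from_request(REQUEST_WITH_CSID))
    print("without option:", client_ip_from_request(REQUEST_WITHOUT_CSID))
```

The value is whatever the gateway asserts, so the reported address is only as trustworthy as the Citrix ADC and the RADIUS shared secret that authenticates it; treat it as an audit attribute, not as an independently verified source address.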
When an administrator logs out of the Imprivata Access Management portal, the admin is also logged out of all consoles managed through the portal.
Users are locked out after excessive failed login attempts with Face recognition.
Technology Updates
This is a reminder that Internet Explorer is not supported. Any functionality related to Internet Explorer or IE mode will be deprecated as of December 2026.
The Classic Windows login is deprecated and will no longer be supported after Q1 2026.
Imprivata is committed to innovation and is focusing efforts on the Imprivata login. It is recommended that you begin planning a migration to the Imprivata login. For more information about the Imprivata login and next steps, see the FAQ.
While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.
To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.
As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
As part of Imprivata's continuing effort to increase our security posture, this release includes two modes of API access through the Confirm ID and ProveID API:
- Full
  Full access enables use of the Confirm ID COM interface. Full access is required in the following areas because they rely on the COM interfaces:
  - Clinical Workflows
  - EPCS
  - Imprivata Connector for Epic Hyperdrive
  - When Imprivata Confirm ID needs a password.
- Restricted
  In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.
By default, Confirm ID access is disabled and ProveID API access is set to restricted. The settings to manage API access are on the API access page in the Imprivata Admin Console.
The Imprivata agent continues to install the Chrome extension for SSO, but no longer enables it.
If you plan on installing Imprivata agents on new endpoints or upgrading existing Imprivata agents, you must enable/allow the extension using a Microsoft Active Directory GPO. Per the Chrome Safe Browsing Policy, a GPO is the only supported way to enable extensions silently.
NOTE: For complete details on enabling the Chrome extension, see "Support for Applications that Run in Google Chrome" in the Imprivata Enterprise Access Management help.
Microsoft has announced the deprecation of VBScript, but has not announced a release date on which VBScript will be retired.
Per Microsoft, VBScript will be available as a feature on demand before being retired in a future Windows release. While Imprivata procedure code extension objects continue to support VBScript, it is recommended that Imprivata administrators create new event triggers using another supported scripting language, such as PowerShell, while planning for the retirement of VBScript.
Considerations
The following sections describe changes in behavior in Imprivata Enterprise Access Management.
Enterprises who have clinicians' faces enrolled for authentication in Mobile EPCS must migrate those enrollments to the new Imprivata Cloud Platform (ICP) Face Recognition support. This is accomplished with a custom migration tool. For more information, see the Imprivata Upgrade portal.
This does not apply to customers whose end users have faces enrolled only for Desktop Authentication.
Face authentication is a new modality and is supported on Windows.
- If your enterprise uses mixed endpoints (thin clients, medical devices, etc.), test to verify that they continue to work after enabling Face recognition.
- If you encounter issues on non-Windows platforms, disable multiple second factors using computer policy overrides and reach out to your vendor and Imprivata representative.
Imprivata has identified limited cases where Imprivata agents running on non-Windows platforms are unable to authenticate depending on user policy configuration. Limiting the second factor options in your environment is recommended to resolve this.
Beginning with 25.2, you can no longer directly run the Imprivata agent installer. This includes:
- Double-clicking the MSI.
- Right-clicking the MSI and running it as an administrator.
To launch the installer manually, run the MSI from an elevated command prompt. Running the MSI in any other way results in an error message stating that you do not have the required permissions, even when you are logged into the Windows endpoint with administrator credentials.
This requirement does not affect deployments performed through Microsoft Endpoint Configuration Manager (SCCM) or any other third-party software deployment tool.
Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations.
For more information, see Configuring Imprivata Secure Walk Away.
Upgrade Considerations
For more information on upgrading Enterprise Access Management, see the Imprivata Upgrade portal.