Cayosoft Guardian now tracks nested, or transitive, group membership changes for Active Directory and Microsoft Entra ID groups. When a member is added to or removed from a group, Cayosoft Guardian generates Change History records for each parent group in the nesting chain.

To learn more, see How Cayosoft Guardian collects changes .

Cayosoft Guardian now supports deploying a standby forest recovery site into customer-provided Azure networking resources, including a virtual network, subnet, and network security group, instead of provisioning its own resources.

This allows organizations with strict network governance, hub-and-spoke topologies, or pre-approved subnet allocations to use Guardian standby forest recovery while meeting internal networking standards.

To learn more about the feature, see Manage cloud recovery sites and Forest Recovery: Create a cloud recovery site for Forest Recovery plan.

Cayosoft Guardian now supports registering an Azure subscription by using a customer-provided application account identified by Client ID and authenticated with a client secret or certificate.

The registration and downstream Forest Recovery, backup, and Cloud Service wizards complete end to end without requiring Global Administrator privileges in the customer's Microsoft Entra tenant.

To learn more about the feature, see Cloud Services.

Cayosoft Guardian now supports secure LDAP (LDAPS over port 636 and Global Catalog over SSL on port 3269) for Active Directory connections made by both the Cayosoft Guardian Service and the Forest Recovery agent.

This allows Cayosoft Guardian to operate in hardened environments that require TLS-encrypted LDAP traffic for security and compliance mandates such as HIPAA, NIST, and PCI-DSS.

To learn more about the feature, see Security guide.

The Forest Recovery agent now supports WinRM over HTTPS (port 5986) when connecting to Domain Controllers to collect Active Directory topology metadata during backup, in addition to the existing HTTP transport (port 5985).

This enables successful backups in hardened and mixed environments where some or all Domain Controllers allow only WinRM over SSL.

To learn about the feature, see Security guide.

Cayosoft Guardian now lets administrators restrict public network access to temporary recovery site storage accounts used during Azure standby forest recovery, reducing the attack surface during deployment.

New options under Service Settings > Forest Recovery settings allow administrators to scope public access to specific IP addresses or ranges and to allowed Azure virtual network subnets.

By default, public access is not restricted to preserve previous behavior.

To learn about the feature, see Forest Recovery Settings.

Cayosoft Guardian now optimizes DNS processing during Forest Recovery to reduce recovery time in environments with large DNS configurations.

New options allow administrators to skip reverse lookup zone cleanup, skip DNS SRV record cleanup, and perform AD-integrated zone and record removal directly through LDAP.

To learn more about the feature, see Forest Recovery settings.

Cayosoft Guardian now supports inclusion rules for AD Change Collection jobs, in addition to existing exclusion rules, allowing administrators to define a positive scope for monitored objects.

Inclusion and exclusion rules can be combined on the same job. The more specific, deeper rule takes precedence, and rules can apply to a single object or to an object and its children.

When no inclusion rules are configured, the job continues to monitor the full environment as before.

To learn more about the feature, see Define collection scope for an AD Change Collection job.

Cayosoft Guardian now restores links to re-created Microsoft Entra users and groups when a hard-deleted object is recovered through Rollback.

After recovery, Cayosoft Guardian updates references to the object's new ID in Conditional Access Policies, including Named Locations, App Role Assignments, and PIM role assignments, so restored objects remain correctly linked.

To learn more about the feature, see Objects supported by Cayosoft Guardian.

Cayosoft Guardian now supports undelete through the Recycle Bin for Microsoft Entra security groups.

Deleted security groups appear in the Deleted Objects container and can be undeleted from there or from a Change History deletion record, restoring the group with its original object ID.

To learn more about the feature, see Objects supported by Cayosoft Guardian.

Cayosoft Guardian now provides a consistent experience between the Add Azure Subscription wizard in Cloud Services and the Add Microsoft 365 Tenant wizard.

The update aligns wizard steps, descriptions, sign-in behavior, and the name of the created Entra application.

To learn more about the feature, see Cloud Services.

An issue where Forest Recovery could not create resources in Azure when a custom Azure Policy that blocks subnets without an assigned network security group was enforced.

An issue where job settings for Configure Primary DNS Zones and Configure DNS Records recovery workflow steps displayed DNS optimization checkboxes that did not correctly represent the actual configuration.

An issue where the connection to the built-in LocalDB history database could time out during service startup without being retried, which could cause Cayosoft Guardian to create a new, empty history database.

Connection timeouts to LocalDB are now retried, consistent with external database handling.

Related requests: 17338.

Cayosoft Guardian is now enhanced with stronger in-transit security by ensuring encrypted WinRM transport and by applying LDAP sealing across previously uncovered communication paths between Cayosoft Guardian and domain controllers, eliminating identified cases of unencrypted traffic.

Cayosoft Guardian now supports updating existing Azure subscriptions from legacy user account credentials to Entra application account credentials. When an existing subscription is re-added, Cayosoft Guardian updates the subscription to use Entra application account authentication. Related backup locations, including temporary locations in recovery sites, are updated automatically.

To learn more about the feature, see How to switch Forest Recovery from a connection account to an Entra application account.

Cayosoft Guardian now supports using an Entra application account in the Add Cloud Service wizard when adding an Azure subscription for Forest Recovery. This allows administrators to create and manage Forest Recovery Azure resources under a dedicated Microsoft Entra application (instead of relying on a user account), with the required subscription permissions applied for resource deployment and ongoing credential management.

To learn more about the feature, see Cloud Services

Cayosoft Guardian now lets administrators automatically resolve remediated alerts for supported threat signatures from Threat Detection > Threat Alerts. When triggered, auto-resolve evaluates all eligible supported alerts and marks remediated ones as Auto-resolved, reducing manual alert cleanup.

For more information about changes, see Auto-resolve support for CTD-000001 and CTD-000033 threat signatures

Cayosoft Guardian now supports LocalDB 2025 (SQL Express) for the built-in database option. This increases the default maximum size of the built-in database to 50 GB, reducing database-size limitations for new installations and upgrades that previously used the 10 GB limit.

IMPORTANT: When using a local database, Cayosoft Guardian will upgrade the database to SQL Server Express 2025 during installation. Ensure the host runs Windows Server 2019 or later, as required by SQL Server Express 2025.

For the full list of system requirements, see Planning and preparation: Cayosoft Guardian system requirements

Cayosoft Guardian now monitors changes to Microsoft Entra Agent Identity entities, including Agent Identity Blueprints, Agent Identities, Agent Identity Blueprint Principals, and Agent Users. This expands Change Monitoring coverage for Microsoft Entra ID objects and helps administrators review Entra agent-related activity directly in Change History.

For the full list of objects supported by Cayosoft Guardian, see Objects supported by Cayosoft Guardian.

An issue where Cayosoft Guardian could generate a false Member Added alert when a time-bound Microsoft Entra PIM activation expired for a role assigned as Eligible via group.

Related requests: 17048

Cayosoft Guardian introduces fine-grained Role-Based Access Control (RBAC) with six predefined roles, enabling administrators to delegate precise permissions aligned with operational responsibilities. A user or group may be assigned one or more of the following roles:

• Global Administrator - Full access to all features and settings in Cayosoft Guardian.

• Global Reader - Read-only access to all areas in Cayosoft Guardian, including configuration and monitoring data.

• Threat Alerts Reader - Review all detected threats and alert details.

• Threat Detection Operator - Manage threat detection jobs, configure notifications, and mark threats as resolved.

• Change History Reader - Review the full history of configuration and object changes across connected systems.

• Change Monitoring Operator - Manage change monitoring, review changes, and manage alerts.

To learn more about the feature, see Role-based access control in Cayosoft Guardian.

Cayosoft Guardian introduces support for Write-Once-Read-Many (WORM) compliance mode for Azure and AWS S3 storages. Administrators can now enable Immutable and Retention Period options when adding Azure and AWS S3 storages. When configured, Cayosoft Guardian applies Time-Based Retention to the bucket and objects in Compliance mode, ensuring that stored backups cannot be modified or deleted during the retention period.

To learn more about the feature, see Forest Recovery: Add backup locations.

Cayosoft Guardian has added support for tracking QR code authentication method changes for Microsoft Entra ID users. Cayosoft Guardian now captures add, edit, and remove operations for the QR code (Preview) method, displaying correlated records in Change History and detailed property updates in the Event Log.

For the full list of objects supported by Cayosoft Guardian, see Objects supported by Cayosoft Guardian.

Cayosoft Guardian introduces a standardized ownership model across configuration and system objects bringing clarity, consistency, and control to how Cayosoft Guardian determines who can manage specific objects across the system.

Three new metadata properties are now available for applicable entity types:

• Created by – identifies the account that created the object

• Modified by – identifies the account that last modified the object (populated on update where feasible)

• Owners – a multi-valued property listing all authorized owners; by default, includes the creator
  

An issue where domain trust password reset operations skipped domains whose DNS names contained uppercase characters.

Related requests: 16347.