Company logoHelp Center
Visit www.threatlocker.com

Agent API Release Notes

13 min. readlast update: 06.18.2026

3.10.0: Beta 06/16/2026

New Features & Improvements

  • Updated the Patch Management API to include the Patch Policy Type ID in its responses
  • Improved the Agent API to include a new endpoint that captures and logs handshake data for Secure Network Server users within the check-in history
  • Introduced a new API endpoint to retrieve external device details, including IP addresses, accessibility information, and unique device identifiers
  • Updated the system to optimize application policy matching and retrieval performance
  • Enhanced the system to track and display running and installed kernel versions for Linux endpoints within the portal
  • Updated the Approval Center to ensure certificate 'digestmismatch' information is correctly displayed, providing consistency between Approval Center file requests and the Unified Audit
  • Improved validation logic for agent settings to ensure consistent performance across all active system endpoints
  • Implemented a new procedure within the AgentAPI to correctly map research application identifiers to built-in application identifiers, improving the accuracy of the learning process
  • Implemented backend updates to support the future introduction of Managed Override Codes, allowing for more granular control and tracking of administrative overrides across the organization (Will require Windows Agent 11.0.22 or greater)

Bug Fixes

  • Fixed an issue where changes to Global Agent Settings made in a parent organization did not propagate to devices in child organizations if the child organization had no local agent settings configured
  • Resolved an issue where Endpoint Detect alerts failed to populate in the portal for an organization when beta notification features were enabled
  • Resolved an issue where mobile devices were not receiving agent actions
  • Fixed an issue where applications discovered on AIX machines in learning mode were incorrectly being categorized under the Linux OS group instead of the AIX group
  • Resolved an issue where Windows XP and Server 2003 devices failed to register or check in to the portal automatically after installation
  • Updated the Approval Center to ensure certificate 'digestmismatch' information is correctly displayed, providing consistency between Approval Center file requests and the Unified Audit
  • Improved validation logic for agent settings to ensure consistent performance across all active system endpoints
  • Updated the Learning Mode process to ensure that applications matching Product Research unique match values correctly result in a Built-In application policy rather than a custom application policy

3.9.1: 06/17/2026

Bug Fixes

  • Improved the logging process for unified audit items by delegating log processing to the database layer and implementing a shutdown handler to ensure data integrity during application recycling


3.9.0: 06/03/2026

New Features & Improvements

  • Improved the Syslog policy delivery process to ensure security policies are accurately synchronized with Syslog agents
  • Added support for a new Notification Center in the Response Center
  • Added support for creating macOS policies based on users & groups (still waiting on mac agent to support this)
  • Added a new authenticatedendpoint to retrieve the organization name for a device
  • Updated the Agent API to enhance the processing and delivery of ThreatLocker Detect alerts through a new notification queuing system

Bug Fixes

  • Improved management of revived devices by automatically placing devices into maintenance and monitor modes

3.8.0: 5/21/2026

New Features & Improvements

  • Added a new endpoint to retrieve authorized broker servers
  • Improved processing and logging within the Agent API to resolve issues with missing or delayed Unified Audit logs

Bug Fixes

  • Resolved an issue where learning mode was not functioning correctly for macOS and Linux devices
  • Resolved an issue where missing TLVersion headers in the FullCheckIn endpoint could cause internal server errors
  • Resolved a memory usage issue in AgentAPI by adding configuration options for thresholds and batching, with improved default settings
  • Fixed an issue where the OS Type filter in the Unified Audit would not return results for macOS and Linux endpoints

3.7.0: 5/1/2026

New Features & Improvements

  • When a computer is restored in the portal, its group membership is now automatically updated
  • Added a new Agent API endpoint to retrieve DNS names and associated IP addresses for a specified computer
  • A new stored procedure was added to retrieve driver application IDs by make and model
  • Improved database performance by adding an index on computerGroupId and optimized storage policy procedures
  • A new API endpoint, API_StoragePoliciesGetV2, has been introduced to optimize storage policy retrieval

Bug Fixes

  • The Advanced Setting 'Feature Override' now applies to both Features and Modules, ensuring consistent behavior across all platforms
  • Full Self-Elevation events in AgentAPI now correctly log the ComputerID and Hostname in the System Audit, improving endpoint identification and audit accuracy
  • Updated the method for sending DNS logs to ensure Web Control DNS filtering logs are correctly displayed in Unified Audit

3.6.2: 04/21/2026

New Features & Improvements

  • Added an exclusion for ARM in ScheduledAgentActionProcessing_Computer_GetVersionInfo
  • Improved the Agent API to ensure ARM version agents upgrading from versions below 11 to above 11 are correctly identified and upgraded directly to the target version

3.6.1: 04/16/2026

Bug Fixes

  • An issue was resolved where devices moved to Orphaned Accounts were not automatically receiving maintenance modes; now, tamper protection is disabled and Monitor Only mode is enabled as expected

3.6.0: 04/15/2026

New Features & Improvements

  • Added support for multiple secure network servers in the get network policy endpoint to enhance device-to-device ZTNA policies
  • Devices previously marked as removed will now automatically reappear in the Access Device table upon heartbeat
  • Added support for future feature to reorder storage policies

Bug Fixes

  • Resolved an issue where Ringfence policies in flat policy structures were not automatically learning IP address exclusions at the organization level
  • Resolved an issue where high memory usage could occur due to excessive event logging

3.5.2: 4/3/2026

Bug Fixes

  • Features and products are now automatically disabled on endpoints when specific advanced override settings are enabled
  • Authentication has been removed from the api/GetFileListSha256 endpoint to support StubInstaller functionality

3.5.1: 3/30/2026

Bug Fixes

  • Resolved an issue in which device memberships were not correctly downloaded due to the OrganizationID not being accepted as a parameter
  • Resolved an issue in which deviceIDs were not being converted to uppercase before applying the SHA

3.5.0: 3/26/2026

New Features & Improvements

  • Added response validation to the UpdateAgentSettings api 

Bug Fixes

  • Resolved an issue in which packages were not correctly being cleared when switching between packages
  • Resolved an issue in which the Linux agent version was not being correctly displayed in the Unified Audit
  • Resolved an issue in which Global patch policies were not being honored on child organizations

3.4.0: 3/25/2026

Bug Fixes

  • Resolved an issue in which FQDN changes were not updating as expected
  • Updated the AgentAPI to check both organization products and features

3.3.0: 3/19/2026

Bug Fixes

  • Resolved an issue where the Windows XP Agent was not learning applications or policies during baseline or installation
  • Resolved an issue where system audit logs for Maintenance Mode and Self Approval actions were not displaying the correct user information

3.2.0: 3/16/2026

New Features & Improvements

  • Added DNS logging from mobile devices to the Unified Audit
  • Added a new Agent API endpoint to track and retrieve all domain name changes for devices within an organization
  • Added a new endpoint in AgentAPI to support future fetching Detect policies for Syslog integration
  • Enhanced the Agent API to ensure device approval status is correctly updated in the PendingDevice table during registration

3.1.0: 3/10/2026

Bug Fixes

  • Resolved an issue in which local IP addresses were not being updated in the portal due to an incorrect endpoint name change

3.0.0: 3/10/2026

New Features & Improvements

  • Added a new Agent API endpoint to support .NET 8 compatibility checks and agent update requests
  • Added a new advanced setting to enable or disable device registration approval
  • Added new device registration and approval/rejection functionality for Secure Network
  • Added support for the upcoming 'Device Discovery' feature
  • Added support for alert states to improve ThreatLocker Detect alert processing

Bug Fixes

  • Resolved an issue where Mac and Linux devices incorrectly displayed an 'Unknown' check-in status
  • Resolved an issue in AgentAPI where Access Device Heartbeat was logging duplicate check-ins
  • Resolved an issue where self-approvals could create policies with negative order values in flat policy structures

Released 2/25/2026

New Features & Improvements

  •  Informational alerts will no longer trigger threat status in Detect

Released 2/19/2026

New Features & Improvements

  • A new endpoint has been added to AgentAPI to display the current state of assets and capture policy enable/disable actions within a case in the Detect product
  • Improved queue processing and reduced CPU usage
  • AgentAPI now sends items to LocalSQL for processing, introducing a new AppSetting and updated logic
  • The Agent API now includes Distinguished Name (DN) and Fully Qualified Domain Name (FQDN) information in the full check-in process, enhancing endpoint identification and reporting
  • Added a new Agent API endpoint to retrieve SHA-hashed private IP addresses for all devices in an organization

Bug Fixes

  • Fixed an issue where monitored paths set at the global level were not being relayed to agents
  • An issue was resolved where devices moved to Orphaned Accounts were not automatically receiving maintenance modes; now, tamper protection is disabled and Monitor Only mode is enabled as expected

Released 2/11/2026

New Features & Improvements

  • Added support for the Self Approval Configuration Advanced Setting

Bug Fixes

  • Resolved an issue in which the VDI Risk Center was failing to insert hash values in custom applications

Released 1/22/2026

New Features

  • Made enhancements to sending and processing action logs and DAC results

Released 1/09/2026

New Features & Improvements

  • Added a LastModifiedDate property to AgentSetting in AgentAPI to improve tracking of agent setting changes in the Detect product
  • Added a new endpoint to improve reporting of failed patch installations, automatically creating help desk tickets after three consecutive failures in Patch Management

Bug Fixes

  • Resolved a security vulnerability in AgentAPI where .bat scripts could be executed after ending installation mode; devices now perform a full security check when exiting maintenance mode to ensure proper enforcement
  • The API_OpsPolicyGet procedure in AgentAPI was updated to improve how policy IDs are retrieved, enhancing performance and maintainability
  • Resolved an issue where Register Restrictions set to "Entire Organization" now correctly apply to MAC and Linux devices, ensuring consistent registration restrictions across all operating systems
  • Resolved an issue in AgentAPI where install actions on Windows Agent did not include the correct process attribute, ensuring proper handling of process information when ProcessPath is missing

Released 12/15/2025

New Features

  • AgentAPI has been updated to store DAC results in Elastic instead of SQL

Released 12/08/2025

New Features & Improvements

  • A new AgentAPI endpoint has been added to Detect, allowing users to fetch PowerShell scripts created via the Incident Center
  • Added a Monitor Only option to Detect policies in AgentAPI, allowing alerts to be handled in monitor mode for improved policy management

Bug Fixes

  • Resolved an issue where Unified Audit logs were delayed or missing
  • Resolved an issue where self-approvals matching built-in applications did not permit execution as expected
  • Corrected parameter naming in the AgentAPI to prevent potential errors

Released 12/03/2025

New Features & Improvements

  • Backend improvements aimed at optimizing throughput, reducing server overhead, and ensuring stability during high-load traffic scenarios

Bug Fixes

  • Resolved an issue in which Linux Agents were receiving Windows policies applied to the Entire Organization

Released 11/20/2025

New Features & Improvements

  • Added the ability to run PowerShell scripts created via the Incident Center
  • Added API support for Detect Monitor Only modes for policies

Bug Fixes

  • Resolved an issue where self-approval for built-in applications did not permit execution as expected when using the "Run Now"
  • Corrected parameter naming in the AgentAPI to prevent potential errors

Released: 11/17/2025

Bug Fixes

  • Resolved an issue where Agent Settings for Automatic Learning were not correctly applied 

Released: 11/04/2025

New Features & Improvements

  • Added validation to ensure successful database insertion when creating OpsAlert records
  • Added a new AgentAPI endpoint to validate ThreatLockerService_exe.bin update files by SHA256 hash and return version information
  • When a machine is moved to the Orphaned organization, tamper protection is now disabled and Monitor Only mode is enabled automatically and indefinitely 
  • Added system audit logging to track when a device is reactivated in the computer table
  • Added support for relaying source application restrictions in Mac application policies
  • Added agent version information to Detect alerts
  • Added a new stored procedure to support Cyber Hero Approval Processing

Bug Fixes

  • AgentAPI for macOS now properly accepts devices without local admins
  • Resolved an issue where Linux baselining incorrectly created both custom and built-in policies simultaneously
  • The GetByAppId endpoint in AgentAPI now returns a 400 error if the request body or ApplicationId is empty
  • Resolved an issue where system audit logs were not generated during policy creation in Automatic Learning

 

Released: 10/29/2025

New Features & Improvements

  • Added validation to ensure successful database insertion when creating Detect Alerts

  • Updated the AgentAPI to reference the latest ThreatLocker.Common package for improved compatibility

  • Performance improvements with validating update files

  • AgentAPI for macOS now properly accepts devices without local admins

  • Made improvements to handling approval requests

  • Added support for relaying source application restrictions in Mac policies 

  • Made improvements to the Orphaned Computer workflow

  • Added system audit logging to track when a device is reactivated 

  • Added agent version information to Detect alerts, enabling visibility of the agent version in alert details

Bug Fixes

  • Resolved an issue where Linux baselining incorrectly created both custom and built-in policies simultaneously 

  • Improved consistency in API responses 

  • Resolved an issue where system audit logs were not generated during policy creation in Automatic Learning

Released: 10/20/2025

Bug Fixes

  • Resolved an issue in which some macOS computers being installed using older ThreatLocker versions were unable to complete registration in the ThreatLocker portal

Released: 10/13/2025

Bug Fixes

  • Resolved an issue in which improper caching of instances sometimes resulted in failed computer registrations

Released: 10/2/2025

New Features & Improvements

  • Added a “Baseline Configuration” setting to control whether new Windows agents run an initial baseline scan (requires agent 10.5.3+)
  • Added a “Register Restrictions” agent setting to allowlist IPs/ranges (IPv4/IPv6, CIDR) for agent registration
  • Enhanced application control, policies can now restrict launches to approved parent applications
  • Storage Control policies now support Global groups in “Applies to,” ensuring policies deploy to all endpoints within those groups

Bug Fixes

  • Patch Management now automatically removes policies that targeted a device when that device is uninstalled
  • Resolved 401 errors by making the environment check case-insensitive in configuration

Released: 9/16/2025

New Features & Improvements

  • Added additional logging in System Audit and Maintenance History when Self-Approved maintenance modes are enabled
  • Made improvements to the Monitored Path function for IP addresses

Bug Fixes

  • Resolved an issue where self-approval in maintenance mode displayed incorrect scheduling data in the system audit.
  • Resolved an issue in which Detect alerts were being incorrectly truncated when they exceeded the 1000 character limit
  • Resolved an issue in which Agent was sending up Null Channel IDs for Applications without a Channel
  •  Resolved an issue in which the Run in Testing Environment was not being displayed from the Unified Audit
Was this article helpful?