Windows Agent Version 11.x Release Notes

16 min. readlast update: 07.17.2026

11.0.5 | 11.0.6 | 11.0.7 | 11.0.8 | 11.0.9 | 11.0.10 | 11.0.11 | 11.0.12 | 11.0.14 | 11.0.15 | 11.0.16 | 11.0.17 | 11.0.18 | 11.0.19 | 11.0.21 | 11.0.26

11.0.26

Beta: 7/17/2026

New Features and Improvements

  • Unified Audit records now include the Application File ID and Parent Process Application File ID to provide clearer visibility into which specific rule or application file triggered a match
  • Improved the Windows Agent health check process by implementing multiple echo tests per server to more accurately determine the optimal connection based on average response times
  • Enhanced the Windows Agent to support custom override codes, providing improved flexibility and control for administrative overrides
  • The ThreatLocker tray has been updated to support Managed Override Codes (MORCs), allowing for the validation of available codes and the automatic termination of overrides if the local configuration is removed
  • Updated the icons in the Request Permission window to ensure consistent sizing and improved visual clarity
  • Improved the accuracy of the Unified Audit logs by ensuring that application executions denied while in Lockdown Mode are correctly displayed as denied actions

Bug Fixes

  • Improved the Windows Agent's ability to resolve Active Directory DNS service records and support brokered UDP requests, ensuring reliable connectivity to domain resources like file shares when working from external networks
  • Improved the stability of the Windows Agent by resolving communication timeouts and addressing unobserved task exceptions within the ZTNA service
  • Improved security by adding additional validation checks to the agent settings endpoint
  • Fixed an issue where TCP DNS resolutions could fail or hang due to incorrect redirection handling in the agent driver
  • Improved ZTNA connectivity for Windows Agents to ensure reliable connections when the source and destination machines are on the same local subnet
  • Updated the "Login as Administrator" link within the tray notification to ensure users are correctly redirected to the current portal for processing approval requests
  • Fixed an issue where blocked Web Control pages would display a blank screen instead of redirecting to the request page
  • Updated tray notifications to ensure that non-ASCII characters, such as Cyrillic, display correctly within the user interface
  • Resolved an issue where the Data condition in Detect policies would not correctly trigger alerts
  • Resolved an issue where inbound logs could expose an incorrect source IP address during certain ZTNA-enabled device-to-device connections
  • Fixed an issue where network ringfencing exclusions were not being automatically learned when the machine was in learning mode
  • The Windows Agent Tray has been updated to correctly display Company Influence research information alongside Development Influence
  • Resolved an issue in Elevation Control where Windows user accounts containing parentheses in their names were incorrectly removed from the local administrators group despite being excluded by policy
  • Resolved an issue where the Destination Domain condition in Detect policies was not correctly identifying network activity
  • Improved the Windows Agent to ensure all cached activity logs are successfully saved to the local database when the service is stopped or restarted
  • Updated the Patch Management notification behavior to prevent it from automatically capturing keyboard focus, ensuring that user input remains with the active application
  • Resolved an issue where an object reference error could occur when retrieving principal names within the Windows Agent
  • Improved the Windows Agent upgrade process to ensure that feature configurations are correctly maintained and synchronized when upgrading from older versions
  • Fixed an issue where the `DebugMatchedApplications` option failed to correctly display matched application IDs in the Windows Agent logs
  • Resolved an issue where domain names were not correctly logging for specific processes in the Unified Audit
  • Improved the Windows Agent's ability to update its feature list by implementing an automatic retry mechanism with exponential backoff and a startup check to ensure features remain current even if initial network calls fail
  • Fixed an issue where the `LastHeartbeatCheckInTime` registry value would incorrectly update during failed heartbeat attempts while a machine was offline
  • Improved the accuracy of network activity logging by ensuring that actions not matching a specific policy are correctly identified and displayed as monitor-mode events in the Unified Audit
  • Improved the Windows Agent to ensure the "DisableCore" option correctly updates and logs activity without requiring a service restart
  • Resolved an issue where button text in tray notifications would become invisible or incorrectly highlighted when using Windows High Contrast mode
  • Improved Web Control policy matching to ensure that policies created with manually entered domains correctly match based on both domain name and hostname
  • Improved the Windows Agent's handling of temporary files during installation processes to prevent unnecessary blocks and ensure smoother software deployments
  • Improved the Windows Agent's ability to resolve hostnames on the same subnet, ensuring Device-to-Device connections correctly honor subnet mapping and connect directly rather than tunneling through the Broker
  • Improved the Windows Agent update process to ensure the ThreatLocker driver remains on the correct version following a Windows operating system upgrade
  • Improved the stability of the baseline process by implementing error handling to prevent crashes when encountering corrupted files on the file system
  • Updated the Windows Agent to correctly resolve 8.3 short filenames during DAC checks, ensuring services located within Program Files or Windows folders are no longer incorrectly flagged
  • Resolved an issue where the "Override Read as Execute" advanced setting was not correctly processing or logging certain file extensions

11.0.21

Beta: 6/24/2026

New Features and Improvements

  • Improved performance and stability on Active Directory Domain Controllers by optimizing how DNS traffic is processed
  • Added tooltips to specific agent setting parameters to clarify the minimum Windows Agent version required for functionality
  • Updated the Windows Agent notification system to allow users to close OS-related reboot notifications for updates not initiated by a mandatory policy
  • Enhanced the Windows Agent to allow users to dismiss OS update reboot notifications when updates are initiated by Windows or manual agent actions
  • Updated Web Control branding settings to allow customization of the background and text colors for buttons on blocked screens

Bug Fixes

  • Resolved issues related to the Network control Default policy present DAC check, agent is now evaluating secure network policies and features 
  • Improved the Windows Agent's ability to automatically recover corrupted security asset files by ensuring device public keys are redownloaded if local data is invalid
  • Resolved an issue where the indicator starts at the end of the placeholder, and the new hide/unhide icon remains visible after the text field is gone
  • Added tooltips to specific agent setting parameters to clarify the minimum Windows Agent version required for functionality
  • Updated the "Remote Monitoring and Management Tools Installed Files" health check to more accurately identify and report insecure application control rules associated with installed RMM tools
  • Resolved an issue in the Windows Agent where the Remote Desktop Client was incorrectly identifying parent processes, ensuring more accurate application matching and policy enforcement
  • Updated the Device Discovery feature to accurately scan the full range of the local subnet mask, including support for /16 subnets
  • Updated the Secure Network Firewall policy processing to correctly recognize and validate policies utilizing both TCP and UDP protocols when performing DAC checks
  • Resolved an issue where Windows Agent users were receiving Patch Management reboot prompts despite not having the Patch Management module enabled
  • Resolved an issue where machines in Isolation or Lockdown mode would stop checking into the ThreatLocker portal due to blocked DNS traffic
  • Resolved an issue in the Windows Agent where UNC monitored paths were not being correctly applied unless specific product features were enabled
  • Resolved an issue where Application Ringfencing monitor-only status was incorrectly applied to Endpoint Firewall policies, ensuring network traffic is accurately processed based on policy actions
  • Updated the Windows Agent to ensure DNS resolution is no longer incorrectly interrupted when receiving a valid null heartbeat response from the API
  • Updated the Windows Agent ZTNA communication protocol to improve connection negotiation and ensure parity across platforms
  • Improved stability of the Windows Agent by resolving an issue where specific registry configurations caused internal processing errors during data parsing
  • Resolved an issue where Elevation Mode maintenance incorrectly applied to all users on a device instead of only the selected users
  • Optimized the Windows Agent shutdown process to prevent delays when processing large data queues, ensuring a faster and more reliable service termination

11.0.19

Beta: 6/8/2026

New Features and Improvements

  • Enhanced the Windows Agent to automatically identify and connect to the most efficient server for ZTCA policies by utilizing periodic echo tests and establishing a fail-over queue based on server response speed
  • Improved the logic for how the Windows Agent reconnects to broker servers to ensure it correctly transitions to updated server lists after a connection is terminated
  • Enhanced the Patch Management tray notification to include a "Cancel" button within the scheduling pop-up, allowing users to return to the previous menu
  • Improved the Windows Agent to ensure Secure Network features are correctly identified and initialized following an agent version upgrade

Bug Fixes

  • Improved the Windows Agent's ability to recover from corrupted local asset files by implementing a mechanism to automatically re-download data if local files are unreadable
  • Updated the Windows Agent tray notification to remove unnecessary quotation marks from the "View Available Applications" link
  • Updated the Windows Agent to ensure the Service Control Manager can successfully manage the ThreatLocker Health Service
  • Resolved an issue where text within the Maintenance Mode popup window would incorrectly appear highlighted or focused
  • Updated the Cyber Hero Health Check to ignore log-off failure auditing, ensuring the 'Audit Logon/Logoff Enabled' check passes correctly when standard logging is configured
  • Improved the Maintenance Mode notification window to prevent accidental termination of maintenance sessions caused by keyboard inputs
  • Resolved an issue where hyperlinks in Application Control and Browser Extension tray request windows were unresponsive when clicked
  • Improved the Windows Agent to resolve an issue where certain configuration files interfered with the ThreatLocker elevation process
  • Resolved an issue in the Windows Agent where the "View Available Applications" link in the tray request window was not hyperlinked, restoring access to the Application Store
  • Resolved an issue in Patch Management where scheduled system reboots were not consistently triggering after a patch installation was completed

11.0.18

Beta: 5/20/2026

Improvements

  • Improved system performance by optimizing how browser extension permissions are cached and managed
  • Improved the reliability of secure asset updates by ensuring data is only written to the disk following a successful server response
  • Improved the performance and reliability of web tag matching by implementing a more efficient caching mechanism that ensures consistent policy enforcement even during intermittent connectivity
  • Updated the application execution request popups to ensure URLs within custom tray notifications are now interactive and clickable for end users
  • Improved the accuracy of file certificate information in the Approval Center to ensure consistency with the Unified Audit

Bug Fixes

  • Fixed an issue where web control policies would fail to block or redirect certain websites utilizing the QUIC protocol

11.0.17

Beta: 5/15/2026

Bug Fixes

  • Adjustments to DNS handling - DNS Response Cache key now includes Protocol in Cache Key.
  • Properly routing UDP DNS requests to UDPClient resolver and TCP DNS requests to TCPClient resolver.
  • Fixed an error when setting the packet size in TCP DNS requests.
  • Adjusted logging to accurately reflect DNS handling.
  • Removed test code for Active Directory DNS resolutions.

11.0.16

Beta: 5/12/2026

Bug Fixes

  • Fix to Legacy Web Control for policies with custom domains.
  • Changes to DNSHelper to counter arithmetic overflow exception for DNS responses with length of 0.
  • Consolidated logging of DNSHelper byte arrays and other general refactoring.
  • Partial implementation of Active Directory DNS Server Response handling.

11.0.15

Beta: 5/5/2026

New Features and Improvements

  • Added Option DisableDnsRedirectCheck that if set will skip the check that decides if redirection is available based on the DNS/Last HeartBeat Check-In result.
  • Restored logic that forces download of Device Membership and Device Name Infos on Service start.

Bug Fixes

  • Positive Cache is now cleared once DNS requests are able to resolve after having previously failed due to loss of connectivity to the API (this is tied to the HeartBeat Check-In result).
  • Change to stop attempting a Tag Lookup to API if Website Filtering Endpoint Feature is not enabled.

11.0.14

Beta: 04/30/2026

Bug Fixes

  • Resolved an issue in which Secure Network policies could be missing a property; the agent now checks for that property, and if it is missing, policies are redownloaded.
  • Resolved an issue on startup where the agent would call an api for device membership and device name information instead of loading from disk

Version 11.0.12

Beta: 04/20/2026 

New Features and Improvements

  • Updating of Secure Network Assets allowed if Secure Network Policies feature is enabled (no longer also requires Secure Network Access ZTNA).
  • Change to continue processing Secure Policies if a network action has been Ringfenced with the device or policy set to Monitor Only Mode.
  • The agent clears the HostToTempIp Cache on network adapter change as well as ipconfig /flushdns commands.

Bug Fixes

  • Fixes to Custom Firewall policy processing to correctly handle inbound and outbound network traffic as well as scoping policies to the correct device.

Version 11.0.11

Beta: 04/14/2026 

New Features and Improvements

  • Unified Audit logging added for target machines of Device to Device connections.
  • Heartbeat and timeouts added to connection between Broker and Service where Service is the target of a Device to Device connection. Allows for recovery of brokered data sessions after network outages and broken tunneled data connections.
  • DNSResponse Cache is cleared anytime an ipconfig /flushdns command is issued.

Version 11.0.10

Beta: 04/13/2026 

New Features and Improvements

  • Further improvements to DNS
  • Change in ordering of Secure Network assets updating
  • Changes to how service registers with Broker as a target in order to stop listeners that are removed from policies
  • Added a check to only register with Broker as a target if Network property of policy is "Brokered"

Version 11.0.9

Beta: 04/10/2026 

New Features and Improvements

  • Improvements to the DNS resolver
  • On error, restart the local loopback listener for Device-to-Device connections over ZTNA
  • Graceful cancellation of tunneled broker connections when data is no longer being set or received (Unobserved Task Exception)
  • Change to download device public keys hourly
  • Change to only register with the broker as a server agent if the policy has a brokered route
  • Change to clear positive cache on Secure Network Policy deploy
  • Deploying Secure Network Policies triggers a full update of all  'Secure' assets (policies, memberships, name infos, public keys, subnet mappings)

Version 11.0.8

Beta: 04/07/2026

Bug Fixes

  • Resolved issues with DNS over TCP

Version 11.0.7

Beta: 04/06/2026 

New Features and Improvements

  • Added support for a new "Effective Action" condition in Endpoint Detect policy creation
  • Added new DAC checks in the Windows Agent to verify RMM tools are set to 'Delayed Start' and to detect files installed by RMM tools
  • Added a new DAC check in Windows Agent to identify and report over-permissive file access exceptions
  • Added the ability for the agent to identify and store whether a device's IP address is static or dynamic during heartbeat/check-in
  • Added support for Ringfencing RDP Client connections to only trusted hosts
  • Implemented improved network connection handling in the Tray to automatically select the fastest available IP protocol (IPv4 or IPv6)
  • Improved CPU efficiency in Windows Agent by optimizing certificate processing to reduce unnecessary background activity
  • Updated the Windows Agent to ensure event log messages are now considered when generating alerts

Bug Fixes

  • Resolved an issue where FileInstall.db and FileInformation.db were not updating as expected
  • Resolved an issue  where the Domain Name Parsing option was not functioning as expected
  • Improved cleanup logic for the matched application table in Detect.db to remove outdated entries
  • Improved performance by reducing file database input/output operations through enhanced caching
  • Resolved an issue causing excessive RAM usage by optimizing thread management and error handling
  • Resolved an issue where tray pop-ups were incorrectly delivered to only the most recently logged-in user during remote sessions
  • Resolved an issue where AD group restrictions could fail after offline logins
  • Resolved an issue where the Tray notification incorrectly hyperlinked entire messages
  • Resolved an issue in which Detect policies monitoring registry key changes did not trigger alerts as expected

Version 11.0.6

Beta: 04/02/2026

New Features and Improvements

  • Added display of the Vendor name along with the Serial Number in the Serial Number field for Storage Devices
  • Unified Audit will show the Broker Server used by any SASE or Device-to-Device connections
  • Unified Audit will show Parent Process Name/Path for any Network operations
  • DNS resolutions will be made for DNS requests made over TCP in addition to UDP
  • Additional refinements made to DNS request resolutions made over Https (DoH)
  • Changed DAC test 169 RDP Client Ringfenced to use new Secure Network processor to evaluate test conditions
  • Changed resolver for DNS over UDP to only cache successful IPv4 results

Bug Fixes

  • Resolved issue with Secure Network assets (Policies, Memberships, Keys, Device Infos), they should be downloaded without needing an additional service restart after upgrading service to a version that uses Features instead of Products
  • Resolved issue with USB vendor name match in Storage Control

Version 11.0.5

Beta: 04/01/2026

New Features and Improvements

  • Added a new Agent Action to update the feature list
  • Added support for detecting and uploading memory dump files from C:\Windows\Minidump 
  • Added support for a new registration process with pending, approved, and rejected states to enhance device onboarding
  • Added support for an upcoming feature that will identify devices on the network that do not have ThreatLocker installed
  • Tamper Protection has been extended to include .config and .runTimeConfig.json files for Broker and Updater components
  • Updated the Windows Agent to ensure event log messages are now considered when generating alerts
  • The Windows Agent now supports a feature-based billing model
  • Added a check in the Windows Agent to identify and store whether a device's IP address is static or dynamic during heartbeat/check-in

Bug Fixes

  • Improved CPU efficiency by optimizing certificate processing to reduce unnecessary background activity
  • Resolved an issue causing excessive RAM usage by optimizing thread management and error handling
  • Resolved an issue in the Tray component where notification hyperlinks were not displaying correctly
  • Resolved an issue where scheduled patch alerts were not triggering at the scheduled time
  • Fixed an issue where the VDI Agent was not receiving Restart Agent actions during Full Check-in
  • Reduced unnecessary DotNET Tamper Protection logging by excluding registry locations not used by .NET Framework 4.5.1 and above
  • Resolved an issue in which Detect policies monitoring registry key changes did not trigger alerts as expected
  • Resolved an issue in which the Configuration Manager policy for Schedule Secure Free Space Delete was not correctly creating the task in Task Scheduler
Was this article helpful?