Company logoHelp Center
Visit www.threatlocker.com

Windows Agent Version 11.x Release Notes

5 min. readlast update: 04.20.2026

11.0.5 | 11.0.6 | 11.0.7 | 11.0.8 | 11.0.9 | 11.0.10 | 11.0.11 | 11.0.12

Version 11.0.12

Beta: 04/20/2026 

New Features and Improvements

  • Updating of Secure Network Assets allowed if Secure Network Policies feature is enabled (no longer also requires Secure Network Access ZTNA).
  • Change to continue processing Secure Policies if a network action has been Ringfenced with the device or policy set to Monitor Only Mode.
  • The agent clears the HostToTempIp Cache on network adapter change as well as ipconfig /flushdns commands.

Bug Fixes

  • Fixes to Custom Firewall policy processing to correctly handle inbound and outbound network traffic as well as scoping policies to the correct device.

Version 11.0.11

Beta: 04/14/2026 

New Features and Improvements

  • Unified Audit logging added for target machines of Device to Device connections.
  • Heartbeat and timeouts added to connection between Broker and Service where Service is the target of a Device to Device connection. Allows for recovery of brokered data sessions after network outages and broken tunneled data connections.
  • DNSResponse Cache is cleared anytime an ipconfig /flushdns command is issued.

Version 11.0.10

Beta: 04/13/2026 

New Features and Improvements

  • Further improvements to DNS
  • Change in ordering of Secure Network assets updating
  • Changes to how service registers with Broker as a target in order to stop listeners that are removed from policies
  • Added a check to only register with Broker as a target if Network property of policy is "Brokered"

Version 11.0.9

Beta: 04/10/2026 

New Features and Improvements

  • Improvements to the DNS resolver
  • On error, restart the local loopback listener for Device-to-Device connections over ZTNA
  • Graceful cancellation of tunneled broker connections when data is no longer being set or received (Unobserved Task Exception)
  • Change to download device public keys hourly
  • Change to only register with the broker as a server agent if the policy has a brokered route
  • Change to clear positive cache on Secure Network Policy deploy
  • Deploying Secure Network Policies triggers a full update of all  'Secure' assets (policies, memberships, name infos, public keys, subnet mappings)

Version 11.0.8

Beta: 04/07/2026

Bug Fixes

  • Resolved issues with DNS over TCP

Version 11.0.7

Beta: 04/06/2026 

New Features and Improvements

  • Added support for a new "Effective Action" condition in Endpoint Detect policy creation
  • Added new DAC checks in the Windows Agent to verify RMM tools are set to 'Delayed Start' and to detect files installed by RMM tools
  • Added a new DAC check in Windows Agent to identify and report over-permissive file access exceptions
  • Added the ability for the agent to identify and store whether a device's IP address is static or dynamic during heartbeat/check-in
  • Added support for Ringfencing RDP Client connections to only trusted hosts
  • Implemented improved network connection handling in the Tray to automatically select the fastest available IP protocol (IPv4 or IPv6)
  • Improved CPU efficiency in Windows Agent by optimizing certificate processing to reduce unnecessary background activity
  • Updated the Windows Agent to ensure event log messages are now considered when generating alerts

Bug Fixes

  • Resolved an issue where FileInstall.db and FileInformation.db were not updating as expected
  • Resolved an issue  where the Domain Name Parsing option was not functioning as expected
  • Improved cleanup logic for the matched application table in Detect.db to remove outdated entries
  • Improved performance by reducing file database input/output operations through enhanced caching
  • Resolved an issue causing excessive RAM usage by optimizing thread management and error handling
  • Resolved an issue where tray pop-ups were incorrectly delivered to only the most recently logged-in user during remote sessions
  • Resolved an issue where AD group restrictions could fail after offline logins
  • Resolved an issue where the Tray notification incorrectly hyperlinked entire messages
  • Resolved an issue in which Detect policies monitoring registry key changes did not trigger alerts as expected

Version 11.0.6

Beta: 04/02/2026

New Features and Improvements

  • Added display of the Vendor name along with the Serial Number in the Serial Number field for Storage Devices
  • Unified Audit will show the Broker Server used by any SASE or Device-to-Device connections
  • Unified Audit will show Parent Process Name/Path for any Network operations
  • DNS resolutions will be made for DNS requests made over TCP in addition to UDP
  • Additional refinements made to DNS request resolutions made over Https (DoH)
  • Changed DAC test 169 RDP Client Ringfenced to use new Secure Network processor to evaluate test conditions
  • Changed resolver for DNS over UDP to only cache successful IPv4 results

Bug Fixes

  • Resolved issue with Secure Network assets (Policies, Memberships, Keys, Device Infos), they should be downloaded without needing an additional service restart after upgrading service to a version that uses Features instead of Products
  • Resolved issue with USB vendor name match in Storage Control

Version 11.0.5

Beta: 04/01/2026

New Features and Improvements

  • Added a new Agent Action to update the feature list
  • Added support for detecting and uploading memory dump files from C:\Windows\Minidump 
  • Added support for a new registration process with pending, approved, and rejected states to enhance device onboarding
  • Added support for an upcoming feature that will identify devices on the network that do not have ThreatLocker installed
  • Tamper Protection has been extended to include .config and .runTimeConfig.json files for Broker and Updater components
  • Updated the Windows Agent to ensure event log messages are now considered when generating alerts
  • The Windows Agent now supports a feature-based billing model
  • Added a check in the Windows Agent to identify and store whether a device's IP address is static or dynamic during heartbeat/check-in

Bug Fixes

  • Improved CPU efficiency by optimizing certificate processing to reduce unnecessary background activity
  • Resolved an issue causing excessive RAM usage by optimizing thread management and error handling
  • Resolved an issue in the Tray component where notification hyperlinks were not displaying correctly
  • Resolved an issue where scheduled patch alerts were not triggering at the scheduled time
  • Fixed an issue where the VDI Agent was not receiving Restart Agent actions during Full Check-in
  • Reduced unnecessary DotNET Tamper Protection logging by excluding registry locations not used by .NET Framework 4.5.1 and above
  • Resolved an issue in which Detect policies monitoring registry key changes did not trigger alerts as expected
  • Resolved an issue in which the Configuration Manager policy for Schedule Secure Free Space Delete was not correctly creating the task in Task Scheduler
Was this article helpful?