Changelog

See the new features, improvements and bug fixes of UserLock.

October 29, 2025

New features

  • Custom credential provider for Windows Hello PIN, improving the MFA experience and security.

  • Custom credential provider for Pre-Logon Access Provider (PLAP), improving the MFA experience and security.

  • Windows Server 2025 RemoteApp connections now use the custom credential provider, improving the MFA experience and security.

  • Reporting management for logon denied events with User Account Control (UAC) session type.

  • Remote agent communication with UserLock over the Internet, without VPN or IIS server.

  • Certificate authentication for UserLock Anywhere.

  • Client certificate verification for UserLock SSO.

  • New interface with reorganized sections: Dashboard, Environment, Access Policies, Activity, Reporting, and Server settings.

  • Pages displaying all Active Directory entities (machines, users, groups, OUs) with AD attributes, navigation links, and statistics.

  • Dedicated dashboards for each entity (user, machine, group, OU) showing activity, applied policies, and filtered reports.

  • Dedicated pages and step-by-step wizard for each access policy type (MFA, time, machine restrictions, etc.).

  • Custom views system available on all pages (filters, columns, sorting) with save and share options.

  • Admin actions panel tracking ongoing and completed administrative operations in real time.

  • Reports for admin actions and configuration changes ensuring complete audit traceability.

  • Spanish and Japanese language interfaces added.

Improvements

  • Updated .NET from version 8.0.6 to version 8.0.22.

    (in version 13.0.0.119)

  • The custom credential provider now wraps around the Windows credential provider.

  • The mechanism of the "Close previous session" feature of the credential provider has been improved.

  • The mechanism of the "Logons without UserLock connection" feature of the credential provider has been improved.

  • Improved recovery codes and rate-limiting mechanisms.

  • Terminology and labels revised for better alignment with Active Directory and administrator workflows.

  • Clearer, task-oriented navigation structure.

  • Simplified access policy editor with inline explanations and easier policy management.

  • Redesigned reporting with new charts, instant display, and improved performance.

  • Enhanced report scheduler with direct-link delivery by email.

  • Server settings reorganized for faster access and clearer layout.

  • Unified interface and behavior across web and desktop consoles.

Changes

  • NIST servers are no longer used for time verification (only Google servers are now used).

    (in version 13.0.0.119)

  • The ADMX and ADM files have been modified to allow empty content for the "Public URL to the UserLock Anywhere HTTP Proxy" field.

    (in version 13.0.0.119)

  • MFA is no longer prompted before password changes.

Bugfixes

  • Fixed in version 13.0.0.129

  • A connection via RDP causes the "Warn end user in real time" feature popup to appear in the current session.

  • Time zone management is incorrect in the start date of tasks scheduled in a time zone subject to summer time.

  • In the details of an access policy entity (user, group, OU), vertical scrolling is blocked even if there is only one item (which does not require horizontal scrolling).

  • Opening the actions of a machine generates an error.

  • The "Radius wired" and "Radius generic" session types are displayed in GUI in "Machine restrictions", "Hour restrictions" and "Time quota".

  • In the web console, when an IIS session is administratively closed, the page does not update once the action is performed.

  • In "Environment", "Machines", the "Installed agents" indicator is not updated after deploying the desktop agent on a machine.

  • When you reset a session from the "Activity" view, the selected session disappears but the "1 item selected" indicator remains displayed.

  • In "Machine Restrictions", it is not possible to define multiple rules per IP address ranges or there is latency.

  • When LDAP search is used in a dialog box, scrolling via the mouse wheel does not work in the drop-down list of results.

  • On a UserLock server of the Standalone terminal server type, in the "Popup" section of "Alerts and notifications", it is not possible to configure a machine name.

  • It is not possible to configure a backup SSO service.

  • In "Environment", "Machines", "All machines" tab, the column names "Operating system" and "Operating system version" are not translated (always displayed in English).

  • With an Access database, for the "Session history" report, no results are listed when the "Group by" function is used.

  • In primary and backup UserLock 12.1 (or lower) installations, after upgrading the primary server to 12.2 (or higher) and before upgrading the backup server, MFA is automatically reset upon a login event.

  • The Token2 enrolment dialog box appears if the user selects "USB Token" and no USB key is inserted.

  • Problems with quick search in Active Directory pages.

  • Changing the password will not work if the "CheckUserLockFirst" feature is not enabled (bug introduced in UserLock 13.0.0.119).

  • Filter search is not working.

  • The configuration GUID changes every 2 hours.

  • When entering a recipient in the "To:" field for sending a scheduled report by email, this same entry is automatically transferred to the "Cc:", "Bcc:" and "Email subject" fields.

  • A scheduled report sends an email with an incorrect URL and data period.

  • Disabling a scheduled report in the web application does not disable it in the UserLock console.

  • The display of effective access policies does not correctly reflect the policy applied in the mode chosen for "Access policy conflicts resolution".

  • Resetting the MFA key via UserLockPowerShell, UserLockAPI or ULTERM with an invalid username generates an entry in "Administrators actions".

  • Some administrative actions remain in a pending state.

  • After upgrading from version V11 or V12 to version V13, when viewing the "Database" section of the settings, an exception may occur and prevent the modification of the settings.

  • When the primary service is stopped, the IIS Push MFA notification is never received.

  • Error 87 on the SNI list can occur on the UserLock console's SSO page in certain environments.

  • After creating a temporary access policy (without a pre-existing permanent policy) and defining restrictions of type "Multi-factor authentication", "Machine restrictions", "Hour restrictions" or "Time quota", modifying the period of the temporary access policy generates an error.

  • In the configuration wizard, SSO configuration form, clicking "Learn more" validates the SSO configuration.

  • Protected user accounts in the remote forest are deleted if no domain controller is available when the service starts.

  • If you install single sign-on (SSO) on a server whose display language is French, the setup wizard will not be able to detect or validate the SSL certificate selected for single sign-on.

  • From the console of a backup server, attempting to launch a machine action for a machine in the protected zone indicates that the machine is outside the protected zone.

  • The UserLock service may not stop properly when the server is shut down.

  • After scheduling the "MFA events" report and/or the "Denied logons" report, the 404 page is displayed if you try to view the report from the scheduled reports page.

  • Fixed in version 13.0.0.119

  • Problems encountered when launching an administrative shutdown of a machine from the "Machines" page of the "Environment" section.

  • An attempt to update the agent on a computer connected via VPN may fail with error 53 even though the target machine's FQDN is reachable.

  • If the MFA key reset via the backup UserLock server is performed while the primary UserLock server is down, an MFA request is made instead of an MFA enrollment when the primary server is operational again.

  • In the access policy wizard, the information about target containers does not allow them to be distinguished in tiered AD environments.

  • If you install version 13.0 of the desktop agent MSI and version 12.2 or earlier of the desktop agent MSI is already installed, you will see two desktop agent MSI installations.

  • The evaluation license may be marked as "expired" if it is installed in time zones with a negative time offset from UTC.

  • When UserLock is configured to use a local SQL Server Express database some logons may not be inserted in the database.

  • The "Simultaneous session history" report does not display a sub-table for a listed user with simultaneous sessions.

  • The legacy agent station technology is used when connecting with a local account on a Standalone UserLock server.

  • In a Japanese OS, the UserLock uninstallation dialog box displays incomprehensible characters.

  • Negative consumed time quotas may be displayed when carry-over is enabled, and resetting the time consumed to zero does not work.

  • There is no link for entity name in AD Environment pages (All machines, All users, Groups, OUs) to open detail view from the selected row.

  • Non-functional machine links in Admin Actions panel.

  • The "Country" column and associated filter are missing in Activity > Active Sessions page.

  • The "Reset the MFA config" action is disabled for non-audited users.

  • After restarting, a machine connected to AnyWhere cloud can apply "Logons without UserLock connection" (instead of using AnyWhere cloud).

  • A logon denied by Windows, received via UserLock Anywhere in delegation mode, generates an entry with an unnamed computer.

  • Each SSO logout results in an error.

  • The "Without agent" default view of the "Machines" page in the "Environment" section does not display agentless machines.

  • There is a memory leak when the UserLock service treats many logon commands.

  • Unexpected behavior of the desktop agent due to the absence of some string resources in Japanese, Portuguese, German, Dutch, Spanish, and Arabic.

  • SSO - Error during configuration in the UserLock configuration wizard.

  • MFA is required after an invalid password.

  • The desktop agent is uninstalled with the NetBIOS name instead of the FQDN.

  • Fixed in 13.0

  • The Wi-Fi session reset database records have "VPN" as the session type.

  • Timeout issues in the credential provider.

  • The behaviors for the "Ask for MFA" and "Force MFA" configurations of the "Logons without UserLock connection" feature are not correct in the credential provider.