- Push notifications with UserLock Push mobile app.
- Ability to choose which MFA methods are allowed for users.
- New VPN Connect tool provides a better UI for VPN connections with MFA.
- All reports are now available in Web App with new statistics dashboards.
- UserLock now available in the MSP console.
- SSO compatibility with Athena Health.
- New tool SSO Assistant.
- Settings for recovery codes and alternative MFA methods are now accessible in the MFA settings page of the console.
- List of audited users accessible from the console.
- When configuring a second MFA method, the Cancel button no longer cancels the first method as well: the user can cancel only the enrollment of the second method and keep the first.
- SSO - Support for Google SSO profiles for groups and organizational units.
- SSO - Support for multiple Microsoft 365 domains.
- Recovery codes can now be displayed when enrolling via an IIS session.
- In some cases, the IIS agent does not consider a session open during the session timeout.
- Full synchronization sometimes fails because the transaction file is not cleaned correctly.
- SSO monitoring for the SAML certificate throws an exception in the desktop console.
- Failover to backup server is slow for MFA IIS and UserLock Anywhere.
- In some circumstances, a white screen appears when the UserLock Push application (iOS) receives a notification.
- Warning displayed on the UserLock web console for an Evaluation key license.
- After an IIS application pool recycle, new IIS sessions may be missing.
- The impersonation account is not initialized when the UserLock server starts up and a domain controller cannot be reached to validate its credentials.
- A permanent user protected account can interfere with other protected accounts of a user with a similar name.
- The UserLockInstaller sets invalid permissions for the IIS agent registry key.
- Memory leak in IIS HTTP Module agent.
- The "CustomUserAgentMfaWhitelist" advanced setting does not support spaces.
- All letters in the "CustomUserAgentMfaWhitelist" advanced setting are capitalized on save.
- Mobile browsers are not considered browsers by UserLock.
- The French message "Erreur lors de l'enregistrement de la clé" may appear on an English console if an error occurs while registering a license key.
- The MFA push mobile application does not always get login confirmation for IIS sessions.
- During enrollment, if the user cancels at each step, a popup is displayed at the end of enrollment.
- New web app.
- Management of logons without a network connection when the user has not yet logged on to the machine online (see "How to manage logons without network connection").
Fixed in 11.2.3 Post release
- In the desktop console, SAML certificate SSO monitoring may throw an exception.
- A permanent user protected account can interfere with protected accounts of a user with a similar name.
- The NPS agent can be blocked if the UserLock server has a problem.
- [SSO] "mS-DS-ConsistencyGuid" is not used even when set.
- After a restart of the UserLock service, MFA may not be requested.
- Full synchronization often fails because the transaction file is not properly cleaned.
- MFA can be bypassed while unlocking if a program is blocking Windows from restarting, for example Word with an unsaved change.
- When unlocking (or reconnecting), quickly opening the Security Options desktop and leaving it open for more than a minute allows entry without MFA.
- Failover to backup server is slow for MFA IIS and UserLock Anywhere.
Fixed in 11.2.3
- If the task manager is enabled and an unexpected exception occurs while logging on, unlocking, or reconnecting, the task manager is not enabled after this session event.
Fixed in 11.2.2 Post release
- A permanent user protected account with a period character at the end of the name can interfere with other protected accounts of a user whose name does not have this character.
Fixed in 11.2.2
- Black screen and blue screen issues at unlock.
- TimeSpan overflow exception while generating session history report.
- Error accessing the database with the read-only connection string when its authentication differs from the one configured for the primary connection string.
- Exception loading "Machines" view in UserLock web console.
- When unlocking and reconnecting, no restriction works except MFA.
- It is possible to bypass UserLock protection by setting a scheduled task to run at login.
- A "Circular Reference" error occurs in the "IIS History" report with an Access database.
- It is possible to bypass UserLock protection while logging in/unlocking/reconnecting through Windows 10 AutoRun.
- If the task manager is enabled and an unexpected exception occurs while logging on, unlocking, or reconnecting, the task manager is not enabled after this session event.
- The "protected users only" license mode leads to a black screen after enrollment.
- The desktop UserLock agent may not protect a computer that has at least one Citrix application installed that includes "wfapi.dll".
- The desktop UserLock agent may display a black screen on login if remote paths are included in the PATH environment variable of a user profile.
- Error handling no longer works during an administrative logout.
- An exception or crash may occur when loading the "ulsessions.cfg" file when starting the service.
- A dictionary key exception may occur when displaying protected accounts.
- Microsoft ARR proxy is not properly handled for IIS sessions.
- An NPS server with the NPS agent installed hangs if the user types a space before the username (e.g. "DOMAINNAME\ username").
- The unintelligible "bidon" message may appear when connecting, unlocking or reconnecting, especially if UserLock Anywhere is active.
- Administrative logoffs and locks do not work through UserLock Anywhere if the corresponding custom message spans multiple lines.
- It is possible to bypass the "Always deny connections" configuration of "Logons without network connection" if UserLock Anywhere is configured.
- If the "activity.log" file becomes larger than 100 MB, a new "activity.log" file is created but the UserLock service does not write to it until it is restarted.
Fixed in 11.2.1
- SSO - When the SSO service is not run under the Network Service identity, new SAML certificates are not used by the SSO service.
- Error event for SSO when synchronizing primary and backup UserLock servers even if single sign-on is not configured.
- The functionality to test the UserLock server time on the Internet leaks TCP connections.
- In an environment with one primary and one backup UserLock server, recovery codes are lost after two synchronizations occur.
Fixed in 11.2
- After a reboot of the RD Gateway server, terminal sessions may be displayed with a wrong client IP address.
- After multiple MFA cancellations while trying to unlock or reconnect, MFA may not be requested.
- Geolocation restrictions block users even when their geolocation is allowed.
- The IIS MFA web application sends the wrong IP address to UserLock when the IP address is local.
- Misspelling in the "Time quotas" section of the properties of protected accounts.
- When MFA IIS redirects to a URL containing a non-ASCII character, the character is not properly URL-encoded.
- When generating the "Working hours by week" report for the current week, full days are displayed for the coming days.
- The console freezes when applying a new database connection string.
- When any property of a protected account is changed, a change to the e-mail or pop-up notification settings is notified, even if those settings were not modified.
- In French version, the 'Parameters' tab in the SSO section is not translated.
- Incompatibility with the latest firmware version of Token2.
- New SaaS applications for SSO.
- UserLock SSO now allows you to configure a custom SaaS application using the SAML protocol with a dedicated configuration file.
- SSO Certificate Rollover.
- SSO Disaster Recovery.
- Diagnostic MFA IIS Test.
- Retrieve the real IP address of a client who accessed via RD Gateway.
- The diagnostic tool (F12) now automatically creates the "LicUsrs.csv" file, which lists currently licensed users and the date from when they are considered an "active user".
- An error occurs in working hours reports if user account data has different case.
- When several UserLock servers are listed in the console and the current view is the "Server properties" view of the second (or third or other) server in the list, then F7 displays the advanced settings of the first server in the list.
- The Skip button does not appear on the SSO MFA enrollment page.
- Logons denied by Active Directory that are not notified to UserLock in real time are not transmitted asynchronously to UserLock afterwards.
- When the UserLock service deploys the desktop agent, it renames the target file "UlAgentExe.exe" to "ULAgentExe.exe".
- If the UlAgentService service is not running, the user process waits 1 minute for no reason when logging on, unlocking or reconnecting (2 minutes if MFA is configured for logons without network connection).
- SSO does not work when IPv6 is configured.
- SSO - The SAML certificate rollover does a "renewal loop" if configured for 1 month.
- Errors about DEPLOYER commands are displayed in the diagnostic tool on UserLock servers of type backup.
- After you validate IIS MFA from one IP address, MFA is no longer requested from other IP addresses.
- MFA recovery codes cannot be deactivated through the UserLock console.
- If UserLock server has no access to internet, invalid TOTP codes cause the agent to freeze for some time.
- Improved: NTP calls have changed from synchronous to asynchronous.
Added in 11.0.1 Post release
- The "Only one active session" feature can now close the extra sessions instead of locking them. This is activated by configuring the new advanced setting "OnlyOneActiveSessionLogoffIOLock".
Added in 11.0.1
- Disconnect and lock user sessions over the Internet. This new feature is based on UserLock Anywhere (a web application for UserLock's agent/service communication) and is activated by configuring the new advanced setting "SessionsWithoutNetworkLogoffAgentInternet". This allows logon hours or time quotas to be enforced even if a computer is not connected to the corporate network.
- The ability to configure the wait time of the user process during logon via the WinLogon registry value "UserLockLogonTimeout" (number of seconds, 60 by default).
- UserInit registry values are now checked every minute.
Added in 11.0
- UserLock SSO and MFA for Microsoft 365 and Cloud Applications.
- Access Management for Microsoft 365 and Cloud Applications.
- MFA for Microsoft IIS applications.
- MFA recovery codes.
- Enforce MFA for logins from any machine without a network connection.
- The "Force MFA" option has been added to the "Logons without network connections" parameter: if this option is chosen, logons without a network connection are refused for users who have not previously connected with MFA over a network connection on the affected machine.
- Alternative methods for MFA.
- HOTP for machines without network connection (YubiKey, Token2 ALU).
- MFA now supports Token2 ALU (HOTP).
- Using VPN with RADIUS Challenge for MFA.
- UserLock Anywhere: a new on-premises web application for UserLock's agent/service communication. It allows the Desktop Agent to communicate with the server over the Internet via an IIS application, so that UserLock restrictions continue to be enforced if the remote VPN connection fails.
- The "Event timeline" report has been created.
- The advanced setting "IpConsideredInside" has been created to list the IP addresses to be considered as inside the network (considered as private addresses). IPv4 ranges in 'ip/bits' format such as '192.168.1.0/24' are supported. This setting has a higher priority than the 'IpConsideredOutside' setting.
- The "AdminActions" and "AdminActionResults" tables have been added to the UserLock database.
- Portuguese translations for messages displayed to end users on Portuguese operating systems.
Improved in 11.0 Post release
- During unlocks and reconnects without network connection, if unlocks and reconnects are protected and "Ask for MFA" or "Force MFA" is configured, then the desktop is disabled immediately.
- Improvement of the tooltip texts for "Logons without network connection".
Improved in 11.0
- Do not try to contact a server named "userlock" if a server address is deployed (in WinLogon or GPO).
Fixed in 11.0.1 Post release
- A semicolon in the "Description" field of a machine account in Active Directory generates an exception in the "Agent Distribution" view.
- When Webex is installed, the MFA dialog is not visible during an unlock and the session is locked after 5 minutes.
- MFA enrollment is requested again if the primary UserLock server is unreachable.
- The SSO administration console crashes if a plug-in is missing for a configured profile.
- When reconnecting a session via RDP, there may be up to two minutes of black screen before the desktop is displayed.
- The buffer used to construct the request may be too small if the workstation has a lot of IP addresses.
- Cannot send a popup with Japanese characters.
- When the advanced setting "DeployFQDN" is set to True and the backup server is migrated, the FQDN of the old backup server is deployed until the primary UserLock service is restarted.
- When the advanced setting "DeployFQDN" is set to True, the NetBIOS name of the backup server is registered on client computers instead of the FQDN.
- If "Logons without network connection" is set to "Force MFA", in a specific case the displayed error message is blank.
- When more than one time quota is defined and "Carry over unused time count" is enabled, at the start of the next time quota period, only one unused time is carried over.
- Desktop agent depends on VC 2008 runtime.
- The "Group by" filter does not work when the "Event timeline" report is scheduled.
- When you connect through an RDS gateway and "Allow connections when Geolocation cannot be determined" is configured, the connection is refused.
- The UserLock service may terminate unexpectedly when connecting to Outlook Web Access.
- If UserLock protects multiple domains, the UserLock GUI does not display "Ask for help" requests from user accounts that are members of domains other than the domain of the UserLock server.
- Form-based authentication does not work with the UserLock HTTP module agent.
- The text displayed when the MFA fallback feature is disabled indicates that the configuration of a second method is required.
- Error generating a session history report after importing database data from an old version to the new one.
- The IIS MFA return URL is relative rather than absolute.
- When UserLock Anywhere is enabled, MFA is not required for unlocks (and reconnections) without a corporate network connection and without an Internet connection.
- The web interface may try to display a message box when it cannot query the database.
- Recovery codes are not displayed for users who register for MFA through the IIS MFA registration page.
- IIS sessions are not notified to UserLock if some fields are too large.
- Limiting the number of concurrent Wi-Fi / VPN sessions to 0 does not prevent the VPN connection.
- In a graphical console (French language version), within the protected account properties, the name of the "Display the welcome message" and "Warn users in real time of all connection events involving their credentials" settings are incorrect.
- Some agent settings are deployed for agents other than the desktop agent.
- An unexpected exception occurs on the backup server while synchronizing with the primary server.
- If "Force MFA", "Ask for MFA" or "Always deny connections" is enabled and UserLock Anywhere is configured, logons with local accounts are denied when UserLock is available.
- The MFA is bypassed if ‘Cancel’ is chosen when configuring the second MFA method.
- If a session is reset and the actual logoff occurs afterwards, the consumed time counts become incorrect.
- In the case where the Desktop Agent and another program registered in the UserInit registry value are installed; if then that program is uninstalled, and the Desktop Agent is then also uninstalled, users without administrative rights on this computer cannot log on.
- Error 8519 may be logged while updating members of universal groups.
- If the task manager is enabled but an unexpected exception occurs while logging on, unlocking, or reconnecting, the task manager is not enabled after this session event.
- The SSO service may fail to start if the UserLock service is unavailable during the startup.
- An "Invalid account" error may be displayed when attempting to login through UserLock Anywhere.
- IIS MFA does not fall back to the backup server when the primary server is unreachable.
- The YubiKey configuration dialog does not display key information correctly.
Fixed in 11.0.1
- Form-based authentication does not work with the UserLock HTTP module agent.
- The text displayed when the MFA fallback feature is disabled indicates that the configuration of a second method is required.
- The installation may be blocked if the Visual C++ 2010 Redistributable is not found.
Fixed in 11.0
- Token2 configuration has been changed to continue to allow FIDO2 with HOTP.
- When MFA is configured at every logon, a connection to a workstation suppresses the MFA prompt for the next connection to a server and vice versa.
- In the configuration of protected accounts, the "Geolocation Restrictions" section is located between the "Hour restrictions" and "Time quotas" sections instead of being after "Time quotas".
- In some cases, MFA is not requested when unlocking or reconnecting.
- The MFA skip end date is not synchronized between Primary and Backup UserLock servers.
- The IpConsideredOutside advanced setting is reset after restarting the UserLock service.
- The "Wake up computers when needed" server property is not synchronized between the primary server and the backup server.
- Offline MFA for users not connected to the network. This new "Connections from offline machines" setting is available in the "General" section of the "Server Properties". You can choose "Always allow connections", "Ask for MFA" or "Always deny connections". This replaces the advanced setting "DenyInteractiveConnectionsIfUserLockInaccessible".
- MFA now supports VPN sessions on an RRAS server authenticated by an NPS server (version 10.2 or higher of the NPS UserLock agent is required).
- The advanced setting "IpConsideredOutside" has been created to list the IP addresses to be considered as outside the network (considered as proxy addresses). This can be useful for requesting the MFA for RDP sessions through a gateway, in which case you will need to add the gateway's IP address to this list.
- The computer command "Remote Assistance" has been added in the 'Quick access panel' of the Agent Distribution view. To be able to use it, the "Remote Assistance" feature must be activated on the computer on which the console is installed (by default, this feature is activated on workstations and deactivated on servers) and "Offer remote Assistance" must be configured in domain policy and allowed in firewalls.
- The "UserLockSendGateway" registry setting has been added to the Desktop Agent. If enabled, the address of the RDP gateway is considered instead of the address of the client.
- The settings in the "General" section of the "Agent distribution" properties are now also available in the "Agent distribution" section of the "Server properties".
- The settings in the "Agent configuration" section of the "Agent distribution" properties are now also available in the "Advanced" section of the "Server properties" ("Consider screen saver time as locked time" is also in the "General" section of "Server properties").
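The two advanced settings "IpConsideredInside" (listed under 11.0 above: 'ip/bits' ranges, higher priority than "IpConsideredOutside") and "IpConsideredOutside" (listed here, used for example to add an RDP gateway's address so that MFA is requested for sessions through it) together decide whether a client address counts as inside or outside the network. The classifier below is an added illustration of that precedence and is not UserLock's own code. It assumes a semicolon- or comma-separated list format and, for addresses matching neither list, that private (RFC 1918, loopback, link-local) addresses are inside and everything else is outside; both the separator and that default rule are assumptions, not documented behaviour.

```python
"""Illustrative inside/outside classifier for the IpConsideredInside /
IpConsideredOutside precedence. Added example, not UserLock's code.
Assumptions: list items are separated by ';' or ',', bare hosts mean /32,
and an address matching neither list is 'inside' only if it is private."""
from ipaddress import ip_address, ip_network


def _parse_list(raw):
    """Parse 'a.b.c.d; e.f.g.0/24' into a list of networks (hosts become /32)."""
    nets = []
    for item in raw.replace(",", ";").split(";"):
        item = item.strip()
        if item:
            nets.append(ip_network(item, strict=False))
    return nets


def classify(client_ip, inside_raw="", outside_raw=""):
    """Return 'inside' or 'outside' for client_ip.

    IpConsideredInside is checked first because the page states it has the
    higher priority; IpConsideredOutside is checked next; the private-address
    fallback is an assumption."""
    addr = ip_address(client_ip)
    if any(addr in net for net in _parse_list(inside_raw)):
        return "inside"
    if any(addr in net for net in _parse_list(outside_raw)):
        return "outside"
    return "inside" if addr.is_private else "outside"  # assumed default rule


def mfa_required_for_rdp(client_ip, policy, inside_raw="", outside_raw=""):
    """Mirror the 'MFA for all RDP connections or only those from outside'
    choice: policy is 'all' or 'outside'."""
    if policy == "all":
        return True
    return classify(client_ip, inside_raw, outside_raw) == "outside"


if __name__ == "__main__":
    # Constructed sample: a gateway at 192.168.100.5 listed as outside so
    # that RDP sessions arriving through it are prompted for MFA.
    gateway = "192.168.100.5"
    print(classify(gateway, outside_raw=gateway))            # outside
    # The same address is inside again if a broader IpConsideredInside
    # range covers it, because the inside list wins.
    print(classify(gateway, "192.168.0.0/16", gateway))      # inside
    print(mfa_required_for_rdp("8.8.8.8", "outside"))        # True
```

The second call in the usage section is the practical caveat: a wide "IpConsideredInside" range (such as a whole /16) silently neutralises a gateway address placed in "IpConsideredOutside", so the inside list should be kept as narrow as the MFA policy needs.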
Fixed in 10.2.1
- The program used for administrative session logoff hangs when Citrix sessions are logged off.
- Some messages are in English when UserLock is installed in French on an English Windows server.
- An error occurs in the "Protected accounts" view if there is at least one temporary protected account and a click is made on the filter icon in the "Account status" column.
- The MFA dashboard does not work with an OLEDB read-only connection string of the default database.
- Geolocation restrictions.
- MFA for YubiKey (HOTP programmable token).
- Ability to apply MFA For all RDP connections or only those originating from outside of the network.
- UserLock restrictions (including MFA) now also apply to interactive unlocking or reconnection events. If you prefer not to protect these events, configure the new advanced setting "ApplyRestrictionsOnUnlock" to False.
- Native TLS 1.2 support for the UserLock database (insertion, reports) and e-mails (the SMTP server must support TLS 1.2).
- The advanced setting "DenyInteractiveConnectionsIfUserLockInaccessible" has been created. If this option is activated and an interactive logon, unlocking or reconnection event is attempted on a computer on which the Desktop UserLock agent is installed, the connection will be refused.
- Forms authentication is now managed for IIS sessions (new option available in the HTTP module, disabled by default).
- MFA cache now uses the client IP address instead of the target name. This concerns the two following MFA modes only: "Every X days" and "After X days...". This is more secure and more intuitive for administrators with many remote desktop sessions (prompted once if they initiate their sessions from the same workstation).
- MFA data is now kept if the UserLock service restarts.
- "VPN" and "Wi-Fi" have been separated in the "User sessions" view and in the "Session history" and "Wi-Fi / VPN history" reports.
- The "DisableGhostSessionCheckingOnAgent" agent configuration setting is not available in "UserLock.adm".
- For interactive connections only: when UserLock is inaccessible, an incorrect event type is written to "UlAgent.log" and then transmitted to the UserLock server, causing confusion in reports.
- Interactive logons denied by Active Directory for local user accounts are sent to the UserLock server, which rejects them, and then written to "ULAgent.log".
- Session events with local accounts are not treated live by UserLock.
- The edit box where to enter the MFA code is not displayed correctly in dialog boxes (QR code, YubiKey, MFA code) on computers where the size of text, apps and other items is not configured to 100% (which is generally the case by default on laptops).
- When activating MFA for a protected account for every logon, MFA is not always requested.
- The Active Directory "Description" field of the client computer accounts of the UserLock sessions is not correctly registered in the configuration files.
- When the lock is deactivated and the screen saver is password protected, exiting the screen saver does not ask for a password, which makes the "Consider screen saver time as locked time" setting unreliable.
- Wi-Fi sessions may not be displayed correctly in the "View by machines" mode of the "User sessions" view.
- If MFA is enabled for at least one group and disabled for at least one other group, the effective value of MFA for a user who is a member of these groups is not correct.
- If a VPN session is reconnected quickly after being disconnected, this session no longer appears in the "User sessions" view.
- When a restriction applies after MFA configuration, no error message is displayed.
- Multi-factor authentication.
- The server properties view is now accessible in the UserLock server tree.
- Texts displayed after agent installations and uninstallations via the console have been improved.
- For errors with the 1000 EventID containing more than 100 characters, the last 100 characters are displayed instead of the first 100 characters.
- The NPS UserLock agent log file reports incorrect errors after the NPS server has restarted, no sessions were in progress before this restart, and a new logon occurs.
- The "Windows Version" field displayed in the diagnostic tool is not reliable for Windows Server 2012 R2, Windows 8.1 and later operating systems.
- If group restrictions are configured as "Unlimited", UserLock still calculates the number of sessions in the group.
- In the "Working hours by week" report, the week selector does not select the first week of the year.
- Misleading title when entering the UserLock service impersonation account in the configuration wizard.
- An exception occurs when you install the Web console on a site where there is only one https binding defined.
- Some fields are bold in advanced settings even if they have the default value.
- In report configuration, an empty SQL server name in the database settings causes an exception.
- In case MySQL ODBC drivers are not installed, it is possible to choose MySQL.
- VPN sessions linked to the NPS agent have an incorrect client name when that name contains the "-" character.
- If, for a Wi-Fi disconnection, the database field "Param5" (session time) is very large, then the generation of "Wi-Fi / VPN" reports fails and displays an error for an Access or MySQL database.
- In the Wi-Fi / VPN history report, the Client address and Client name columns have incorrect names in English.
- A warning is constantly inserted in the logs if Windows XP, Windows Server 2003 R2, or Windows Server 2003 computers are in the protected zone.
- The "Web admin configuration" tool does not automatically install the dependent features.
- The "Web admin configuration" tool does not automatically install the required "Static Content" feature.
- When updating the list of computers in the UserLock protected network zone, if the new list is empty, an incorrect message is written to the logs.
- When updating the list of computers in the UserLock protected network zone, if the new list contains far fewer computers, no error is written to the logs.
- When computers are no longer in the network zone, they can reappear if they are in the check queue.
- New report "Unauthorized working hours".
- In both UserLock consoles, the "How To Fix" column has been added to the agent distribution data grid. This field contains "HTF00X" in the case of a referenced error, otherwise it is empty.
- In UserLockAPI, the "HowToFix" property has been added to the "MachineStatus" class. This field contains "HTF00X" in the case of a referenced error, otherwise it is empty.
- Added a progress bar for generating Working Hours reports and the Concurrent session history report.
- For the "Working hours history" report, added an option "None" to the filter "Group by".
Fixed in 9.8.2
- The UlTerm tool automatically disconnects if no command requiring UserLock permissions has been executed and no command has been sent within 30 seconds since the last command execution.
- All tools using UlProto (UlTerm, CheckBeforeUninstall...) do not work in Windows 10 Build 1803 and higher, or in Windows Server 2019 and higher.
- With some Wi-Fi access points, in RADIUS Accounting events, the Calling-Station-Id RADIUS field contains the value of the Framed-Ip-Address field, which is incorrect, and the NPS UserLock agent does not correct this.
- The client IP address of a VPN session can be displayed as a MAC address.
- Wi-Fi sessions are reset prematurely with certain Wi-Fi access points and controllers.
- Session history and User status history cannot be displayed in the web console for a user in a different domain than the UserLock server.
- For logons denied by UserLock or Active Directory, invalid values can be written to the EventType field of the UserLogonEvents table in the database.
- The reports displayed in the "User Sessions" view do not use the read-only connection string if the server uses the default database.
- If, for a Wi-Fi disconnection, the database field "Param5" (session time) is very large, then the generation of "Wi-Fi / VPN" reports fails and displays an error for an SQL database.
- Wi-Fi session events may be missing if Accounting session ID is as follows "5c3fba6d/28:3a:4d:26:40:df/3248".
- In the "Agent Distribution" view, for Windows computers, an SSH error for Mac is displayed instead of the HTF003 error.
- When a machine outside the network zone contacts the UserLock server, the names of the primary and backup UserLock servers are automatically deployed.
- If a computer outside the UserLock protected zone contains a Desktop Agent and sends a session event to the UserLock server, the session is saved under User sessions and the computer is added in Agent Distribution until the next update of the Agent Distribution.
- A UserLock server that is no longer active is considered as conflicting.
- After a zone conflict, the warning does not disappear once the correct UserLock server name has been deployed.
- An error message is displayed when you click on the filter button in the "Account" column in the "Protected accounts" view.
- If the NPS or RRAS agent is deployed on Windows Server 2008 64-bit or Windows Server 2003 64-bit, the agent registry key permissions are not set as expected, which prevents the agent from running and displays its status as "Not installed".
- Text displayed after the NPS agent is deployed through the console lacks information.
- If you configure either a 'Maximum session length' or a 'Maximum locked time', you will see the wrong restriction in the 'Effective restrictions' view.
- During the daily username update, a correct display name is replaced by the SAM account name if an error occurs while retrieving display names.
- In the "Wi-Fi / VPN history" report, the "User account" checkbox is checked by default.
- The "Concurrent session history" report does not work when the chosen session type is only "Wi-Fi / VPN".
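Two of the Wi-Fi fixes above are about RADIUS accounting data that arrives in an unexpected shape: some access points put the Framed-IP-Address value into Calling-Station-Id (where the NPS UserLock agent expects the client MAC), and session events can be lost when Acct-Session-Id has the composite form "5c3fba6d/28:3a:4d:26:40:df/3248". The normalizer below is an added illustration of how such events can be parsed defensively, for example in a log-analysis script; it is not the NPS agent's code. The attribute names are the standard RADIUS ones, the event dictionaries are constructed sample data, and the rule of recovering the MAC from Acct-Session-Id when Calling-Station-Id holds an IP address is this example's own choice.

```python
"""Illustrative normalizer for RADIUS accounting attributes. Added example,
not the NPS UserLock agent's code. Handles the two shapes named in the fixes
above: Calling-Station-Id carrying an IP address instead of a MAC, and a
composite Acct-Session-Id such as '5c3fba6d/28:3a:4d:26:40:df/3248'."""
import re
from ipaddress import ip_address


def normalize_mac(value):
    """Return 'aa:bb:cc:dd:ee:ff' for any common MAC spelling
    (aa-bb-cc-dd-ee-ff, AA:BB:..., aabb.ccdd.eeff, aabbccddeeff), else None."""
    if value is None:
        return None
    hexdigits = re.sub(r"[:.\-\s]", "", value.strip()).lower()
    if re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return None


def looks_like_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ip_address(value.strip())
        return True
    except (ValueError, AttributeError):
        return False


def mac_from_session_id(session_id):
    """Extract the MAC embedded in a composite Acct-Session-Id
    ('<hex>/<mac>/<n>' form quoted in the fix above), or None."""
    for part in (session_id or "").split("/"):
        mac = normalize_mac(part)
        if mac:
            return mac
    return None


def normalize_accounting(event):
    """Return (client_mac, client_ip) for one accounting event dict.

    If Calling-Station-Id holds an IP address (the access-point bug described
    above), keep that address as the client IP and recover the MAC from
    Acct-Session-Id instead. Either element may be None if nothing fits."""
    calling = event.get("Calling-Station-Id")
    framed = event.get("Framed-IP-Address")
    mac = normalize_mac(calling)
    client_ip = framed.strip() if isinstance(framed, str) else None
    if mac is None and looks_like_ip(calling):
        client_ip = client_ip or calling.strip()
        mac = mac_from_session_id(event.get("Acct-Session-Id"))
    return mac, client_ip


if __name__ == "__main__":
    # Constructed sample events, not captured data.
    buggy_ap = {"User-Name": "CORP\\jdoe",
                "Calling-Station-Id": "10.0.0.7",        # IP where MAC belongs
                "Framed-IP-Address": "10.0.0.7",
                "Acct-Session-Id": "5c3fba6d/28:3a:4d:26:40:df/3248"}
    normal_ap = {"User-Name": "CORP\\jdoe",
                 "Calling-Station-Id": "28-3A-4D-26-40-DF",
                 "Framed-IP-Address": "10.0.0.7",
                 "Acct-Session-Id": "5c3fba6e"}
    print(normalize_accounting(buggy_ap))   # ('28:3a:4d:26:40:df', '10.0.0.7')
    print(normalize_accounting(normal_ap))  # ('28:3a:4d:26:40:df', '10.0.0.7')
```

Both constructed events normalize to the same (MAC, IP) pair, which is what a session tracker needs in order to match the Stop record to the Start record regardless of which access point produced it.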
Fixed in 9.8.1
- In some cases, scheduled reports fail if the "Run with highest privileges" option is not enabled.
- If an exception occurs while logging off a session remotely from the UserLock dialog box, the exception is displayed to the end user even if the "Do not display errors to the user" setting is enabled.
- UserLockPowerShell read-only cmdlets are denied for connections with read-only permissions.
- Error information regarding the Mac Agent installation is not correct when the machine cannot be contacted.
- Regional settings are not applied in the "User Sessions" and "Agent Distribution" views of the Desktop Console.
- The Vista Desktop Agent does not correctly manage registered programs containing arguments or whose name contains quotation marks.
- The "DcToContactForServerMember" advanced server setting is not retained after restarting the UserLock service.
- When "Show Auto Filter Row" is enabled in the "Agent Distribution" view of the Desktop Console, an exception is displayed.
- The "Invalid user" filter is offered in the "All denied logon" report.
- Non-standard words in the notification when a user status has changed to "High risk", due to a logon denied by Active Directory or UserLock.
- In the "Reason(s)" filter of the "User status history" report, "Microsoft" is displayed instead of "Active Directory".
- The "Working hours history" and "Unauthorized working hours" reports indicate an invalid end date.
- Unable to install Mac Agent with UserLock consoles, UserLockPowerShell, or UserLockAPI.
Fixed in 9.8
- If Automatic mode is turned off and the option to exclude servers from the deployment scope is unchecked, turning Automatic mode back on while keeping this option disabled automatically enables it.
- Wrong "How to fix" article displayed if the service impersonation account is a local account.
- Emails sent with Implicit SSL in scheduled tasks are not encoded in UTF8.
- The SMTP settings of the UserLock service do not support Implicit SSL.
- The UserLock service does not start if an exception occurs while loading the transaction file.
- An exception occurs when launching Working Hours reports on an SQL server database via ODBC.
- It is possible to launch all Working Hours reports without specifying a session type.
- The Working Hours by week and by month report configuration section allows users to hide combo boxes.
- The transaction log is not closed until the UserLock service is marked as stopped.
- An exception during service initialization does not appear in the "ServiceLog.txt" file.
- Some UserLock service logs are not written to the "ServiceLog.txt" file.
- In workstation restrictions, if IP From is greater than IP To, a connection with the From or To IP address will not be taken into account for the restriction.
- Logs for closing, locking, and popup administrative actions do not include the user name of the target session, and are not written to the service log file.
- Incorrect display of effective restrictions if the display name of the related protected accounts contains "A%252C".
- New "Working hours" reports: "Working hours history", "Working hours by Week" and "Working hours by Month".
- Allow the UserLock service to use up to 4GB of memory on x64 and 3GB on x86 (instead of 2GB previously).
Added in Post Release version:
- New advanced setting "DisableGhostSessionCheckingOnAgent". The default value is False. If set to True, this disables the automatic ghost session reset performed by the Desktop Agent and the UserLock service. It can be useful in some installations where Citrix agents are installed that can interfere with Windows APIs.
- Performance of the UserLock service.
- For the NPS Agent, added two options to auto reset the previous session, if a new session has the same data (user name, device, Wi-Fi Access Point).
- Added a new test that refreshes the status of a machine 7 days after its last status update.
- Added the 903 event ID for sessions reset when a computer is no longer in the network zone protected by UserLock (the associated Active Directory account may have been deleted or the UserLock protected network zone may have been modified).
Fixed in Post Release
- In the "User sessions" view of Desktop and Web consoles, the "Only sessions on unavailable computers" predefined filter does not work.
- The report "Session count evolution" shows only the first two dates on the X axis.
- In the web console, if you click on the link of the filters displayed in the dashboard, the result is not filtered.
- In the "Working hours history" report, the filters show "AM" and "PM".
- Running Working Hours reports with dates outside the range of dates present in the database displays an error.
- The English version of the report "Working hours by month" shows some table captions in French.
- The exception "The columns don't currently have unique values." may occur when generating the 3 reports "Working hours".
- The Working Hours By Week and By Month reports do not maintain the column chooser configuration.
- The message displayed after installing the NPS or RRAS Agent does not prompt to stop, then start the NPS and RRAS services.
- For a computer that is no longer in Active Directory but listed in the MACHINES view of the Web console, a 500 error is displayed when you click the name of the computer.
- Time zone shift is not recorded for session events written in offline logs.
- Cyrillic characters are not handled in e-mail notifications.
- Shutdown and Restart operations are now available for Mac computers.
- Fully compatible with Windows Server 2016.
- Session events can be notified to a webhook. By configuring the Webhook URL in UserLock (HTTPS and HTTP are supported), JSON notifications containing session events will be notified to this webhook.
Added in 9.6.2:
- The UserLock Desktop Agent is compatible with Windows 10 Build 1803.
- Notifications (e-mail and popup) to inform the UserLock administrator that the number of concurrent sessions is close to the maximum allowed by the UserLock license (customizable percentage via advanced setting PercentageLicenceNotifications (F7)).
- Added the "DcToContactForServerMember" advanced setting specifying the DC name to contact first.
- Send Webhook notifications from the UserLock backup server only if the primary server is unavailable.
- The "Agent Distribution" data is now updated by a multi-threaded mechanism. In environments with many protected computers, the data is updated much faster.
- New "AddUserDataInUserSessionsIfEffRestReq" advanced setting to automatically add user account data in the "User sessions" view if effective restrictions are explicitly asked for that user (through UserLockPowerShell or UserLockAPI).
Improved in 9.6.2:
- After the evaluation expires, there is no pop-up window anymore for each logon.
Improved in post release:
- In agents, increase the ping timeout and add a double ping.
Note: This improvement created the temporary bug "The GINA Desktop agent (used for Windows XP and Server 2003) no longer works." (from 18.104.22.168 to 22.214.171.124, from 126.96.36.199 to 188.8.131.52, from 184.108.40.206 to 220.127.116.11).
Fixed in Post Release
- Possible crash of the UserLock service when an asynchronous action is requested whilst another one has just ended.
- There is a memory leak in the UserLock service whenever the Agent Distribution view is displayed.
- Logon events are processed very slowly.
- Administrative actions initiated by the UserLock service do not work on XP and Server 2003 target operating systems.
- The GINA UserLock Desktop agent (used for Windows XP and Server 2003) no longer works.
Fixed in 9.6.2
- Since Windows 10 has been updated to Build 1803, users cannot log on to the computers on which the UserLock Desktop Agent is installed.
- The calculation of the effective restriction of the "Allow only one unlocked interactive session" feature is not logical.
- Resetting multiple sessions is handled by one thread instead of several.
- When the audit is in Debug mode, the message 'Conflicting UserLock installation data has just been reset.' is written to the event log each time UserLock re-checks the list of protected machines, even if no conflict has been detected.
- In the web console, when viewing a specific user's graph, the number of sessions for a specific day is not correct if a session ends after midnight that day.
- No e-mail is sent if the current number of concurrent sessions is close to the maximum.
Note that these emails will only be sent if the following UserLock settings are configured:
- E-mail settings for event notifications: see https://www.isdecisions.com/products/userlock/help/console/server_administration/server_properties/e-mail-settings.htm.
- UserLock modification notifications: see https://www.isdecisions.com/products/userlock/help/console/server_administration/server_properties/permissions.htm.
- Initial access points are not correctly counted for Macs.
- The default permissions granted when adding an account in the Security section include write permissions.
- The client address displayed for interactive logons denied by Active Directory is 127.0.0.1.
- In rare cases, a logon is denied to a user even if no existing session is displayed in the notification.
- Canceling the printing of the "agent distribution" view generates an error.
- Updating the UserLock server version generates an admin action event with incorrect content and sends an incorrect alert.
- The database connection string in the Console displays the SQL password in clear when set with SQL authentication.
- The "not counted computers" registry setting is not integrated into the configuration file.
- In the Debug audit mode, there is no audit trace of deactivation and activation of the task manager in the Agent Desktop audit file.
Included in the 18.104.22.168 MSI package of the UserLock Desktop Agent.
- The OWA 2010 logout is not submitted to UserLock with the HTTP module.
- In Logoff notifications, the Action field is "Not available".
Fixed in 9.6.1
- Manual installation of the Mac UserLock Agent results in permission changes.
- Not all message variables are resolved in some notifications.
- In the Advanced Settings dialog box, there is no description for some properties.
- The automatic mode configuration is not retained after an upgrade if the console is open during the upgrade.
- Logons denied by UserLock directly notified to the backup server (when the primary server is unavailable) are not properly inserted into the primary server database (when it is available again and after synchronization).
- In some cases, popup notifications do not work on Vista / Server 2008 and later OS.
- It is not possible to ignore IIS sessions generated by Exchange healthmailbox accounts when there are several Exchange servers in the domain.
- In the server properties, it is possible to set the service impersonation account with an account that is not allowed to log on as a service, without an error being displayed.
- It is possible to set the service impersonation account with an account that is denied and allowed (and therefore denied) to log on as a service without an error being displayed.
- In the Configuration Wizard, setting the service impersonation account with an account that is not allowed to log on as a service displays an inappropriate error.
- Opening and closing server properties (without modification) generates incorrect e-mail notifications.
- The console freezes when a change to a server property other than the database settings is applied and the database is unavailable.
- Verifying the existence of the UserStatus table generates a request to create this table.
Fixed in 9.6
- Enabling the DeployFQDN advanced setting makes the detection of a conflicting installation of UserLock unsuccessful.
- Manually deploying the FQDN of the right UserLock server on a workstation generates the conflicting installation message.
- Once a conflicting installation is detected, the warning is displayed until the service is restarted.
- In the Webhook notifications configuration, changes to the HTTP and HTTPS combo box values do not allow you to apply changes, and the Webhook notification settings are not disabled on the backup server.
- Error renaming a scheduled task.
- The UserLock scheduler does not work well on Windows Server 2016 and Windows 10 when the default domain administrator account is not used.
- In the UserLock Scheduler, the last run time information is not correctly updated.
- It is not possible to turn on the automatic distribution mode of the agent if the base account of the UserLock service is set to LocalSystem.
- Automatic upgrade of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
- Added the "Description" field of computer accounts from Active Directory to UserLock Console and variables. To enable this new feature, an upgrade to the Desktop Agent is required.
- Installing (and uninstalling) the Mac Agent from the UserLock Console (and UserLockPowerShell and UserLockAPI).
- Automatic deployment (and undeployment) of the Mac Agent for Mac machines (if the Automatic Mode is enabled).
- Automatic detection of Mac computers in the network zone protected by UserLock ("Agent Distribution" view).
- Automatic detection of conflicting installations of the UserLock service.
- Mac Agent to monitor Interactive sessions on Mac computers.
- New IIS reports: "IIS history" and "IIS sessions statistics".
- New denied logon reports: "All denied logon", "Logon denied by Active Directory", "Logon denied by UserLock", "Concurrent session restrictions", "Initial access point restrictions", "Machine restrictions", "Hours restrictions", "Time quota restrictions", "Group restrictions".
- New report "Concurrent session history".
- Changes to the "Concurrent session history" report.
- Reorganized old report filters for the following reports: "Session history", "Session statistics", "Wi-Fi / VPN history", "Wi-Fi / VPN users statistics", "Wi-Fi / VPN statistics evolution".
- All references to "Logon denied by Windows" have been replaced with "Logon denied by Active Directory".
- Replaced "Logs" with "Database" in the server properties.
- Documentation has been updated.
- Removed the trial popup displayed for each logon.
- Removed the beta version popup displayed for each logon.
- Windows Server 2003 is no longer supported for the installation of UserLock (Windows Server 2003 is still compatible with the UserLock Desktop agent).
- Logons Denied by Active Directory are not correctly detected when certain Credential Providers are used. To enable this new feature, an upgrade to the Desktop Agent is required.
- When upgrading from 22.214.171.124, if a server name starts with a number, the agent distribution displays an error.
- The 'Maximum session time' and the 'Maximum locked time' values are inverted in the 'Effective restrictions' view.
- Under certain conditions, the UserLockAppPool process consumes 100% CPU.
- In some specific situations, the UserLock service may crash if the "CheckIpConflict" advanced parameter is enabled.
- In the web console, in "Agent Distribution", filtering on the "installed" agent status doesn't work.
- Logons denied by Active Directory are not correctly detected when specific Credential Providers are used.
- SharePoint 2010 sessions are not handled by the UserLock IIS agent.
- Logons denied by Active Directory are not handled if the session name contains spaces.
- If a very large number of OUs is selected in the "Network zone" step of the Configuration Wizard, an error occurs.
- In the hours restrictions, when two contiguous time frames are defined, one before midnight and the other after midnight, a logout occurs at midnight.
- If the user account corresponding to a temporary protected account is renamed in Active Directory, this change is not updated in the protected account data.
- Session events performed with a local user account are not directly notified to the UserLock server.
- The text used to set the workstation restriction mode refers to sessions on listed machines instead of sessions opened FROM listed machines.
- Exporting reports to Excel with more than 65,000 rows results in an "Out of memory" exception.
- In the "Database" section of the Server properties (formerly "Logs" section), the password is not saved if "SQL Server Authentication" is set.
- Closing a session already logged off from the UserLock user dialog does not automatically remove it from the dialog box and the user can't log in without canceling and then trying to reconnect.
- In the "Time Quotas" section of the properties of a protected account, when a time quota is set to "0:00", this change is not correctly applied (no problem with "00:00").
- In the UserLock API, the "UserLockServer.GetProtectedAccount()" method is misleading.
- In the mobile phone format of the Web console, displaying the User Details page results in a 500 error on each load.
- In rare cases, when a session must be denied by UserLock due to another session, and that session is inaccessible, then the new session can be accepted due to a timeout.
- The "Session history" report can be launched with the "Display active sessions at" option enabled with an empty date field.
- Enabling the "Logoff disallowed sessions" server property does not allow you to change the "Session logoff order".
- The "ServerAddress" and "TimeZoneShift" fields are missing in the Microsoft Access database file installed with the package.
- Initial access point audit & restriction. Any session which is a new point of entry to the network is considered the initial access point for the user initiating the connection. UserLock analyzes sessions to determine whether a session is a new initial access point for the user or a nested/child session (a connection performed from an existing session). The number of concurrent initial access points allowed can be restricted through a Protected account for a user, a group or an organizational unit.
- Ability to block all connections for a user. It is possible from the 'User sessions' view to block all logon attempts and close all existing sessions remotely.
- A new option in the UserLock server properties allows you now to apply the time restrictions according to each client machine’s time instead of the UserLock server time.
- A new view 'Effective restrictions' to easily check which restrictions are applied to a specific user. In previous versions it was necessary to iterate over all protected groups to check whether a user was a member or not, and which restrictions were applied.
- The UserLock database connection builder now supports MySQL database system 5.6 and newer versions.
- Switch the local .chm help to the online HTML help when launching the help from the console menu help/content.
- User status can now detect, alert and display as ‘high risk’ behavior when a user has simultaneous connections from inside and outside the local network (private and public IP address), which is in many cases an abnormal situation.
- User status can now detect, alert and display as a ‘risk’ situation, users opening a new session from an existing session with different credentials.
- All kinds of sessions are now displayed in the session view by machine. Previously only interactive sessions were displayed.
- History reports can now be filtered according to a machine organizational unit.
- The ‘Session count evolution’ report can be displayed for all computers with a name matching a wildcard pattern.
- In some cases, the option 'Allow only one unlocked interactive session' doesn't properly lock the other open sessions.
- The UserLock service may set a wrong logoff date for logoffs automatically added due to a computer crash.
- The configuration wizard crashes in the Japanese version.
- When no protected accounts are defined, the Quick access panel is lost every time the Protected accounts view is displayed.
- An error occurs when trying to select the SQL server database name in the database wizard of the server properties.
- The option closing automatically disallowed sessions is not effective when the user is blocked.
- The option closing automatically disallowed sessions is not effective if the cause is a workstation restriction.
- Scheduling a database cleaning job launches the report scheduling wizard.
- For some hybrid computers the web interface switches to the tablet mode although it is not relevant.
- For Wi-Fi sessions that were already authenticated, switching from allowed to forbidden time frames will not work until NPS restarts.
- UserLock detects 127.0.0.1 as IP address of sessions without an available network connection and can't resolve its Initial Access Point.
- The user effective restrictions view doesn't display the Hours restriction when 'The following time frames are' is set to 'Denied' and the list is empty.
- Sometimes the mouse cursor switches to an hourglass cursor when navigating in the Quick access panel although no task is running and the console responds to actions.
- The log file for the web console is not created.
- Remote desktop is considered an Initial access point when IPv6 is displayed/captured.
- Full session synchronization generates an access denied error when the backup server's impersonation account has not been used before at least once.
- The UserLock Windows console displays an exception when Primary UserLock service is stopped.
- There is no button to test the configuration of the section 'E-mail settings for scheduled reports' from the Console Options.
- UserLock displays duplicate sessions when an unexpected shutdown occurs for a machine with a locked session.
- Effective time frames, client restrictions (computers, IP ranges and workstation OUs) and time quotas are not handled in the API if the name of the protected account contains comma characters.
- It's not possible to launch a search using a full user name in the web console (first name + space + last name).
- Passive SSL on port 465 is not supported in console SMTP settings.
- Modifying time frames in the console automatically modifies the Logoff notification timeout setting.
- The Syslocator is not able to inform the user whether a computer is free or not.
- IPv6 addresses are not retrieved correctly.
- Scheduled reports always send E-mails through the SMTP port 25 even if another port is configured.
- New computer commands aren't available until a refresh action is performed in the console.
- The User status history cannot be launched from the 'User Sessions' view.
- In the Windows console, if the Logoff timeout value is set to 0, it is displayed as 'Not configured' the next time the Protected account is edited.
- It's not possible to send an E-mail to an MS Exchange 'Receive connector' allowing Windows authentication when the option 'Provide credentials' is selected in UserLock SMTP configuration.
- Some characters are truncated in the fields of the 'E-mail settings for event notifications' section.
- In some cases, the console displays an exception when launching the 'Database connection' wizard.
- In the view 'Time consumed' the column name is missing in the menu 'Reset column' of the 'Quick access' panel.
- Scrolling in the Quick access panel over the User sessions view by using the mouse wheel can cause some focus shifts.
- The Quick access panel menus displayed on the Welcome page are not relevant.
- There is a memory leak while processing lock/unlock events asynchronously.
- The 'User sessions' report transforms empty instances of last logon and logoff dates to "0001-01-01 00:00:00".
- Logon denied by Windows events aren't synchronized between the servers' databases.
- The Hours restriction doesn't permit to authorize a session from 00:00 to 00:00 (the day after).
- Wi-Fi connections are considered outside connections.
- The variable %sessions% is empty in denied VPN logon notifications.
- The permission displayed in the Security section of the server properties doesn't reflect the automatisms performed by the UserLock service.
- The Welcome view cannot be displayed if one of the servers added to the console is not reachable.
- VPN logon denied by Windows may not be audited by UserLock.
- IIS Logon denied by Windows from a workstation session triggers the notification of 'Same credentials in use' in this same session.
- The Hours restriction section of the web console presents a text overlap on the Session types field of the time frames definition.
- Impossible to cancel a protected account edition when some invalid settings are configured in the web console.
- The web console allows configuring seconds values in time frames.
- There is no verbose log for the console to see all commands sent to the server.
- The client name for an IIS logon denied by Windows caused by a wrong password is not correct.
- The agent status statistics may be wrong in some cases.
- A VPN logon refused by UserLock generates an invalid logon denied by Windows.
- When a VPN initial access point is detected, the service counts one initial access point too many.
- VPN logons denied by Windows are notified as workstation logons denied.
- A console exception error is displayed when refreshing several times in a row the Consumed time view.
- After an upgrade to UserLock 9, invalid passwords are reported with two different strings in French.
- A misleading error message is displayed in the Agent distribution view when a computer doesn't answer the ping.
- In some cases, the configuration files cannot be saved after a synchronization performed on the Backup server.
- The UserLock service may crash when manipulating temporary protected accounts or during the servers synchronization.
- The SMTP password encryption for the console SMTP settings is not FIPS compliant.
- A logon attempt with a locked account doesn't raise the risk status for the relevant user account.
- When the Active Directory computer account name doesn't end with a '$', UserLock truncates the last character of the computer name.
- Server properties cannot be modified when the option 'Send a notification at every modification in UserLock' is enabled.
- Customizable messages composed by more than 2 lines cannot be modified.
- If the RADIUS Accounting Session ID field is formatted like "3859F9AB5F06-AB:STRING", then it is no longer possible to display any session through the UserLock Console.
- When a Client address is a MAC address formatted with the ':' separator, and a Logon and Logoff occurred using it, the UserLockAPI displays the MAC address with incorrect characters in the 'Last workstation logged on' and 'Last workstation logged off' fields.
- In some cases the 'Logoff previous session' dialog box may be minimized.
- A new Protected account type is now available: the temporary Protected account. Unlike the classic and permanent Protected account, this temporary account is valid only for a period of time defined by start and end dates.
- A new report ‘User status history’ shows a complete history of status changes for the risk indicator ‘User status’.
- It is now possible to clone a selected Protected account from the ‘Quick Access Panel’ or the context menu of the ‘Protected accounts view’.
- The database table of ‘UserStatus’ can now be viewed directly from the Windows Console.
- When creating Protected accounts you can now copy the rules and restrictions set for any other existing protected account.
- New filters in the ‘Protected accounts view’ allow you to show only active accounts, permanent accounts, or the different temporary accounts depending on their status.
- UserLock PowerShell now includes the Management Cmdlets of temporary Protected Accounts.
- No session is selected by default in the "Logoff existing session" dialog box.
- Outlook Web Access may generate numerous logon/logoff events in a short time interval in some cases.
- IIS Session revocation is not supported by the UserLock ISAPI Filter agent type.