Released on 01.12.2025
The newest release of SystoLOCK delivers a broad set of improvements focused on reliability, manageability, and flexibility across the platform. This update enhances the user and admin experience by refining error handling, streamlining authentication workflows, and making system configuration more intuitive. Under the hood, the release strengthens integration with external systems, optimizes installation and upgrade processes, and introduces smarter automation for both administrators and end-users.
We’ve expanded NFC support, including Mifare Classic authentication and improved integration with a wider range of readers and cards. The identity provider is now more independent and flexible.
- Added Mifare Classic authentication to the NFC implementation, supporting more card types and readers.
- Included ATR Database in new installations for better out-of-the-box support for DESFire and Classic cards.
- Implemented a central database for card readers, enabling better management of reader properties and key slots for MIFARE Classic and UltraLight cards.
- NFC functionality is now a core part of SystoLOCK.
- SAML Identity Provider now replaces the original ADFS Identity Provider, which is now deprecated.
- The new Identity Provider is IIS-independent, allowing it to be self-hosted and run under http.sys for more deployment flexibility.
- Updated and simplified the Identity Provider installer to reflect new paradigms.
Managing SystoLOCK just got easier and more intuitive.
- Added a new system-wide setting to disable time syncing, reducing unnecessary warnings in restricted environments.
- Improved MMC UI, including better localization and right-click context menu support even on empty spaces.
- Fixed error handling when assigning tokens to users without a UPN.
- Improved PIN management by replacing confusing password-related error messages with clear, PIN-specific feedback for all PIN actions.
- Added the ability to automatically add users to self-provisioning groups after delayed provisioning, with user-friendly prompts and error handling.
- Ensured offline GPOs now include the correct domain info even when the external domain is not set, preventing discovery issues.
- Added a new column to the user list view to indicate self-provisioning status, including temporary and unsafe states.
- Refactored the MMC side-bar for the root node, improving usability and adding icons for key actions.
- For computers running version 2.0.0.0 or lower, default version info is no longer reported in list views, keeping things tidy.
- Expanded the computer list view with a new column showing the policy name assigned to each computer, making it easier to audit and manage policies.
- Improved token search by user in MMC and PowerShell, making it more flexible and user-friendly (e.g., supporting wildcards and better error messages).
- Removed the client installer bootstrapper for a cleaner installation process.
- Improved installer logic to ensure Domain Admins have the correct AutoEnroll rights for all application templates.
- Improved installer to include DESFire ATR by default, ensuring better compatibility with supported cards.
- Fixed issues with LogonUI caching registry settings, ensuring changes take effect without requiring a reboot.
- Added ACLs to allow SystoLOCK Administrators and Services to manage members of self-provisioning groups, making group management more secure and flexible.
- Improved computer GPO/settings mapping by introducing shadow storage for GPO values, ensuring settings are properly reverted when GPOs are removed.
- Improved license status display in property pages by detecting known certificate problems (like expiration) and showing clear, actionable messages.
- Fixed an issue where certificate bindings were not preserved upon server re-install, ensuring smoother upgrades and migrations.
- Ensured that when a token is re-provisioned, any drift from previous assignments is cleared, preventing authentication failures.
- The installer now provides a script to remove legacy certificate template assignments from the local CA during upgrades, keeping your environment clean and up-to-date.
- PowerShell certificate template assignment commands now accept pipeline input from Get-CertificateTemplate, making scripting and automation easier.
- Added the ability to manually create or remove LogonUI keysets via regsvr32.exe, making advanced troubleshooting and testing more flexible.
- Updated documentation for Set-SystoLockFcmConfiguration to include a new example for login/password usage.
- Fixed a bug where errors occurred on first start after a rolling server update on Server 2025, improving reliability after upgrades.
- Addressed an issue where the SystoLOCK service notification for expiring certificates lacked host context information.
- Fixed excessive warning logs from Proxy Agent when connecting to the proxy, reducing noise in event logs.
- Improved error handling for missing required directory attributes after server installation.
- Improved error handling for deleted users during login attempts, preventing server errors and improving log clarity.
- Fixed a bug where an error was logged if no certificate templates were available, ensuring cleaner logs.
- Addressed a false negative log message on PIN change for users in smart-card only mode (issue was not reproducible and may have been a replication issue).
- Fixed a console crash on NFC scan.
- Fixed an issue where NFC sessions from localhost could not be authorized, ensuring smoother authentication in local test environments.
- Improved error handling in the proximity subsystem to avoid server errors when LogonUI attempts to acquire a card context with an empty UID.
- Fixed legacy offline login issues where DNS locator would fail outside the domain network, improving reliability for remote and offline scenarios.
- Fixed a bug where the client tools would crash if the client service was not available, improving robustness in support scenarios.
- Improved error handling and messaging throughout the platform.
- Various under-the-hood enhancements for stability and maintainability.
🧪 Testing, CI and Internals
- Switched to XUnit v3 for more flexible and skippable tests, making CI pipelines more robust.
- Improved CI reliability by running tests inside DCCA-xx machines with a GitHub runner.
- Optimized file signing tasks in CI/CD builds to skip unnecessary signing in non-release branches, speeding up everyday development workflows.
- Resolved an inf2cat.exe “DriverVer set to a date in the future” error in the build pipeline by using the correct local time parameter.
- Updated MSBuildTasks to be installed and used the modern way, resolving compatibility issues with dotnet CLI.
- Moved project-related VMs into a dedicated VLAN, improving isolation and reliability for CI hosts.
- Updated the Kerberos debugging tool with better verbosity, standalone operation, and improved usability for diagnostics and testing.
- Added a Kerberos-testing suite to help diagnose FastLogin session establishment issues in test environments.
- Users who are part of the SystoLOCK Administrators group but are not members of the Domain Admins group are not able to manage various platform settings.
Released on 20.06.2025
This release discontinues support for advanced features on older (prior to Windows 10) operating systems. Basic functionality (PIN+OTP) remains available.
Released on 01.10.2024
Service pack 1 released on 13.11.2024
Service pack 2 released on 24.03.2025
- Bluetooth logon support (including offline)
- Central policy management for client stations directly from MMC
- Improved log view in MMC, providing more space for text and ...
- Log view controls optimisations
- Token list view is now sortable and filterable
- New token creation experience when assigning tokens to users
- Clearer user view for users without tokens
- Improved installation experience with DC script deployment
- QR code and push on ADFS even in mobile mode
- MMC resiliency for services in remote locations
- MMC and PowerShell resilience for missing system groups
- Alerts for expiring tokens
- UPN enforcement now in PowerShell
- Location awareness for diagnostics
- Better event handling in logs
- Better handling of mail server TLS behaviour
- Offline/Online transition fix
- Fix formatting bug in Tools
- Fix automatic deployment via GPO
- Fix New-SystoLockToken secret calculation for some scenarios
- Fix PowerShell examples in PowerShell docs
- Fix missing GPO during installation
- Fix installation problems on non-domain machines
- Relax PSKC import format to accommodate OneSpan tokens
- Signal MFA capability to Entra ID in federated scenarios
- Move some server events around for easier viewing
- Correct wrong client default for KSP usage
- Correct password rotation scheduler
- Correct PEAP interpretation in VPN client
- Improve client installer resilience
- Fixed certificate subject handling due to changes in January Windows updates
- Fixed Domain Controller detection for hybrid settings with an Azure Kerberos object in AD
- Changed the AD group SystoLOCK Users scope to allow for proper handling of password policies
Released on 08.05.2024
- New phishing resistant ECDH-based token type
- New token creation defaults
- Full ADCS management by SystoLOCK server
- Automatic certificate re-enrollment for SystoLOCK server
- Application proxy for smart login
- Server time checker background task
- MMC sorting in list views
- License updates directly in MMC
- Prevent HSTS on CRL endpoints
- Deleting functionality for roaming devices
- Contact management for urgent notifications
- Granular control for provisioning of privileged accounts
- Support for external keys in PSKC files
- SystoLOCK client aggregated log for Event Viewer
- 20 new PowerShell Cmdlets
- Re-branding
- White label capability
Various improvements in:
- Token provisioning in MMC
- MMC token list views
- Online and offline login experience
- Certificate template management via PowerShell
- Parameters for New-SystoLockCertificate
- Rights management component
- Push notification component
- Logon screen resilience
- Offline login detection
- Server diagnostics
- Client diagnostics
- Client logging component
- Management components usability
- MMC help
- Application installers
- Background task engine
- Error code resolver in the control panel
- Windows 11 driver installation compatibility
Original version released on 24.08.2023
Service pack 1 released on 30.10.2023
Service pack 2 released on 29.01.2024
- Improved user, token and computers view in MMC
- Total items count in status bar of MMC
- Improved token search in MMC and PowerShell
- Copy-able rows in diagnostics
- Lookup for error values in client diagnostics
- Easier push notification management on server level
- Designated VPN push notifications and their attribution
- Correct deprovisioning of push notification configuration
- Password-deleting functionality for retained passwords
- Automatic password management for smartcard-based accounts
- Better clarity on choosing host certificates
- New host certificate template
- New management CmdLets
- Push notifications for named tiles
- Offline login: new and improved approach
- New autonomous offline mode
- Simplified offline provisioning and ...
- Automatic offline deprovisioning
- QR code login for UAC prompts
- Extended NPS plugin configurability
- Remove reboot requirements for offline registration
- New server installation experience
- Management console is now part of server installer package
- Client diagnostics DNS improvements
- Workgroup members diagnostics improvements
- Installer improvements for workgroup members
- Diagnostics in AD FS components
- Diagnostics of an external domain
- Improvements in diagnostics CmdLets
- Accommodation of MS KB5014754 changes for certificate authentication
- New server installation experience
- Full support for locally managed CA instances
- Improved granularity for certificate template installation
- Tooltips in MMC dialogs
- Logging engine and log viewer improvements
- New release delivery formats (ISO)
- Credential provider overrides in CredUI
- SystoLOCK-Enabled users can now be discovered more easily by components
- Smart use of KSP/Smart card subsystems based on scenario
- Local AD CS instance installer and management
- New certificate template for the host
- Better RADIUS configurability
- Simplified CRL publishing
- New TCP port 21571 for CDP endpoints
- Username display on AD FS adapter form
- TPM support for offline login
- No x86 builds for Windows client as standard (available on request)
- Improvement in bulk token import resilience for duplicates
- Descriptions for SystoLOCK AD groups
- Corrections on keyboard handling in the Tools app
- Focus maintenance in credential UI with QR code displayed
- Help for Setup and Diagnostics PowerShell modules
- Allow autonomous group to be processed
- Review service exceptions handling in regards to SCP restart policies
- Add secure boot and device guard configuration status to client diagnostics
- Rename One-Time Password on CredUI tiles
- Improve server installer wrapper GUI
- Improve changing the password of 'smart-card only' users on a regular basis
- Fixed: Client service crashes when machine is offline
- Fixed: Copying from tracer to clipboard does not work sometimes
- Fixed: MMC crash if policy is not present
- Fixed: Wrong default values for OATH policies
- Fixed: Diagnostics is not displayed localized
- Fixed: Test-SystoLockEnrollmentService: Add error handling for incorrect config strings or hosts
- Fixed: Credentials not valid on assignment view
- Fixed: Unhandled error upon OTP reuse
- New logo
- Small MMC fixes
- Conditionally allow DNs in subjects for issued certificates
- Correct error lookup in client tools
- Fix roaming devices handler in MMC
- Improve MMC debugging in release mode
This is the last release to fully support Windows 7 / 2008 R2 as a client.
Original version released on 22.12.2022
Service pack released on 27.03.2023
- Offline Login:
- Full offline login for environments without internet (preview)
- Guided inputs for offline login
- Better offline registration
- Offline login client management
- Password policies for offline login
- DPAPI secrets management for offline login (preview)
- Management improvements:
- Automatic password policy management
- Diagnostics enhancements
- Diagnostics module direct in MMC
- MMC resilience improvements
- Expiring certificates logging
- PSKC import for ZIP-containers
- User and token lists improvements in MMC
- Disabled and locked tokens handling in MMC
- PowerShell improvements
- New Components:
- RADIUS plugin for NPS
- Autonomous certification authority
- AD Interfacing improvements:
- AD sites detection improvements
- Special characters handling improvements
- Support for custom location of Program Data
- Client service for tasks offloading
- Server setup experience improvements
- Introduction of AD CS local setup
- Client logging improvement
- Fixes:
- Correct AD FS IdP installer to mitigate Microsoft's flaws
- Correct server installer missing new scripts
- Correct Test-SystoLockInstance irregularities
- Correct various MMC crashes
- Correct handling of special characters in DN paths
- Correct LogonUI going offline with no reason
- Correct LogonUI freeze upon tile change
- Improvements:
- Improve CA Templates installer granularity
- Improve Offline computers registration
- Remove default values from registry in RADIUS plugin
- Change logging channels for AD FS components
- Set default OTP validation window to 1 Minute (Warning: manual adjustment might be required for existing installations with drifted physical tokens)
- Remove 32-bit client installation from distribution (available upon request)
Released on 04.05.2022
- New license models: Free, Standard, Full, NFR
- Full management for push notifications
- Phone owner management
- Token and domain policies
- Brute force protection
- Multi-Domain support for MMC
- MMC stability improvements
- Better password retention management
- GC discovery improvements
- DNS scavenging solution
- Clearer messages in logs
- CRL and time skew checks in infrastructure diagnostics
- Introduction of operational master
- RDS Gateway multi-domain enhancements
- Installer improvements for RD-Servers and elevated run
- Fixed Windows 7 regressions
- Fixed native VPN connectivity problems
- Missing AD sites solutions
- Multiple NICs solution for clients
Released on 20.01.2022
- Multi-Domain installer improvements
- Multi-Domain infrastructure tests
- Multi-Domain licensing support
- Token Lock / Unlock
- Token Disable / Enable
- PDF-embedded license support
- Error-reporting improvements
- Credential provider granular control
- Self-provisioning enhancements
- Server-side diagnostics enhancements
Original version released on 25.10.2021
Service pack released on 13.12.2021
- RDS Web Portal support
- RDS Gateway plugin
- Server and RDS installers now elevate privileges upon start
- Improved rights assignments in AD
- New and faster method for serving data to Companion App
- Missing UPNs handling on token assignment
- Ad-hoc permission corrections via MMC
- Bulk and parametrized token creation in MMC
- Show used up licenses on license panel
- Optionally disable automatic search as an MMC setting
- Control LDAP Query policies from MMC
- MMC now uses separate port 21573 with Kerberos instead of 21572 with TLS
- Pre-provisioning QR codes in MMC and PowerShell
- ConvertTo-SystolockQRCode now supports -CopyToClipboard
- Migrated diagnostics and client settings into SystoLOCK Tools
- More configurable Client options
- Fast login support on secure screens
- Password retention for self-provisioned users
- Cisco AnyConnect VPN support
- Hostname in keep-aliver allows distinguishing between various sessions
- Improved logging of failed authentication attempts
- Credential provider should not apply filters on Login UI
- Discovery resilience for duplicated DNS entries
- Grant-SystoLockAccountManagementPermission uses wrong DN
- Set-SystoLockRoamingDevice invalidates PN token
- Use secure random number generator for TSGW session ids
- IdP crash if metadata fetching results in error
- Push notifications for ADFS
- Detect VLV problem upon directory search
- Windows VPN client improvements and fixes
- MMC crash if DNS entries were missing
- MMC crash if users or tokens are moved or deleted
- Focus is lost if QR is displayed
- Documentation updates
- Clarifications on diagnostics for RDS hosts
- Show token drift on property pages
- Property pages lacked borders
- Better LDAP query policy conditions
- Corrections to satisfy faulty Gemalto PSKC files
- IdP language generalisations, add Italian
- Extend logging to include token ID upon logins
- Provide more control for self-provisioning users
- Preserve IdP configuration on update
- Cisco AnyConnect client enhancements
- Compatibility enhancements in AD FS Identity provider
Released on 12.05.2021
- VPN connection improvements, PLAP compatibility
- Microsoft certification for protected processes
- Push notifications for SystoLOCK Companion
- Push notifications control via PowerShell
- Preserve SSL binding configuration across service re-installation
- Persistent connection management in PowerShell
- Inactive sessions detection
- RDP keep-aliver for remote apps
- RDP farm helper multi-farm environments
- Stand-alone IdP for older ADFS setups
- MMC localisations
- New Client control panel (tools)
- New client options defaults
- Tracing now works without elevation
- Confirmations in destructive PowerShell Cmdlets
- Client installer auto-reboot suppression
- AD FS Installer might not detect OS Version correctly
- Indirect 'domain admin' group membership in server installer
- Grant user management rights on AdminSDHolder template upon installation
- Improvements to working with DNs containing special characters
- Better session handling for RDP (and other) sessions
- Cannot choose a date range for the log view
- Enabling offline for a computer leads to errors
- Import-License should resolve file path
- License expiration prevented service from start
- Provisioning QR code improvements
- Client logs improvements
- MMC UI improvements
- LDAP connection management improvements
- On secure screen "Show QR code" appears after executing provisioning dialog
- Parent certificates get cached and it is a problem
- Client Diag on x86-machine falsely looks for a x64 module
- AD related PowerShell setup commands should use the same domain controller
Released on 14.09.2020
- VPN support
- ADFS plugin QR code login support
- Certificate-based login support for Active Sync
- MS Office ClickToRun sandbox compatibility
- IP address functions for siting API
- Client option self-provisioning and smart/fast login
- Certificate expiration notification in MMC
- Computers node in MMC for offline computers managing
- Client diagnostics
- License error reporting improvement
- CA errors diagnostics
- KSP crashes on Windows 10
- Handle 127.0.0.1 in Machine Resolution
- Make fast-login tile to live longer than 30 seconds
- Credential provider attempts to double submit after fast login
- Server Installer should try doing best effort to install all components
- Network diagnostics hangs under non-domain user
- Change password screen is broken on Windows 10
- Icons for start menu
- MMC stability
- Setup PowerShell clashes with psreadline module
- Referrals problem in subdomains
Released on 28.02.2020
- Implement data protection service
- Make Get-SystolockService -Site * to work
- Use SHA256 instead of SHA1 for default software token
- Make Get-Clipboard | Import-License possible
- ADFS provider
- Token View Needs a Help on Filter Syntax
- PSKC import should auto detect suite based on the key length
- Confusing Get-SystoLockEndpointPermission output
- License load exception
- Windows 2008 R2 does not tolerate zero pKIOverlapPeriod
- FastLoginClientContext should check COMPUTERNAME$ case
- Do not accept fast login credentials if session is inactive
- RDP does not work with KSP
- Make dynamic smart-card masking enabled by default
Released on 18.12.2019
- User Property Page redesign
- Configuration diagnostics tool
- Synchronize button is disabled for unassigned tokens
- Token property page redesign
- Improved Users filtering by token assignment
- Event logs aggregation
- Server service status page
- Allow creating new token from the "Choose Token to Assign" dialog
- Copy QR code to clipboard by double click on it
- KeysContainerInstaller does not remove Authenticated Users read ACE
- Token release does not work on disable users
- Reader driver won't install on Windows 1903
- Server property page disappears by clicking on certificate thumbprint link
- ConvertTo-QRCode -File file.name is broken
- Add-SystoLockCertificateBinding ignores Force parameter
- DNS record installer should check existing SRV RR record presence
- Token Status is Needed in the Token list
- Pre-provisioned tokens should have user name in URL
- ISecurityAuthority service should support hashed PIN
- Error installing in a site without a domain controller
Released on 09.03.2019
From now on all releases relate to Version 2.0
- Allowed controlling SmartcardLogonRequired option during provisioning
- Events filtering in service view
- Preferred domain controller property support in management module
- Expose machine unique identifier via Discovery service
- Expose client fine tuning options to UI and PowerShell
- Importing Wrong File Crashes MMC
- No Need in Milliseconds in Service Property
- Service Installer should add recovery options
- Service won't start upon reboot
- Logs are too verbose on user DNs
- Management UI does not work on Windows 2008 R2
- Credential UI won't load with a MUI file present
- Management UI package should include PowerShell manifest files as well
- Management UI crashes if SystoLock servers RPC unavailable
- Non-canonical ACLs are created
- NCryptEnumAlgorithms causes event log error
Released on 22.10.2018
- User search improvements
- New Multilingual User Interface (MUI) modules
- Fixed: Installer should check elevation status on uninstall
- Handle remove service event logs unavailability
- Token list improvements
- Fixed: Try validating PIN upon receiving it via CardAuthenticatePin
- Fixed: Display service instance certificate
- Various property page changes
- New Copy as PowerShell command
- Fixed: Confirmation message boxes should have Yes, No, Cancel buttons
- Fixed: Crash upon clicking on a list view column header
- Fixed: Could not assign token from the user property page
- Handle server exceptions while searching for tokens
- Management UI cosmetic changes
- Fixed: Confirmation dialogs' title text does not contain token id
- Fixed: Copy Powershell button looks weird
- List view error list margins need better calculation
- Fixed: Service certificate information window requires two clicks to close
- Fixed: Choose Token dialog should not enable Ok button unless a token is selected
- Fixed: UPN based provisioning does not work
- Updated token property page icon
- Fixed: Handle service Fault when performing a server operation
Released on 31.07.2018
- Added Active Directory rights delegation management command
- Fixed: Timeout exception while installing event log
- Fixed: Service should round-robin through available enrollment services
- Added Subject parameter to Add-SlockCertificateBinding command
- Fixed: Certificate templates require Network Service account enrollment right ACE
- Fixed: Server should log startup error
- New Server licensing engine
- Prefix all PowerShell verbs with SystoLock and remove default module prefix
- Removed version from the client settings path
- Fixed: OtpToken should contain information if the user completed provisioning
- Fixed: Client should push its information to the server
- New Property Page for ADUC snap-in
- Fixed: "User name is empty" error when unlocking workstation
- Added thumbprint awareness to the NT Authority certificate list
- Implemented license information support
Released on 30.04.2018
- Fixed: New-SlockToken -Algorithm SHA256 generates an invalid URL
- Fixed: Token assignment should be 1 to 1 entity
- Fixed: Windows 7 credential tile multiple Advice/Unadvice calls
- New: Add New-HotpSecret command
- Fixed: Add-SlockTokenAssignment should understand token object when it comes from pipeline
- Test-SlockService output does not contain hostname
- Fixed: ConvertTo-SlockXxxxString should accept value parameter from pipeline
- Fixed: ConvertTo-SlockQRCode should understand token and token assignment types
- Fixed: Add-SlockAssignment: make -PIN parameter optional
- New: Add Set-SlockAssignmentPin command
- Fixed: Add-SlockAssignment do not suggest User parameter in some cases
- Support CA certificate fetching via IDiscoveryService
- Fixed: Change Get-Token default parameter set from Filter to TokenID
- Fixed: ETW rights adjustment does not seem to work or is broken
Released on 02.04.2018
- Key storage provider (KSP) based login support
- Fixed: Certificate template installer is broken
- Fixed: Reboot is required after installing service on a machine
- Add IOCTL_SMARTCARD_GET_LAST_ERROR support
- Keys container security rights corrected
- Fixed: Logon screen should not show currently logged on users
- Fixed: Get-SlockCertificateBinding does not work (but netsh does)
- Positional arguments support
- Certificates without subject are ignored
- Fixed: Certificates without private key should be excluded
- New: Management module installer
Released on 27.10.2017
- Kerberos authentication proxy for non-domain RDP clients
- Update installer with code signing public key
- Fixed Reader locks
- Fixed: Status is not updated while executing custom actions
Released on 31.05.2017
- Enabled ETW logging in native modules
- In CPUS_CREDUI scenario the Ok button is not active / default selected
- Expired certificates garbage collection
- Unlock scenario now works properly
- Implemented authority for medium-term certificates
- Change PIN operation support
- Implement Change PIN operation
- Dynamic masking of the smart-card provider
Released on 12.08.2016
- Checks for assigned tokens count
- WEB based frontend
- Multiple tokens support
Released on 01.14.2014
Paradigm change
- OTP URLs parsing support
- RFC 6030 support (PSKC)
- Installer repacked
- mOTP support
- DNS SRV registration
Released on 13.12.2013
- Improved logging
- TSGW authentication support
- HOTP security policy config section
- Generic form based authentication support
- OTP rollout wizard
- HTTP SSL registration
Initially released in May, 2011