Due in May 2026
This release is a significant expansion of NFC management, with new controls for session behaviour, card-level key management, and enterprise-wide policy deployment. Beyond NFC, this release includes driver modernisation, more flexible IdP deployment, and a smoother upgrade path.
- Session reactions on card events: Sessions can now be configured to lock or log out, and switch sessions automatically when an NFC card is removed or presented — giving administrators precise control over badge-in / badge-out behaviour.
- DESFire master & application keys: The card-write workflow now accepts master and application keys directly, exposed through a new interactive UI and PowerShell for DESFire operations.
- Simplified NFC provisioning: NFC token provisioning has moved to an advanced-only dialog, reducing error-prone steps during enrolment.
- Centralised NFC policy management: NFC configuration settings are now available in SystoLOCK Tools and the MMC console. New GPO settings allow enterprise-wide rollout of NFC policies.
- UMDF 2 virtual reader driver: The smart-card virtual reader driver has been ported to UMDF v2 for improved performance and long-term platform compatibility.
- IdP without AD FS: The Identity Provider can now run independently of AD FS, broadening deployment options.
🎨 Usability & Branding
- Faster user property pages: The property page now loads instantly even for accounts with dozens of attached tokens.
- In-place server upgrades: The server installer supports direct upgrades without requiring a full uninstallation first.
- Partner branding updates: Installer bootstrappers and interface colours have been updated for branded builds; the "About" dialog now supports full localisation.
- Clearer CRL error messages: Users now see actionable feedback when certificate-revocation-list checks fail or other system-related errors occur during authentication.
- Automatic ADCS dependency: The installer now includes ADCS management components automatically: one fewer prerequisite to install manually.
- QR code generation: Fixed a missing-assembly issue that caused errors when generating QR codes in the management tools.
- Offline login timestamps: Corrected a bug where the client-side timestamp displayed incorrectly during offline logins.
- Possession-factor verification: Resolved a scenario where possession factors could not be verified, causing login failures.
- Time-zone-sensitive tests: Fixed test failures caused by system time-zone differences.
- Google Cloud KMS signing: Build signing now uses Google Cloud KMS for secure key management.
Released on 13.02.2026
✨ This release is all about stability of OEM branding and other white-label enhancements. It also includes some minor bug fixes and all improvements from the recent service pack of the previous version.
- Centralized and improved branding for all applications and modules.
- Extended the licensing engine to support branding, with detailed license expiration events.
- Added per-branding control to disable “basic operation mode” when a license expires.
- Embedded per-tenant FCM packages into the server binary for improved FastLogin and easier configuration.
- Fixed various UI and localization issues: improved text placeholders, translations, button sizing, and Start Menu naming.
- Fixed an unhandled exception in the ADFS Adapter when a user account has no UPN defined.
- Improved wording and product references across the application for clarity and consistency.
Released on 01.12.2025
Service pack released on 29.01.2026
The newest release of SystoLOCK delivers a broad set of improvements focused on reliability, manageability, and flexibility across the platform. This update enhances the user and admin experience by refining error handling, streamlining authentication workflows, and making system configuration more intuitive. Under the hood, the release strengthens integration with external systems, optimizes installation and upgrade processes, and introduces smarter automation for both administrators and end-users.
We’ve expanded NFC support, including Mifare Classic authentication and improved integration with a wider range of readers and cards. The identity provider is now more independent and flexible.
- Added Mifare Classic authentication to the NFC implementation, supporting more card types and readers.
- Included ATR Database in new installations for better out-of-the-box support for DESFire and Classic cards.
- Implemented a central database for card readers, enabling better management of reader properties and key slots for MIFARE Classic and UltraLight cards.
- NFC functionality is now a core part of SystoLOCK.
- SAML Identity Provider now replaces the original ADFS Identity Provider, which is now deprecated.
- The new Identity Provider is IIS-independent, allowing it to be self-hosted and run under http.sys for more deployment flexibility.
- Updated and simplified the Identity Provider installer to reflect new paradigms.
Managing SystoLOCK just got easier and more intuitive.
- Added a new system-wide setting to disable time syncing, reducing unnecessary warnings in restricted environments.
- Improved MMC UI, including better localization and right-click context menu support even on empty spaces.
- Fixed error handling when assigning tokens to users without a UPN.
- Improved PIN management by replacing confusing password-related error messages with clear, PIN-specific feedback for all PIN actions.
- Added the ability to automatically add users to self-provisioning groups after delayed provisioning, with user-friendly prompts and error handling.
- Ensured offline GPOs now include the correct domain info even when the external domain is not set, preventing discovery issues.
- Added a new column to the user list view to indicate self-provisioning status, including temporary and unsafe states.
- Refactored the MMC side-bar for the root node, improving usability and adding icons for key actions.
- For computers running version 2.0.0.0 or lower, default version info is no longer reported in list views, keeping things tidy.
- Expanded the computer list view with a new column showing the policy name assigned to each computer, making it easier to audit and manage policies.
- Improved token search by user in MMC and PowerShell, making it more flexible and user-friendly (e.g., supporting wildcards and better error messages).
- Removed the client installer bootstrapper for a cleaner installation process.
- Improved installer logic to ensure Domain Admins have the correct AutoEnroll rights for all application templates.
- Improved installer to include DESFire ATR by default, ensuring better compatibility with supported cards.
- Fixed issues with LogonUI caching registry settings, ensuring changes take effect without requiring a reboot.
- Added ACLs to allow SystoLOCK Administrators and Services to manage members of self-provisioning groups, making group management more secure and flexible.
- Improved computer GPO/settings mapping by introducing shadow storage for GPO values, ensuring settings are properly reverted when GPOs are removed.
- Improved license status display in property pages by detecting known certificate problems (like expiration) and showing clear, actionable messages.
- Fixed an issue where certificate bindings were not preserved upon server re-install, ensuring smoother upgrades and migrations.
- Ensured that when a token is re-provisioned, any drift from previous assignments is cleared, preventing authentication failures.
- The installer now provides a script to remove legacy certificate template assignments from the local CA during upgrades, keeping your environment clean and up-to-date.
- PowerShell certificate template assignment commands now accept pipeline input from Get-CertificateTemplate, making scripting and automation easier.
- Added the ability to manually create or remove LogonUI keysets via regsvr32.exe, making advanced troubleshooting and testing more flexible.
- Updated documentation for Set-SystoLockFcmConfiguration to include a new example for login/password usage.
- Fixed a bug where errors occurred on first start after a rolling server update on Server 2025, improving reliability after upgrades.
- Addressed an issue where the SystoLOCK service notification for expiring certificates lacked host context information.
- Fixed excessive warning logs from Proxy Agent when connecting to the proxy, reducing noise in event logs.
- Improved error handling for missing required directory attributes after server installation.
- Improved error handling for deleted users during login attempts, preventing server errors and improving log clarity.
- Fixed a bug where an error was logged if no certificate templates were available, ensuring cleaner logs.
- Addressed a false negative log message on PIN change for users in smart-card only mode (issue was not reproducible and may have been a replication issue).
- Fixed a console crash on NFC scan.
- Fixed an issue where NFC sessions from localhost could not be authorized, ensuring smoother authentication in local test environments.
- Improved error handling in the proximity subsystem to avoid server errors when LogonUI attempts to acquire a card context with an empty UID.
- Fixed legacy offline login issues where DNS locator would fail outside the domain network, improving reliability for remote and offline scenarios.
- Fixed a bug where the client tools would crash if the client service was not available, improving robustness in support scenarios.
- Improved error handling and messaging throughout the platform.
- Various under-the-hood enhancements for stability and maintainability.
🧪 Testing, CI and Internals
- Switched to XUnit v3 for more flexible and skippable tests, making CI pipelines more robust.
- Improved CI reliability by running tests inside DCCA-xx machines with a GitHub runner.
- Optimized file signing tasks in CI/CD builds to skip unnecessary signing in non-release branches, speeding up everyday development workflows.
- Resolved an inf2cat.exe “DriverVer set to a date in the future” error in the build pipeline by using the correct local time parameter.
- Updated MSBuildTasks to be installed and used the modern way, resolving compatibility issues with dotnet CLI.
- Moved project-related VMs into a dedicated VLAN, improving isolation and reliability for CI hosts.
- Updated the Kerberos debugging tool with better verbosity, standalone operation, and improved usability for diagnostics and testing.
- Added a Kerberos-testing suite to help diagnose FastLogin session establishment issues in test environments.
- Users who are part of the SystoLOCK Administrators group but are not members of the Domain Admins group are not able to manage various platform settings.
- We’ve made it easier for admins to manage SystoLOCK in complex environments, with better permissions, improved diagnostics, and more robust scripting.
- Investigated and fixed permission issues for SystoLOCK Administrators in restricted environments, ensuring full management capabilities and smoother policy handling.
- Created a PowerShell command for disabling sync, complete with tests and documentation for easier automation.
- Updated scripts for compatibility with the latest PowerShell changes.
- Fixed SAML IdP problems including login errors on mobile, improved event logging, and made configuration changes safer and more transparent.
- Improved SAML IdP installer to better handle slow servers by adding retry logic.
- Fixed default language detection in SAML Provider so users always get the right language experience.
- Added dependent certificates to the client installer to prevent failures when signer certificates are missing.
- Added EventSource DLL to the RDWeb Installer for better event logging and troubleshooting.
- Fixed the action button on the email test screen so it updates correctly after test completion.
- Extended the licensing engine to support detailed license expiration events.
- Embedded per-tenant FCM packages into the server binary for improved FastLogin performance and easier configuration.
- Fixed errors in the management console and PowerShell diagnostics when no AD site is assigned, preventing crashes.
- Fixed ECDH tokens being displayed incorrectly in list views, ensuring accurate representation.
- Fixed the PowerShell generator to include the missing -RetainPassword flag for provisioning.
- Fixed the client service to correctly handle NFC routines in certain scenarios.
Released on 20.06.2025
This release discontinues support for advanced features on older (prior to Windows 10) operating systems. Basic functionality (PIN+OTP) remains available.