Release Notes of KeyTalk client for Windows
---------------------------------------------------

KNOWN ISSUES
---------------------------
1) When Kerberos tokens are being protected by third party solutions, KeyTalk for Windows cannot make use of Kerberos based authentication
2) When registry settings are protected from being changed by third party software, then KeyTalk for Windows cannot configure Outlook
3) New Outlook at this moment does NOT support S/MIME for any non-primary account, as per Microsoft specifications

Windows agent 7.8.0, 21 July 2025
------------------------------
ADDED: Allow configuring custom command on Windows Server Generic Task to execute on successful retrieval of certificate
ADDED: Allow specifying domains in the agent task to be added to the certificate SAN DNS
ADDED: Sample script to apply the supplied certificate to the default IIS HTTPS binding aimed to demonstrate "Run Command on successful certificate retrieval" feature
FIXED: Non-enterprise SES agent might fail to start when customized with multiple providers
FIXED: Applying certificates for IIS and Generic Windows agent tasks

Windows agent 7.7.4, 21 May 2025
------------------------------
ADDED: Request Firstname and Lastname, when this info is unknown to the KeyTalk server, when requesting a Class 2 S/MIME certificate that requires this information as part of upcoming CA/B Forum rule changes for publicly trusted certificates.

client-7.7.3, 21 May 2025
------------------------------
FIXED: Make seat authentication respect caller's HWSIG when locating right authentication certificate on the server
ADDED: Retrieve SMB certs after each successful interactive retrieval of user certificate

client-7.7.2, 15 May 2025
------------------------------
FIXED: Fetching of SMB certs might fail because the agent incorrectly decodes an authentication challenge sent by KeyTalk server
ADDED: Cache some non-frequently changed Public API requests to reduce the load on the server

client-7.7.1, 13 May 2025
------------------------------
ADDED: Try to renew user certificates using (silent) seat authentication

client-7.7.0, 7 April 2025
------------------------------
CHANGED: Increase operational timeout for Public API calls to 1 minute
CHANGED: Reduce excessive load to the server by approx. 30% by caching non-essential Public API queries agent-side
FIXED: Improve Ux of loading tasks.ini from file (Windows agent)

client-7.6.4, 27 February 2025
------------------------------
ADDED: Make "KeyTalk Certificate Renewal for Windows Server" Scheduled Task run with highest privileges (elevated)
FIXED: KeyTalk Windows Server Certificate Renewal task kept requesting a certificate from KeyTalk server regardless of whether a valid certificate was already present

client-7.6.3, 17 February 2025
------------------------------
ADDED: Allow loading task configuration from Config Manager UI
ADDED: Allow skipping the creation of KeyTalk Scheduled Tasks by specifying CREATE_SCHTASKS=No in KeyTalk Windows agent MSI CLI (msiexec)
ADDED: Allow installing tasks.ini containing KeyTalk Windows Server tasks configuration by specifying WSVR_TASKS_CONFPATH= in KeyTalk Windows agent MSI CLI (msiexec)
ADDED: Allow manually creating KeyTalk Scheduled Tasks using 'ConfigUpdater.exe --install-scheduled-tasks'
ADDED: Allow manually creating KeyTalk Windows server Scheduled Task using 'ConfigUpdater.exe ---install-winsvr-cert-renewal-scheduled-task'
ADDED: Allow manually removing KeyTalk Scheduled Tasks using 'ConfigUpdater.exe --remove-scheduled-tasks'
ADDED: Checkbox to allow Windows server cert renewal task to run whether user is logged on or not
CHANGED: Make KeyTalk Windows agent MSI installer invoked via msiexec respect current working directory when performing customization with RCCD

client-7.6.2, 5 February 2025
------------------------------
CHANGED: More verbose output of IIS PowerShell script to simplify troubleshooting

client-7.5.15, 10 October 2024
------------------------------
FIXED: Allow configuring generic Windows Server certificate renewal tasks on KeyTalk Windows agent

client-7.5.14, 4 October 2024
------------------------------
ADDED: Respect SmimeCertPurpose user.ini setting when importing RCCDs
ADDED: SES Agent build with certificate scraper functionality
FIXED: Outlook S/MIME profile configuration for 32-bit Office
FIXED: More robust parsing of Outlook S/MIME profile purpose

client-7.5.13, 9 September 2024
------------------------------
ADDED: Diagnose flavor of Outlook in use for the user (new or classic)
ADDED: Extended SmimeCertPurpose setting in user.ini with 'none' (New values: "encrypt", "sign" (default), "encrypt-and-sign" and "none")

client-7.5.12, 3 September 2024
------------------------------
ADDED: Extra logging related to automated S/MIME configuration for classic Outlook (as New Outlook does not support S/MIME at this time)

client-7.5.11, 19 August 2024
------------------------------
ADDED: Sign all KeyTalk executables
ADDED: Diagnose Outlook installation on Windows agent
CHANGED: Ignore failed attempts to create scheduled tasks during Windows agent MSI installation

client-7.5.3, 10 June 2024
------------------------------
ADDED: Codesigned all VBS scripts

client-7.5.1, 22 May 2024
------------------------------
ADDED: Send SEAT wide keep alive to KeyTalk server to help KeyTalk managers understand which agents are still actively deployed and running properly.

client-7.4.9, 09 May 2024
------------------------------
ADDED: Enable automated configuration of Outlook S/MIME settings for SMBs for KeyTalk Windows S/MIME cert scanner agent in addition to KeyTalk Enterprise Agent
ADDED: Allow disabling certificate scraping on the TEMPLATE level agent-side (Windows Certificate Scanner agent only)
ADDED: Scraping of certs&keys by Windows Certificate Scanner agent occurs on the schedule pushed from KeyTalk server
ADDED: The purpose of the certs&keys scraped by Windows Certificate Scanner agent is pushed from KeyTalk server
ADDED: The stores to look up for the certs&keys to be scraped by Windows Certificate Scanner agent are pushed from KeyTalk server

client-7.4.5, 4 April 2024
------------------------------
ADDED: Allow configuring Outlook S/MIME settings for all SMBs of the given seat (KeyTalk Windows Enterprise Agent only)
ADDED: Prompt user before automatically popping up KeyTalk agent
ADDED: Per-provider SmimeCertPurpose setting to user.ini to specify the purpose of the S/MIME certificate applied to Outlook (possible values: "encrypt", "sign" (default) and "encrypt-and-sign")
FIXED: S/MIME config of Outlook sometimes failed

client-7.4.3, 19 March 2024
------------------------------
ADDED: Prompt user before automatically popping up KeyTalk agent
ADDED: Per-provider SmimeCertPurpose setting to user.ini to specify purpose of the S/MIME certificate applied to Outlook (possible values: "encrypt", "sign" (default) and "encrypt-and-sign")
CHANGED: Merge the functionality of ApplyOutlookSmimeSettings.ps1 into the core agent code

client-7.4.2, 16 February 2024
------------------------------
ADDED: Entra ID App Permission testing
ADDED: Allow specifying notification template for the message shown to end-users when KeyTalk agent automatically pops up
ADDED: Allow creating TEMPLATES for enrolling DigiCert DV certs via ACME via Admin API
ADDED: Allow enrolling DigiCert DV certificates for multiple domains
ADDED: Display URL to be used by ACME Agents when configuring a template for ACME
CHANGED: Entra ID/LDAP improvements (cancellation, throttling, batching, ...)
ADDED: Tighten security of HTTP response headers
FIXED: Clean up old system performance metrics statistics to reduce PR size
FIXED: Missing valid SAN fields in imported Shared Mailbox seats
FIXED: Invalid SAN fields coming from LDAP search

client-7.4.1, 23 January 2024
------------------------------
FIXED: Too early notification of S/MIME certificate holders on certificate expiry
FIXED: Allow storing string with 4-byte Unicode characters in the Db
FIXED: Include On-Prem only users in Intune import
FIXED: Allow certificate rewriting during Intune import
FIXED: Solved missing Shared Mailboxes after search
FIXED: Clean up old system performance metrics statistics to reduce PR size
FIXED: HTTP 404 for long operations such as PR generation of manual fw upgrade
ADDED: Allow excluding the system load statistics from PR file
ADDED: Allow accessing ACME server for multiple TEMPLATES
CHANGED: Treat empty subject attributes as well as empty SAN required by the server as "any" value for enrolling client-supplied CSR
CHANGED: Communicate invalid HWSIG and locked out user occurred during Kerberos authentication as failed KRB authentication towards KT agents

client-7.4.0, 19 January 2024
------------------------------
CHANGED: Signed binaries and MSI package with new KeyTalk company EV signing certificate

client-7.3.2, 16 November 2023
------------------------------
FIXED: ApplyOutlookSmimeSettings.ps1 script does not always correctly resolve temporary directory

client-7.3.2, 4 December 2023
------------------------------
FIXED: ApplyOutlookSmimeSettings.ps1 script does not always correctly resolve temporary directory

client-7.2.4, 01 October 2023
------------------------------
FIXED: Fix crash exporting private keys from found S/MIME certificates (Windows S/MIME certificate scanner agent only)

client-7.1.0, 08 May 2023
------------------------------
ADDED: Add separate agent build allowing to scan user S/MIME Outlook certificates and send them to KeyTalk. Contact KeyTalk to get the download link as it's not considered part of the primary release branch.

client-6.6.0, 25 April 2023
------------------------------
CHANGED: Exclude BIOS S/N from HW Description sent by Windows agent to KeyTalk server during RCDP session

client-6.5.0, 1 November 2022
------------------------------
ADDED: When requesting Pfx over RCDP, use Pfx key encryption format compatible with OpenSSL version in use by the agent
CHANGED: Always include CA trust chain in certificate received from the server, whenever available
ADDED: Sign PowerShell scripts

client-6.4.5, 30 May 2022
------------------------------
CHANGED: Digitally signed all PowerShell scripts

client-6.4.5, 19 May 2022
------------------------------
CHANGED: Pre-select "user certificate auto renewal" by default during upgrade (Windows client)

client-6.4.4, 25 April 2022
------------------------------
FIXED: Various minor issues

client-6.4.1, 25 March 2022
------------------------------
ADDED: Multi certificate template based certificate renewal support
ADDED: Windows system multi-user support for generating scheduled tasks
FIXED: Outlook automated configuration sometimes failed

client-6.3.2, 24 February 2022
------------------------------
ADDED: Allow fetching and installing historical S/MIME certificates along with the latest certificate from the server (requires minimally firmware 6.3.4)

client-6.2.9, 08 October 2021
------------------------------
NOTE: This version requires firmware 6.2.9 for KeyTalk CKMS!!
CHANGED: Access CA API over port 80 instead of 8000 for plain HTTP connections
CHANGED: No longer terminate when CA API is unavailable to fetch Extra Signing CAs

client-6.1.8, 17 August 2021
------------------------------
NOTE: This version requires firmware 6.2.8 for KeyTalk CKMS!!
ADDED: Support for GlobalSign AlphaSSL certificates (notice: requires KeyTalk virtual appliance firmware v6.2.7)
FIXED: IIS Binding validation for IP 0.0.0.0
FIXED: IIS Tasks not running properly in some cases

client-6.1.7, 6 July 2021
------------------------------
ADDED: Automatically fetch Extra Signing CAs from KeyTalk server and install them
CHANGED: Only open KT client once when automatically validating cert
FIXED: Invalid scheduled task name for User Certificate Renewal

client-6.1.6, 26 May 2021
------------------------------
CHANGED: Minor Ux changes to SES agent

client-6.1.5, 12 May 2021
------------------------------
CHANGED: Minor Ux changes to SES agent

client-6.1.4, 11 May 2021
------------------------------
CHANGED: Minor Ux changes

client-6.1.3, 06 May 2021
------------------------------
ADDED: User defined CN definition when requesting Class 2 S/MIME certificates, whereby the auth method is OTP (i.e. KeyTalk's Secure Email Service)
ADDED: Stand alone simplified KeyTalk Secure Email Service agent
CHANGED: Improved readability of KeyTalk certificate validation scheduled task

client-6.1.2, 03 May 2021
------------------------------
CHANGED: Misc Ux improvements
FIXED: Certificate validation scheduled task

client-6.1.0, 13 April 2021
------------------------------
ADDED: Secure Email App client offering simplified user experience compared to the regular Client
CHANGED: Misc Ux improvements

KeyTalk Windows client version 5.8.12, 17 March 2021
------------------------------
ADDED: OTP (One Time Password) authentication method with a temporary password sent by out-of-band channel

KeyTalk Windows client version 5.8.11, 15 December 2020 (Windows client only)
------------------------------
Changes wrt the previous version:
ADDED: ServiceUseClientOsLogonUser/Machine settings are now supported through master.ini (config file when no valid config is available)

KeyTalk Windows client version 5.8.10, 4 December 2020
------------------------------
Changes wrt the previous version:
ADDED: Add script to change the KeyTalk Certificate Validation Check scheduled task user
FIXED: Installation of KeyTalk Linux client on some RHEL8 distros
FIXED: MSI Silent Installer script fixed to accept username & password for the tasks-at-boot option

KeyTalk Windows client version 5.8.8, 30 October 2020
------------------------------
FIXED: Improperly appending email disclaimer in Outlook
FIXED: MSI Silent Installer would not allow install with both KeyTalk client config file (RCCD) and KeyTalk client server tasks

KeyTalk Windows client version 5.8.7, 21 October 2020
------------------------------
ADDED: Enrollment of GlobalSign DomainSSL certificates via KeyTalk Windows client
CHANGED: Improve automatic application (append) of Disclaimer to (existing) Signature for Outlook

KeyTalk Windows client version 5.8.1, 21 September 2020
------------------------------
CHANGED: Add ComputerName Changed type option to Task Settings (Windows only)

KeyTalk Windows client version 5.8.0, 08 July 2020
------------------------------
CHANGED: Add support for CMS, JKS, JCEKS on IBM Websphere HTTP server certificate management

KeyTalk Windows client version 5.7.10, 14 June 2020
------------------------------
ADDED: Support for certificate management on IBM Websphere HTTP server 9.x

KeyTalk Windows client version 5.7.5, 23 March 2020
------------------------------
ADDED: Support for automated configuration of Windows Outlook textual email signatures/Disclaimer upon successful fetching of an S/MIME certificate. Compatible as of Outlook 2010
ADDED: Support for multiple different Windows Outlook textual email signatures/Disclaimers, provided the email addresses are configured on Outlook
ADDED: Support for once every 2 hour validation of configured textual email signatures/Disclaimer, to overwrite potential changes made by a user to the disclaimer text
ADDED: Support for skipping textual email signatures/Disclaimer validation when no valid S/MIME certificate is present for a configured Outlook account

KeyTalk Windows client version 5.6.3, 1 October 2019
------------------------------
FIXED: Fix HWSIG hdd device instance ID crash when determining HardwareFootprint for device recognition purposes
ADDED: Added Machine Name verification and monitoring functionality when machine certificates are issued, and enabled automated authenticated revocation and renewal when machine name changed

KeyTalk Windows client version 5.6.2, 2 September 2019
------------------------------
- ADDED: Add Address Book To Address List
- ADDED: Detecting machine hostname, to support issuing and installation of machine certificates

KeyTalk Windows client version 5.6.1 20 August 2019
------------------------------
- ADDED: Additional CN options for LDAP Auth module to support user machine certificates
- FIXED: Fix pulled S/MIME / key-server LDAP address book 'url', 'port' and 'use SSL' for Outlook

KeyTalk Windows client version 5.6.0 07 July 2019
---------------------------
- ADDED: Added optional automated Outlook configuration for SHA256 and AES 256 based S/MIME email digital signing and encryption

KeyTalk Windows client version 5.5.8 24 June 2019
---------------------------
- ADDED: SNI support for multiple certificates coming from the same KeyTalk certificate template/service
- ADDED: Non-SNI support for multiple certificates coming from the same KeyTalk certificate template/service
- ADDED: Kerberos authentication support for Windows servers. Note that for SNI only 1 username exists Kerberos wise, so Kerberos cannot be used in combination with SNI whereby all certificates come from the same KeyTalk certificate template/service

5.5.7 19 June 2019
---------------------------
- FIXED: Removed IIS presence verification upon certificate management task creation

5.5.6 18 June 2019
---------------------------
- CHANGED: IIS is no longer a requirement when installing the client on Windows Server series
- CHANGED: IIS as a certificate fetch target is now selectable instead of mandatory when creating a certificate management task
- ADDED: Computer certificate store as a certificate installation target can now be enforced from the KeyTalk SERVICE certificate profile

5.5.5 15 May 2019
---------------------------
- FIXED: Prevent client Outlook error from showing when applyAddressBooks is not set

5.5.4 14 May 2019
---------------------------
- FIXED: Windows 10 / Windows Server 2016 support for Tasks in 32 bit KeyTalk client for Windows
- ADDED: 64 bit Windows client
- ADDED: Auto configure of KeyTalk LDAP secure email address book, when configured in a target KeyTalk virtual appliance S/MIME service

5.5.1 25 January 2019
---------------------------
- FIXED: Error importing RCCD file by Windows client when over 200 Windows services are in use

5.5.0 25 January 2019
---------------------------
- ADDED: Extend HWSIG with random number to support virtual environments and hardened physical hardware
- ADDED: Allow "certificate validity percentage" in absolute time
- FIXED: Windows 7 client support for certificate auto-renewal including Kerberos

5.4.0 22 October 2018
---------------------------
- ADDED: Allow using OS logon username as KeyTalk client username
- FIXED: KeyTalk client no longer removes S/MIME certificates

5.2.3 13 September 2018
---------------------------
- CHANGED: Always use system (IE) HTTP proxy settings for Windows Client connections
- CHANGED: Removed KeyTalk Internet Explorer add-on on Windows systems
- ADDED: Support for Kerberos (Windows domain) authentication

5.2.2 6 July 2018
---------------------------
- ADDED TPM 2.0 support for Windows 10
- ADDED virtual smart card support for Windows 10
- ADDED SNI support for Windows Server 2012R2 and 2016 as of IIS 8.5
- ADDED background based verification of certificate validity for non-IIS environments

5.2.1.p1 9 November 2017
---------------------------
- FIXED Client Config (RCCD) auto-enrolment url issue

5.2.1 14 September 2017
---------------------------
- ADDED Check CRL during auto updating of Apache/IIS SSL certificates
- ADDED Add self FQDN to the list of users in KeyTalk Windows IIS client configuration UI
- CHANGED Dropped support for http proxy on Windows and Linux clients as well as in RCCDs
- FIXED KeyTalk Windows IIS Client installation hangs during upgrade

5.2.0 16 May 2017
---------------------------
- FIXED minor bug in problem report generation

5.0.0 25 January 2017
---------------------------
- REMOVED support for <4.6.0 KeyTalk virtual appliance
- ADDED Enforces KeyTalk RESTful API over TLS communication.
- REMOVED support for older configuration files
- ADDED new style configuration (RCCD) based on YAML
- REMOVED RCCD signature verification due to Amazon Web Services store requirements

4.5.0 02 Mar 2016
---------------------------
- FIXED incorrect handling of corrupt or missing config file, when a master config template was present (note: requires update of the RCCD file for use on Windows based multi-user systems including RDP and Citrix)

4.6.1 02 Feb 2016
---------------------------
- ADDED support for public CAs
- FIXED minor known Windows compatibility issues

4.4.4 02 Dec 2015
---------------------------
- FIXED incorrect handling of empty Hot URL from RCCD

4.4.3
---------------------------
- FIXED client UI scalability for Ultrabook support
- FIXED misleading diagnostics when KeyTalk IE add-on is not installed
- ADDED Windows Server 2012 support
- ADDED IIS7 support

4.4.2
---------------------------
- CHANGED Windows XP and Vista are no longer supported by KeyTalk client
- FIXED KeyTalk Configuration Manager does not understand HTTP redirects
- FIXED Windows client fails to distinguish providers that differ in character case only

4.4.1
---------------------------
- CHANGED Hide provider IP settings from service selection view

4.4.0
---------------------------
- FIXED KeyTalk client does not use http_proxy environment variable any more
- ADDED Problem Report generator function in Information ToolTip
- ADDED RCCD config deletion option
- REMOVED KeyTalk word reference in client title bar

4.3.3 p2
---------------------------
- Compatible as of KeyTalk server 4.3.3
- FIXED IE failstop occurred under certain conditions
- FIXED Popup to close IE now correctly appears on top of the installer window
- ADDED extra logging such as client and server IPs in DEBUG mode

4.3.3
---------------------------
- Compatible as of KeyTalk server 4.3.3
- FIXED Improved Binary Hardening on Windows Client Executables
- FIXED KeyTalk client UI does not properly scale
- FIXED Improved crypto on client-keytalk handshake

4.3.2
---------------------------
- Compatible as of KeyTalk server 4.3.2
- FIXED Client-server protocol does not correctly handle credentials containing some non-ASCIIs
- FIXED Change key color in the KeyTalk client shortcut to white
- ADDED Full support for RADIUS SecurID protocol
- ADDED Both side clients-server RCDP version negotiation

4.3.1.production
---------------------------
- Compatible as of KeyTalk server 4.3.1
- FIXED [Usability] Not all information fits config manager screen
- ADDED Respect "user must change password at next logon" AD setting

4.3.0.production
---------------------------
- FIXED Misleading losing of focus by IE client
- ADDED Upgrade client without de-install
- ADDED Download package KeyTalk configuration
- ADDED Client compatibility Windows server 2003/2008/2012
- CHANGED Rebranding KeyMaster Client to KeyTalk
- CHANGED Rebranding KeyMaster Client tools to KeyTalk
- CHANGED Rebranding KeyMaster Server to KeyTalk

4.3.0.a1
---------------------------
- FIXED Opening ntp server page redirects to home when browsing with Google Chrome browser
- FIXED More descriptive error needed on WebUI when the imported license is signed with incorrect cert
- FIXED No way to select user during first phase of CR authentication
- ADDED Virtualize KT server to run on VMware
- ADDED Replicate more state between redundant RESEPT Servers in HA setup
- ADDED possibility to make binary backendauthd release
- ADDED Add “wmic bios get serialnumber” to the list of Windows desktop client HWID components
- ADDED Password expiration support for LDAP/AD
- ADDED KM Client shall support Windows 8
- ADDED DEVID reference to user-known device identity
- ADDED KeyMaster client LDAP/AD password change support
- ADDED Support for RADIUS CR and OTP authentication including EAP-TTLS, PEAP, EAP-MD5, LEAP, EAP-MSCHAPv2, EAP-GTC, EAP-TLS, SIM/AKA and OTP
- CHANGED Question mark in URL doesn't trigger RESEPT Client

4.2.0.p2
---------------------------
- CHANGED Changed default application and installer logos to KeyTalk

4.2.0.p1
---------------------------
- FIXED Error when restoring configuration

4.2.0
---------------------------
- ADDED Production license keys. Delivery package now can be made in 2 variants: with production (default) or demo license keys

4.2.0.b3
---------------------------
- FIXED It was possible to install RESEPT Client 4.2 on top of the already installed client version 4.3+ which resulted in corrupted installation since both products installed side-by-side

4.2.0.b1
---------------------------
- FIXED Error changing provider in multi-provider setup
- CHANGED Question mark in URL doesn't trigger RESEPT Client

4.2.0.b1
---------------------------
- CHANGED Ported HA mechanism from DEVID to RESEPT Server

4.2.0.a1
---------------------------
- FIXED Ambiguity with LDAP bind errors caused by invalid DN
- FIXED LDAP secure connection failing for AD
- ADDED Advanced logged in users information
- ADDED Client message to user on successful login
- ADDED Add admin GUI action confirmation button
- ADDED A possibility to do key ceremony via WebUI
- ADDED button to remove 10% of the oldest logged-in users to WebUI
- ADDED Show RESEPT Version on RESEPT Client
- ADDED Support for wildcarded subdomains in service URL
- ADDED Check for DNS validity
- ADDED Allow for per-NIC gateway configuration
- ADDED Web-partner interface for RCCD & license file creation
- CHANGED Descriptive names of cert/key files
- CHANGED Make more specific names for files downloaded from RESEPT Server to make them easier for an admin to identify
- CHANGED BHO doesn't check service of certificates, just the provider

4.1.0
---------------------------
- ADDED Possibility to upgrade the system by uploading the image to the server
- ADDED WebUI->main statistics on logged-in users