What's new in version 2025.2?
Please find the bug fixes in version 2025.2 in
Please note that some issues may cause a change in product behavior when you install the update. Before updating, make sure to check your settings to see if your existing environment is affected. These topics are marked with the
icon.
The major version 2025.2 contains the following new features, general improvements and changes.
Application Control (AC)
- Added two new optional columns in the rule overview in the DOC: 'Date created' and 'Date modified'. These enable better traceability of the rule history and facilitate the maintenance of complex sets of rules.
- AC now uses the access permissions of the evaluated process, e.g. when calculating hashes for network paths. (Reference EI-2991)
- The obsolete setting "Upload local whitelist to DriveLock Enterprise Service" has been removed from the configuration area Applications > Settings. It is still displayed if it is already set in an existing policy.
- Extended process evaluation: The check now also applies to non-service-based processes and their child processes.
- There is a new setting to control when signatures are accepted.
- As of version 25.2, multiple filter conditions can be configured within a single rule in Application Control. This makes it possible to consolidate previously separate rule combinations into a single Application Control rule – improving clarity and simplifying rule management.
- The command line support in the Application Behavior Control (ABC) has been extended:
  - Command line checks can also be carried out for rules with several target objects.
  - There is a new comparison type "matches" for the use of wildcards in addition to "contains".
  These extensions only apply to ABC rules with the "Execute" access mode.
Defender Management
- A new option in the Defender dialog in the DMC now makes it possible to manually trigger a Defender offline scan.
- The following rules have been added to the list of predefined rules: (Reference EI-2940)
  - Block rebooting machine in Safe Mode
  - Block use of copied or impersonated system tools
BitLocker Management
- A new policy option enables the automatic suspension of the BitLocker or DriveLock PBA logon during a Windows system update. The PBA is automatically reactivated after the restart.
- An event is now generated when BitLocker encryption is suspended, and another when it is resumed. Users are notified upon suspension, and the current status is visible in the DOC under Computer properties -> Volumes.
- The post-encryption notification dialog for BitLocker Management and Disk Protection can now be disabled via policy setting.
- Remote wipe now also supports system partitions encrypted with BitLocker PBA or BitLocker TPM only.
- You can now specify which TPM registers are set for BitLocker encryption. The only exception is PCR 11, which is always enabled.
- BitLocker recovery with key ID: When recovering BitLocker-encrypted drives via the key ID in the DOC, a password can now be entered for certificate access. (EI-3048)
Device Control (DC)
- The temporary unlock functionality has been significantly enhanced:
  - The unlock wizard now supports temporary unlocks.
  - Custom device classes can now be unlocked temporarily.
  - Individual drives or devices can be unlocked selectively.
  - Multiple temporary unlocks can be active at the same time.
- Event 787 is now generated instead of event 111 when a drive is completely blocked.
- Drive and device control can now be enabled separately in the DOC. Important: Until all DriveLock Agents have been updated to version 25.2, both settings must remain identical to ensure consistent behavior.
Disk Protection
- The automatic suspension of the DriveLock PBA logon during Windows system updates is now also available for Disk Protection.
DriveLock Agent
- The DriveLock Agent has been improved with regard to the handling of permissions.
- Support for LDAPS connections for Agent and MMC: The DriveLock Agent and the MMC now support LDAPS connections over port 636 by default, provided the system requirements are met. Otherwise, LDAP queries will continue to use port 389, with SSL encryption where possible. Note: A valid certificate must be installed on the domain controller, and port 636 must be open.
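
A readiness check for the LDAPS prerequisite in the note above, as an added example that is not DriveLock code: it confirms that port 636 on a domain controller accepts TLS and presents a certificate the local trust store accepts. The host name dc01.example.test and the 30-day expiry warning are assumptions, "valid" is read here as trusted chain, matching host name and current validity period, and the sample certificate is constructed.

```python
import socket
import ssl
import time

LDAPS_PORT = 636  # LDAPS port named in the release note

# Constructed sample in the dict shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def assess_certificate(cert, now=None, warn_days=30):
    """Return validity-period findings for a getpeercert() dict; [] means none."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif not_after - now < warn_days * 86400:
        findings.append("expires within %d days" % warn_days)
    return findings


def check_ldaps(host, port=LDAPS_PORT, timeout=5.0):
    """Connect to host:port with TLS and return a list of findings; [] means ready."""
    # The default context verifies the chain against the system trust store
    # and checks that the certificate matches the host name.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_certificate(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ["certificate rejected: %s" % exc.verify_message]
    except OSError as exc:  # refused, filtered, timed out, or TLS handshake failed
        return ["port %d not usable: %s" % (port, exc)]


if __name__ == "__main__":
    # dc01.example.test is a placeholder; pass the FQDN of a real domain controller.
    for finding in check_ldaps("dc01.example.test") or ["LDAPS ready"]:
        print(finding)
```

Run it from a machine that trusts the same certification authority as the endpoints, since the result depends on the local trust store.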
DriveLock Enterprise Service (DES)
- Server Setup Wizard: If the database compatibility level cannot be checked, there is now an option to continue the installation anyway.
- A new option is now available in the Server Setup Wizard to automatically perform database maintenance after a database update. This option is activated by default and helps to avoid potential performance problems that can arise due to a lack of maintenance.
- Improved event data validation with agent identity verification enabled: Incoming event data is now more reliably validated and filtered when agent identity verification is active.
- New output of the syslog in JSON format: The forwarding of events via syslog is now also possible in JSON format. This structured format facilitates processing by SIEM systems.
- The protection of agent identity has been further improved to reliably prevent unauthorized access - e.g. through man-in-the-middle attacks.
- Improved security when uploading trace data: Only ZIP archives can now be uploaded via the upload interface for trace data.
- The DES now prefers Secure LDAP via port 389 for LDAP access.
- Security improvements have been implemented in the areas of tenant name validation and system information access control.
- Deprecated or unused methods have been removed from the DES SOAP interfaces.
DriveLock Operations Center (DOC)
In version 25.2, numerous improvements were made to the DriveLock Operations Center (DOC) user interface to enhance usability and clarity.
- User and tenant information in the header: The header of the DriveLock Operations Center (DOC) now always displays the logged-in user and the current tenant.
- External links can now be executed via an object’s context menu and can also be imported and exported.
- Extended printing options for reports: Reports can now also be output in A3 format and landscape format. This makes it much easier to display and print large tables and diagrams in particular.
- In the configuration area ("workspace") of the Security Controls in the DOC, the view settings can now be exported and imported individually or collectively. This makes it easier to back up customized views and transfer them between tenants.
- All view-related settings have been consolidated under a new menu item (Configure views). The associated dialogs have been simplified for improved usability.
- The object picker dialog has been redesigned. Thanks to paging and improved filters, large object lists can now be searched much more efficiently.
- The column selection dialog has been redesigned to offer a clearer structure, with categories and improved search and filtering options.
- Context menus for linked objects: Right-clicking on linked objects in list views now displays the appropriate context menu (e.g., computer menu).
- Context menus for grouped items: Items representing a specific object (e.g., computer or user name) now show the full context menu for that object.
- It is now possible to select multiple entries in the computer or user view and add them directly to a new DriveLock group. The name and description of the group can be entered in the wizard.
- Temporary unlock in DOC: Computers can now be temporarily unlocked directly in the DriveLock Operations Center (DOC) - without opening the classic DMC interface. This also applies when responding to unlock requests.
- The management of dashboards and widgets has been comprehensively revised and significantly extended. For more details, see Dashboard and widget management.
  - Introduced a redesigned widget selection dialog with categories, filters, search, and preview.
  - Regular dashboard widgets can now also be used in detail views.
  - Widgets can now be created based on additional, shared schemas.
  - Diagram ('drilldown') widgets and the expert mode have been revised. The configuration interface for drilldown widgets and expert queries has been redesigned for improved clarity, with better filtering and search capabilities.
  - The detail view now supports context-aware widgets such as computer, user, or device widgets, and is easier to configure.
  - Improved Arrange My Dashboards dialog: Drag-and-drop is now clearly left-to-right, and a text search has been added.
DriveLock policies
- Assignments can now be created directly via the toolbar or context menu in the policy view. They appear at the end of the list in the Policy assignments tab and become visible after switching to that tab.
- The policy, policy version, and policy assignment views in the DOC can now optionally display a column showing how many computers have reported the respective policy.
- A widget can now be added to the policy detail view to display which computers have received the selected policy.
DriveLock environment
- New schema extensions available: In the Backend -> Schema extensions area, additional properties can be defined for the Users, Computers, Drives, Devices and Software schemas. These can be maintained via the scripting API or manually in the user interface.
- Schema extensions can also be imported and exported.
- Properties can now be edited not only via the scripting API, but also directly on the respective objects. This means that a separate API action is no longer required.
- Newly defined properties can now also be used as filter criteria in dynamic computer groups.
Linux Agent
- IgelOS: The agent now reports the correct user name, even if the user is not logged on to the domain.
- If a temporary unlock request is denied by an administrator, Linux endpoints can now display a custom message explaining the reason for the denial. This provides immediate feedback to users about their request.
- Linux clients now support configuring access permissions with the “Block with exceptions” option. This allows blocking access to drives or devices while granting access to specific users or groups – including AD users if AD integration is enabled.
- DriveLock Agents on Linux now correctly recognize AD users when the system is joined using Samba Winbind, enabling accurate user-based access control for AD environments.
- The DriveLock Agent now supports file filter configuration within drive rules on Linux. This enables fine-grained control over access to individual files without blocking the entire device.
Licenses
- In addition to managing licenses, certain modules can now also be activated directly in the DriveLock Operations Center (DOC). Switching to the DriveLock Management Console (DMC) is no longer necessary – provided that the settings for the module are already available in the DOC. For all other modules, activation must still be performed via the DMC.
macOS Agent
- Drive control now supports user- and group-based rules — including Active Directory users and groups.
Security Awareness
- Two new widgets are now available for user-defined Security Awareness campaigns in the user dashboard.
Self-service
- In the DOC, self-service rules can now define not only a maximum unlock duration, but also a default unlock duration. This default is preselected for users but can still be adjusted.
Encryption
- Starting with version 25.2, the DriveLock Operations Center (DOC) fully supports the configuration of all three Encryption 2-Go types – Container Encryption, File Protection, and BitLocker To Go. For each type, the following configuration options are available:
  - Settings
  - Recovery rules
  - Enforced encryption
  These configuration options are available via the respective tabs in each section.
- The behavior of the general encryption settings in the DOC has been revised. Configuration now differs slightly from the DMC. Note: If older agent versions are still in use, care must be taken, as not all settings may be fully supported.