Due to an issue with certificate validation logic in the Windows Roaming Client (WinRC) versions 1.11.0 and 1.12.0, users running either of these two versions require a manual update of the Windows Roaming Client to the current version (1.13.0) to reinstate the auto-update capability and to ensure they are operating with the latest Windows Roaming Client features.
We offer two versions of the Windows client, DNSFilter Agent and DNS Agent (non-branded) — the non-DNSFilter-branded agent versions of 1.11.0 and 1.12.0 are not affected by this issue and will auto-update to new releases (e.g. 1.13.0) as they are deployed. If you wish to change an installation from branded to non-branded, be sure to uninstall the existing client to avoid problems from having both versions of the client running.
Update to release 1.13.0
To ensure Windows users with DNSFilter Roaming Client versions 1.11.0 and 1.12.0 continue to receive updated clients through auto-update, it is necessary to install the latest release 1.13.0 (or a subsequent release). Use one of the methods described below to perform an update.
Manual update
Download and install the latest MSI from the deployments page.
Command-line update
Copy the Site Secret Key
Verify your SITESECRETKEY is copied as it appears directly from your dashboard (Deployments > Roaming Clients > Install tab).
To perform a silent installation of the Roaming Client with all default options, run the command below in an administrative prompt.
msiexec /qn /i "C:\path\to\DNSFilter_Agent_Setup.msi" NKEY="SITESECRETKEY"
Refer to the information on Command-line (silent) installation for additional command-line options.
PowerShell script update
Copy the Site Secret Key
Verify your SITESECRETKEY is copied as it appears directly from your dashboard (Deployments > Roaming Clients > Install tab).
When using an RMM or other tool to install the Roaming Client, below is a useful PowerShell script that will download and install the Roaming Client without the need to distribute the MSI file to the computers.
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Invoke-WebRequest -Uri "https://download.dnsfilter.com/User_Agent/Windows/DNSFilter_Agent_Setup.msi" -OutFile "C:\temp\DNSFilter_Agent_Setup.msi"
msiexec /qn /i "C:\temp\DNSFilter_Agent_Setup.msi" NKEY="SITESECRETKEY"
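A variant of the script above for RMM use, added here as an example and not DNSFilter's own script: it acts only on the affected versions 1.11.0 and 1.12.0 and checks the installer's Authenticode signature before running it. The DisplayName match and the publisher pattern are assumptions to confirm against your own installs.

```powershell
# Added example, not DNSFilter's own script. Assumed values are marked.
$Url       = "https://download.dnsfilter.com/User_Agent/Windows/DNSFilter_Agent_Setup.msi"
$Msi       = Join-Path $env:TEMP "DNSFilter_Agent_Setup.msi"  # per-account temp folder
$SiteKey   = "SITESECRETKEY"        # replace with the key from your dashboard
$Publisher = "*DNSFilter*"          # assumption: confirm against a known-good installer
$Affected  = @("1.11.0", "1.12.0")  # versions named in this article

# Look for the branded agent in the standard uninstall registry keys.
# Assumption: the product's DisplayName contains "DNSFilter Agent".
$keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$agent = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*DNSFilter Agent*" } |
    Select-Object -First 1
if (-not $agent) { Write-Output "DNSFilter Agent not found; nothing to do."; exit 0 }

# Compare on major.minor.build so a four-part DisplayVersion still matches.
$ver = ($agent.DisplayVersion -split '\.')[0..2] -join '.'
if ($Affected -notcontains $ver) {
    Write-Output "Installed version $ver is not an affected version; nothing to do."
    exit 0
}

Invoke-WebRequest -Uri $Url -OutFile $Msi -UseBasicParsing

# Check the Authenticode signature before handing the file to msiexec.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $Publisher) {
    Remove-Item $Msi -Force
    Write-Error "Signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
    exit 1
}

# Install silently and wait, so the RMM tool sees the real exit code.
$msiArgs = "/qn", "/i", "`"$Msi`"", "NKEY=`"$SiteKey`""
$p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success with reboot required (standard Windows Installer codes)
if ($p.ExitCode -notin 0, 3010) { Write-Error "msiexec failed: $($p.ExitCode)"; exit $p.ExitCode }
Write-Output "Updated from $ver; installer signed by: $($sig.SignerCertificate.Subject)"
```

Run it from an elevated or SYSTEM context, as with the script above.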
Entra ID (formerly Active Directory) update
The WinRC can be mass distributed via Entra ID by creating a Group Policy Object (GPO). Using Microsoft Transform (MST) files, integrate any of the command-line options listed above with the installer.
The installation procedure for the Roaming Client is based on the standard method of using Group Policy.
- Create a distribution point for the MSI and MST files. This is done by creating a shared network folder on Windows Server
- Generate an Orca transform. This is an MST file containing the Site Secret Key (SSK) for the building location you would like the clients to associate with and any custom tags you would like to attach to the client. You must generate a new transform file for different locations to use the SSK only for a particular site. Otherwise, the clients will all be associated with one network. (Note that the Orca tool can be obtained for free from the Windows SDK)
- Create and Assign GPOs. For each location (and for each unique configuration), create a GPO which is linked to your desired OU for that network. Assign the MSI and MST files using the “Advanced” deployment method
Background
The certificate for our DNSFilter branded WinRCs 1.11.0 and 1.12.0 expired in early March. The certificate is used during the installation to ensure the software being installed is from DNSFilter. To make certain we had released a version with an up-to-date certificate for all new installs, we released WinRC 1.12.1 on March 8th with no changes from 1.12.0 except with an updated installation certificate.
When the original certificate expired (and after our 1.12.1 release), we discovered that the Windows trust function, used to revalidate our new certificate, had an undetected bug. Specifically, this means the auto-update capability now fails to install new versions when running DNSFilter WinRC versions 1.11.0 and 1.12.0.
Unfortunately, we are unable to resolve the issue without a manual or pushed update to the roaming client itself. This means that DNSFilter branded WinRC 1.11.0 and 1.12.0 installs will not auto-update to newer releases and therefore require a manual or pushed installation to restore the auto-update capability. Our latest release, 1.13.0, fixes the issue, and the Windows Roaming Client is able to receive subsequent releases as expected through auto-update.
We apologize for this inconvenience. To prevent these issues from reoccurring we have made changes to our testing process to ensure future compatibility with new installation certificates when they are required.
FAQ
Q. Why have some agents auto-updated?
A. Only the DNSFilter branded WinRCs 1.11.0 and 1.12.0 were impacted. Users on earlier versions and users of the whitelabel DNS agent were not impacted.
Q. What happens if I don’t update beyond my current version?
A. You will miss out on new features and capabilities as they’re developed. Watch the Roadmap and Changelog to keep informed.
Q. Do I have to do this immediately?
A. No. If you were waiting on a big fix that was released with v1.13.0, you may want to prioritize this sooner rather than later, though. For example, v1.13.0 reduced the frequency of the RC querying the Windows domain controller for retrieving local user details, which should reduce CPU load on the domain controller.
Q. What caused this? Why didn’t DNSFilter catch this?
A. See the Background section. In short, after it was too late, we discovered that the Windows trust function, used to revalidate our new certificate, had an undetected bug.
Additional Help
In need of additional assistance? We have a number of resources available.
- DNSFilter Community. Make a post to ask questions related to this issue
- DNSFilter knowledge base, including articles on Windows Roaming Client deployments and Windows Roaming Client commands
- Contact our Support team with any other requests or issues not resolved by these other resources