This article summarizes the features and enhancements of the Windows Client.
In addition, it also lists the known limitations.
Admins and users can easily download the Client from the Client download portal without requiring authentication.
For more information about the requirements to implement Cato's remote access in your organization, see Installing the Cato Client.
During the week of July 1, 2025, we are starting the rollout of Windows Client version 5.16. This version includes:
-
Updates the Client embedded browser to Chromium version 135.0.220
-
Additional bug fixes and enhancements
ID |
Description |
Severity |
Impacted Versions |
---|---|---|---|
136449 |
Users sometimes received a fatal exception error, causing the Client to stop working. This occurred after users rebooted their computers. |
Critical |
5.15, 5.14 |
136300 |
When Always-On and PreLogin were enabled on Windows endpoints, devices retained full Internet connectivity even while the Cato Client was in Limited Access mode. This occurred during the authentication process, specifically before MFA was completed. Users were able to access the Internet after dismissing the MFA prompt and before initiating a full VPN connection. |
Critical |
5.15, 5.14 |
131251 |
Improved the connection time after detecting if users are on a trusted or untrusted network. |
Critical |
5.14 |
136943 |
Users sometimes received the following error message:
This caused the Client to stop working. |
High |
5.15, 5.14 |
130451 |
Connection Failed error messages appeared even after the Client was connected. |
High |
5.15 |
During the week of May 19, 2025, we are starting the rollout of Windows Client version 5.15. This version contains:
-
Advanced Device Posture Collection: To improve performance when connecting, Device Posture is now collected continuously, even before connecting. After connecting, the Client continues to collect the Device Posture to ensure it remains up-to-date.
-
Additional bug fixes and enhancements
ID |
Description |
Severity |
---|---|---|
104446 |
When there was an error with the embedded browser, the page was stuck with a blank white page. |
Critical |
119923 |
When the client received a token with user ID that is different from the stored user ID, it didn't update the token, which caused the authentication process to fail. |
Critical |
122274 |
When uploading a file while connected to the Windows Client, the Client would reconnect. |
High |
ID |
Description |
Severity |
---|---|---|
136943 |
Users on Cato Client for Windows v5.15 and v5.14 might receive the following error:
This error causes the Client to stop working. |
High |
136449 |
Users on Cato Client for Windows v5.15 and v5.14 might experience a fatal exception error, causing the Client to stop working. This occurs after users reboot their computers. |
Critical |
136300 |
When Always-On and PreLogin are enabled on Windows endpoints, devices retain full Internet connectivity even while the Cato Client is in Limited Access mode. This occurs during the authentication process—specifically, before MFA is completed. Users are able to access the Internet after dismissing the MFA prompt and before initiating a full VPN connection. |
Critical |
During the week of March 17, 2025, we are starting the rollout of Windows Client version 5.14. This version contains bug fixes and enhancements.
In addition, Windows Client 5.14 installs a driver to support Anti-Tampering. This driver is not loaded unless you enable Anti-Tampering. For more information, see Working with Anti-Tampering for the Cato Client (EA).
ID |
Description |
Severity |
---|---|---|
136943 |
Users on Cato Client for Windows v5.15 and v5.14 might receive the following error:
This caused the Client to stop working. |
High |
136449 |
Users on Cato Client for Windows v5.15 and v5.14 might experience a fatal exception error, causing the Client to stop working. This occurred after users rebooted their computers. |
Critical |
136300 |
When Always-On and PreLogin are enabled on Windows endpoints, devices retain full Internet connectivity even while the Cato Client is in Limited Access mode. This occurs during the authentication process—specifically, before MFA is completed. Users are able to access the Internet after dismissing the MFA prompt and before initiating a full VPN connection. |
Critical |
From January 5, 2025 we started the rollout of Windows Client version 5.13. This version contains:
-
The following DEM enhancements are now supported with this version:
-
Underlay Performance Monitoring in Socket Last Mile: Identify and diagnose out-of-tunnel issues that could impact last-mile performance
-
Use Multiple Devices: DEM hardware metrics are now grouped by device name, helping you easily understand the performance of each device when there are multiple devices for the same user
-
Support for Different LAN Gateways: LAN gateway probes are now grouped by LAN gateway IP, letting you easily understand the performance of each LAN gateway when different gateways are present at different timeframes
-
-
Bug fixes and enhancements
From November 3, 2024, we started the rollout of Windows Client version 5.12. This version contains:
-
Bug fixes and enhancements, including:
-
Enabling the Always-On policy with the registry key blocked access to Microsoft Self-Service Password Reset from the lock screen
-
From August 16, 2024, we started the rollout of Windows Client version 5.11.9. This version contains:
-
Bug Fix:
-
Resolved a connectivity issue impacting topologies that include a misconfigured DNS setting on the device network adapter set with an IPv6 address that does not respond
-
From July 14, 2024, we started the rollout of Windows Client version 5.11. This version contains:
-
IPv6 Support for Last Mile Connection: Users can connect remotely over ISPs that provide last-mile IPv6-only connections. Both IPv6 and IPv4 connections are now supported.
-
Authenticating with Windows Credentials Supported on Azure Hybrid AD Joined Devices: Users on Azure Hybrid AD Joined Devices can authenticate with their Windows credentials for an improved user experience. You can configure the Client to launch, add a user, authenticate, and connect without any user action. Azure AD with MFA is now also supported.
-
New Cato Root Certificate: We added a new root certificate that is automatically installed on the device with the Cato Client.
-
The new certificate is called Cato Networks Root CA and expires in March 2034.
-
The previous certificate is from 2015 and is called Cato Networks CA. It will expire in Oct 2025.
-
-
Bug Fix:
-
If a login attempt failed, in some cases users were unable to connect to the network
-
From June 6th, 2024, we started the rollout of Windows Client version 5.10.34. This version contains an important security update and bug fixes. For details of the updates, see these articles:
-
CVE-2024-6978 Windows SDP Client: Local root certificates can be installed by low-privileged users
-
CVE-2024-6977 Windows SDP Client: Sensitive data in trace logs can lead to account takeover
-
CVE-2024-6974 Windows SDP Client: Local Privilege Escalation via self-upgrade
-
CVE-2024-6975 Windows SDP Client: Local Privilege Escalation via openssl configuration file
-
CVE-2024-6973 Windows SDP Client: Remote Code Execution via crafted URLs
From February 12th 2024, we started the rollout of Windows Client v5.10. This version contains:
-
User Notifications for CASB and DLP: The device displays a notification to the user when their activity is blocked by App Control or Data Control rules. This educates the user about which app was blocked and why.
-
Improved Client messages for failed upgrades and token expiration
-
Stability enhancements, including Pre-login mode
-
Bug fixes
From November 20th, 2023, we started the rollout of Windows Client version 5.9. This version contains:
-
New Experience for Secured Remote Internet Access (Early Availability): We are introducing new features that transform the user experience for secured Internet access. Users can benefit from Internet security based on a one time authentication and Always-On can be used while ensuring business continuity:
-
Remote Internet Security with One Time Authentication: For secured Internet access, remote users only need to authenticate once.
-
Cato Security policies are always enforced for Internet traffic with this mode, users have continuous access without needing to re-authenticate.
-
-
New Bypass Mode for Always-On: Users can temporarily access the Internet without waiting for admin approval. Users provide a reason in the Client and they can temporarily bypass Always-On and disconnect the Client.
-
The duration of the bypass can be configured by administrators
-
-
Always-On Recovery Mode: Users can access the Internet if a connection to the Cato Cloud is unavailable. For example, if a Captive Portal prevents the Client from connecting to the Cato Cloud, users can still access the Internet. However, Cato security is bypassed.
-
-
Device Posture Check Improves Security Posture: You can now include a check for DLP within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies.
-
Client UI Improvements: We have updated the Client UI, to display:
-
A message if the Client experiences issues establishing a connection to the Cato Cloud
-
The indication if Always-On is enforced is moved to the Settings page
-
-
Updated Vendors and Versions for Device Posture Checks: We updated the OPSWAT framework used by the Client to version 4.4.3.3714
Windows Client version 5.8 was uploaded to the Client download portal on September 14th, 2023, and includes:
-
SDP Users With Always-On Can Authenticate to a Captive Portal by Default: Captive Portal Detection temporarily bypasses Always-On to allow login to the Captive Portal. This feature is enabled by default.
-
The Captive Portal Detection checkbox is removed from the Settings page in the Client
-
No impact to SDP users that don’t connect to a captive portal, or aren’t using Always-On
-
-
SDP User Authentication is No Longer Required Behind a Site: To simplify the user experience for SDP users behind a site, the Windows Client can connect automatically in Office Mode without SDP users manually authenticating. There is no impact on Security and User Awareness policies.
-
Supported on Windows Client v5.8 and higher
-
This replaces the previous behavior where, behind a site, authentication was required but had no impact on Security or Access policies
-
-
Updated OPSWAT OESIS Framework: We updated the OPSWAT OESIS framework used by the Client to version 4.3.3644
-
Upgrade OpenSSL Library: We upgraded the OpenSSL Library used by the Client to version 3.1.1
-
Upgraded Chromium version: We upgraded the Chromium version used by the embedded browser in the Client to version 107.1.120
-
New User Interface: We improved the Client’s user interface so that it is even more intuitive and easy to use
-
Known Limitation:
-
When the Client is in Office Mode, the Connect button in the Client is disabled, however users can click Connect from the system tray icon and may be required to re-authenticate
-
When a user is configured for Connect on Boot only (not with Always-On), they are sometimes prompted to re-authenticate even when connected behind a Cato site. This is a UI issue, and users can ignore and close the authentication prompt, and connect to the network in Office Mode (the Client shows Office Network).
-
Windows Client version 5.7 was uploaded to the Client download portal on August 7th, 2023 and includes:
-
Device Posture for SDP Users in the Office: The Device Posture Profiles and Device Checks are now also applied for SDP users in the office behind a site (connected to the network). This lets you apply the same security level by enforcing the same device requirements whether SDP users are working from home, or in the office.
-
SDP User Feedback: To help us continually improve our remote access, SDP users can now provide feedback to Cato from within the Client.
-
Every few months, users are prompted to give a rating and comments
-
SDP users can also manually provide feedback at any time
-
-
Improved Client Resiliency with Rapid Reconnect: The Client infrastructure now includes multiple tunnels to provide redundancy. So, if there’s an issue, there is minimal packet loss and negligible impact to the SDP user experience.
-
Enhanced Client PoP Selection: We improved the PoP selection process to better consider multiple factors including geography and availability. The Client now more accurately selects the best PoP to connect to.
-
Ensure the following URLs can be accessed to use this feature:
-
https://network-segmentation.catonetworks.com
-
https://ip2location.catonetworks.com/pub/getMyLocation
-
-
The rollout for the gradual upgrade for Windows Client version 5.6 started on February 6th, 2023, and includes:
-
Improved Out-of-the-Box-Security:
-
Deploying Clients with Always-On Enabled: You can automatically enable Always-On for new Client installations so that users will not have Internet access until after they are authenticated.
-
Automatically Show Client when the Device Starts: To let an SDP user set up a new device and easily find the Client and then Connect to the network, you can now use a registry flag to define if the Client app automatically opens or not.
-
-
Exclude Network Ranges from LAN Blocking: Use the Split Tunnel feature with LAN Blocking to define subnets that are excluded from the tunnel. For example, this lets a device connect to a LAN printer even though LAN Blocking is enabled.
-
Enhanced Windows Client Upgrade Process: We added roll-back functionality to the Client, and if there’s an issue during the upgrade, the Client automatically rolls back to the previous version.
-
The Client automatically upgrades to the next minor Client version when it is available
-
-
Improvements to Client Self Service: When using Self Service to troubleshoot the Client, now includes data from the Cato Cloud in addition to the local device.
Windows Client version 5.5 was uploaded to the Client download portal on December 15th, 2022, and includes:
-
Client Self Service: SDP users can now take steps to support the troubleshooting of issues with the Client.
-
SDP users can now record and then reproduce an issue that occurred with the Client. The traffic capture and log files can be uploaded to Cato Support for further analysis
-
SDP users can clear cookies from an embedded browser used for authentication
-
-
New Client Installer: We are introducing a new installer for the Client that includes improved stability for the upgrade process.
-
Bug fixes and enhancements
Windows Client version 5.4 was uploaded to the User Portal on September 19th, 2022, and includes:
-
Support for First Upgraded Users for Client Upgrade
-
Improved error messages in the Client for SDP users which better explain connectivity issues
-
Bug fixes:
-
When the Client is in Office Mode, it now uses the PAC file of the local system instead of the PAC file defined in the Cato Management Application
-
Windows Client version 5.3 was uploaded to the User Portal on April 18th, 2022, and includes:
-
SDP Users Can Enjoy SSO Simplicity and with Security of Never-Off: Cato Clients now support the ability to authenticate with Single Sign-On (SSO) at the same time that the Client Access Connectivity policy is set to Never-Off. Read more.
-
You can configure SSO and Never-Off for the entire account or for specific SDP users.
-
-
Enhanced Re-authentication Experience: A notification lets users know that the SSO or MFA session will soon expire and allows them to seamlessly re-authenticate
-
Bug fixes:
-
Computers recovering from sleep mode were unable to connect to the Cato Cloud
-
For Windows Clients with Never-Off enabled and behind a Socket, the user couldn’t use Office Mode to connect
-
Sometimes the Client didn’t reconnect when moving between different networks, such as cellular to WiFi
-
After the MFA session expires, the OS browser didn’t open the authentication page
-
-
For known limitations for this version, see details below.
Windows Client version 5.2 was uploaded to the User Portal on February 27th, 2022, and includes:
-
Improved SDP User Experience with Browser Authentication: We updated the Authentication screen (Access > Client Access > Authentication) so you can select the Browser Authentication experience for your users and use the in-Client browser or the external default OS browser. Read more.
-
Enhancements:
-
Enhancements for Client SSO authentication and support for Internet Explorer as the OS browser
-
Device Posture enhancement, periodic checks that devices are compliant with the Device Posture policy
-
Cato authentication server supports CA issued certificates (non-self-signed)
-
-
For known limitations for this version, see details below.
Windows Client version 5.0 was uploaded to the User Portal on October 24th, 2021, and includes:
-
Improved SSO Workflow: Windows Client version 5.0 introduces an improved SSO authentication workflow that enhances the user experience to log in directly to the Client.
-
Support for Windows 11: Cato officially supports Windows 11
-
For known limitations for this version, see details below.
This section lists known limitations that apply to all the Windows Clients version 5.2 and higher.
-
For deployments with a third-party proxy, Internet Explorer is not supported as the default browser.
-
Configure a different default browser on the device.
-
This section lists known limitations that apply to all the Windows Clients version 5.0 and higher.
-
This Client version uses the 85.255.31.1 IP address as part of the infrastructure to support Single Sign-On (SSO)
-
Make sure that this IP address is NOT blocked by any third-party anti-malware software
-
-
For accounts that use Azure Conditional Access, please set the Browser Authentication to External Browser (Access > Client Access > Authentication) For more information about Browser Authentication, see Configuring the Authentication Policy for Cato Clients
-
Set Browser Authentication to internal In-Client Browser to authenticate to OneLogin
-
For OneLogin SSO, we recommend that you use the internal in-Client browser. When Browser Authentication is set to External Browser, if the browser window or tab is closed, the end-user can't authenticate to OneLogin
-
Windows 8.1 OS is only supported when all the newest Microsoft updates and patches are installed
-
Automatic Upgrade for Windows Servers is currently not supported
-
Automatic Upgrade for the Windows Client version 5.0 is disabled for hosts that use the Windows Server operating system and the Trusted Browsing feature on the Windows Server blocks the Client from authenticating
-
Solution: To use Windows Client v5.0 on a Windows Server you can use one of the following solutions and then install or upgrade the new Client version:
-
Allowlist the domains for your IdP for Trusted Browsing
-
Disable the Trusted Browsing feature
-
-
-
In some cases, for Windows devices with the Intel Killer Wireless NICs, after the Client connects to the network all traffic is blocked
-
Workaround: Disable the Killer Network Service on the Windows device, and then use the Cato Client to connect to the network
-
-
When using TAP virtual adapter, the MAC address of the Cato virtual adapter in the Client is randomly generated and isn’t guaranteed to be unique across the Clients in your network. Sometimes the MAC address isn’t shown for the virtual adapter.
-
When the MAC address is required, we recommend that you use the MAC address of the physical device instead of the Client virtual adapter.
-
-
If you change the default installation folder, during a Client upgrade or if you delete the Client, other files within the directory are deleted. If you add items to the default installation folder (C:\Program Files\Cato Networks\) they are deleted during a Client upgrade or if you delete the Client.
-
If IP routing is enabled on the device, the Client cannot authenticate.
-
Workaround: Disable IP routing on Windows. For more information, see IP Routing Prevents Windows Client Authentication.
-
3 comments
Updated Windows Client v5.11 to include new Cato root certificate
When is this certificate available in the Certificate Management part of the Cato portal?
Windows Client v5.16 its checked with Proper posture check , 5.15 is not released proper posture check .
Please sign in to leave a comment.