What's New and Changed in 25.2.40-VEN
Before upgrading to Illumio Core 25.2.40-VEN, familiarize yourself with the new and modified features in this release.
Resilient interface classification when PCE-based NLA is unavailable
Beginning in VEN release 25.2.40, Endpoint VENs maintain resilient workload interface classification when the PCE’s Network Location Awareness (NLA) service is temporarily unavailable or unreachable, which keeps policy enforcement consistent in environments where NLA is required. The VEN continues operating using the last known corporate or external interface classification, preserving security posture and policy alignment across transient network interruptions or service restarts.
This behavior persists across VEN restarts and is fully observable through explicit logging. The VEN refreshes interface classification and logs the transition, all without requiring administrator intervention.
Windows Domain Detection
In releases before 25.2.40, the VEN relies primarily on machine‑wide connectivity changes to infer domain presence, which can lead to delayed classification in multi‑network scenarios like VPN plus Wi‑Fi, DNS misconfiguration, or dramatic changes in network connectivity.
VEN 25.2.40 and later releases improve domain detection and interface classification by shifting the source of truth from machine-level connectivity signals to a broader per‑network classification. Instead of reacting only to high‑level connectivity changes, VEN 25.2.40 and later subscribe to another sink interface (NetworkEvents) to report finer-grained network connectivity profile changes. This allows the VEN to immediately detect when a specific adapter transitions in or out of a domain‑authenticated state, aligning more closely with how Windows Firewall and WFP profiles are evaluated.
In practical terms, this change makes domain awareness more reliable in real‑world endpoint conditions, especially for mobile and VPN‑connected workloads. The VEN can now better handle scenarios where domain membership and active network reachability diverge, reduce misclassification caused by transient DNS or routing changes, and ensure that security policies consistently reflect the true network context of each interface. For administrators, this means more predictable enforcement, fewer false transitions between corporate and external classifications, and better alignment with Windows’ native network profiling behavior.
Expanded Support for Cloned VEN Auto Remediation
The 25.2.40‑VEN release expands the number of operating systems eligible for automatic cloned VEN remediation. For details, see VEN Clone Detection and Remediation.
Before 25.2.40-VEN
Automatic remediation was available only for cloned VENs on Windows (domain-joined) workloads.
All other operating systems required manual remediation.
Starting with 25.2.40-VEN
Assuming both the VEN and the PCE are version 25.2.40 or later, automatic remediation is now also available for:
Windows (non‑domain‑joined)
Linux
Solaris
As before, VENs on Windows (domain‑joined) workloads are eligible for automatic cloned VEN remediation with any PCE and VEN versions.
AIX workloads still require manual remediation for all PCE and VEN versions.
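The eligibility rules above can be applied to a workload inventory to find the hosts that still need manual clone remediation. The following is an added example, not Illumio code: the inventory layout, host names, function names, and version strings are constructed for illustration, and treating an operating system not named on this page as manual is an assumption.

```python
import re

MIN_AUTO = (25, 2, 40)  # release named on this page for expanded auto remediation

def parse_version(text):
    """Leading dotted-numeric part as a tuple: '25.2.40-VEN' -> (25, 2, 40)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def remediation_mode(os_family, domain_joined, ven_version, pce_version):
    """Return 'automatic' or 'manual' per the rules stated in this section."""
    os_family = os_family.strip().lower()
    if os_family == "windows" and domain_joined:
        return "automatic"            # eligible with any PCE and VEN versions
    if os_family == "aix":
        return "manual"               # manual for all PCE and VEN versions
    if os_family in {"windows", "linux", "solaris"}:
        both_new = (parse_version(ven_version) >= MIN_AUTO
                    and parse_version(pce_version) >= MIN_AUTO)
        return "automatic" if both_new else "manual"
    return "manual"                   # assumption: OS not listed on this page

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "wks-01", "os": "Windows", "domain_joined": True,  "ven": "23.2.30"},
    {"host": "wks-02", "os": "Windows", "domain_joined": False, "ven": "25.2.40"},
    {"host": "app-01", "os": "Linux",   "domain_joined": False, "ven": "25.2.30"},
    {"host": "db-01",  "os": "Solaris", "domain_joined": False, "ven": "25.2.40"},
    {"host": "erp-01", "os": "AIX",     "domain_joined": False, "ven": "25.2.40"},
]

def needs_manual(inventory, pce_version):
    """Hosts whose cloned VENs would still require manual remediation."""
    return [w["host"] for w in inventory
            if remediation_mode(w["os"], w["domain_joined"],
                                w["ven"], pce_version) == "manual"]

if __name__ == "__main__":
    for pce in ("25.2.30", "25.2.40"):
        print(f"PCE {pce}: manual remediation for {needs_manual(INVENTORY, pce)}")
```

Running the check against both the current and the planned PCE version shows which workloads gain automatic remediation only after the PCE itself is upgraded.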
Container Inherits Host Policy (CIHP) Enhancement
VEN release 25.2.40 provides the following CIHP enhancement:
If rule validation fails, the VEN reports a policy error to the PCE and does not apply that rule; if rule validation succeeds, the VEN applies the policy normally with no change to the existing user experience.
Support for Custom VEN Installation Directories
PCE‑controlled upgrades for VENs installed in custom paths: The PCE can now trigger upgrades for VENs deployed outside the default installation directory. During the upgrade, the VEN automatically detects and uses its existing custom installation path.
Supported Operating Systems
Red Hat Enterprise Linux
SUSE Linux Enterprise Server
Oracle Linux
Microsoft Windows
No environment variable setup required: The upgrade workflow preserves the correct paths automatically, without the need for manual environment variable configuration.
No changes to default installation behavior: Environments using default installation directories see no change in upgrade behavior.
No changes to pairing profiles: This enhancement does not add or modify pairing profile options for custom install paths.
Support for Debian 13
VEN release 25.2.40 is supported for use on Debian 13 workloads.
Support for SLES 16.0
VEN release 25.2.40 is supported for use on SUSE Linux Enterprise Server 16.0 workloads.
Upgrade to SQLite 3.51.2
SQLite 3.51.2 provides minor bug fixes and stability improvements.