This version includes all the enhancements and fixes from Zscaler Client Connector version 4.2.1 for Windows. To learn more, see the release notes for Zscaler Client Connector version 4.2.1 for Windows.

• Fixes an issue where a user encountered a login name mismatch error when logging into a partner tenant.
• Fixes a Bad URI Syntax error that occurred when handling Zscaler Internet Access (ZIA) URL with non-English characters.
• Fixes an issue where traffic was not going through the tunnel in hybrid tunnel mode if the health check to the proxy was failing.
• Fixes an issue where Zscaler Client Connector opened an external browser window during authentication, causing the authentication to fail when using WebView2.
• Adds retry logic for CrowdStrike ZTA score posture evaluation after an initial reboot of Zscaler Client Connector.
• Fixes an issue where traffic from a custom IP-based application was not bypassed even though it was added in the custom app bypasses.
• Fixes an issue where Zscaler Digital Experience (ZDX) web probes failed after upgrading Zscaler Client Connector in some scenarios.
• Fixes an issue where Zscaler Client Connector did not honor the Bind Trusted Criteria DNS Request to Default Adapter option when evaluating DNS-based trusted network criteria.
• Fixes an issue where the tunnel service could be stopped by initiating a repair app and quickly modifying the Tunnel executable path (CVE-2023-41969).

To successfully update to the latest version of Zscaler Client Connector, see Best Practices for Updating Latest Versions of Zscaler Client Connector Application.

Zscaler Client Connector version 4.2.1 has a known issue with anti-tampering. If you use or are planning to use anti-tampering, do not update to this release.

• Zscaler Client Connector supports passwords for upgrade, uninstall, and revert in the unattended mode.
• Adds enhancements for Zscaler anti-tampering service to provide additional protection for Zscaler Client Connector processes (CVE-2024-23463).
• Adds Alternate Cloud Domain support for both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) to support better services in China.
• Fixes an issue where the PAC file on Tunnel with Local Proxy mode didn’t apply properly on Windows 11 devices when Zscaler Client Connector switched to an on-trusted network.
• Fixes an issue where Zscaler Private Access (ZPA) automatic reauthentication feature was not working in a few scenarios.
• Improves the method of DLL inclusions into Zscaler Client Connector for better resiliency.
• Fixes an issue to improve the resiliency of Report an Issue feature in Zscaler Client Connector (CVE-2023-41969).
• Fixes an issue where Zscaler Client Connector didn’t adopt the client-to-client FQDN when in the Machine Tunnel mode.
• Fixes an issue where Zscaler Client Connector didn’t enable the captive portal authentication in some scenarios.
• Fixes a compatibility issue with a third-party VPN that caused Zscaler Client Connector to experience a network error.
• Fixes an issue where the Zscaler Client Connector tunnel ran into an error condition due to a timing scenario.
• Fixes an issue where Zscaler Client Connector displayed a blank screen during reauthentication.
• Fixes an issue where Zscaler Client Connector was unable to detect the trusted network after waking up from sleep.
• Fixes an issue where domains required to bypass ZPA didn't work intermittently when mode was set to Always Bypass.
• Fixes an issue where Zscaler Client Connector directed the partner login reauthentication to the primary tenant's IdP.
• Fixes a Zscaler Client Connector installation issue with the HIDEAPPUIONLAUNCH command line parameter.
• Fixes an issue where the tunnel service could be stopped by initiating a repair app and quickly modifying the Tunnel executable path (CVE-2023-41969).
• Fixes an issue where, in certain cases, Zscaler Internet Access (ZIA) can be disabled by a PowerShell command with administrator rights (CVSS Base Score: 7.2 - High).

To successfully update to the latest version of Zscaler Client Connector, see Best Practices for Updating Latest Versions of Zscaler Client Connector Application.

Fixes an issue where a user could disable Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA) from the Machine Tunnel diagnostics page without a password (CVE-2023-28802).

• Adds optimizations to reduce the frequency of policy download requests on the Zscaler Client Connector Portal server.
• Fixes an issue with Zscaler Client Connector policy update when Zscaler Client Connector is reinstalled with a new policy token.

• Adds optimizations to reduce the frequency of policy download requests on the Zscaler Client Connector Portal server.
• Fixes an issue with Zscaler Client Connector policy update when Zscaler Client Connector is reinstalled with a new policy token.

• Fixes an issue where the Windows Narrator app announced the Zscaler Client Connector window as a pop-up.
• Fixes a performance issue related to Zscaler Client Connector interprocess communication.
• Fixes an issue where ZPA resources were not accessible after adding a partner tenant.
• Fixes an issue where Zscaler Client Connector detected a captive portal when the captive portal detection value was set to 0 in the Zscaler Client Connector Portal.
• Fixes an issue where user devices didn’t automatically enroll after upgrading Zscaler Client Connector to a new version.
• Fixes an issue where devices running Microsoft Edge WebView2 experienced an authentication error when connecting to Zscaler Client Connector.
• Fixes an issue where customers experienced crashes when upgrading to Zscaler Client Connector version 4.2.0.190.
• Fixes an issue with Zscaler anti-tampering API validation.
• Fixes upgrade issues for Zscaler Client Connector version 4.2.0.190 on devices using Unified Write Filter (UWF).
• Fixes an issue with Zscaler Client Connector revert API validation (CVE-2023-41972).
• Fixes an issue where the revert logic would append the previous installer name to a system path, which could be used to launch a different file (CVE-2023-41973).
• Fixes an issue where anti-tampering can be disabled under certain conditions when the uninstall password is enforced (CVE-2024-23457).

• Fixes an issue where using Zscaler Client Connector caused high CPU utilization issues in some devices.
• Fixes an issue where the DNS server sent the request back to the host server instead of the internal server.
• Fixes an issue where a customer encountered a login name mismatch error when logging into a partner tenant.
• Fixes frequent disconnections on Zscaler Client Connector when using the routing-based app profile with ZPA on a domain-joined Windows machine.
• Fixes an issue with Zscaler Client Connector revert API validation (CVE-2023-41972).
• Fixes an issue where the revert logic would append the previous installer name to a system path, which could be used to launch a different file (CVE-2023-41973).

This version of Zscaler Client Connector has a known issue with some embedded web pages appearing blank if you use WebView2. To learn more, see Zscaler Client Connector Displays Blank Page.

• Adds support for latency-based server configuration for ZPA. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
• Includes support for the Self Service feature that allows users to resolve potential device issues without the need to contact customer support.
• Supports configurable posture check intervals. To learn more, see About Device Posture Profiles, and Configuring Device Posture Profiles.

• Fixes a user access control issue by enforcing more validations when handling log files.
• Fixes a UI issue where the PIN dialog for smart card authentication hid behind the Zscaler tray in some scenarios.
• Fixes a latency issue with web traffic by enhancing DNS handling capability in Zscaler Client Connector.
• Fixes an issue with Microsoft Defender Antivirus device posture in a localized environment.
• Resolves an issue where PAC download redirections were added to the captive portal to bypass.
• Fixes an issue where the CrowdStrike posture evaluation failed in some scenarios after the user upgraded to Zscaler Client Connector version 4.2.0.190 for Windows.

This version of Zscaler Client Connector has a known issue with some embedded web pages appearing blank if you use WebView2. To learn more, see Zscaler Client Connector Displays Blank Page.

• Provides support for ZDX Autosense probes by dynamically detecting and probing the endpoints. To learn more, see Configuring Zscaler Client Connector Profiles.
• Supports excluding traffic from applications based on Application Identity attributes. To learn more, see Configuring Zscaler Client Connector Profiles and About Application Bypass.
• Restricts access to Zscaler's registry to privileged processes.
• Adds support for downloading the default PAC file using HTTPS.
• Allows administrators to bypass the IdP traffic during Zscaler Client Connector authentication. To learn more, see Configuring Defined Application Segments.
• Adds a default bypass for partner tenants when the partner being added is on a different cloud.
• Provides the ability to configure the Zscaler Client Connector synthetic IP range used by ZPA.
• Adds enhancements to improve DNS traffic processing for ZIA and ZPA services.
• Provides support for retrieving the updated policy based on Device Groups within the App Profiles section of the Zscaler Client Connector Portal. To learn more, see Configuring Zscaler Client Connector App Profiles.
• Admins can allow non-admins access to the Zscaler Client Connector logs folder. To learn more, see Allowing Non-Administrators to Access Client Connector Log Files.
• Upgrades Npcap version to 1.75.
• Supports integration of Endpoint Data Loss Prevention service with Zscaler Client Connector. To learn more, see Configuring Zscaler Client Connector Profiles and Zscaler Endpoint Data Loss Protection (DLP) Integration with Zscaler Client Connector.
• Allows Gov customers to add partner tenants if the tenants are on the same cloud.
• Supports creation of custom app bypass rules for packet tunnel exclude filters.
• Zscaler Client Connector notifies users when a captive portal is detected and allows them to launch their default browser to show the captive portal.
• Fixes a Zscaler Client Connector crash issue during the registration process.
• Fixes an intermittent network disconnect issue on select ports when working with the DLP solution.
• Fixes an issue where the ZIA Disaster Recovery feature did not work on Palo Alto Network’s GlobalProtect remote access VPN.
• Supports rate-limiting in disaster recovery notifications to prevent frequent and duplicate notifications.
• Fixes an issue where users couldn’t log into Zscaler Client Connector when enrolled via the Strict Enforcement mode.
• Fixes an issue with username validation when logging into Zscaler Client Connector.
• Fixes an issue with OS device posture detection for Windows 11 virtual machines (VMs) in Azure.
• Fixes an issue where the Zscaler Client Connector app's drop-down menu opened on a different monitor for users connected to multiple displays.
• Fixes an issue with Microsoft Defender Antivirus device posture in a localized environment.

• Fixes an issue with Zscaler Client Connector where users are not immediately redirected to the captive portal when using Z-Tunnel 2.0 in some scenarios.
• Fixes an issue where the Zscaler Private Access (ZPA) client certificate posture check failed for devices using Zscaler Client Connector version 4.0.0.89 for Windows.
• Fixes an issue where ZPA was stuck in a connecting state in some scenarios.
• Fixes an issue where Zscaler Client Connector stayed in a connecting state for a few minutes when connected to ZPA.
• Fixes an issue where CrowdStrike users experienced connectivity issues in certain conditions when they upgraded the CrowdStrike app to a later version.
• Fixes a user access control issue by enforcing more validations when handling log files.
• Fixes an issue where Z-Tunnel 2.0 ran into a deadlock in a specific condition for users using Domain Name for ZIA Public Service Edges in PAC.
• Fixes an issue where DNS requests were being sent directly when a device woke up from sleep.
• Fixes an issue where, in certain cases, anti-tampering can be disabled (CVSS Base Score: 7.8 - High).
• Fixes an issue with local privilege escalation in Zscaler Client Connector for Windows devices (CVSS Base Score: 7.3 - High).

• Fixes an issue where the user experienced a Zscaler Client Connector application crash after restarting the device in some scenarios.
• Fixes a Zscaler Client Connector authentication flow issue with WebView2.
• Fixes a ZIA posture trust evaluation issue that appeared in some scenarios.

Issues resolved as part of version 4.1.0.102 for Windows were also included in this release. Refer to the Windows 4.1.0.102 release notes for details.

• Fixes an issue where machine tunnel enrollment failed because of an issue with the policy download.
• Fixes an issue with anti-tampering by adding additional configurations for registry protection.
• Fixes an issue where the Force ZPA Reauthentication feature did not work as expected in some conditions.
• Fixes an issue where adding partner tenants failed due to an issue in domain name validation.
• Fixes an intermittent issue where bypassed traffic didn’t get excluded due to a race condition in some scenarios.

• Fixes an issue where some users received a Driver Error for ZPA when installing a lightweight filter driver with GlobalProtect VPN enabled.
• Fixes an issue where Zscaler Client Connector was uninstalled after an auto-upgrade from Windows Zscaler Client Connector version 3.7.1.53 to Windows Zscaler Client Connector version 4.0.0.89.
• Fixes an issue where Zscaler Client Connector app profile bypasses didn’t work in scenarios where the default interface had more than one IP address.
• Fixes an issue where the Zscaler Deception service failed to update in some scenarios.

• Fixes an issue where upgrading to Zscaler Client Connector version 4.0.0.70 caused the ZSATrayManager service to go to 25% CPU usage in a VDI pool.
• Fixes an issue where Zscaler Private Access (ZPA) didn’t connect and displayed the Connection Error message on Zscaler Client Connector version 3.9.0.175 for Windows.
• Fixes an issue where some users experienced PAC configuration issues when connected to a VPN Trusted Network.
• Fixes an issue where the nslookup command, which targets a DNS request to a specific DNS server by domain, failed on devices running Zscaler Client Connector with only an IPv4 address if the DNS domain is a Zscaler Private Access (ZPA) application. To learn more, see DNS Request Failure in Zscaler Client Connector version 4.1.0.89.
• Fixes an issue where users lost access to internal resources after upgrading to Zscaler Client Connector version 4.1.0.82.
• Fixes an issue where the Zscaler Client Connector system tray icon displayed the Service is Disabled message, although no services were affected.
• Fixes an issue where disabling Zscaler Internet Access (ZIA) did not always prompt users to enter a reason for disabling the service.
• Fixes an issue where Microsoft Outlook and Microsoft Teams applications were not accessible in Tunnel with Local Proxy (TWLP). To learn more, see Microsoft Outlook and Microsoft Teams Not Accessible.
• Fixes an issue where Zscaler Client Connector didn't evaluate the Detect Antivirus posture type within the usual time frame after a reboot because of a race condition with the Windows Security Center Service.

• Supports configuring dynamic Zscaler Internet Access (ZIA) Public Service Edge use based on latency settings for the probe interval, frequency, and threshold limit. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
• Assigns a virtual IP address to Zscaler Client Connector to support some Server-to-Client applications such as remote troubleshooting and software distribution.
• Adds the ability to configure the VPN name for flow logging.
• Adds configurations to display critical notifications until users dismiss them for Zscaler Private Access (ZPA) reauthentication, system reboot requests, captive portal, and packet capture. To learn more, see Configuring End User Notifications for Zscaler Client Connector.
• Enhances the built-in browser for IdP authentication by using WebView2 based on configuration. Supports multi-factor authentication (MFA) and Fast Identity Online (FIDO) authentication methods for YubiKey.
• Supports configuring a one-time password (OTP) to disable anti-tampering and an option to reactivate anti-tampering after a user disables it, and enables the Zscaler Endpoint Protection (ZEP) driver to accept root CA certificate validation for trusted processes in the ZEP policy. To learn more, see Configuring Zscaler Client Connector Profiles.
• Enhances the Learn More link with new error codes reported by Zscaler Client Connector.
• Supports tracking the Zscaler Client Connector upgrade history (i.e., version) and date and time the version was installed.
• Adds additional end user notification controls configured in the Zscaler Client Connector Portal.
• Supports force reverting to a previous version in the Zscaler Client Connector App Store. To learn more, see About the Zscaler Client Connector Store.
• Supports blocking access to keyboard shortcuts and the drag-and-drop procedure in Zscaler Client Connector WebBrowser Control (WBC).
• Supports configuring advance authentication notification alerts for ZPA applications. To learn more, see Configuring Zscaler Client Connector Profiles.
• Supports including browser-based configurations in keepalive policy downloads.
• Supports the PcapNG file format for packet capture.
• Adds a configurable option to force ZPA authentication if a user’s computer goes into sleep or hibernation, on system restart, or because of a network IP change. To learn more, see Configuring Zscaler Client Connector Profiles.
• Supports configuring a preferred port to enable Zscaler Client Connector to SME server communication. To learn more, see Configuring Zscaler Client Connector Profiles.
• Improves accessibility with keyboard navigation.
• Ensures that new Zscaler Digital Experience (ZDX) versions remain compatible with older Zscaler Client Connector versions.
• Allows configuration of the default RDP 3389 bypass.
• Supports the Windows 365 platform with some additional configuration. To learn more, see Configuring Zscaler Client Connector for Microsoft 365 Cloud PCs.
• Improves the process of updating a large number of GPO rules during the Windows logon process.
• Supports Advanced RISC Machines (ARM) architecture in 64-bit with AMD64 builds in compatibility mode. ARM64 is not natively supported.
• Supports ZPA client-to-client (C2C) remote assistance for Azure Active Directory (AD) domain-joined and hybrid-joined devices, while still supporting enterprise local domain-joined devices.
• Removes support of legacy cipher suites from Zscaler Client Connector TLS connections.
• Supports adding certificate template information of the issued certificate for the Client Certificate posture type to confirm that the certificate contains the correct value. To learn more, see Configuring Device Posture Profiles.
• Provides the ability to use the Zscaler Client Connector synthetic IP range on the LAN address space, based on Zscaler Client Connector Portal configuration. To learn more, see Configuring the Zscaler Client Connector Synthetic IP Range. (CVE-2023-28803).
• Supports the SCCM VPN Boundary method with ZPA to support client-initiated SCCM use cases for content delivery.
• Fixes an issue where reauthentication failed after users' systems woke up from hibernation.
• Fixes an issue where a logon script lost connectivity when Zscaler Client Connector transitioned from machine tunnel to user tunnel.
• Fixes an issue where, in some configurations, users received a blank IdP page after logging out and then logging back in when not connected to a VPN.
• Fixes an issue where a client-to-client (C2C) request timed out before forwarding the ICMP request over ZPA.
• Fixes an issue where traffic received an SSL handshake error if the maximum transmission unit (MTU) was incorrectly set.
• Improves DNS inclusions and exclusions for Z-Tunnel 2.0 by comparing the DNS Domains and matching against the longest domain name suffix. To learn more, see Configuring Zscaler Client Connector Profiles.
• Fixes an issue where Zscaler Client Connector wasn’t using the configured cipher suite in the TLS connection to SVPN.
• Fixes an issue where users were disconnected from ZPA and the connection on port 443 couldn't be established because of a configuration change in the ZPA Admin Portal.
• Fixes an issue where users were not able to bypass the 100.64.1.0 -100.64.255.255 subnet traffic when added to a VPN bypass or the Destination Exclusions list for ZIA customers only.
• Fixes an issue where users received an internal error in Zscaler Client Connector when connecting to the network on a docking station because the local DNS proxy did not restart.
• Fixes an issue where Zscaler Client Connector did not tunnel DNS traffic over TCP for Z-Tunnel 2.0.
• Fixes an issue where Zscaler Client Connector fell back to IP address 8.8.8.8/8.8.4.4 on port 53 when no system DNS server was detected.
• Fixes an issue where a user could disable ZIA or ZPA from the Machine Tunnel diagnostics page without a password. (CVE-2023-28802).

Zscaler Client Connector version 4.1 has a known issue with DNS request failures when using the nslookup command for IPv4-only devices. For more information, see DNS Issues with Zscaler Client Connector version 4.1.

• Fixes an issue where a logon script lost connectivity when Zscaler Client Connector transitioned from machine tunnel to user tunnel.
• Fixes an issue where users were not able to bypass the 100.64.1.0 - 100.64.255.255 subnet traffic when added to a VPN bypass or the Destination Exclusions list for Zscaler Internet Access (ZIA) customers only.
• Fixes an issue where Zscaler Client Connector sent IPv6 packets to non-IPv6 capable SME servers, causing Z-Tunnel 2.0 disconnections.
• Fixes an issue where users received an internal error in Zscaler Client Connector when connecting to the network on a docking station because the local DNS proxy did not restart.

• Fixes an issue where a logon script lost connectivity when Zscaler Client Connector transitioned from machine tunnel to user tunnel.
• Fixes an issue where users were not able to bypass the 100.64.1.0 -100.64.255.255 subnet traffic when added to a VPN bypass or the Destination Exclusions list for Zscaler Internet Access (ZIA) customers only.

• Provides the ability to use the Zscaler Client Connector synthetic IP range on the LAN address space, based on a Zscaler Client Connector Portal configuration. To learn more, see Configuring the Zscaler Client Connector Synthetic IP Range. (CVE-2023-28803).
• Fixes an issue where Zscaler Client Connector forwarded traffic directly because of a PAC parser issue when an invalid domain was accessed.
• Fixes an issue where users were disconnected from Zscaler Private Access (ZPA) and the connection on port 443 couldn't be established because of a configuration change in the ZPA Admin Portal.

• Provides the ability to use the Zscaler Client Connector synthetic IP range on the LAN address space, based on a Zscaler Client Connector Portal configuration. To learn more, see Configuring the Zscaler Client Connector Synthetic IP Range. (CVE-2023-28803).
• Fixes an issue where users ran into connection errors in some scenarios when multiple active network interfaces were present on the system.
• Fixes an issue where the SCCM CMG registry key was incorrectly set after upgrading to Zscaler Client Connector version 4.0.0.70.
• Fixes an issue where Zscaler Client Connector removed routes for Zscaler Private Access (ZPA) applications.
• Fixes an issue where Zscaler Client Connector forwarded traffic directly because of a PAC parser issue when an invalid domain was accessed.
• Fixes an issue where users were disconnected from ZPA and the connection on port 443 couldn't be established because of a configuration change in the ZPA Admin Portal.
• Fixes an issue where the Zscaler Client Connector MSI installer file was not created in the Program Files folder during the repair app process.

• Provides the ability to use the Zscaler Client Connector synthetic IP range on the LAN address space, based on a Zscaler Client Connector Portal configuration. To learn more, see Configuring the Zscaler Client Connector Synthetic IP Range. (CVE-2023-28803).
• Fixes an issue where DNS traffic was bypassed from Z-Tunnel 2.0 in some scenarios.
• Fixes an issue where users ran into connection errors in some scenarios when multiple active network interfaces were present on the system.

Zscaler Client Connector version 4.1.0.82 and later has a known issue where Microsoft Outlook and Microsoft Teams applications are not accessible in Tunnel with Local Proxy (TWLP) in some scenarios. To learn more, see Microsoft Outlook and Microsoft Teams not accessible.

• Fixes an issue where client-to-client (C2C) timed out before forwarding the ICMP request over Zscaler Private Access (ZPA).
• Fixes an issue where VPN trusted network tunneling might send traffic directly after upgrading to Zscaler Client Connector version 3.9.0.175.
• Fixes an issue with Autopilot and strict enforcement.
• Fixes an issue where users received an Internet Security Safe Mode Failure notification because of a timeout error.
• Fixes an issue where the SCCM CMG registry key was incorrectly set after upgrading to Zscaler Client Connector version 4.0.0.70.
• Fixes an issue where traffic could receive an SSL handshake error if the maximum transmission unit (MTU) was incorrectly set.
• Fixes an issue where users received an error when trying to log in to the partner tenant because the partner tenant did not belong to the same cloud as the main tenant.
• Fixes an issue where users were not able to access file drive shares and the Group Policy Update command (gpupdate) failed with a connectivity error to the Active Directory (AD).
• Fixes an issue where Zscaler Client Connector removed routes for ZPA applications.
• Fixes an issue where a PAC file didn’t remain in the system proxy after moving from a trusted network to an off trusted network and then back to a trusted network.