diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 6ed9dd03..4f33a665 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -100,6 +100,7 @@
 "agentLogDump": { "type": "boolean", "default": false, "description": "Automatically downloads all agent error logs into meshcentral-data/agenterrorlogs.txt." },
 "agentCoreDump": { "type": "boolean", "default": false, "description": "Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps." },
 "agentCoreDumpUsers": { "type": "array", "description": "List of non-administrator users that have access to mesh agent crash dumps." },
+ "agentSignLock": { "type": "boolean", "default": false, "description": "When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future)." },
 "ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
 "exactPorts": { "type": "boolean", "default": false },
 "allowLoginToken": { "type": "boolean", "default": false },
diff --git a/meshcentral.js b/meshcentral.js
index 831fe79a..15e06d97 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -2870,6 +2870,9 @@ function CreateMeshCentralServer(config, args) {
 var xdomain = (domain.dns == null) ? domain.id : '';
 if (xdomain != '') xdomain += '/';
 signUrl += '/' + xdomain;
+
+ // If requested, lock the agent to this server
+ if (obj.config.settings.agentsignlock) { signUrl += '?ServerID=' + obj.certificateOperations.getPublicKeyHash(obj.certificates.agent.cert).toUpperCase(); }
 }
 // Load agent information file. This includes the data & time of the agent.
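Review bot: The new `agentSignLock` description does not tell the operator what the lock is bound to or what breaks it, which matters for a setting whose default is announced to flip to true. The server-side hunk in this same commit derives the lock value from the server's agent certificate, so the description should spell out the operational consequence, e.g. `"... Locked agents embed a hash of this server's agent certificate (meshcentral-data/agent.crt); regenerating that certificate, or restoring to a server without it, presumably orphans already-signed agents until they are re-signed and redeployed."`. It should also say whether a locked agent can be re-pointed at all (re-sign with the option off?), since the text only says the lock restricts connections and never how to undo it. The neighbouring `ignoreAgentHashCheck` wording ("no longer checked", "seperated") is pre-existing and not part of this change.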
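Review bot: The added `if (obj.config.settings.agentsignlock)` line embeds `getPublicKeyHash(obj.certificates.agent.cert)` into the sign URL, so the strength and the longevity of the lock both hang on that one certificate, and the one-line comment above it should say so: `// Lock the signed agent to this server by embedding the agent-cert public-key hash (ServerID). Rotating agent.crt orphans every agent signed with this option.`. The `'?ServerID='` concatenation assumes `signUrl` carries no query string yet; the visible lines only append a path with a trailing `/`, but `signUrl` is built before this hunk starts (the enclosing `CreateMeshCentralServer` body is outside it), so that holds only if nothing earlier adds a `?`. The setting is read as lower-case `agentsignlock` while the schema declares `agentSignLock`; presumably the config loader lower-cases keys, as the other `obj.config.settings` reads in this file suggest, but it is worth confirming since a mismatch would make the option a silent no-op. Nothing in this diff shows the agent side parsing or enforcing `ServerID`, so the lock is only as effective as that (unseen) check; a test that a locked agent refuses a server with a different agent certificate would close the loop.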
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 0d9df467..38ed43b3 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -59,6 +59,7 @@
 "_userBlockedIP": "127.0.0.1,::1,192.168.0.100",
 "_agentAllowedIP": "192.168.0.100/24",
 "_agentBlockedIP": "127.0.0.1,::1",
+ "_agentSignLock": true,
 "_authLog": "c:\\temp\\auth.log",
 "_InterUserMessaging": [ "user//admin" ],
 "_manageAllDeviceGroups": [ "user//admin" ],