Login for Windows release notes
The version numbers here apply to the Login for Windows (L4W) product version.
To download the latest version of SecureAuth Login for Windows, go to Product Downloads.
See also the Login for Windows configuration guide.
L4W version 23.07
Release date: July 31, 2023
SecureAuth® Identity Platform release 19.07.01 or later
Windows 8.1 is no longer supported
CP-1360 – Added support for FIDO2 as an MFA factor on RDP session connections.
Note: This feature is supported only on these Windows versions:
Windows Server 2022
Windows 11
Windows 10, version 1903 or later
CP-1361 / CP-1352 – New installer configuration properties to bypass MFA or request MFA for users in defined groups or organizational units.
Note: This deprecates the configuration property for
group_bypass. However, this property is converted tobypass_mfaso the login flow will be the same for the user.CP-1363 – New installer configuration property to display password expiration warning before "x" number of days.
Note: For SecureAuth Identity Platform releases 21.04 to 22.12, contact Support to request an UI update to the Login for Endpoint Installer Configurations in the New Experience.
Release date: June 13, 2023
Compatibility: SecureAuth® Identity Platform release 19.07.01 or later.
CP-1369 – Smart card performance improvements
Release date: February 10, 2023
Compatibility: SecureAuth® Identity Platform release 19.07.01 or later.
CP-420 – Support FIDO2-enabled devices as MFA on Login for Windows
CP-1316 – Added new property in the installer configuration to enable smart card authentication as the first factor
CP-1321 – Addressed issue in cross domain logins with group bypass.
CP-1322 – Extend current passwordless experience to use Windows Hello face and fingerprint authentication
CP-1323 – Login for Windows support on Windows Server 2022
Note
Microsoft has reached end of support for Windows 8.1. This will be the last Login for Windows version supported on Windows 8.1.
Release date: October 21, 2022
Compatibility: SecureAuth® Identity Platform release 19.07.01 or later.
CP-1033 – Addressed issue with the bypass interval not working correctly after a machine reboot.
Release date: June 21, 2022
Compatibility: SecureAuth® Identity Platform release 19.07.01 or later.
Hybrid Azure AD support. Login for Windows now supports hybrid Azure AD domain-joined machines.
New properties in the installer configuration. New properties are available to use in the installer
config.jsonfile.Note: These new properties will be available in a later update to the Identity Platform on the Login for Endpoints installer UI. As a workaround, you can manually add these new properties to the installer
config.jsonfile.LDAP request timeout. This new configuration property,
ldap_timeoutallows you to set the timeout in seconds, that the Login for Windows endpoint waits for the LDAP request to respond before ending the connection.User bypass. This new configuration property,
user_bypassallows you to define a local username to bypass multi-factor authentication (MFA).
For more information about the installer configuration properties, see Configure Identity Platform and Login for Endpoints.
CP-1094 – Login for Windows now supports hybrid Azure AD domain-joined machines.
CP-1279 – New installer configuration property,
ldap_timeoutto define a timeout setting for LDAP requests to the Active Directory.CP-1296 – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.
Note: This issue is resolved only in the Identity Platform release 21.04 and requires at minimum, hotfix 21.04-9.
CP-1298 – New installer configuration property,
user_bypassto define a local username to bypass MFA.CP-1300 – You can install Login for Windows on the workstation by double-clicking the msi installer file, as long as the config.json file is in the same folder.
CP-1314 – Better handling of logins on workstations and servers with Windows local policies enabled on lock screens.
Release date: May 7, 2021
SecureAuth IdP 9.3 or later and the SecureAuth Identity Platform 19.07 or later.
Biometric fingerprint recognition requires the Identity Platform release 19.07.01 or later, using the 2019 theme.
Transactional logging requires the Identity Platform release 20.06 or later, using the
/authenticatedendpoint.
All of these features are supported only in the Identity Platform release 21.04 or later.
New integrated Login for Endpoint configuration page in Identity Platform. Open the new Login for Endpoint page from the Identity Platform user interface to customize your Login for Endpoints user experience. The easy-to-use pages help you set up your operating system, the multi-factor methods, and even personalize your users' experience during authentication. (Existing customers will recognize the options that were manually set in the config.json file in previous releases.)
To learn more, see Configure Identity Platform and Login for Endpoints
New second-factor authentication methods added. You can now choose the following new 2FA methods: PIN and link-to-accept available for both SMS/text and email.
Azure AD support. Login for Windows now supports Azure AD domain-joined machines.
CP-924 – Admins can set the Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings option, which causes a message to display to end users suggesting that they authenticate for the first login by using an OATH-based method. This ensures that they can log in when offline.
CP-1000 – Login for Windows supports Azure AD domain-joined machines.
CP-1023 – The following error messages have been enhanced to give end users more information about issues: password expired, change password, account locked.
CP-1037 – PIN as a second factor works with Login for Mac release 21.04 in the SecureAuth Identity Platform release 21.04.
CP-1039 – Link-to-accept as a second factor via SMS/text and email works with Login for Mac release 21.04 in the SecureAuth Identity Platform release 21.04.
CP-1167 – After installation where "Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings" is set and "Bypass interval" is set, when end users first log in, they will no longer automatically see a login page that suggests setting a second factor.
Version 20.09.01 – 12-Jan-2021
Version 20.00.00 – 15-Sep-2020
SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.
Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.
Transactional logging requires the Identity Platform release 20.06 or later, using the
/authenticatedendpoint.The
grace_periodoption replaces thelogin_attemptsoption.
CP-507 – Characters in user IDs sent to Login for Windows are handled appropriately.
CP-949 – After rebooting a machine where passwordless is set up and functioning correctly, passwordless login works correctly at next login.
CP-507 – Characters in user IDs sent to Login for Windows are handled appropriately.
CP-956 – Passwordless login is available in scenarios where end users' first login was bypassed so they logged in the first time with password-only.
CP-959 – End users in a bypass group who must change their password at next login now see the password reset screen when they next log in.
CP-962 – On the Login for Windows login screen, the face and fingerprint icons now display the correct tool tips when you hover the cursor over the icons.
CP-966 – If Login for Windows is installed and references a realm that does not have the Authentication API enabled, the installation fails. This is the appropriate behavior.
CP-970 – Product logging is enabled by default for DEBUG; when troubleshooting product issues, Support might require that you view this log located at C:\ProgramData\SecureAuth
CP-971 – Log files are not uninstalled to assist with troubleshooting any issues with the uninstallation.
CP-985 – During login, the username is bypassed for end users in a bypass group, even after canceling a login because of an expired password.
CP-991 – Message improvements to help the user experience.
CP-993 – The credential prompt will be displayed quickly in the following scenario: Install Login for Windows, open a remote desktop connection, and then connect to another machine that has a remote desktop connection enabled and Login for Windows installed.
CP-1082 – Push-to-accept works with Login for Windows version 20.09.01 in the SecureAuth Identity Platform version 20.06+ cloud deployment. If you use a load balancer, there is no cloud deployment restriction.
Release date: June 24, 2020
SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.
Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.
CP-925– If the Login for Windows saconfig database is deleted or unavailable, end users will not be able to log in.
Workaround: A message on the UI guides end users to log in with a different method, such as user name and password, and guides administrators to check the Event Viewer.
After reading the event log, export it so it is available if you need to contact SecureAuth Support for assistance with the issue.
Release date: April 14, 2020
SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.
Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.
CP-106 – If the "login_attempts" attribute is set in conf_version 4 in the config.json file, end users are allowed to log in with a password only for a set number of times. This enables end users to have time to set up their 2FA methods, such as PIN creation and answers to Security Questions, before they must authenticate to access their device.
CP-755 – If any settings that determine login are changed, for example, an adaptive rule is changed or users no longer belong to a bypass group, end users automatically receive a 3 minute time period to enter their password.
CP-433 – When end users click the "Click to update your password" link on the login screen, they are directed to a Login for Windows SSPR login screen that opens in a modern browser, Chromium version 79.1.36, and not in Internet Explorer.
CP-815 – Improvements to login performance were completed.
CP-823 – The installation version number now matches the public version release value; for example, if the public product version is 20.03.01, then the installation version number, which is visible if you uninstall Login for Windows manually, is also 20.03.01. (In previous versions of Login for Windows, the versions were different, but now they match.)
CP-825 – The error log displays system information, such as the type and version of the operating system, the version of Login for Windows your organization is running, and more.
CP-816 – End users with external fingerprint readers should not disconnect the reader from their computer before logging out; doing so will cause an error to be displayed: Fingerprint data not found. The error is an "unknown identity" signal that the reader sends to the driver; however, the fingerprint data will be found when the reader is connected to the same computer.
The fingerprint feature works as designed. When the reader is disconnected and sends the "unknown identity" signal, the code does not differentiate between the signal and an unrecognized finger touch.
CP-824 – The error log will have new start lines and threads if connecting through RDP; RDP connections cause new instances of the credential provider to be created, which causes the new start lines and threads.
TW-926 – When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.
Workaround: None