SafeNet Agent for Windows Logon Release Notes
Product description
SafeNet Agent for Windows Logon is a two-factor authentication (2FA) solution to help Microsoft enterprise customers ensure that valuable resources are accessible only to authorized users. It delivers a simplified and consistent user login experience, reduces support calls related to password management, and helps organizations comply with regulatory requirements.
The use of 2FA when accessing network resources, in place of traditional static passwords, is a critical measure for information security.
For a list of existing issues as of the latest release, refer to Known Issues.
Release description
Version 4.3.0
Build Number: 4.3.0.1507
Issue Date: May 2026
This release of SafeNet Agent for Windows Logon introduces the following feature and resolves the issues listed below:
- Installer Prerequisite Validation: The SafeNet Agent for Windows Logon installer now checks for prerequisites such as administrative access and .NET Framework v4.8 before proceeding with installation. If these requirements are not met, the installer exits gracefully without making any changes.
- End of support: Support for Windows 10 has been discontinued starting with SafeNet Agent for Windows Logon version 4.1.3.
Resolved issues
| Issue | Synopsis |
|---|---|
| SASNOI-24214 | After customizing the cursor size, the pointer reverts to the smallest size during CredUI operations. |
| SASNOI-23689 | The agent displays errors with source name "CredCryptoHelper" in event viewer logs even though the agent functions correctly after being upgraded. |
| SASNOI-23669 | The login screen displayed field labels (Username, Passcode) in English even when a different language was configured in the registry. |
| SASNOI-23312 | The agent sent incorrect client machine IP addresses during push authentication. |
| SASNOI-22987 | If Allow Outgoing RDP without OTP in the SafeNet Agent for Windows Logon management console is disabled, then FIDO authentication does not work. |
| SASNOI-22466 | After three failed authentication attempts with MobilePASS+, users saw a generic error message instead of being notified that the token was locked. |
| SASNOI-21517 | Group Policy-based exclusion configurations were not preserved when the agent was disabled and re-enabled using the management console, causing exclusion settings to stop working. |
Version 4.1.3
Build Number: 4.1.3.1494
Issue Date: December 2025
This release of SafeNet Agent for Windows Logon introduces the following feature and resolves the issues listed below:
- Extended operating system support: SafeNet Agent for Windows Logon now adds support for Windows Server 2025.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| M | SASNOI-22275 | After customizing the cursor size, performing CredUI operations caused the pointer to revert to the smallest size. This issue is now resolved. |
| H | SASNOI-22125 | The VSCEnrollment service within the Windows Logon Agent was configured with an unquoted service path. This issue is now resolved. |
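
A check an administrator could run after upgrading to confirm that no service still has the unquoted-path condition fixed under SASNOI-22125. This is an added example, not vendor code; the `*VSCEnrollment*` name filter and the `ExampleService.exe` file name are assumptions, since the page does not give the service's registered name or binary.

```powershell
# Added example (not vendor code): audit service binary paths for the
# unquoted-path condition described in SASNOI-22125.

function Test-UnquotedServicePath {
    # Returns $true when the executable part of a service PathName
    # contains a space and is not wrapped in double quotes.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$PathName
    )
    $p = $PathName.Trim()
    if ($p -eq '')            { return $false }   # no binary path recorded
    if ($p.StartsWith('"'))   { return $false }   # executable path is quoted

    # Take everything up to the first ".exe" that is followed by
    # whitespace or end of string; the rest is treated as arguments.
    if ($p -notmatch '^(?<exe>.+?\.exe)(\s|$)') {
        return $false                              # not an .exe (e.g. a driver)
    }
    return $Matches['exe'].Contains(' ')
}

function Get-UnquotedServicePath {
    # Lists installed services whose PathName fails the check above.
    # NameFilter is a wildcard applied to the service name.
    param([string]$NameFilter = '*')

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -like $NameFilter -and
            $_.PathName -and
            (Test-UnquotedServicePath -PathName $_.PathName)
        } |
        Select-Object Name, StartName, StartMode, PathName
}

# Constructed sample values. The install directory is the one named on
# this page; ExampleService.exe is a placeholder file name.
$samples = @(
    'C:\Program Files\SafeNet\Windows Logon\ExampleService.exe',
    '"C:\Program Files\SafeNet\Windows Logon\ExampleService.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedServicePath -PathName $s), $s
}

# Live audit, only on Windows. The filter is an assumption about how the
# VSCEnrollment service is registered; use '*' to audit every service.
if ($env:OS -eq 'Windows_NT') {
    Get-UnquotedServicePath -NameFilter '*VSCEnrollment*' | Format-List
}
```

An empty result from the live audit on a machine running 4.1.3 or later is the expected outcome; any row returned should be checked against the installed agent version.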
Version 4.1.2
The SafeNet Agent for Windows Logon 4.1.2 resolves some customer-reported issues.
Note
In the Windows Logon Agent 4.1.1 documentation, for Error 1721, the affected Windows version was incorrectly mentioned as "22H2". This has been corrected to Windows 11, version 24H2 in the Windows Logon Agent 4.1.2 documentation.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-22047 | Login attempts were failing if the username included special characters such as !, ~, `, ^, (, ), {, }, or ', displaying the error message "Username cannot be blank or contain any of the following special characters: /[]:; |
| C | SASNOI-21794 | An Error 1721 appeared while installing or upgrading the agent on Windows 11, version 24H2 and above. The issue is now fixed and the agent's dependency with WMIC has been removed. |
Version 4.1.1
The SafeNet Agent for Windows Logon 4.1.1 introduces security fixes and resolves a customer-reported issue.
Security fix
This release introduces security fixes for the SafeNet Agent for Windows Logon.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-21362 | The silent uninstallation of the agent was not completed properly because certain actions were triggered incorrectly, resulting in a non-zero return code. This issue has now been resolved. |
Version 4.1.0
The SafeNet Agent for Windows Logon 4.1.0 introduces the following new features and resolves some customer-reported issues.
Language selection and customization
The agent now operates in multiple languages, which allows administrators to choose the display language for the Windows Logon agent as per the user's preference. A new registry setting, PreferredLanguage, lets the agent support a number of languages, including English (default), French, German, and more.
The default text messages of a specific language file (for example, en.json) that is available at C:\Program Files\SafeNet\Windows Logon\Languages can also be customized.
Note
Before uninstalling or upgrading the agent, back up the language files. You will need to manually edit the key values in the required JSON files to match the previous customization.
Local admin MFA privilege control
In Windows Logon Agent, administrators had rights to modify the Windows Logon Agent registry settings locally, such as disabling the agent, which allowed users to bypass two-factor authentication. To mitigate this issue and enhance security, a new registry setting called RegEditCount has been introduced to restrict admins' ability to make local modifications.
This feature enables enterprises to control the privileges of a local admin user on a Windows Logon Agent-installed machine. Its count specifies the maximum number of logon attempts a local admin user can use with modified sensitive registry settings. Once the logon attempt reaches the set threshold (the RegEditCount value), any local changes to the registry settings will be reverted to their original values, and the modifications will not be retained.
Push UI enhancement
The MobilePASS+ Push screen and user messaging within the existing UI/UX have been improved throughout the entire user authentication journey.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| C | SASNOI-21050, SASNOI-21365, SASNOI-21437 | On Windows 10, after installing Microsoft's Windows update KB5043064 (OS Builds 19044.4894 and 19045.4894), the Windows Logon Agent users authenticating with SafeNet MobilePASS+ authenticator were facing critical issues affecting the PUSH authentication. This issue is now resolved. |
| H | SASNOI-21378 | The agent was sending wrong IP address of the client machine during push authentication. This issue is now fixed. |
| H | SASNOI-18389 | After customizing the cursor size, when the user locks the machine and logs back in, the mouse pointer resets to the smallest size. This issue is now fixed. |
| H | SASNOI-20812 | Login attempts failed if the username included a blank space (for example, "local admin"), displaying the error message "Username cannot be blank or contain any of the following special characters: / \ [ ] : ; = @ + * < > " ". After the fix, the error no longer appears, and the username field supports blank spaces. |
| C | SASNOI-17617 | After deploying Windows Logon Agent, CredCryptoHelper errors and WLANotificationService warnings appeared in the event viewer and agent log due to database failure and runtime exceptions. Now, on enabling the Debug mode in the Windows Logon Agent management console, the event viewer logs provide more specific and detailed information. |
| H | SASNOI-20854 | An Error 1722 message appeared while uninstalling the agent through the control panel due to insufficient user permissions. This issue is now resolved and the agent can be uninstalled successfully via the control panel. |
| H | SASNOI-20598 | Users were unable to install the agent due to improper cleanup of the required registry entries. It displayed an error "Upgrade from current installed WLA agent is not supported. Please uninstall the agent before running". This issue is now fixed. |
| H | SASNOI-8625 | During logon, if a user long presses the Enter key without providing a Passcode, Windows Logon Agent sends a large number of authentication requests to the SafeNet Authentication Server. To prevent multiple authentication requests to the server, auto-focus is disabled after submission of the blank Passcode. The users can proceed with their journey through the mouse click on the displayed message. |
| L | SASNOI-19218 | The "Exempt Local/Domain Administrator strong authentication" feature was not working for the users of a custom domain group who are also a nested member of any of the following built-in groups: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owner. In this case, the users were not able to bypass the SafeNet OTP and they need to login via MFA. This issue is now fixed. |
Version 4.0.0
The SafeNet Agent for Windows Logon 4.0.0 introduces the following new feature.
Passwordless Windows Logon
The Passwordless Windows Logon feature is based on SafeNet Agent for Windows Logon (STA version). It enhances secured access to Windows machines by eliminating the need to provide a password for machine access and beyond, by replacing the password with a certificate-based authentication mechanism. It further eliminates the end-user friction, as users no longer need to manage or remember their passwords.
Note
This feature is not available for SAS PCE customers.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-14902 | After upgrading the agent, the password caching feature was not working when logging into a Windows Logon Agent-protected machine, even if Enable Microsoft Password Caching is selected in the SafeNet Windows Logon Agent Manager > Policy tab. This issue is now fixed. |
Version 3.7.0
The SafeNet Agent for Windows Logon 3.7.0 introduces the following significant features and resolves a customer-reported issue.
Number matching
Windows Logon Agent now supports MobilePASS+ push with the number matching feature, which secures push authentications to protect against MFA fatigue or push bombing attacks.
Number matching gives the user control over every login request, because they must select, in the push notification on their MobilePASS+ application, the number that is displayed on the Windows Logon Agent login screen.
Note
While accessing an application via Run as different user (in outgoing RDP or shared folder access use cases), the Windows Logon Agent-installed machine displays a different UI than the number matching UI displayed in all other use cases.
Kiosk support
The agent is now supported in Kiosk mode for Windows 10 and Windows 11 (64-bit) operating systems.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| C | SASNOI-19577 | If interactive logon policy Display user information when the session is locked is set to Do not display user information and Skip OTP on Unlock is enabled, and the user provides an empty username and password during unlock, the user is blocked from accessing the machine as all subsequent authentication with the correct credentials fail. This issue is now fixed. |
Version 3.6.3
The SafeNet Agent for Windows Logon 3.6.3 resolves some customer-reported issues.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| C | SASNOI-17859 | During logon or unlock, the user credential fields are displayed with a delay of a few (20-30) seconds, due to which a domain user is not able to login into the machine. This behavior is observed during network latency or when the domain controller is inaccessible and was reported in Windows Logon Agent 3.6.0. This issue is now fixed. |
| C | SASNOI-19195 | After upgrading the agent from version 3.5.x to 3.6.x, users are able to login in offline mode only after at least one successful online authentication. This issue is now fixed and the users can login in offline mode without the need of an online authentication. |
| C | SASNOI-19226 | Windows Logon Agent fails to authenticate a user whose username contains "$" and displays an error. After the fix, the username field supports "$" as a valid special character. |
| C | SASNOI-19578 | If Don't display username at sign-in interactive logon windows policy is enabled, and the user enters an incorrect username while unlocking the machine, the Username field is not displayed again to enter the correct credentials. In this case, the user is blocked from accessing the machine. After the fix, the login flow is working as expected. |
| H | SASNOI-18183 | If a user switches from online to offline mode and attempts to launch an application via "Run as administrator" that must use an OTP, then the user is not prompted for an OTP. After the fix, the authentication is working as expected in offline mode. |
| H | SASNOI-18237 | After changing the AD password, the users were not able to login with the changed password. This is now fixed and the users can successfully log in with the changed password. |
| H | SASNOI-13324 | During offline authentication, the agent did not accept emergency password for the user assigned with a GrIDsure token. This issue is fixed and the user with a GrIDsure token can use the emergency password for offline authentication. |
Version 3.6.2
The SafeNet Agent for Windows Logon 3.6.2 release resolves some customer-reported issues.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| C | SASNOI-18390 | While unlocking or logging into a Windows Logon Agent 3.6.1 protected machine, the login screen flickers due to which a user is unable to access the machine. UI flickering is now fixed and the users are presented with the appropriate login screen. |
| H | SASNOI-17922 | During logon/unlock, OTP and password fields are simultaneously displayed for a few (10-20) seconds due to which a user is not able to login to the machine. This issue was reported in Windows Logon Agent 3.6.0. This is now fixed and appropriate user credential fields (OTP and password) are displayed during the logon/unlock. |
Version 3.6.1
The SafeNet Agent for Windows Logon 3.6.1 release introduces the following security fix and resolves some customer-reported issues.
Security fix
This release introduces a security fix for the most secure version of SafeNet Agent for Windows Logon.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-16785 | If "Microsoft Password Caching" is enabled and user enters incorrect password while executing an application with administrator privileges, then Windows Logon Agent caches the incorrect password. The user does not get the password prompt to provide the correct password anymore and hence is unable to execute the application. This is fixed now and Windows Logon Agent does not cache the password if incorrect. |
| H | SASNOI-16386 | Offline authentication does not work for domain users added in a local group after restart. This is now fixed by caching the users' appropriate group and the offline authentication works as expected. |
| H | SASNOI-17409 | If a user provides "*@domain" in the username field, and the log level is set to DEBUG, all the usernames of the domain are written in the agent's log file. This issue has been fixed by restricting the username field to only support valid username characters or formats. |
Version 3.6.0
The SafeNet Agent for Windows Logon 3.6.0 offers some improvements and introduces the following features.
Agent deployment via Microsoft Endpoint Configuration Manager
Along with the existing agent deployment methods, Group Policy Object (GPO) and Intune, the agent can now also be deployed via a Windows-centric endpoint management tool, Microsoft Endpoint Configuration Manager, formerly known as Microsoft System Center Configuration Manager (SCCM). It enables the admins to deploy the agent on the client machines within or outside the corporate network.
Enhancements
The Credential Provider in Policy tab of the SafeNet Windows Logon Agent Manager now defaults to Windows V2 Password Credential Provider. To wrap any other external (third-party) credential provider, for example, Microsoft Credential Provider V1, select Other Credential Provider, and enter its GUID in the subsequent text field.
Additionally, the WLAasV1Provider registry setting has been removed from the ADML and ADMX template.
The user messaging has been improved in the existing login UI/UX for a near-native Windows experience.
The Use GrIDsure Token link displayed on the login screen is now renamed to Use a grid pattern.
A new parameter, AGENTSTATUS, is added to enable or disable the agent while installing the agent silently.
Version 3.5.2
The SafeNet Agent for Windows Logon 3.5.2 release introduces an enhancement and resolves some customer-reported issues.
Enhanced data protection
The agent is now compatible with Microsoft Windows native FDE tool, BitLocker.
Extended operating system support
The SafeNet Agent for Windows Logon now adds support for Windows Server 2022.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| M | SASNOI-8458 | The EmergencyPassword registry entry was missing in the Windows Logon Agent ADMX template. This registry entry has now been added in the ADML and ADMX template. |
| C | SASNOI-14179 | The More choices option was not visible while accessing an application with elevated privileges. This issue is fixed and the More choices option is now visible in the sign-in window for the user with elevated privileges. |
| H | SASNOI-16626 | In some rare scenarios, after restarting the machine, the end-users were not able to authenticate in offline mode. This is fixed and the Windows Logon Agent offline authentication is now working correctly. |
Version 3.5.1
The SafeNet Agent for Windows Logon 3.5.1 release introduces a security fix and the following security improvement.
Security improvement
A new registry setting, SetCachingToCurrentUser, is introduced to augment the secured storage of a user's cached Microsoft password.
Security fix
This release introduces a security fix for the most secure version of SafeNet Agent for Windows Logon.
Version 3.5.0
The SafeNet Agent for Windows Logon 3.5.0 release introduces the following new features and resolves some customer-reported issues.
Azure Active Directory (AD) support
SafeNet Agent for Windows Logon is now supported for pure and hybrid Azure AD joined machines.
Intune support for deployment of Windows Logon Agent is added.
Limitations
Following are the limitations of Windows Logon Agent for Azure AD joined machines:
- The Exempt Local/Domain Administrator strong authentication will not work with pure Azure AD joined machines for domain admins. However, this feature will work as expected for the local admins.
- The Group Filter feature will not work with pure Azure AD joined machines for domain groups. However, this feature will work as expected for the local groups.
- Third-party federation services with Azure AD joined machines are not supported.
Support of interactive logon Windows policies
SafeNet Agent for Windows Logon now supports the following interactive logon windows policies:
- Do not display last user name
- Display user information when the session is locked
Microsoft Credential Provider V1 support
The Microsoft Credential Provider V1 is now only supported for Windows Server 2012.
Resolved issues
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-14865 | Windows Logon Agent did not retain existing users' cached password after an MFA exempted user logs in to the machine. Subsequently, user/s of the machine are prompted for password on their next login. This is now fixed and the password caching functionality is working as expected. |
| H | SASNOI-14887 | Windows Logon Agent failed to bypass the SafeNet OTP authentication on system unlock when the windows policy was set to hide the username at login/unlock screen. After adding the support for Interactive Logon Windows Policies, this issue is resolved. |
Note
If the windows policy is set to hide the username, the screen will display a generic message "If you normally use a Token, please enter your PIN + OTP otherwise your Windows Password in Password Field".
Compatibility and upgrade information
Prerequisites
Microsoft .NET 4.8 and above
Supported upgrade version
The SafeNet Agent for Windows Logon 4.1.3 supports upgrade from version 3.4.x and above.
Note
For consistent behavior, we highly recommend that you upgrade the agent in online mode or when STA is available.
Supported SAS/STA releases
- SAS PCE/SPE 3.9.1 and later
- SafeNet Trusted Access (STA) Edition
Note
Push Authentication is supported when working with STA Edition. For SAS PCE/SPE, Push Authentication is only supported with version 3.9.1 and onwards.
Supported operating systems
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Known issues
The following table provides a list of known issues as of the latest release.
| Severity | Issue | Synopsis |
|---|---|---|
| H | SASNOI-22272 | On uninstalling the agent via control panel, an intermittent Error 1306 is displayed. Workaround: Restart the machine. It will be fixed in a future release. |
| M | SASNOI-22305 | Modify option in the installer does not work as expected and authentication fails. Workaround: Either re-upload the bsid key file in the management console or uninstall and install the agent. |
| M | SASNOI-22357 | AD user authentication with the username format "Domain\username@domain" fails and an offline access error "For offline access, please contact your administrator. Ignore this message if offline access is not needed" displays. Workaround: None. It will be fixed in a future release. |
| M | SASNOI-22369 | On performing the credUI operations, such as, outgoing RDP or accessing an application as run as different user in offline mode, the remaining offline authentication count does not decrement on the login screen. Workaround: None. It will be fixed in a future release. |
| H | SASNOI-22331 | Windows Logon Agent fails to authenticate an AD user whose UPN username contains the special characters /, |, =, +, *, ?, <, > and displays an error. Workaround: None. It will be fixed in a future release. For now, the supported characters for UPN username are a-z, A-Z, 0-9, ., -, _, $, %, &, #, ~, `, !, ^, (, ), {, }, '. |
| M | SASNOI-21384 | The placeholder text for the Username and Passcode fields remains in English, despite the application being configured for a different language. Workaround: None. It will be fixed in a future release. |
| M | SASNOI-20077 | In Windows 11, if a user attempts to launch an application via "Run as different user", then the user is not prompted for 2FA. Workaround: None. It will be fixed in a future release. |
| H | SASNOI-19527 | Offline authentication does not work after the agent upgrade from version 3.4.x. Workaround: The end-users need to perform at least one successful online authentication for subsequent offline login attempts. |
| H | SASNOI-8630 | It is not possible to enforce SafeNet authentication on nested groups over an external domain. Workaround: None, will be fixed in a future release. |
| H | SASNOI-2825 | In Windows 8, 10, Server 2012 and Server 2012 R2, the Autoadminlogon feature does not function. Workaround: None, will be fixed in a future release. |
| M | SASNOI-3323 | Hybrid Mode is not supported when a Local User is included in a Domain Group. Workaround: None, will be fixed in a future release. |