Specops Authentication Client Release Notes - Specops Password Policy
The Specops Authentication Client (formerly known as the Specops uReset Client and the Specops Password Client) enhances functionality for Specops Password Policy, Specops Password Reset, and Specops uReset. The Client will only display features relevant to the implemented product.
- Support for Azure AD-joined computers. The Specops Authentication Client by default operates on on-prem Active Directory joined computers. For use on Azure AD joined computers, see Using the Specops Authentication Client for uReset on Azure AD-joined computers.
- Time of password expiration in Password expiration notifications could be inconsistent with reminders from Specops Password Policy.
- Updated CefSharp runtime to version 113. Before deploying the Specops Authentication Client, make sure to deploy the latest CefSharp runtime.
- Creating start menu shortcuts can now be done individually for enroll, change and reset shortcuts with new settings in ADMX templates, see Start menu shortcut creation in the latest ADMX templates on the Authentication Client page.
Released June 28, 2023
- If wrapping another credential provider, fallback to the Microsoft provider was not always done for scenarios not supported by the wrapped provider.
Released June 01, 2023
- Notifications about an upcoming required password change could show the wrong number of days until expiration.
Released March 21, 2023
- Improved support when the username was in the form domain\upn.
- Improved logging and stability.
- Restricted page navigation in secured browser to prevent going back to previous pages.
- Improved upgrade scenario where different computers might use different CefSharp runtime versions.
- New CefSharp browser runtime version 105.3.390.0 required if Specops uReset/Specops Password Reset is used (Specops Password Policy only customers don't need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Authentication Client itself. Installation/upgrade behavior for CefSharp browser runtime has been changed. Installing a newer CefSharp runtime will no longer replace the older installed runtime. Instead, multiple CefSharp browser versions can co-exist. The intention is to be able to do a rollout in an organization, where the new CefSharp browser first is deployed. Once deployed, the Specops Authentication Client can be upgraded. This will make it easier to make sure that the Specops Authentication Client works on all computers during an upgrade, regardless of whether the latest CefSharp browser runtime has been deployed yet or not.
- Minimum .Net framework version is now 4.6.2. Most environments with regular Windows Updates configured should already have this or a more recent version. It's recommended to use the latest .Net Framework version.
Released November 10, 2022
- Added splash screen to indicate loading of secured browser after pressing the "Reset Password..." link.
- Credential provider: improvements when multiple credential providers were installed, for instance duplicate tiles could incorrectly be displayed.
- Secured Browser: fixed issue when using the CefSharp based secured browser on certain pages; Keyboard cursor was not always working.
Released June 29, 2022
- After pressing the "Reset password..." link, the language on the reset page could be incorrect if expecting language other than English.
Released April 20, 2022
- Added support to reset password using Azure SSPR. This applies to customers using Specops Password Policy, but no reset product from Specops. Enable the ADMX template setting "Use Azure SSPR for password resets" to "Enabled" to have the "Password Reset..." link from Windows logon screen launch Azure SSPR. Note that resets from Azure SSPR don't support VPN-less password reset with cached credential update.
- In some environments there could be a delay before showing the rules during password change.
- Default value for the ADMX template setting "Show Reset Password link even if connection to Active Directory can't be verified" has been changed; if the setting isn't configured, the password reset link will be displayed regardless of whether the network can be reached. It is recommended to not configure this value.
- Changed user account for secured browser: When clicking the "Reset password..." link from the logon screen, a temporary local user is created to run the secured browser, and that user is deleted after the reset has completed. This reduces the need for local permissions when running the secured browser.
- Updated requirements
- The Specops Authentication Client is supported on Windows 10/11 x64.
- Support for x86 platforms is discontinued.
- Support for operating systems older than Windows 10 is discontinued.
- Support for WebView2 as browser engine discontinued in favor of the CefSharp browser engine. The Specops WebView2 runtime MSI is no longer used. Instead, the Specops CefSharp browser runtime MSI should be used and installed on client computers in parallel with the Specops Authentication Client MSI.
- From this version, when clicking the "Reset password..." link from Windows logon screen, an error message will be displayed if the CefSharp browser runtime isn't installed. It is strongly recommended to deploy the CefSharp Browser runtime for password resets.
- Organizations using Specops Password Reset should upgrade to the most recent version of Specops Password Reset prior to rolling out this version of the Specops Authentication Client.
- The CefSharp browser install folder cannot be changed from the default.
- When starting the secured browser as the temporary user, one or more entries with id 1022 from .Net Framework about "There was a failure initializing profiling API attach infrastructure" can be logged in the Windows Application Eventlog. This error can be ignored and does not cause any issues for the Secured Browser.
Released March 30, 2022
- Reading information from a domain controller could in some environments take longer than expected.
Released February 25, 2022
- New options to wrap third party credential providers for specific scenarios only (console or RDP mode). Can be configured in ADMX template settings.
- Improved compatibility with the Duo Security credential provider. Please refer to the Duo page for details.
- Improved LDAP search filter for user lookup.
Released February 14, 2022
- Disabling credential provider with ADMX template setting could fail.
- Logging improvements.
- Minor text updates.
Released December 15, 2021
- New SecuredBrowser, "SecuredBrowserDotNet.exe" based on Microsoft's WebView2. This requires at least Windows 10 and is supported on x64 platforms. When clicking "Reset password..." from Windows logon screen, "SecuredBrowserDotNet.exe" will be used automatically if pre-requisites are fulfilled, otherwise "SecuredBrowser.exe" using IE will be used. SecuredBrowserDotNet.exe requires a runtime to be installed, see New Requirements below.
- uReset 8: It is recommended to use SecuredBrowserDotNet.exe (make sure to install the required runtime).
- Specops Password Reset: It is recommended to use SecuredBrowserDotNet.exe (make sure to install the required runtime). This requires Specops Password Reset 6.9.21291.1 or newer.
- uReset 7: SecuredBrowserDotNet.exe is not supported. Do not install the runtime; this means "SecuredBrowser.exe" will be used, and the "SecuredBrowserDotNet.exe" will not be used.
- Improved support for password resets that occur off-VPN and out of sight from a domain controller. During a password reset from the "Reset password..." link on the Windows logon screen, the Windows credential cache is now updated to enable logging in with the new password despite lack of connection to a domain controller, for example when working remotely. Prior to this update, resets occurring off-VPN and off-network could break the Windows DPAPI masterkey generation. With this update, the Specops SecuredBrowser will generate new masterkeys, making it possible to access secrets stored with Windows DPAPI after a password reset.
- This requires uReset 8 with corresponding setting enabled. Client computers need "SecuredBrowserDotNet.exe" pre-requisites.
- DPAPI update is not supported for Specops Password Reset or uReset 7.
- New ADMX settings for configuring proxy (either direct proxy URL or PAC). This only applies to SecuredBrowserDotNet.exe.
- Users with "password never expires" incorrectly got password expiration reminders.
- Dynamic feedback during password change: Improved error message if the domain can't be reached.
- Dynamic feedback during password change: For SPP policies with both rules and phrases enabled, the tabs for rules and phrases will remain visible and no longer hide once the password requirement is fulfilled.
- Dynamic feedback during password change: the "Unicode" rule is now hidden by default. It can be enabled in ADMX template settings if needed.
- The new SecuredBrowser, "SecuredBrowserDotNet.exe" pre-requisite is "Specops.Authentication.Client.WebView2-x64.msi", to be installed on x64 computers, Windows 10 and newer.
Released November 02, 2021
- If a user unlocking a computer was forced to change their password, the dynamic feedback screen was not displayed during password change.
Released September 02, 2021
- Added support for Ukrainian language.
Released July 05, 2021
- Users affected by fine-grained password policy could get incorrect rules presented at password change.
Released June 08, 2021
- New “Dynamic Feedback UI” to provide real-time feedback while the user changes their password in Windows from “CTRL-ALT-DEL -> Change Password”.
If the user changing their password is affected by a fine-grained password policy (FGPP), the computer account needs read access to the FGPP object. More information about granting access is available on the Administration page in the section titled Granting Dynamic Feedback UI Access to read password policies.
- The default login tile could in some scenarios be a provider other than the normal Windows login credential provider.
- Enrollment Reminder notification at intervals could fail.
- Clicking “Enroll” from start menu could result in an access denied message.
- If using only phrases, feedback could be misleading after rejected password change.
- Improved support in environments locked down with AppLocker.
- The “Dynamic Feedback UI” feature requires Windows 10, minimum .Net 4.6.2. Other platforms will fall back to the previous behaviour, with feedback after rejected changes.
Released May 27, 2021
- If “GUID of credential provider to wrap” was configured in ADMX template in a policy affecting a computer, but the specified provider wasn’t installed on that computer, no reset link was displayed.
Released December 08, 2020
- Improved compatibility with McAfee endpoint encryption provider.
- If another credential provider without display name was installed, user could be prevented from logging in.
- RDP session could get duplicate login prompts, even though NLA was enabled.
- Description for the administrative template setting “Update credential cache after password reset” was misleading.
- Moved custom message, if defined, to be above rules/phrases.
Released October 23, 2020
- Duplicate logon tiles could incorrectly appear if used together with McAfee Drive Encryption.
Released November 28, 2019
- Secured browser was closed after 2 minutes of user inactivity on Windows 10, if ctrl-alt-del at logon was enforced.
- Windows 7: at first logon, the “Other user” tile could appear, requiring the user to click to get to username/password login tile.
Released September 19, 2019
- Support for length-based password aging. Specops Password Policy customers who have enabled length-based password will receive reminders when their passwords are approaching expiration.
- Support for Breached Password Protection Express. Support for a new Breached Password Protection Express rule in Specops Password Policy has been added to the Specops Authentication Client (when used with Specops uReset version 8.4 and later). Customers who have both Specops Password Policy and Specops uReset will need the latest version of the Gatekeeper (version 8.4 and later) to display the Breached Password Protection Express requirement to users during a password change.
Released May 15, 2019
- Parameters passed to the web page when clicking the start menu shortcuts for enroll, change or reset, were sometimes incorrect. This caused the web page to display incorrectly.
- The Password Reset tile was not displaying, even though it had been configured to.
- Various improvements to multi-domain support.
- Renamed the ADMX templates to Specops Authentication Client.
Released November 7, 2018
- Support for enrollment reminders in Specops Authentication for uReset.
- Improved support for multiple AD domains in Specops uReset.
- Support for Specops uReset installations using overridden settings container.
Released August 15, 2018
- Renamed the Specops uReset Client to Specops Authentication Client.
- If the Part of the new password setting in Specops Password Policy results in a failed password change attempt, the user will be shown the disallowed word from the password dictionary. For example, if the custom dictionary contains the word “Password” and a user attempts a password change to “MyNewPasswordIsGood”, the user will receive a message that the word “Password” cannot appear in their password.
- Added support for the leetspeak rule in Specops Password Policy (version 6.8 and later).
- Added option to disable the Password Reset link from the Windows Logon screen by setting the ADMX template setting “Show the Password Reset link” to Disabled.
- User inactivity (user did not use mouse or keyboard) caused Windows to time out the selected logon tile causing the Secured Browser to close.
Released April 19, 2018
- In some scenarios, a “server busy” dialog could appear in the Secured Browser, affecting operating systems Windows 10 1607 and newer.
Released September 15, 2017
- Security updates related to the Secured Browser.
Released September 11, 2017
- The ADMX setting (“Reset Password web page URL from Internet”) did not correctly handle the offline URL when a password reset was initiated without a connection to a domain controller in the organization’s intranet.
- Uninstalling the uReset client did not remove the start menu links (Enroll/Reset/Change) if a non-administrative user initiated the uninstallation.
- The “Reset Password” start menu link resulted in an error if accessed by a user from a different domain than the computer’s domain.
- The Windows credentials cache did not update following a password reset from uReset.
- Enabled support for uReset secured browser authentication for Google accounts using 2-factor authentication.
- Removed the need for a reboot following uninstallation initiated by non-administrative user.
- Enabled the password reveal icon from the Windows logon screen on Windows 8 and newer operating systems.
- An error message guides users to the Windows logon screen (by pressing ctrl-alt-del) if the reset/change start menu links are accessed when the user is not connected to the intranet.
Released February 7, 2017
- In some scenarios, the full screen uncloseable enrollment browser did not display the close button after a successful enrollment.
Released November 10, 2016
- When only using Specops Password Policy, the “Password about to expire” notification did not display when reminders were configured, and the user’s password was about to expire.
Released September 22, 2016
- Improved support on Windows 8 and 10 computers with McAfee Endpoint Protection.
- The credential provider caused duplicate logon tiles if McAfee Endpoint Protection was installed.
- The user could not toggle between password rules and passphrases if the Reset Password link was running on secured browser.
- If the ADMX setting “Create start menu shortcuts to password enroll/change/reset” was disabled after the client was rolled out, the shortcuts were not removed.
Released May 19, 2016