Windows Authentication Client Release v1.7.0 - What's New?
Credential Provider Filter:
CP Filter changes are restricted to Admin users and are supported in both Connected and Disconnected operational modes.
CredUI Interface Support:
Admins can authenticate in CredUI with all WAC methods except Pictograph, QR Code, and FIDO.
CredUI admin login is available to users who hold the Tenant Admin or System Admin role on RI and also have local administrator rights on the machine.
The CredUI feature does not yet support the accessibility enhancements (Narrator/JAWS).
Accessibility Support in Authentication:
The eye icon/button on password fields does not respond to the Enter key, unlike typical browser behavior.
Password visibility via the eye icon/button is only supported through mouse clicks.
In WAC, Narrator may skip certain labels when navigating manually using the Tab key.
Narrator behavior may vary across different versions of Windows 10 and Windows 11.
When a user navigates between pages using Narrator in Windows, the focus indicator may briefly remain on form fields, appearing as a square outline.
Password Expire & Password Change Support:
Password Expiry
Any AD or non-AD user can update the machine password when it has expired. This operation is supported only in Connected mode, provided that Active Directory is online and the user has network access.
When an AD user's password is updated, the change does not immediately sync to RI. To enable this synchronization, a Password Filter must be installed and configured on AD; the filter raises the password-change event that pushes the new password to RI. On the RI side, a supported Custom Action and a corresponding Job that executes that action set are required so that AD-to-RI password synchronization completes within a defined time frame.
After the user logs into the machine post password update, the auto-launch browser will log in to the user’s RI profile using the existing token.
The protocol handler or shortcut for accessing the RI profile will only succeed if the password has been updated on RI; otherwise, it will return an “Invalid Token” error.
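A practitioner-side check for the Password Filter requirement above, added here as an example and not code shipped with WAC or RI: a PowerShell function, run elevated on each domain controller, that confirms a password filter DLL is registered in LSA's Notification Packages, present in System32, and Authenticode-signed, and reports whether LSA protection (RunAsPPL) is enabled, since a protected LSASS refuses to load unsigned filters. The DLL name `RIPasswordFilter` is a placeholder; substitute the name of the filter you actually deploy.

```powershell
# Added example, not WAC/RI code. Run elevated on every domain controller:
# a password change is processed by whichever DC receives it, so a filter
# that is missing from one DC silently misses the changes that DC handles.
# $FilterDll is a placeholder; replace it with the filter actually deployed.
function Test-PasswordFilter {
    param(
        # Name exactly as listed under Notification Packages (no .dll suffix).
        [string]$FilterDll = 'RIPasswordFilter'
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa    = Get-ItemProperty -Path $lsaKey

    # REG_MULTI_SZ is returned as a string array; built-in entries such as
    # scecli are normally present alongside any third-party filter.
    $packages   = @($lsa.'Notification Packages')
    $registered = $packages -contains $FilterDll

    # LSASS only loads filters from System32 and only at boot, so a freshly
    # registered DLL is not active until the DC has been restarted.
    $dllPath = Join-Path $env:SystemRoot "System32\$FilterDll.dll"
    $onDisk  = Test-Path -Path $dllPath -PathType Leaf

    # A password filter runs inside LSASS and sees cleartext passwords, so it
    # must be a trusted, signed binary. With RunAsPPL enabled LSASS rejects
    # unsigned DLLs outright, which shows up as the filter "not firing".
    $signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'NotFound' }
    $runAsPpl  = [bool]($lsa.PSObject.Properties['RunAsPPL'] -and $lsa.RunAsPPL -ne 0)

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Registered       = $registered
        DllPresent       = $onDisk
        DllPath          = $dllPath
        SignatureStatus  = $signature
        LsaProtection    = $runAsPpl
        Healthy          = ($registered -and $onDisk -and $signature -eq 'Valid')
        Packages         = ($packages -join ';')
    }
}

# Local run:
Test-PasswordFilter | Format-List

# Fleet run across all DCs (needs the RSAT ActiveDirectory module and WinRM):
# $dcs = (Get-ADDomainController -Filter *).HostName
# Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Test-PasswordFilter} |
#     Where-Object { -not $_.Healthy } | Format-Table DomainController, Registered, DllPresent, SignatureStatus
```

Any DC that reports `Healthy = False` will not forward password changes it processes to RI, which shows up as the "Invalid Token" error described above until the AD-to-RI job has caught up.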
Password Change
In a domain-joined environment, if the Minimum Password Age property in Group Policy is set to a value greater than 0, a user cannot change their password more than once from the same machine within that period. The property is an integer number of days, and an attempt to change the password again inside that window is rejected by AD with a Password Policy Violation error.
Any AD or non-AD user can change the machine password if they are logged in with the same account they intend to update, or if they initiate a forced password change via Ctrl+Alt+Delete from an active session. This functionality is also limited to Connected mode, with Active Directory online and network connectivity available.
All Active Directory and local machine password policies should align with the RI password policy; otherwise a new password that satisfies one policy can be rejected by the other, producing password-constraint errors during the change.
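A pre-flight check for the two failure modes in this section (a change attempted inside the Minimum Password Age window, and an AD policy that disagrees with the RI policy), added here as an example and not code from WAC or RI. It needs the RSAT ActiveDirectory module on a domain-joined host that can reach a DC, which are the same conditions WAC itself requires for a password change. The RI policy values passed as parameters are placeholders for your tenant's settings; `jdoe` is a placeholder account.

```powershell
# Added example, not WAC/RI code. Assumes RSAT ActiveDirectory and a reachable
# DC (Connected mode). RI policy parameters are placeholders for your tenant.
function Test-PasswordChangeReadiness {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [int] $RiMinPasswordLength    = 12,     # assumed RI policy value
        [int] $RiPasswordHistoryCount = 5,      # assumed RI policy value
        [bool]$RiRequiresComplexity   = $true   # assumed RI policy value
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, PasswordExpired, LockedOut, Enabled

    # A fine-grained password policy (PSO) overrides the domain default, so
    # evaluate the resultant policy, which is what the DC will actually enforce.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $blockers = @()
    $mismatch = @()

    # Minimum Password Age applies to user-initiated changes (the Ctrl+Alt+Del
    # path), not to administrative resets. A second change inside the window is
    # refused by AD with a password policy violation, which WAC surfaces as-is.
    $minAge = [TimeSpan]$policy.MinPasswordAge
    if ($minAge -gt [TimeSpan]::Zero -and $user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $minAge
        if ((Get-Date) -lt $earliest) {
            $blockers += "Minimum password age is $($minAge.Days) day(s); next change allowed after $earliest"
        }
    }

    # Connected-mode preconditions the client cannot work around.
    if (-not $user.Enabled) { $blockers += 'Account is disabled' }
    if ($user.LockedOut)    { $blockers += 'Account is locked out' }

    # Policy alignment: a password that passes RI but fails AD (or the reverse)
    # produces a constraint error at change time. Flag the common mismatches.
    if ($policy.MinPasswordLength -ne $RiMinPasswordLength) {
        $mismatch += "MinPasswordLength AD=$($policy.MinPasswordLength) RI=$RiMinPasswordLength"
    }
    if ($policy.PasswordHistoryCount -ne $RiPasswordHistoryCount) {
        $mismatch += "PasswordHistoryCount AD=$($policy.PasswordHistoryCount) RI=$RiPasswordHistoryCount"
    }
    if ($policy.ComplexityEnabled -ne $RiRequiresComplexity) {
        $mismatch += "ComplexityEnabled AD=$($policy.ComplexityEnabled) RI=$RiRequiresComplexity"
    }

    [pscustomobject]@{
        User             = $SamAccountName
        EffectivePolicy  = $policy.DistinguishedName
        PasswordExpired  = $user.PasswordExpired   # expired passwords are updatable only in Connected mode
        ChangeAllowedNow = ($blockers.Count -eq 0)
        Blockers         = $blockers
        PolicyMismatches = $mismatch
    }
}

Test-PasswordChangeReadiness -SamAccountName 'jdoe' | Format-List
```

Run it from the machine the user will change the password on, since that confirms the DC is reachable from the same network position WAC will use. A non-empty `PolicyMismatches` list is the condition the alignment note above warns about and should be fixed on whichever side is laxer before users are pointed at the change flow.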
Multiple Username Cache Support in Disconnected Mode:
This feature enhances the existing disconnected mode authentication by allowing users to authenticate using any RI username, provided they have previously logged in at least once in connected mode with the latest WAC installer.
Password Sync Support:
The first requirement for this feature is to enable immediate password update/sync from RI to AD. This functionality is available only when the WAC user operates within the IDHub environment.
Synchronization is not instantaneous, so users may experience a short delay. Administrators should configure a cookie-based job to run on a defined schedule; the job executes at regular intervals and syncs bulk user details, including password updates, from RI to AD in a single batch operation.
Note that WAC itself does not perform password sync in either direction (AD to RI or RI to AD); that is handled by the AD Password Filter and the RI jobs described above.
Enhancement in Disconnected Mode:
Initially, WAC users could authenticate in disconnected mode using only the Password Authentication method. With this enhancement, users who have network access—but are either not domain-joined or unable to reach Active Directory—can now authenticate using all available methods.
This feature does not support password update operations in disconnected mode.
Disabled/Locked User Able to Login in Disconnected Mode:
Initially, WAC could detect and enforce a user's locked or disabled state during login in connected mode, preventing access accordingly. However, this behavior was not applied in disconnected mode. This issue has now been resolved—disconnected mode authentication is based on the user's last known state from their previous connected session.
Windows Has Not Installed the Proper Package During WAC Installation:
Symptom: logging in through WAC with correct credentials still failed.
Affected versions: 1.3.0 to 1.5.0.
Fixed version: 1.7.0 and above. The WAC installer no longer depends on the Microsoft Visual C++ redistributable (x64 and x86) and functions correctly regardless of whether it is present.