Skip to content
English
  • There are no suggestions because the search field is empty.

SurePassID Windows Logon Manager (WLM) 2026.2 - Release Notes

Release Date: 06/15/2026
Release Type: Major Feature Release


Highlights

This release introduces Windows Event Log integration, FIDO2 offline authentication, and security event auditing across the credential provider.


New Features

Windows Event Log Integration

    • Structured event logging — Error and Warning messages from SPLog are now automatically forwarded to the Windows Application Event Log under the source SurePassID WLM.
    • Security event API — New SPLog::SecurityEvent() method writes security-relevant events (MFA bypass usage, authentication failures, offline cache exhaustion, etc.) with dedicated event IDs and categories.
    • Message catalog — Added SPEventMessages.mc with 10 defined event IDs across 4 categories (Authentication, Configuration, Security, Connectivity), compiled into a message resource for proper Event Viewer formatting.
    • Event source auto-registrationSPWindowsEventLog::EnsureEventSourceRegistered() lazily creates the required registry keys when running with sufficient privileges.
    • Registry-controlled forwarding — Event log forwarding can be enabled/disabled via the WriteToEventLog registry value. Error, Warning, and Info messages are forwarded by default. Trace messages are excluded unless WriteTraceToEventLog is set to 1 (to avoid flooding the event log during development).

FIDO2 Offline Authentication

    • Offline cache framework — New SPFido2OfflineCache class for storing and retrieving FIDO2 assertion data for offline use.
    • Assertion result model — New Fido2AssertionResult class to represent FIDO2 authentication results.
    • Server credential parsing — Enhanced ServerPublicKeyCredentialGetOptions with expanded parsing support for offline scenarios.
    • CBOR/JSON response handling — Improved SPWebAuthnJsonResponse with additional response parsing capabilities.

NFC APDU Chaining (CTAP 2.0 Compatibility)

    • APDU chaining for FIDO 2.0 NFC authenticators — Implemented ISO 7816-4 command chaining in ApduCommand::apdu_list() for CTAP payloads exceeding 255 bytes. FIDO 2.0 authenticators over NFC do not support extended-length APDUs; payloads are now split into 255-byte fragments (CLA=0x90 for intermediate, original CLA for final) per CTAP2 spec section 11.3.6.
    • Automatic APDU mode selection — The FIDO2 assertion command now checks the authenticator's reported versions (authenticatorGetInfo). FIDO 2.1 authenticators use extended-length APDUs; FIDO 2.0 authenticators use short APDUs with chaining. This resolves SW 0x6700 (Wrong Length) errors when multiple credentials are registered for a user.
    • Diagnostic logging — APDU mode selection (extended vs. chaining), CBOR payload size, and FIDO version are now logged at Trace level for troubleshooting.

Server Connectivity Status Indicator

    • Login screen status field — Added SFI_LOGONSTATUS_TEXT field to the credential provider tile showing "Server: Online" or offline status with available authentication methods (e.g., "Offline: Security key or passcode"). Positioned after the submit button for visibility in LogonUI.

Improvements

Security & Encryption

    • DPAPI encryption for offline cache — OTP offline cache now uses DPAPI-based encryption (EncryptForCache / DecryptFromCache) with automatic fallback to legacy Brownie/Enc256 for backward compatibility.
    • Security event logging for MFA bypass — Bypass code usage is now logged as a security event (MSG_MFA_BYPASS_CODE_USED) for audit trails.
    • Offline cache exhaustion alerts — When the offline OTP cache is depleted, a MSG_OFFLINE_CACHE_EXHAUSTED security event is written.
    • DPAPI failure auditing — If DPAPI encryption fails and falls back to legacy encryption, a MSG_DPAPI_ENCRYPTION_FAILED event is logged.
    • Offline cache invalidation on policy change — When AllowOfflineFido2 or AllowOffLineAuth is set to 0, any existing cached credentials (FIDO2 or OTP) are automatically cleared and a MSG_OFFLINE_CACHE_INVALIDATED security event is logged. This ensures stale caches cannot be used after an administrator disables offline authentication.

Logging

    • Thread ID in log entries — All log messages now include [TID:<id>] for easier multi-threaded debugging.
    • Thread-safe logging — Added std::mutex-based synchronization across all SPLog methods.
    • Default log level fix — Default log level (when no registry key is set) now correctly includes Error-level messages in addition to Warning.

Credential Provider

    • Credential provider filter whitelistingSurePassIdProviderFilter now supports GUID-based whitelisting of credential provider tiles.
    • CredUI fixes — Additional fixes for Credential UI (UAC prompt) processing.

Configuration

New Registry Values

Value Name

Type

Default

Description

AllowOfflineFido2

REG_SZ

0 (disabled)

Enable/disable FIDO2 offline authentication

ConnectionAllowHttp

REG_SZ

0 (disabled)

Allow HTTP (non-TLS) connections to MFA server (testing/development only)

WriteToEventLog

REG_SZ

1 (enabled)

Enable/disable forwarding of Error/Warning to Windows Event Log

WriteTraceToEventLog

REG_SZ

0 (disabled)

When enabled (and LogLevel is Trace), also forward Trace entries to Windows Event Log

LogLevel

REG_SZ

W

Log level: Error, Warning, Info, Trace

Event Log Setup

The event source is registered automatically when running with admin privileges. For test environments, run once as Administrator:

powershell -ExecutionPolicy Bypass -File SurePassIdLibGoogleTests\RegisterEventSource.ps1

Event IDs Reference

Event ID

Symbolic Name

Severity

Category

1000

MSG_GENERAL_ERROR

Error

1001

MSG_GENERAL_WARNING

Warning

1002

MSG_GENERAL_INFO

Informational

2000

MSG_MFA_BYPASS_CODE_USED

Warning

Security

2001

MSG_OFFLINE_AUTH_ATTEMPTED

Informational

Security

2002

MSG_OFFLINE_CACHE_EXHAUSTED

Warning

Security

2003

MSG_MFA_SERVER_UNREACHABLE

Warning

Connectivity

2004

MSG_MFA_CONNECTIVITY_CHECK_DISABLED

Warning

Security

2005

MSG_AUTHENTICATION_FAILED

Error

Authentication

2006

MSG_AUTHENTICATION_SUCCEEDED

Informational

Authentication

2007

MSG_DECRYPTION_FAILED

Error

Security

2008

MSG_DPAPI_ENCRYPTION_FAILED

Warning

Security

2009

MSG_SESSION_EXPIRED

Informational

Authentication

2010

MSG_OFFLINE_CACHE_INVALIDATED

Warning

Security


Verifying the Installed Version

After installing or updating the DLL, verify you are running release 26.2:

  1. Open File Explorer and navigate to the installed DLL location (typically C:\Windows\System32\WindowsLoginManager.dll).
  2. Right-click the file ? Properties ? Details tab.
  3. Confirm the following values:
    • File version: 26.2.0.0
    • Product version: 26.2.0.0
    • Product name: SurePassID Windows Login Manager

    Alternatively, from an elevated PowerShell prompt:

    (Get-Item "C:\Windows\System32\WindowsLoginManager.dll").VersionInfo | Select-Object FileVersion, ProductVersion

    Expected output:

    FileVersion ProductVersion
    ----------- --------------
    26.2.0.0    26.2.0.0

    New Installations

    For new installations download the distribution, unzip the file, and run the distribution.  

    Click below to download the full product install exe.
    https://downloads.surepassid.com/CP_V2/SurePassIDWindowsLogonMFA_V2.zip

    Click below to download the full product install msi.
    https://downloads.surepassid.com/CP_V2/SurePassIDWindowsLogonMFA_V2_MSI.zip

    Click below for the installation guide.
    https://docs.surepassid.com/SurePassID_Windows_Logon_MFA_Guide.pdf

    Large scale deployment KB Article:
    https://support.surepassid.com/deploy-surepassid-windows-login-manager-wlm-via-script-or-windows-active-directory-group-policy-object

    Updating Existing Installations

    For updating your existing installations, download the distribution and unzip the file.

    Click below to download the product update distribution.
    https://downloads.surepassid.com/CP_V2/patches/SP_PATCH_WLM_26_2_06242026.zip

    After unzip file you will find two folders: Agent Folder and Configuration Manager folder. The Agent folder contains the SurePassID WLM dll that is copied into system32 on all machines that are configured for WLM MFA. The Configuration Manager is the UI tool that can be used to update the system configuration options on the local machine before large scale deployment. 

    Click below for the installation guide.
    https://docs.surepassid.com/SurePassID_Windows_Logon_MFA_Guide.pdf

    Large scale deployment KB Article:
    https://support.surepassid.com/deploy-surepassid-windows-login-manager-wlm-via-script-or-windows-active-directory-group-policy-object

     

    Support

    Getting Help

    © 2011-2026 SurePassID. All rights reserved.