RSA® MFA Agent 2.

3 for Microsoft Windows Release

Notes
Release Notes

This document describes the RSA® MFA Agent 2.3 for Microsoft Windows release. It also includes workarounds for known
issues. Read this document before installing the software. This document contains the following sections:

l Product Overview
l What’s New
l Installing This Product
l Package Contents
l Documentation and Application Help
l Fixed Issues
l Known Issues
l Support and Service
l Upcoming End of Primary Support Details

These Release Notes may be updated. The most current version can be found on RSA Community on the RSA MFA Agent
for Microsoft Windows Documentation page.

Product Overview
RSA MFA Agent for Microsoft Windows works with the RSA Cloud Authentication Service and RSA Authentication Manager
to help secure sign-in to users Windows computers. You can configure the MFA Agent to challenge users either with or
without passwords.

Passwordless Authentication
Users can sign in to their computers without using a password. The MFA Agent uses Active Directory certificates to secure
passwordless authentication. Users need a registered FIDO2 security key and an Active Directory password for the first
authentication. Subsequent authentications require only a registered FIDO2 security key. The MFA Agent creates a
Microsoft Virtual Smart Card and enrolls it with a sign-in certificate to achieve passwordless authentication. Users can also
perform additional authentication when accessing Windows computers and User Account Control.

Note: Passwordless Authentication is applicable for domain users and is only supported when MFA Agent is connected
directly to the Cloud Authentication Service.
RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Password Authentication
Users can sign in to their computers with Windows password and additional authentication. A user enters the
username and password and then can be prompted for additional authentication, for example, by approving a
request in the RSA Authenticator.

MFA Agent-Server Communication

The MFA Agent can connect directly to the Cloud Authentication Service or Authentication Manager, from v8.5
onwards. Authentication Manager can also act as a secure proxy server that sends authentication requests to
the Cloud Authentication Service.

RSA MFA Agent for Microsoft Windows is different from the RSA Authentication Agent for Microsoft Windows. For
more information on the differences, see the Installation and Administration Guide.

Terminology
RSA is gradually introducing a new consistent terminology across all products and platforms. The following table
describes this new terminology.

Old Term New Term

Company ID Organization ID

Account Credential

Depending on the use, will be replaced by one of the followings:

l OTP credential (generic description)

Token l SecurID OTP credential (full description)

l SecurID software OTP credential (full description for software)

l SecurID hardware OTP credential (full description for hardware)

Depending on the use, will be replaced by one of the followings:

l SecurID software OTP credential (Complete description)

Software Token l SecurID OTP credential (when already in the context of software
credentials)

l Software OTP credential (general category description)

Depending on the use, will be replaced by one of the followings:

View Tokencode l View SecurID OTP

l View Authenticate OTP

Authenticate Tokencode Authenticate OTP

Emergency Tokencode Emergency Access Code

SMS Tokencode SMS OTP

2
 RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Old Term New Term

Voice Tokencode Voice OTP

What’s New
This section lists the new features and enhancements introduced in current and past versions of RSA MFA Agent
for Microsoft Windows.

Version 2.3, October 2023

RSA MFA Agent 2.3 includes the following key features:

l Integration with Trellix (McAfee) Drive Encryption Feature.

Version 2.2.1, June 2023

RSA MFA Agent 2.2.1 includes the following key features:

l Supports Windows Password Integration (WPI). Allows organizations to enable their users to sign in
without typing their Windows password.

Note: WPI support will require upgrading Authentication Manager to at least V8.7 SP1.

l RSA MFA Agent 2.2.1 comes with a new and intuitive user interface.

Version 2.1.5, March 2023

RSA MFA Agent 2.1.5 includes critical fixes that provide more stability, such as downloading offline day files
count. It includes the following key feature:

l Support for Authentication Manager version 8.5 to 8.7 P2.

Version 2.1.4, November 2022

RSA MFA Agent 2.1.4 includes the following key features:

l Microsoft Windows 2022 server is qualified.

l The 2.1.4 version that was released in July 2022, is tested/qualified to support computers that are both
members of a Workgroup and a Domain.

l Support for Authentication Manager version 8.5 to 8.7 P2.

3
RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Version 2.1.3, February 2022

RSA MFA Agent 2.1.3 includes the following key features:

l Microsoft Windows 11 support.

l Support for computers that are both members of a Workgroup and a Domain.
l Easy upgrade from versions 1.2.1, 2.0.1, 2.0.2, 2.0.3, 2.1, and 2.1.1.

Version 2.1.1, June 2021

RSA MFA Agent 2.1.1 includes the following key features:

l Users can sign in online and offline using SID700 hardware token (managed in Cloud Authentication
Service) by selecting RSA SecurID Token authentication method.
l Easy upgrade from versions 1.2.1, 2.0.1, 2.0.2, 2.0.3, and 2.1.

Version 2.1, April 2021

RSA MFA Agent 2.1 includes the following key features:

l Users can sign in to their computers without using a password. This update to the Agent enables
passwordless authentication to Windows 10 laptops and desktops using a FIDO2 security key with a USB
connector for both online and offline authentication. For more information, see this blog.
l Easy upgrade from versions 1.2, 1.2.1, 2.0.1, and 2.0.2.

4
 RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Installing This Product

You can install RSA MFA Agent on a new machine or upgrade directly from any of the following versions:

l RSA MFA Agent 2.2.1

l RSA MFA Agent 2.1.4

l RSA MFA Agent 2.1.3

l RSA MFA Agent 2.1.1

l RSA MFA Agent 2.1

You can also install the RSA Authentication Agent 7.4.5 for Microsoft Windows and RSA MFA Agent 2.3 for
Microsoft Windows on the same computer. You can migrate GPO policy settings from RSA Authentication Agent
7.4.0 to 7.4.5 for Microsoft Windows to MFA Agent 2.3 .

For installation and upgrade instructions, see Chapter 3, "Installing RSA MFA Agent" in the Installation and
Administration Guide.

Package Contents
RSA MFA Agent is available on the RSA MFA Agent for Microsoft Windows Downloads page.

The RSA MFA Agent package contains the following:

l RSA_MFA_Agent_2.3_PolicyTemplates.zip

l RSA_MFA_Agent_2.3.zip

l RSA_MFA_Agent_Reserve_Password_Hash_Generator_2.2.1.zip

The following table describes each file.

File Description

Contains the Group Policy Object (GPO) administrative

templates for managing authentication settings.

The template files are automatically installed as part of

local installation. Only use the zip file if you delete the
RSA_MFA_Agent_2.3_PolicyTemplates.zip files and need to re-install them on a computer.

Contains the Migration Tool utility to automate the

process of migrating your GPO settings from
RSA Authentication Agent 7.4.0 to 7.4.5 for Microsoft
Windows to MFA Agent 2.3.

Contains the following folders:

RSA_MFA_Agent_2.3.zip
l x86 and x64: The Windows Installer Packages for

5
RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

File Description

local installation of RSA MFA Agent on 32-bit and

64-bit computers.
l Licenses: Contains the RSA License Agreement.

x86 and x64: The Windows Installer Packages for local

RSA_MFA_Agent_Reserve_Password_
installation of the RSA MFA Agent Reserve Password Hash
Hash_Generator_2.2.1.zip
Generator utility on 32-bit and 64-bit computers.

Documentation and Application Help

The following product documentation is available on RSA Community on the RSA MFA Agent for Microsoft
Windows Documentation page.

Title File Name

RSA MFA Agent 2.3 for Microsoft Windows RSA_MFA_Agent_Windows_2.3_Installation_

Installation and Administration Guide Administration_Guide.pdf

RSA MFA Agent2.3 for Microsoft Windows RSA_MFA_Agent_Windows_2.3_GPO_Ttemplate_

Group Policy Object Template Guide Guide.pdf

Test Authentication with MFA Agent for Test_Authentication_with_MFA_Agent_for_

Microsoft Windows Windows.pdf

6
 RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Fixed Issues
RSA MFA Agent 2.3, October 2023
This release includes fixes for the following issues:

AAWIN-6693. Fixed the Specify the Retry Count GPO not honored in disabled state.

AAWIN-6737. Fixed the Upload Offline Audit logs.

AAWIN-6789. Fixed the sending wrong platform information to cloud when agent installed in Windows 11.

RSA MFA Agent 2.1.5, March 2023

This release includes fixes for the following issues:

AAWIN-6672. Improved the log messages and accuracy.

AAWIN-6671. Fixed a security issue inherited from the mainline branch.

AAWIN-6670. Added a one-second delay before the FIDO key touch request.

AAWIN-6669. Fixed the issue of offline authentication failure with FIDO YubiKey.

AAWIN-6667. Removed the dependency on Netlogon service (introduced in 2.1.3).

AAWIN-6607. Fix for the issue when user first inputs wrong SMS OTP and follows with correct one and the
authentication was failing.

AAWIN-6574. Fix for the issue when Approve method was locked at the server end and the Agent receives
Approve request.

AAWIN-6431. Fixed the default agent name if it is not configured in the GPO.

AAWIN-6362. Fixed the encoding bug during encryption/decryption in the passwordless flow.

AAWIN-6322. Updated the count of offline day files in the notification area when user locks/unlocks.

AAWIN-6321. Fixed the deadlock which occurs during download of offline day files using Refresh button on the
system tray.

AAWIN-6188. Fix for the issue when the agent cannot update the user attributes (e.g. email address) after
changing in the AD.

AAWIN-6058. Fix for the issue when multiple offline authentication attempts result in deadlock of service.

RSA MFA Agent 2.1.4, November 2022

This release includes fixes for the following issues:

AAWIN-6111. When the software OTP was redistributed, offline authentication failed because the cached
offline data was not updated.

AAWIN-6132. MFA Agent offline authentication failed when it was connected to AM and when the OTP PIN had
an upper-case character.

7
RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

AAWIN-6138. In some environments, the MFA Agent intermittently performed an offline authentication after a
network state change when the system was actually online.

AAWIN-6153. Offline authentication failed when the PIN was changed.

RSA MFA Agent 2.1.3, February 2022

This release includes fixes for the following issues:

AAWIN-6109. Added the system local time to the trace logs. UTC time was already used in the logs.

AAWIN-6090. Resolved an issue in which the Windows calendar configuration prevented offline data
downloads.

AAWIN-6066. The Agent was not able to retrieve certain user attributes (alternate usernames) in some multi-
forest environments, which caused authentication to fail. This has been fixed.

AAWIN-6054. In some cases, passwordless authentication provisioning required Azure to be available. This
issue has been resolved.

AAWIN-6048. The Agent was not able to retrieve certain user attributes (such as the SID and alternate
usernames) in some environments, which caused authentication (both online and offline) to fail. This has been
fixed.

AAWIN-5964. Added a Windows Event Viewer entry for users who are not in a challenge group and who did not
require additional authentication.

AAWIN-5323.The RSA MFA Agent no longer excludes the RSA Windows Agent's Credential Provider when the
'Exclude Third-Party Credential Providers' policy is enabled.

RSA MFA Agent 2.1.1, June 2021

This release includes fix for the following issue:

AAWIN-6000. Resolved an issue with authenticating an RDP logon for a user in a remote trusted forest.

RSA MFA Agent 2.1, April 2021

This release includes fixes for the following issues:

AAWIN-5678. Resolved offline authentication issues on the German version of Microsoft Windows.

AAWIN-5525. Resolved issues with the RSA Notification icon on Windows 10 systems.

AAWIN-5360. Trace logging partially captured credentials before they were submitted for authentication.

AAWIN-5215. Resolved an issue sending a username in UPN format to RSA Authentication Manager.

AAWIN-5184. The MFA Agent no longer installs the PowerShell script MFAAuthProviderACLSettings.ps1.

AAWIN-4612. In some customer environments, after the laptop on which the MFA Agent was installed woke
from sleep, the MFA Agent authenticated offline.

8
 RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Known Issues
This section describes known issues and workarounds.

Keyboard operation became unavailable after OTP by SecurID.

Tracking Number: AAWIN-6050

Problem: When the following steps are performed, input to the keyboard is disabled.

1. Connecting the target PC by RDP, then fill in the credential for NLA.

2. Enter the user name.

3. Enter the OTP for SecurID.

4. Enter the password for Windows.

l At this point, any operation by keyboard is unavailable.

Workaround: By clicking once with the mouse on any of the links displayed in the logon screen, the keyboard
operation is restored to a valid state.

On slow networks, the offline day files count on the RSA System tray icon is not accurate.

Tracking Number:AAWIN-6333

Problem: On slow networks, it is observed that the MFA agent is not showing the correct offline day files count
when a customer hovers the mouse over the RSA MFA System tray icon.

Workaround: Currently, there are no possible workarounds.

9
RSA® MFA Agent 2.3 for Microsoft Windows Release Notes Release Notes

Support and Service

You can access community and support information at https://community.rsa.com. It contains a knowledgebase
that answers common questions and provides solutions to known problems, product documentation, community
discussions, and case management.

The RSA Ready Partner Program website at https://community.securid.com/t5/securid-integrations/tkb-

p/securid-access-integrations provides information about third-party hardware and software products that have
been certified to work with RSA products. The website includes Implementation Guides with step-by-step
instructions and other information on how RSA products work with third-party products.

Upcoming End of Primary Support Details

The following table provides the upcoming End of Primary Support (EOPS) details:

Product Version EOPS Date

2.1.x June 2024

RSA MFA Agent for Microsoft Windows
2.0.x July 2023

RSA Authentication Agent for Microsoft

7.4.x June 2024
Windows

© 2006-2023 RSA Security LLC or its affiliates. All Rights Reserved. RSA, and other trademarks are trademarks
of RSA Security LLC or its affiliates ("RSA"). Other trademarks are trademarks of their respective owners.

Intellectual Property Notice

This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this
software and the intellectual property contained therein is expressly limited to the terms and conditions of the
License Agreement under which it is provided by or on behalf of RSA.

Open Source License

This product may be distributed with open source code, licensed to you in accordance with the applicable open
source license. If you would like a copy of any such source code, RSA or its affiliates will provide a digital copy of
the source code that is required to be made available in accordance with the applicable open source license.
Please direct requests in via email to RSA Legal, legalnotices@rsa.com.

10