How to enable MFA for Windows login

In this article:

• Objective
• Prerequisites
• Steps to follow
• Validation and confirmation
• Tips
• Related resources

Objective

By following this article, administrators can:

• Learn how to enable MFA for Windows login using ADSelfService Plus
• Protect domain-joined and remote Windows machines from credential-based attacks
• Enforce strong identity verification during Windows logins.

Enabling MFA for Windows using ADSelfService Plus can secure the following scenarios:

• Local and remote Windows domain login
• Windows lock screen during system unlock
• User Account Control elevation prompts

This ensures users verify their identity before accessing enterprise machines.

Prerequisites

System requirements for Windows MFA

The following Windows servers and client versions are supported for MFA with ADSelfService Plus.

Dependencies

1. Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase Endpoint MFA.
2. SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab > Product Settings > Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply a SSL certificate and enable HTTPS.
3. Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.
4. Enable the required authentication methods. For steps on enabling the authentication methods, refer to this page.
5. Install ADSelfService Plus login agent on the machines where you want to enable Windows login MFA. Click here for steps to install the ADSelfService Plus login agent.
6. Offline MFA is supported only for Windows machines (except Windows 10 version 1803) and macOS logins. For remote logins, offline MFA is not supported for Windows RDP-client authentication.
7. Please make sure that the login agent installed on your machines meets the required version: version 6.3 or above for Windows, and version 3.0 or above for macOS. If not, update the agent to the latest version by following these steps. If you have not installed the login agent yet, please configure offline MFA before doing so to ensure that the changes are updated.

Steps to setup MFA for Windows login

Configure MFA for Windows login

1. Log in to the ADSelfService Plus web console with admin credentials.
2. Navigate to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
3. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.

   Note: ADSelfService Plus enables you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

4. In the MFA for Machine Login section, check the Enable __ factor authentication box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
5. To enable Offline MFA: Check the Choose authenticators for Offline MFA box and select the authentication methods you prefer to use.
6. Click Save Settings.

   

   Image 1. MFA for Windows configuration

Secure ancillary Windows endpoints with MFA

Extend MFA protection beyond initial logins to User Account Control prompts, machine unlocks, and Remote Desktop sessions for comprehensive Windows endpoint security.

• Secure User Account Control prompts with MFA : Elevating privileges via UAC is a common attack vector; enforcing MFA here prevents unauthorized admin actions and strengthens least-privilege enforcement. To enable this feature go to Advanced > Endpoint MFA, then select User Account Control from the Enable MFA for _ drop-down.
• Protect machine unlocks against unauthorized access : Unlocked machines expose sensitive data to physical threats; MFA adds a vital second factor to thwart shoulder-surfing or stolen credentials.To enable this feature go to Advanced > Endpoint MFA, then select the Machine Unlocks from the Enable MFA for _ drop-down.
• Safeguard RDP sessions from lateral attacks : RDP is a top exploit target for ransomware; MFA ensures only verified users establish remote connections, blocking credential-stuffing attacks.

To enable, go to Advanced > Endpoint MFA, select the Enable MFA for Remote Desktop access during checkbox.

Image 2. Enable MFA for drop-down

Image 3. Enable MFA for Remote Desktop access during checkbox

Streamline Windows MFA policies for seamless machine logins

To enable create a holistic MFA policy, go to Advanced > Endpoint MFA, and configure advanced settings such as:

• Idle time limit: Set a time limit for users to complete the MFA process when logging into their machines using the The Machine login MFA process can be idle for __ min setting.
• MFA server downtime: Ensure users aren't left stranded on their machine login screens during the MFA process when the ADSelfService Plus server is down or unreachable using the Skip MFA when the ADSelfService Plus server is down or unreachable option. This setting is skipped when:
  • Offline MFA is configured and the user is enrolled with offline MFA on their device.
  • Machine-based MFA is enforced in the device.
• Trusted device: Enable users who have logged in once using MFA for Windows login to skip going through MFA authentication during subsequent logins using the Keep a machine trusted for _ days setting.
• Unenrollment mitigation: Determine the authentication flow for the user when they have not enrolled for any of the authenticators for Windows MFA using the _ if the user is not enrolled for MFA setting. One of the following actions can be enabled occur:
  • Allow logins: The user will be permitted to bypass machine login MFA and gain access to the machine.
  • Deny logins: The user will be restricted from access.
  • Force enrollment: The user will be required to enroll with the authenticators for online MFA and offline MFA only after successful primary authentication.

Validation and confirmation

• Apply a policy to a test OU or group and user.
• Log on to a target Windows machine with AD credentials; confirm the Windows authentication MFA prompt appears and succeeds with enrolled authenticator.
• Test offline MFA by disconnecting from the internet—verify enrollment and logon work.
• Review MFA Enrolled Users Report for status and backup codes.

Tips

• Use phishing-resistant authenticators like YubiKey or biometrics for high-security endpoints.
• Enforce authenticator enrollment via advanced settings to ensure compliance.
• Configure backup codes to prevent user lockouts if a primary authenticator is unavailable.

Related resources

• Help guide: https://www.manageengine.com/products/self-service-password/help/admin-guide/Configuration/Self-Service/mfa-for-windows-macos-linux.html
• Harden endpoint security: https://www.manageengine.com/products/self-service-password/kb/harden-security-for-windows.html