How to set up MFA for Windows login

Objective

By following this article, administrators can:

  • Learn how to complete Windows multi-factor authentication (MFA) setup using ADSelfService Plus.
  • Protect Active Directory- and Entra ID-joined Windows endpoints from credential-based attacks.
  • Enforce strong identity verification during the Windows login process.
  • Secure local, remote, and privileged Windows access with additional authentication factors.

Supported Windows login scenarios

Setting up MFA for Windows using ADSelfService Plus can secure the following scenarios:

  • Interactive logins from the Windows GUI screen
  • Windows lock screens during machine unlocks
  • User Account Control (UAC) elevation prompts
  • Remote Desktop Protocol (RDP) sessions
  • Local and remote Windows domain logins

This ensures that users verify their identities before accessing enterprise resources, even if their passwords have been compromised.

Why enable Windows MFA?

The Windows login process traditionally relies on usernames and passwords to authenticate users against Active Directory. While passwords remain the primary authentication factor, they are vulnerable to phishing, password spraying, credential stuffing, and other attacks.

ADSelfService Plus' Windows MFA feature improves the security of Active Directory-, Entra-, and hybrid-joined Windows machines by requiring users to verify their identities using an additional authentication factor after entering their credentials.

Depending on your organization's configuration, users may authenticate using:

  • Biometric authentication
  • Duo Security
  • Email and SMS verification
  • TOTP authentication
  • Push notifications
  • QR code authentication
  • RADIUS authentication
  • FIDO2 passkeys
  • YubiKey Authenticator
  • RSA SecurID

Before users can authenticate using an authenticator application, they must complete enrollment, which often includes QR code enrollment to associate the application with their account securely.

Organizations can also combine Windows MFA with conditional access policies to strengthen identity security across environments without affecting user experience.

Prerequisites

System requirements for Windows MFA setup

The following Windows servers and client versions are supported for MFA with ADSelfService Plus.

  Windows servers           Windows clients
  Windows Server 2025       Windows 11
  Windows Server 2022       Windows 10
  Windows Server 2019       Windows 8.1
  Windows Server 2016       Windows 8
  Windows Server 2012 R2    Windows 7
  Windows Server 2012
  Windows Server 2008 R2

Dependencies for Windows MFA setup in ADSelfService Plus

  • Your ADSelfService Plus license must include Endpoint MFA
  • SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin > Product Settings > Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply an SSL certificate and enable HTTPS.
  • The required authentication methods must be enabled before configuring Windows MFA.
  • The ADSelfService Plus login agent must be installed on all protected machines.
  • Offline MFA is supported only for Windows machines (except Windows 10, Version 1803) and macOS logins.
  • For remote logins, Offline MFA is not supported for Windows RDP client authentication.
  • Please make sure that the login agent installed on your machines meets the required version: Version 6.3 or above for Windows, and version 3.0 or above for macOS. If not, update the agent to the latest version by following these steps.

How to set up MFA for Windows login

Create a granular MFA policy

  1. Log in to ADSelfService Plus with admin credentials.
  2. Select Microsoft Entra ID or Active Directory depending on the configured directory and the user accounts you want to enable Windows login MFA policy for. Go to Configuration > Self-Service > Policy Configuration. Click Add New Policy.
  3. Select the required OUs and groups in the case of Active Directory. Select the required domains and groups in the case of Entra ID.
  4. Select at least one of the self-service features listed.
  5. Click Save to create a policy governing the users under the selected Active Directory OUs and domains or Entra ID groups and domains.

Configure MFA for Windows login

  1. Log in to the ADSelfService Plus web console using admin credentials.
  2. Navigate to Microsoft Entra ID or Active Directory. Go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  3. In the Choose the Policy drop-down, choose the policy created previously. This will apply the chosen authenticators to users under the policy.
  4. Go to the required authenticators and provide the necessary information to enable them.
  5. Click Save.
  6. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
  7. Select the policy created to granularly enable Windows login MFA.
  8. In the MFA for Machine Logins section, select Enable __ factor authentication and specify the number of authentication factors required for Windows logins.
  9. Select the authenticators that users will use during Windows logins.

Configure offline MFA

Offline MFA allows users to complete authentication even when the machine cannot communicate with the ADSelfService Plus server. This is particularly important for organizations with mobile or field workers who operate in environments without reliable network access. To enable offline MFA:

  1. Select Choose authenticators for Offline MFA.
  2. Choose the authentication methods to be used offline.
  3. Click Save Settings.
    [Image 1. MFA for Windows configuration: the MFA for Endpoints page with the MFA for Machine Logins feature enabled and authenticators selected]

    Note: If offline MFA is not configured or a user's machine is not enrolled for offline MFA, offline access is denied unless:

    • The Skip MFA when the ADSelfService Plus server is down or unreachable setting is enabled. This setting can be found under Configuration > Self-Service > Multi-factor Authentication > Advanced > Endpoint MFA > Machine Login MFA.
    • Machine-based MFA is not enforced for that machine. The Manage MFA setting under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines is set to Exempt.
  4. Changes to the offline MFA configuration, advanced settings, enrollment data, and disenrollment of the machine from offline MFA will be reflected only after the next successful online MFA attempt on that machine.

Secure ancillary Windows endpoints with MFA

Extend MFA protection beyond initial logins to User Account Control prompts, machine unlocks, and Remote Desktop Protocol sessions for comprehensive endpoint security.

Secure UAC prompts with MFA

User Account Control (UAC) helps prevent unauthorized privilege escalation. Applying MFA to UAC prompts ensures that users verify their identities before administrative permissions are granted.

To enable this feature:

  1. Navigate to Advanced > Endpoint MFA.
  2. Select User Account Control from the Enable MFA for drop-down.

Protect machine unlocks against unauthorized access

Machine unlock MFA protects devices that have been left unattended or temporarily locked.

To enable this feature:

  1. Navigate to Advanced > Endpoint MFA.
  2. Select Machine Unlocks from the Enable MFA for drop-down.

Safeguard RDP sessions

Remote Desktop Protocol (RDP) is frequently targeted by attackers seeking unauthorized access to enterprise systems. MFA helps ensure that only verified users can establish remote sessions.

To enable this feature:

  1. Navigate to Advanced > Endpoint MFA.
  2. Select Enable MFA for Remote Desktop access during.
  3. Select RDP server authentication and RDP client authentication.
    [Image 2. Enable MFA for drop-down with the User Account Control and Machine Unlocks options displayed]

    Note: RDP client authentication is not supported for Microsoft Entra ID. For RDP access in Microsoft Entra ID, select the Enable Remote Desktop access during RDP server authentication checkbox.

    [Image 3. Enable MFA for Remote Desktop access during RDP server and client authentication]

Set up advanced Windows login MFA settings

To improve the Windows login MFA experience and security, the following advanced settings can also be enabled under Advanced > Endpoint MFA > Machine login MFA:

  • Idle time limit: Specify how long users can remain idle during the MFA process.
  • MFA server downtime: Configure behavior when the ADSelfService Plus server becomes unavailable. This setting is bypassed when:
    • Offline MFA is configured.
    • Machine-based MFA is enforced.
  • Trusted devices: Allow users to skip MFA on trusted devices for a specified number of days.
  • Unenrollment mitigation: Determine how users are handled when they have not enrolled in the required authenticators. Available actions include:
    • Allow logins
    • Deny logins
    • Force enrollment

When Force Enrollment is selected, users must enroll in online and offline MFA authenticators after successful primary authentication.

User enrollment requirements

Before users can complete MFA during Windows logins, they must enroll in at least one approved authentication method. ADSelfService Plus supports two types of enrollment scenarios:

  • Enrollment by the user: The user is encouraged to enroll via email and push notifications, or forced to enroll through login scripts.
  • Bulk enrollment by admin: The admin enrolls users via CSV files and database integrations.

The user-initiated enrollment process may include:

  • Registering a third-party authenticator application such as Google Authenticator by completing the QR Code enrollment or OTP enrollment process.
  • Registering biometric authentication methods or FIDO2 passkeys such as Windows Hello for Business by performing the authentication method supported.
  • Registering the built-in push notification method in the ADSelfService Plus app by accepting the push notification.

Validate the Windows MFA setup

  • Apply the policy to a test Active Directory OU or Entra ID group.
  • Sign in to a protected Windows machine.
  • Verify that the MFA prompt appears.
  • Complete authentication using an enrolled authenticator application, verification code, biometric authenticator, or hardware token.
  • Confirm successful login.
  • Test Offline MFA by disconnecting the machine from the network.
  • Review the MFA Enrolled Users Report to confirm enrollment status and backup code availability.

Tips

  • Use phishing-resistant authenticators such as hardware security tokens, FIDO2 passkeys, or biometric authentication wherever possible.
  • Enforce authenticator enrollment through login scripts to ensure that all users requiring Windows login MFA are enrolled.
  • Configure backup codes to reduce the risk of user lockouts due to unavailability of enrolled authenticators.
  • Combine Windows MFA with conditional access policies for stronger contextual security.
  • Pair MFA with single sign-on (SSO) initiatives to improve security without increasing user friction.

Related resources

Create advanced password policies to evade credential-based attacks
