Machine-based MFA

Feature overview

Machine-based MFA is a setting that protects business-critical machines in an organization by enforcing MFA on selected machines regardless of which user logs in. Every user who accesses a protected machine must verify their identity through MFA before the login completes.

Machine-based MFA remains enforced under all conditions. Even when a user is not enrolled for MFA or when the ADSelfService Plus server is unreachable, the protected machine continues to require MFA and blocks the login until the user verifies their identity. This makes it suitable for sensitive endpoints that must stay protected at all times.

Machine-based MFA applies to machines joined to an AD domain, standalone (workgroup) machines, and machines managed through a Microsoft Entra ID tenant.

How machine-based MFA works

Machine-based MFA ties the MFA requirement to the machine rather than to a user policy. Each authentication prompt uses the authenticators configured for that user under MFA for Machine Login.

It takes precedence over user-based Endpoint MFA. Even users who do not have user-based Endpoint MFA enabled are prompted for verification on a protected machine, and unenrolled users cannot bypass the prompt.

If a user selects Trust this machine on the login screen, the user can log in without MFA for a set duration after the first successful verification. Once that duration expires, MFA is required again.

Note: Because enforcement applies even when the server is unreachable, the type of authenticator matters. Server-dependent (online) authenticators cannot complete verification without a reachable server. Enroll at least one offline-capable authenticator for machines that operate off-network.

When login is blocked

When machine-based MFA is enforced, ADSelfService Plus blocks login to the protected machine in any of the following cases:

  • The ADSelfService Plus server is unreachable and the user cannot verify with an offline-capable authenticator (online authenticators need a reachable server; see the note under How machine-based MFA works).
  • The user account is restricted in ADSelfService Plus.
  • The user does not belong to any policy with MFA for Machine Login configured.
  • The user has not enrolled for any of the authenticators configured in the MFA for Machine Login section, whether online or offline, regardless of whether the Force Enrollment option is enabled for the user policy.
  • The user has exceeded the license consumption limit, or Endpoint MFA has not been purchased. To purchase Endpoint MFA, click here.
Note: Update the login agent to version 5.10 or later on Windows, 1.7 or later on macOS, or 2.4 or later on Linux so that MFA is enforced correctly. Older agents do not honor machine-based enforcement while the server is down: if a machine runs an older login agent and the server is unreachable, the user can still access the machine, but only when Skip MFA when the ADSelfService Plus server is down or unreachable is enabled in their policy.

Supported MFA scenarios

ADSelfService Plus supports MFA for interactive logins to machines running Windows, macOS, or Linux. Scenarios including User Account Control (UAC), Remote Desktop access, and machine unlocking are supported on Windows only.

Within the Windows scenarios, support also differs between Active Directory and Microsoft Entra ID:

MFA scenario                  Active Directory   Microsoft Entra ID
Interactive GUI login         Supported          Supported
User Account Control (UAC)    Supported          Supported
RDP server authentication     Supported          Supported
RDP client authentication     Supported          Not supported
Unlocking Windows machines    Supported          Supported

Prerequisites

Ensure the following before you configure and enforce machine-based MFA in ADSelfService Plus:

  • Edition: The Professional edition of ADSelfService Plus with Endpoint MFA. Without the Professional edition and Endpoint MFA, ADSelfService Plus does not enforce machine-based MFA.
  • Login agent: Install the ADSelfService Plus login agent on each target machine.

Limitations

The following limitations apply to machine-based MFA in ADSelfService Plus:

  • You cannot install, update, or uninstall the login agent from ADSelfService Plus on Windows workgroup machines. Perform these actions manually, or use a tool such as Microsoft Configuration Manager or ManageEngine Endpoint Central.
  • RDP client authentication is not supported for local users on domain-joined or standalone (workgroup) machines, and for Microsoft Entra ID.
  • Actions performed through the Run as a different user option do not trigger the credential prompt that other UAC actions use, so MFA for UAC does not apply to that path.
Note: On Microsoft Entra ID-joined machines, changing a user's user principal name (UPN) suffix after the user has logged in to the machine does not update the username cached on that machine. When the user logs in again through the cached user tile, the machine still presents the old username. Because of this mismatch, ADSelfService Plus may fail to identify the user during the machine login MFA flow and bypasses MFA for that login. The cached username is updated only after the user logs in once with the new username from the Other User tile; from then on MFA is enforced again. To keep these machines protected across a UPN change, enforce machine-based MFA, which controls MFA at the machine level rather than relying on username matching alone.

Configuration instructions

To configure machine-based MFA in ADSelfService Plus, enforce it on the required machines and, optionally, configure advanced settings for additional Windows scenarios. The procedures apply to both Active Directory domains and Microsoft Entra ID tenants, with differences called out where they occur.

Enforce machine-based MFA

To enforce machine-based MFA on one or more machines, follow these steps:

  1. Go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.

Fig.1: Installed Machines tab in ADSelfService Plus.

  2. For an Active Directory domain, select the required domain from the drop-down list. For a Microsoft Entra ID tenant, select the required tenant from the Select Tenant drop-down list.
  3. Select the machines on which you want to enforce machine-based MFA.
  4. Click Manage MFA, and then select Enforce.

Fig.2: Enforcing machine-based MFA using ADSelfService Plus.

Exempt a machine from machine-based MFA

To remove machine-based MFA enforcement from one or more machines, follow these steps:

  1. Go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.
  2. For an Active Directory domain, select the required domain from the drop-down list. For a Microsoft Entra ID tenant, select the required tenant from the Select Tenant drop-down list.
  3. Select the machines you want to exempt from machine-based MFA.
  4. Click Manage MFA, and then select Exempt.

Fig.3: Removing machine-based enforcement using ADSelfService Plus.

Advanced Machine MFA settings

The advanced settings extend MFA to specific Windows scenarios. On the GINA/Mac/Linux Installation screen, click Advanced Machine MFA Settings. These settings apply to every Windows machine that has the ADSelfService Plus login agent installed.


Fig.4: Configuring Advanced Machine MFA Settings in ADSelfService Plus

Enable MFA during interactive GUI logins to Windows machines

When you enable this setting, ADSelfService Plus requires MFA during interactive (GUI-based) logins on Windows machines. Users can perform subsequent actions only after they verify their identity.

Enable MFA for User Account Control (UAC)

This setting requires MFA for every UAC credential prompt. The user can perform the requested action only after verifying their identity. MFA can intercept the elevation prompt only when it runs on the secure desktop, so you must apply the following Group Policy settings first.

  1. Log in to a domain controller with Domain Admin privileges, then apply these Group Policy settings to the target computers:
    • Open the Group Policy Management Editor (GPMC) and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    • Set User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for credentials on the secure desktop.
    • Set User Account Control: Switch to the secure desktop when prompting for elevation to Enabled.
  2. Switch to ADSelfService Plus and check Enable MFA for User Account Control.
Note: This setting works on Windows 7 or later and Windows Server 2008 or later. It is supported from version 5.10 or later of the ADSelfService Plus Windows login agent. Actions performed through the Run as a different user option do not trigger the credential prompt that other UAC actions use, so MFA for UAC does not apply to that path.

Enable MFA for Remote Desktop (RDP) access

You can require MFA for Remote Desktop Protocol (RDP) connections, which adds a layer of authentication to those connections. RDP authentication works in two directions:

  • RDP server authentication protects incoming connections to a protected machine.
  • RDP client authentication protects outgoing connections from a protected machine.
Note: Enabling both RDP server and RDP client authentication can cause double verification if the login agent is installed on both the server and the client machine. For example, with Google Authenticator configured and both settings enabled, the user enters a code twice — once before the connection and once after.

RDP server authentication

When you enable this setting, ADSelfService Plus protects every incoming Remote Desktop connection with MFA on any Windows machine that has the login agent installed.

To enable MFA for RDP server authentication, log in to a domain controller with Domain Admin privileges, then apply the following Group Policy settings to the target computers:

  1. Open the Group Policy Management Editor and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  2. Double-click Require user authentication for remote connections by using Network Level Authentication, and check Enabled.
  3. Click Apply, and then OK.
  4. Switch to the ADSelfService Plus console, select Enable MFA for Remote Desktop access on Windows machines during, and then check RDP server authentication.

To require MFA for Remote Desktop connections in a multi-forest AD environment, a trust relationship must exist between the domains involved. You can add trusts between forests through a forest trust (at the forest level) or an external trust (at the domain level). For the steps, click here.

Note: RDP client authentication also covers users who connect over the internet or other public IP addresses through Remote Desktop Gateway (RD Gateway). To protect these connections, configure a conditional access rule with IP restrictions. For more details, see conditional access.

RDP client authentication

This setting requires MFA for all outgoing Remote Desktop connections from domain-joined machines. It applies to connections made through the Windows Remote Desktop app (mstsc.exe) on machines that have the login agent installed.

Note: RDP client authentication is not supported for local users on domain-joined or standalone (workgroup) machines, or for Microsoft Entra ID.

Before configuring RDP client authentication, log in to a domain controller with Domain Admin privileges and apply these settings:

  1. Open the Group Policy Management Editor (GPMC) and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  2. Double-click Require user authentication for remote connections by using Network Level Authentication and check Enabled.
  3. Click Apply, and then OK.
  4. Switch to the ADSelfService Plus console, select Enable MFA for Remote Desktop access on Windows machines during, and then check RDP client authentication.
Note: This setting is supported from version 5.10 or later of the ADSelfService Plus Windows login agent and works on Windows 7 or later and Windows Server 2008 R2 or later.
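The UAC, RDP server, and RDP client procedures above all apply Windows policy settings through the Group Policy Management Editor. The following PowerShell is an added example, not part of the ADSelfService Plus documentation or product: it sets the same three policy values through a GPO with the GroupPolicy module and audits them on a target machine so you can confirm the prerequisite is in place before turning on the corresponding checkbox. The GPO name ADSSP Machine MFA Prerequisites and the OU in the comment are assumptions; the registry paths are the standard Windows policy locations behind the named settings.

```powershell
# Added example (not from the ADSelfService Plus documentation).
# Policy registry values behind the settings named in the procedures above.
# Paths are relative to HKLM so they can be used both for the local audit
# (HKLM:\...) and for Set-GPRegistryValue (HKLM\...).
$MachineMfaPrereqs = @(
    @{ Setting   = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for credentials on the secure desktop'
       Key       = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'ConsentPromptBehaviorAdmin'   # 1 = prompt for credentials on the secure desktop
       Expected  = 1 },
    @{ Setting   = 'UAC: Switch to the secure desktop when prompting for elevation = Enabled'
       Key       = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'PromptOnSecureDesktop'
       Expected  = 1 },
    @{ Setting   = 'RDS: Require user authentication for remote connections by using Network Level Authentication = Enabled'
       Key       = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       ValueName = 'UserAuthentication'
       Expected  = 1 }
)

function Test-MachineMfaPrereq {
    # Run on a target machine (after gpupdate) to confirm the policy values landed.
    # Reads the policy keys, i.e. what Group Policy wrote, not the runtime state.
    foreach ($p in $MachineMfaPrereqs) {
        $path   = "HKLM:\$($p.Key)"
        $actual = (Get-ItemProperty -Path $path -Name $p.ValueName -ErrorAction SilentlyContinue).($p.ValueName)
        [pscustomobject]@{
            Setting  = $p.Setting
            Actual   = $actual        # $null when the value has not been set at all
            Expected = $p.Expected
            Ok       = ($actual -eq $p.Expected)
        }
    }
}

function Set-MachineMfaPrereqGpo {
    param([Parameter(Mandatory)][string]$GpoName)
    # Run on a domain controller (or an RSAT host) as a Domain Admin.
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    foreach ($p in $MachineMfaPrereqs) {
        # Computer Configuration values: Set-GPRegistryValue writes them under HKLM in the GPO.
        Set-GPRegistryValue -Name $GpoName -Key "HKLM\$($p.Key)" `
            -ValueName $p.ValueName -Type DWord -Value $p.Expected | Out-Null
    }
    # Link the GPO to the OU that holds the protected machines (OU is an assumption):
    # New-GPLink -Name $GpoName -Target 'OU=Protected Servers,DC=example,DC=com'
}

# Usage (GPO name is hypothetical):
#   Set-MachineMfaPrereqGpo -GpoName 'ADSSP Machine MFA Prerequisites'
#   then, on a target machine after "gpupdate /force":
#   Test-MachineMfaPrereq | Format-Table Setting, Actual, Expected, Ok -AutoSize
```

Run Set-MachineMfaPrereqGpo on a domain controller, link the GPO to the OU containing the protected machines, refresh policy on a target, and then run Test-MachineMfaPrereq there; every row should report Ok = True before you enable the matching checkbox under Advanced Machine MFA Settings. A row whose Actual is empty means no policy wrote that value, which is the usual cause of the UAC prompt not appearing on the secure desktop.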

Enable MFA when unlocking Windows machines

When you enable this setting, ADSelfService Plus requires MFA when a user unlocks a Windows machine.


Fig.5: Advanced Machine MFA Settings dialog in ADSelfService Plus