
Windows Logon & RDP: Securing Access with Two-Factor Authentication

The Protectimus Windows logon & RDP 2FA solution adds two-factor authentication (2FA / MFA) to protect access to computers running:

  • Windows 8;
  • Windows 8.1;
  • Windows 10;
  • Windows 11;
  • Windows Server 2012;
  • Windows Server 2016;
  • Windows Server 2019;
  • Windows Server 2022.

It protects access to Windows PCs with 2FA both locally (Windows logon) and via RDP (Remote Desktop Protocol).

The Windows 2FA solution also works when the computer is offline, thanks to a backup-code feature. When installing the 2FA component on a Windows computer, the administrator can generate and save a backup code; it can then be entered instead of a one-time password to log into any user account on that computer while it is offline.

For additional information, visit the Protectimus Windows and RDP 2FA Solution page.

See below for detailed instructions on setting up Windows two-factor authentication with Protectimus.

1. Get Registered and Configure Basic Settings


Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.

2. Add Resource


Resources are used to logically group users and tokens and manage them easily.

Detailed instructions on adding resources are available in the article How to Add Resources.

3. Configure Access Policies


  1. Go to the Resources page.

Protectimus Winlogon setup - go to the Resources page  
  2. Click on the name of your resource.

Protectimus Winlogon setup - click the Resource name  
  3. Open the Winlogon tab.

Protectimus Winlogon setup - Winlogon tab  
  4. You will see the list of access policies. Configure the solution according to your requirements.

    We strongly recommend you enable Automatic Registration of Users and Tokens.

    When this feature is activated, the first time a user logs into their account they enter their usual Windows login and password and are then asked to enroll a token. To enable Automatic Registration of Users and Tokens, tick the following options:

    • Access for unregistered users;
    • User auto-registration;
    • Token auto-registration;
    • And choose the type of tokens your users can enroll (Protectimus Mail, Protectimus SMS, or Protectimus SMART OTP).

Protectimus Winlogon setup - Winlogon tab settings  
PLEASE NOTE! You may choose different settings for logging into your Windows account directly or via RDP.
  1. Access accepted (activated by default)
    Opens access to the computer. If this parameter is deactivated, access to the computer locally and/or over RDP will be completely disabled.
  2. Apply 2FA (activated by default)
    Activate this parameter to enable two-factor authentication when logging into your Windows account locally and/or over RDP. If this option is deactivated, a one-time password will not be requested.
  3. Access for unregistered users
    • This parameter allows you to enable two-factor authentication only for selected users. For example, one computer is used by 3 people – John, Adam, and Michael – but you want a one-time password to be requested only when logging in to Adam’s account. To do this, create only one user (Adam) in the Protectimus service and activate the “Access for unregistered users” parameter so that the other users (John and Michael) log in without two-factor authentication.
    • Treat this setting as fail-open: any Windows account that is not registered in the Protectimus service logs in with its password alone. Keep it enabled only while auto-registration is in use or while you deliberately exempt specific accounts, and review the list of registered users once the rollout is complete.
    • If this parameter is deactivated, the auto-registration of users and tokens is impossible.
    • If this parameter is deactivated, only users registered in the Protectimus service and assigned to your resource will be able to log in to their accounts.
  4. Single Factor Access
    If this parameter is enabled, users without tokens assigned to the current resource can log in to their Windows accounts without one-time passwords.
  5. User auto-registration
    If this parameter is enabled, the first time the users log into their accounts, they will be automatically registered in the Protectimus service and will be assigned to the current resource.
  6. Token auto-registration
    If this parameter is enabled, the first time the users log into their accounts, they will need to enroll a token. The type of token that will be available to the users should be selected in the “Token Type” field.
  7. Token Type
    In this field, you must select the type of token that will be available to the users during token auto-registration.
  8. Access by IP addresses
    If you enable this option and add the list of allowed IP addresses below, users logging in from those trusted IP addresses will not be prompted for one-time passwords. The exemption is keyed on the source IP address alone, so list only addresses you control (for example, a VPN concentrator or a jump host), not broad ranges or addresses shared behind NAT.
  9. Allowed IP addresses
    If you have activated access by IP addresses, add the list of trusted IP addresses from which a one-time password will not be requested.
PLEASE NOTE!

To use hardware OTP tokens or enable OTP delivery via chatbots in messaging apps:

  1. Add Users manually.

    ATTENTION! The user login in the Protectimus service must match the Windows username. Before creating a user, make sure that your Windows username contains only Latin characters, numbers and the following symbols: _-∽!#.$.. Spaces and any other symbols are not allowed.

    When you add 2-factor authentication to your local user account in Windows, your user’s login in Protectimus service must be identical to your username in Windows. For example, if your Windows username is John-Doe, then in the Protectimus service, you need to add a user with the John-Doe login.

    When you add users from Active Directory your users’ logins in Protectimus service must have the form login@domain, where login is the username in Active Directory, and domain is your corporate domain. For example, if the username in Active Directory is John-Doe and the corporate domain is google.com, then in the Protectimus service, you need to add a user with the John-Doe@google login.

  2. Add Tokens manually.

  3. Assign Tokens to Users.

  4. Assign Tokens with Users to a Resource.
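The naming rules above are easy to get wrong in bulk, so here is an added PowerShell pre-flight check (example code written for this guide, not Protectimus's own tooling). It lists enabled local and domain accounts, flags account names that fall outside the allowed character set, and prints the login string to create in Protectimus for each one. Assumptions: the allowed symbol set is taken from the list above and should be confirmed against current Protectimus documentation; the domain part is taken from the AD DNS root, whereas the example above shortens google.com to google, so use whichever form matches the users you have already created; the ActiveDirectory RSAT module is needed for the domain part.

```powershell
# Added example (not Protectimus code): check Windows account names against
# the Protectimus login rules and build the login string to create for each.

# Allowed characters as read from this page (Latin letters, digits and
# _ - ~ ! # . $). ASSUMPTION: confirm this set against current Protectimus docs.
$AllowedPattern = '^[A-Za-z0-9_\-~!#.$]+$'

function Test-ProtectimusLoginName {
    param([Parameter(Mandatory)][string]$Name)
    return $Name -match $AllowedPattern
}

function Get-ProtectimusLogin {
    # Local account: login is identical to the Windows username.
    # AD account: login@domain (domain part must match what you use in Protectimus).
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Domain   # empty for local accounts
    )
    if ([string]::IsNullOrEmpty($Domain)) { return $Name }
    return "$Name@$Domain"
}

$report = @()

# Local accounts that can actually log on.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    $report += [pscustomobject]@{
        Account = $u.Name
        Scope   = 'Local'
        Login   = Get-ProtectimusLogin -Name $u.Name
        NameOK  = Test-ProtectimusLoginName -Name $u.Name
    }
}

# Domain accounts, only if this host is domain-joined and RSAT is present.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain -and
    (Get-Module -ListAvailable ActiveDirectory)) {
    Import-Module ActiveDirectory
    # ASSUMPTION: the DNS root (e.g. corp.example.com) is the "corporate domain".
    # Replace with the short name if that is how your Protectimus users were created.
    $domain = (Get-ADDomain).DNSRoot
    foreach ($u in Get-ADUser -Filter 'Enabled -eq $true') {
        $report += [pscustomobject]@{
            Account = $u.SamAccountName
            Scope   = 'Domain'
            Login   = Get-ProtectimusLogin -Name $u.SamAccountName -Domain $domain
            NameOK  = Test-ProtectimusLoginName -Name $u.SamAccountName
        }
    }
}

# Accounts with NameOK = False must be renamed (or deliberately left
# unregistered) before they are added to Protectimus: a name mismatch means
# the OTP check is never matched to the right user.
$report | Sort-Object NameOK, Scope, Account | Format-Table -AutoSize
Write-Host "Accounts needing attention:"
$report | Where-Object { -not $_.NameOK } | Format-Table Account, Scope -AutoSize
```

Run it on each machine (or once on a domain controller for the domain part) before step 4; the Login column is the exact string to enter when adding users manually.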

4. Install Protectimus Winlogon

4.1. Download the installer and follow the initial setup steps


  1. Download the latest version of the Protectimus Winlogon installer.
  2. Run the installer as administrator.

Run the installer as administrator  
  3. You will see a welcome screen, click Next to continue.

Protectimus Winlogon setup - step 1  
  4. Read the license agreement, tick I accept the license and click Next to continue.

Protectimus Winlogon setup - step 2 (License Agreement)

4.2. Enter API URL, Login, API Key, then choose resource ID


  1. Enter API URL, Login, and API Key and click LogIn.

    These parameters stand for:

    • API URL – the address of the API endpoint. If you use the SaaS service, the API URL is https://api.protectimus.com/. For the on-premise Platform, the API URL is the address of the server where the Platform is running (for example, https://localhost:8443).
    • Login – the login of your account, the same as for signing in.
    • API Key – you’ll find it in your profile. To access a profile, click the user’s login in the top right corner of the interface, and choose the “Profile” entry from the drop-down list.

Protectimus Winlogon setup - step 3 (Login)
  2. Resource ID. Choose the Resource you created before the installation, then click Next to continue.

    If you have not added the resource yet, add it now: click Add Resource and enter any Resource Name you wish.
Protectimus Winlogon setup - step 4 (Resource ID)

4.3. Configure 2FA policy and save the backup code


Configure 2FA policy and save the backup code, if necessary. By default, two-factor authentication will be applied to all accounts on this computer except the Built-in Administrator and guest accounts.

  • You can enable 2FA for the Built-in Administrator or for a group of users.
  • You can configure additional settings like:
    • Require 2FA during login, not when unlocking (available only for the domain installation);
    • Require 2FA only for RDP logins;
    • Disable offline login.
  • You can also save the backup code. Your users will need this code to log into Windows accounts if there is no internet connection. The same backup code works for every account on this computer, so it is effectively a shared 2FA bypass: keep it in a controlled location such as a password vault, and give it only to the people who must be able to log in offline.

    ATTENTION!
    When the user logs in to the system with this backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.
Protectimus Winlogon setup - step 5 (2FA Policy)

4.4. Choose domain installation options


If it is NOT a domain controller, just click Install.

Protectimus Winlogon installation - last step - without GPO
If you install the Protectimus Winlogon & RDP 2FA component on the domain controller, you can configure GPO deployment settings on the Install Policy screen.

On this screen, you can:

  • select multiple groups to include in or exclude from GPO deployment;
  • specify a custom GPO name in the GPO Name field;
  • choose whether to link the GPO automatically using the Link GPO to checkbox.

Protectimus Winlogon setup - Install Policy
If you select the Create GPO checkbox, the installer will create a GPO containing a script for automatic installation when the computer starts.

If the Create GPO checkbox is not selected, the GPO will not be created.

The GPO Name field defines the name under which this GPO will appear in Active Directory.

The group selection options let you define which groups should be affected by this GPO.

PLEASE NOTE!

The Link GPO to checkbox controls whether the newly created GPO will be automatically linked to the current domain.

For a GPO to work, it must not only be created, but also linked to a domain, site, or another Active Directory object.

If Link GPO to is enabled, the installer will automatically link the GPO to the current domain of the account running the installation.

If Link GPO to is disabled, the GPO will still be created and visible by name, but it will remain inactive until you link it manually using standard Active Directory tools such as Group Policy Management in MMC.

This option is useful in more complex environments where the administrator wants to link the GPO manually to another domain, site, or another Active Directory object.

ATTENTION!

If you later decide to uninstall the Protectimus Winlogon & RDP component on the domain controller, you may be prompted to create a GPO for automatic uninstallation of this software on other machines in the domain.

When you create a GPO to uninstall Protectimus Winlogon & RDP on all machines in your domain, delete this GPO manually after the uninstallation is complete.

If you do not delete the uninstall GPO manually, it may cause issues when you install the Protectimus Winlogon & RDP component again. In this case, the software may not be installed or removed automatically on Windows machines in the domain.
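As an added example (not Protectimus's installer code), the PowerShell below checks whether the GPO the installer created is linked at the domain root, links it when Link GPO to was left unchecked, and removes the uninstall GPO after a domain-wide uninstallation has finished, as the ATTENTION above requires. The GPO names are placeholders for whatever you entered in the GPO Name field; the GroupPolicy and ActiveDirectory RSAT modules and rights to manage GPOs are assumed.

```powershell
# Added example (not Protectimus code): verify, link and clean up the GPOs
# that the Protectimus Winlogon installer creates.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$InstallGpoName   = 'Protectimus Winlogon Install'    # placeholder: your GPO Name field value
$UninstallGpoName = 'Protectimus Winlogon Uninstall'  # placeholder: your uninstall GPO Name
$DomainDN         = (Get-ADDomain).DistinguishedName  # e.g. DC=corp,DC=example,DC=com

function Test-GpoLinked {
    # $true if a GPO with this display name is linked at the given target (domain root by default).
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Target = $DomainDN
    )
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    return [bool]($links | Where-Object DisplayName -eq $Name)
}

# 1. A GPO that exists but is not linked does nothing (see PLEASE NOTE above).
$gpo = Get-GPO -Name $InstallGpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    Write-Warning "GPO '$InstallGpoName' not found: was Create GPO unchecked in the installer?"
} elseif (-not (Test-GpoLinked -Name $InstallGpoName)) {
    # Link GPO to was unchecked: link it now. Change -Target to an OU DN to
    # scope the deployment instead of linking at the domain root.
    New-GPLink -Name $InstallGpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
    Write-Host "Linked '$InstallGpoName' to $DomainDN"
} else {
    Write-Host "'$InstallGpoName' is already linked to $DomainDN"
}

# 2. Once every machine has processed the uninstall GPO, delete it; a stale
#    uninstall GPO breaks later reinstalls (see ATTENTION above).
$uninst = Get-GPO -Name $UninstallGpoName -ErrorAction SilentlyContinue
if ($uninst) {
    # Remove-GPO deletes the object together with all of its links in the domain.
    Remove-GPO -Name $UninstallGpoName -Confirm:$false
    Write-Host "Removed uninstall GPO '$UninstallGpoName'"
}

# 3. Final check: what is linked at the domain root now.
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize
```

Run part 2 only after confirming (for example with the Component Version column in 4.6) that the component is gone from every target; deleting the uninstall GPO early leaves machines that have not yet rebooted with the component still installed.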

4.5. Choose the domain controller installation options


If you install the Protectimus Winlogon & RDP 2FA component on the domain controller, the final installation screen provides the following options:

  • Perform remote installation in the domain: displays a list of domain computers and allows you to install the component directly on selected machines without waiting for GPO processing and reboot. This option is useful when you want to deploy the component immediately on specific computers.
  • Install on current computer: deploys the component directly onto the current computer. For example, if the installation is performed on a domain controller and the current GPO settings do not include the domain controller itself, selecting this checkbox allows you to install the component on the current machine anyway.
  • Protect installation from deletion: safeguards the component from removal on workstations, ensuring that it can only be deleted through authorized actions on the Domain Controller. This option is enabled by default.

If you select Perform remote installation in the domain, the next step will display a screen where you can select computers for remote installation.


Protectimus Winlogon installation - final domain installation options

4.6. Select computers for remote installation


If you selected the Perform remote installation in the domain option in step 4.5, a screen will appear with a list of all computers in the domain, allowing you to install the component directly on any of them.

By default, all computers except the Domain Controller (DC) are selected. Installation on each computer typically takes 1-2 seconds. We recommend using this feature to install the component on a few computers rather than a large number; for large-scale deployments, use GPO instead.

To check the status of a computer, hover over its name, and a tooltip with a description will appear.

Component Version column displays the version if the component is installed.

G1/G2 button selects computers according to the group settings made on the Install Policy screen (see 4.4).

Clear All button clears all checkboxes.

And Ping target before install checkbox enables the sending of an ICMP request (ping) to the selected machine before the installation itself.

Protectimus Winlogon installation - last step - GPO

4.7. Finish the installation


After the installation is completed, click OK. The next time you start the computer, the two-factor authentication will be on.

Protectimus Winlogon setup - step 8 (The installation was successful)

5. How to Enable Access Over RDP

PLEASE NOTE! Until you do the following, access to the computer via RDP will be denied.
  1. Go to the Resources page, click on the name of your Resource and open the Winlogon tab.
  2. Activate the parameter Access accepted for RDP. On its own, this parameter allows access to the computer via RDP without two-factor authentication (password only), so complete step 3 before the host is reachable over RDP from untrusted networks.

Protectimus Winlogon setup - access over RDP  
  3. To enable two-factor authentication for access via RDP, additionally activate the Apply 2FA parameter for RDP.

Protectimus Winlogon setup - access over RDP with 2FA

6. Backup codes for offline access


For the Protectimus two-factor authentication system to work normally, the computer must be able to reach the Protectimus service: the Internet for the cloud service, or your On-Premise Platform server.

For emergencies, when the user is unable to connect to the Internet, it is possible to log into the account using a backup code instead of a one-time password.

The first backup code is issued when the component is installed. Note that this code is valid for all accounts registered on this computer. It can be used once: when a user logs in with it, a new code is generated and shown to that user, and the new code must be saved and used the next time anyone logs into an account on this computer in offline mode. Each new backup code is likewise valid for all user accounts registered on this computer.

ATTENTION! Because one code unlocks every account on the machine and rotates on use, treat it as a shared emergency credential: record each new code immediately in a controlled location, and do not leave it where a user who reads it could bypass 2FA for other accounts.

Protectimus Winlogon setup - step 6 (Backup Code)

6.1. How to Reissue a Backup Code


If a user loses the backup code, a new one can be issued while the computer is online. This requires a special utility, which your chief Protectimus account administrator should request at support@protectimus.com.

To use the utility software:

  • Sign in to your Windows account.
  • Download and run the utility software.
  • Press CTRL + ALT + DEL
  • Save your new backup code.

7. Logs and Errors


If something goes wrong, there are several places to check. First, look at the Windows Application log (Event Viewer -> Windows Logs -> Application).

The Protectimus On-Premise Platform logs can be found in the PLATFORM_DIR and TOMCAT_HOME/logs directories (for example, C:\Windows\Temp\Protectimus.log).

Also, visit the Events page in the Protectimus Platform and you will see related information.
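As an added example (not Protectimus's code), the PowerShell below gathers the checks from this section on one machine: whether a credential provider for Protectimus is registered on the logon screen, whether the API host is reachable on port 443, the recent Application-log entries that mention Protectimus, the tail of the log file at the path quoted above, and the last day's failed logons (event 4625) with their logon type, which separates RDP attempts (type 10) from local ones (type 2). Assumptions: the component is assumed to register a credential provider whose name contains "Protectimus" (if nothing matches, inspect the full provider list for an unfamiliar entry); the Application-log filter matches on message or provider text because the event source name is not documented here; the API host and log path are the values given on this page; run it from an elevated shell so the Security log can be read.

```powershell
# Added example (not Protectimus code): troubleshooting checks for a machine
# where Protectimus Winlogon 2FA misbehaves.
$ApiHost = 'api.protectimus.com'               # cloud service; use your Platform host for on-premise
$LogFile = 'C:\Windows\Temp\Protectimus.log'   # path quoted on this page
$Since   = (Get-Date).AddHours(-24)

# 1. Is a credential provider for the component registered? Logon-screen 2FA
#    is delivered through a credential provider; nothing listed means the
#    install did not complete. ASSUMPTION: provider name contains 'Protectimus'.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$providers = Get-ChildItem $cpKey | ForEach-Object {
    [pscustomobject]@{ CLSID = $_.PSChildName; Name = (Get-ItemProperty $_.PSPath).'(default)' }
}
Write-Host "== Credential providers matching 'Protectimus' =="
$providers | Where-Object Name -like '*Protectimus*' | Format-Table -AutoSize

# 2. Can this machine reach the API over HTTPS? If not, only the backup code works.
Write-Host "== API reachability =="
Test-NetConnection -ComputerName $ApiHost -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded | Format-Table -AutoSize

# 3. Recent Application-log entries mentioning Protectimus.
Write-Host "== Application log (last 24h) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Protectimus*' -or $_.ProviderName -like '*Protectimus*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Format-List

# 4. Tail of the component log, if present.
Write-Host "== $LogFile (last 50 lines) =="
if (Test-Path $LogFile) { Get-Content $LogFile -Tail 50 } else { "No log at $LogFile" }

# 5. Failed logons (event 4625). Property positions are the 4625 field order:
#    5 = TargetUserName, 10 = LogonType, 19 = IpAddress. Type 10 is RDP
#    (RemoteInteractive), type 2 is a local console logon.
Write-Host "== Failed logons (4625, last 24h) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[10].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[19].Value } } |
    Format-Table -AutoSize
```

Read the results together: a registered provider plus a failed TCP test points at connectivity (expect offline behaviour and the backup code), while a successful TCP test plus 4625 entries for an account that should be exempt usually means a login-name mismatch with the rules in section 3.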

8. Uninstalling

If there is no access to your Windows user account, you can disable the Protectimus Winlogon application in Safe Mode.

The uninstallation process may include one or both of the following steps, depending on your environment:

  • Domain-wide uninstallation via GPO (if the component is deployed in a domain environment);
  • Direct uninstallation using the installer interface.

If the component is not installed in a domain environment, only direct uninstallation will be performed.


  1. Go to the Windows Uninstall or Change a Program menu, locate Protectimus Winlogon, and click Uninstall.
  2. If the component was installed in a domain environment, the uninstallation process will start with the Uninstall Policy screen.

    On this screen, you can optionally configure a GPO for automatic uninstallation across the domain:

    • Select multiple groups to include in or exclude from uninstallation.
    • Specify a custom GPO name for the uninstallation policy in the GPO Name field.
    • Choose whether to link the GPO automatically using the Link GPO to checkbox.

    If the Create GPO checkbox is enabled, the installer will create a GPO for automatic uninstallation of the component on the selected machines.

    If Link GPO to is enabled, the GPO will be automatically linked to the current domain. Otherwise, it will remain inactive until it is linked manually using standard Active Directory tools.

    Protectimus Winlogon setup - Uninstall Policy window
  3. After configuring (or skipping) the GPO step, the Start uninstallation setup window will be displayed.

    This step allows you to perform direct uninstallation using the installer interface.

    Here, you can select the computers where the component should be removed or proceed with uninstalling it only on the current machine.

    Protectimus Winlogon setup - Start uninstallation setup window
  4. After closing the previous window, the Complete/Keep Uninstall screen will be displayed with a single option:

    • Keep the installation on this computer to allow remote uninstallation later — if enabled, the component will remain on the current machine for future remote removal.

    If the checkbox is not selected, the component will be removed from the current computer immediately.

Protectimus Winlogon setup - Complete Keep Uninstall window

ATTENTION!

When you create a GPO to uninstall Protectimus Winlogon & RDP on all machines in your domain, delete this GPO manually after the uninstallation is complete.

If you do not delete the uninstall GPO manually, it may cause issues when reinstalling the Protectimus Winlogon & RDP component. In this case, the software may not be installed or removed automatically on domain machines.
