How can I force Admins to use 2FA and not my end users?

There are times when you may want to force your Admins or Technicians to use 2FA, however you may want your End Users to have access to their systems as normal. We can configure this using the Windows Credential Provider and changing the Override behavior.

Note: Once the Windows Credential Provider is installed all users will see the prompt for an AuthAnvil Passcode on all local connections, even if they are not required to use 2FA to log in. This means that a user sitting down at their workstation will be prompted for 3 fields (Username, Password, AuthAnvil) instead of 2 (Username and Password).

The AuthAnvil Two Factor Auth Override Group

By default the Windows Logon Agent enforces strong authentication on all accounts. This means that every account that is presented with the Logon dialog box, where our agent is installed, must present their AuthAnvil Two Factor Auth passcode along with their Windows logon credentials.

There may be times when this isn’t desirable for all accounts. In such a case, it is possible to assign a user to a Local or Active Directory Security Group which our agent will honor. If someone is a member of that group, they will NOT be required to enter their AuthAnvil Two Factor Auth passcode. They can leave that field blank.

During installation the Active Directory Override Group is defined by the by the person running the installer. It is the responsibility of the Local or Domain administrator to create this Security Group and assign users as required by their corporate security policy if you wish to use this feature.


Changing Override Behavior

The Override Group behavior can be toggled between the default behavior of allowing the members of the Override Group to log on without a token, and allowing everybody to log on without a token *except* for the members of the Override Group.

To change this, set the key to 0 for the default behavior, or to 1 to force members of the Override Group to log on using a token.

  1. Start regedit
  2. Open the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon\ hive.
  3. Edit the OverrideGroupRequires2FA value and change it to 1.
  4. Close regedit

Note: If the Override Group does not exist on the local computer or in Active Directory (if domain joined), toggling this function will have no effect.




If you have any questions or need some help, we would be happy to assist. Open a case at or send an email to


Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section