Windows Logon agent
Offers companies the ability to add two-factor authentication to Microsoft's Windows client and server operating systems. It provides a consistent sign-in experience whether the user logs in to a local desktop or through a terminal session. It offers identity assurance by requiring users to provide their Passly 2FA passcode during the logon process.
Supported Operating Systems
- Windows 10
- Windows 11
- Server 2016
- Server 2019
- Server 2022
Notes:
- This agent is installed on a per machine basis.
- This agent requires that the Passly username and the Windows username should match.
- This agent does not support any x86 versions of Windows.
- This agent does not support logins using U2F YubiKeys.
The Passly Windows Logon Agent has some unique policies that can be enabled. This article contains some working examples that will help you with your agents.
Note: For help deploying a Windows Logon agent please see this article.
Biometrics & Windows Hello
The Windows Logon Agent is not compatible with Biometrics or Windows Hello for Windows logins.
You will have to use one or the other; it is not possible to use both a Windows Logon agent and Biometrics/Windows Hello. Biometrics/Windows Hello already provide an alternate form of second-factor authentication. If Biometrics/Windows Hello remained enabled, the Windows logon process would be interrupted by multiple forms of 2FA being applied, which is simply not a good user experience.
Terminology
Winlogon performs a variety of critical tasks related to the Windows sign-in process. For example, when you sign in, the winlogon.exe process is responsible for loading your user profile into the registry. Winlogon.exe has special hooks into the system and watches to see if you press Ctrl+Alt+Delete.
LogonUI - logonui.exe is the process associated with the Winlogon application. It starts the sign-in user interface, and the process is known as Windows Logon UI. This is what you see when the system asks you to log on to your user account before your session is loaded at startup.
The Windows credential provider framework enables developers to create custom credential providers. When Winlogon wants to collect credentials, the Logon UI queries each credential provider for the number of credentials that it wishes to enumerate. After all providers have enumerated their tiles, the Logon UI displays them to the user. The user then interacts with a tile to supply the necessary credentials. The Logon UI submits these credentials for authentication.
Thanks to this system, it is much easier to create a credential provider than it was historically. Much of the work is handled by the combination of Winlogon, the Logon UI and the Credential UI.
Credential providers are registered on a Windows machine and are responsible for the following:
- Describing the credential information required for authentication.
- Handling the communication and logic with any external authentication authorities.
- Packaging the credentials for interactive and network logon.
Prerequisite Software
To configure a Windows Logon agent, follow these steps.
First create a Policy for this agent.
- Log into your tenant https://(your company).my.Passly.com
- Select Policy Manager.
- Select the Add icon (small blue + sign in the bottom right corner).
- Name the Policy. Example: Windows Logon Agent.
- Set your Policy Elements & Actions.
Note: This policy must not allow for simple passwords. Require 2FA must be used.
- When you have your policy completed select Add Policy.
Creating the Windows Logon Agent
- Select Auth Manager.
- Select the Add icon (small blue + sign in the bottom right corner).
- Mouse over the add icon to launch the selector. Select Add New Agent.
- Select Windows Logon.
- Configure the agent.
  - Select Agent is enabled.
  - Select the policy you created in Step 4.
- Select Windows Logon Configuration.
Note: 'Enforce 2FA on RDP Only' is not supported on versions of Windows earlier than Windows 8 and Windows Server 2012.
Note: It is recommended that you set an Override Password for all installs.
Note: You will need to manually create the Passly Override Group.
Domain-joined machines: create an Active Directory security group called "PasslyOverrideGroup".
Stand-alone Windows machines: create a local security group called "PasslyOverrideGroup" on the specific machine.
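The two cases above, as an added PowerShell example that is not part of the Passly article: it creates the "PasslyOverrideGroup" group the agent expects (domain or local, chosen by the `-Scope` parameter), adds one member, and lists the resulting membership so you can confirm only the intended accounts are in it. The group name comes from the article; the account name, domain and OU path are placeholders you must replace, and the domain branch assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the Passly article): create the PasslyOverrideGroup
# used by the Windows Logon agent's Override Password feature.
# Usage:  .\New-PasslyOverrideGroup.ps1 -Scope Domain -Member break.glass
#         .\New-PasslyOverrideGroup.ps1 -Scope Local  -Member break.glass
param(
    [Parameter(Mandatory)]
    [ValidateSet('Domain', 'Local')]
    [string]$Scope,

    # Placeholder: sAMAccountName (domain) or local/DOMAIN\user name (local)
    [string]$Member = 'break.glass',

    # Placeholder OU for the new domain group; only used when -Scope Domain
    [string]$OuPath = 'OU=Security Groups,DC=contoso,DC=com'
)

$GroupName   = 'PasslyOverrideGroup'   # name required by the agent (from the article)
$Description = 'Passly Windows Logon agent override members'

if ($Scope -eq 'Domain') {
    # Requires the RSAT ActiveDirectory module (run on a DC or an admin workstation with RSAT)
    Import-Module ActiveDirectory -ErrorAction Stop

    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                    -Path $OuPath -Description $Description
    }
    Add-ADGroupMember -Identity $GroupName -Members $Member

    # Review membership: everyone listed here can use the override path
    Get-ADGroupMember -Identity $GroupName | Select-Object SamAccountName, objectClass
}
else {
    # Local group on a stand-alone machine (LocalAccounts module ships with Windows 10/Server 2016+)
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description $Description | Out-Null
    }
    Add-LocalGroupMember -Group $GroupName -Member $Member -ErrorAction Stop

    # Review membership: everyone listed here can use the override path
    Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass, PrincipalSource
}
```

Keep the membership of this group to the few break-glass accounts that genuinely need it and review the listing it prints after each change, since the override mechanism exists to get past the 2FA prompt when Passly is unreachable.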
Note: Enabling "Allow Offline Access" allows the admin to set up the ability for the user to log in with no internet connection. This setting must be enabled, and the user must log in once before the machine is taken offline. The maximum number of days is an arbitrary decision made by the admin deploying the agent.
Note: Offline access requires the user to log in at least once with an internet connection to validate the first PUSH. From that point on the user can use OTP offline.
This only works with the Passly iOS & Android Authenticator apps.
Note: There is an option here to upload an image file. This is the icon for the Windows agent that is seen in the Auth Manager > Agents/Clients UI. Customers are not required to change this image.
- Select Add Agent.
- Select the Agent from the agent list in Auth Manager.
- Select Download Installer.
- Copy the installer AAWinLogonCP.msi file to the target x64 Windows Server/Desktop/Workstation.
Note: The installer must be on the local machine and not run from a shared drive like Lancache.
- Run the MSI AAWinLogonCP.msi.
Note: If installing on a DC or where there might be excessive UAC style controls enabled you can run the MSI from an elevated command.
- Select Run if prompted.
- Select Next.
- Accept the Terms of Use. Select Next.
- Logon Agent configuration. Set the following.
Home Realm: This is your tenant, (your company).my.Passly.com.
Note: Remove the HTTPS:// from the URL before entering the Home Realm.
Note: If you are installing a Sub-Organisation's agent you will need to use the sub-Org URL.
For example my tenant is kaseya.my.passly.com and client org is acme. I use acme-kaseya.passly.com for my Acme agent Home Realm.
ID: (This will be provided on the agent information screen where you downloaded the agent).
Key: (This will be provided on the agent information screen where you downloaded the agent).
- Select Next.
- Select Install.
- Select Finish.
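The install steps above, run from an elevated prompt as the notes suggest, plus a check that ties back to the Terminology section's description of credential-provider registration. This is an added PowerShell example, not code from the Passly article or product: it refuses to run the installer from a UNC path, runs `msiexec` with a verbose log for troubleshooting, and then lists the credential providers Windows has registered so you can confirm the agent's provider is present after the wizard finishes. The MSI file name comes from the article; the local folder, log path and the registry locations of the Windows credential-provider registration are assumptions made here. The wizard still prompts for Home Realm, ID and Key interactively.

```powershell
# Added example (not from the Passly article): install the agent MSI with a log,
# then list registered credential providers to confirm the agent's provider appears.
$Msi = 'C:\Temp\AAWinLogonCP.msi'          # placeholder local copy (the article says: not from a share)
$Log = 'C:\Temp\AAWinLogonCP-install.log'  # placeholder log path

# The notes recommend an elevated prompt on DCs and UAC-heavy hosts; enforce it here
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if ($Msi -like '\\*')                 { throw 'Run the installer from a local path, not a UNC share.' }
if (-not (Test-Path -LiteralPath $Msi)) { throw "MSI not found at $Msi; copy it to the local disk first." }

# /i = install, /L*v = verbose log. The wizard still asks for Home Realm, ID and Key.
$proc = Start-Process -FilePath 'msiexec.exe' `
                      -ArgumentList "/i `"$Msi`" /L*v `"$Log`"" `
                      -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $Log"
}

# Windows registers credential providers by CLSID under this key; each subkey's
# default value is the provider's display name, and the CLSID's InprocServer32
# entry points at the DLL the Logon UI loads.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
Get-ChildItem -Path $cpKey | ForEach-Object {
    $clsid = $_.PSChildName
    $dll   = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        CLSID = $clsid
        Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        Dll   = $dll
    }
} | Sort-Object Name | Format-Table -AutoSize
```

The article does not state the display name the Passly provider registers under, so look for the new entry in the listing by comparing it with the same command run before the install; the DLL column should point at the agent's install directory. If `msiexec` fails, the verbose log at `$Log` is the place to start.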
Test the agent
- Lock the desktop. Enter the user's Windows Password.
- You should receive a Push notification automatically.
Note: PUSH is only possible if the machine has an active internet connection.
Note: If the PUSH fails you will receive a 2FA prompt for the passcode. Open the Authenticator app. Tap your username. This will provide you with your one time password.
Windows Logon Agent Advanced Policies
We have published this article to help with more advanced settings for the Policy Manager.