4.2 Configuring to Prevent Login Without the Windows Client Installed

To prevent users from logging in to workstations that do not have the Advanced Authentication Windows Client installed, configure the Microsoft policy Allow log on locally in the Default Domain Policy or a custom GPO. This allows only members of the MFA logon group to log in.

To configure the policy, perform the following steps:

  1. On a Domain Controller, open the Group Policy Management Editor by specifying gpmc.msc in the search box.

  2. Double-click the name of the forest, double-click Domains, and double-click the name of the domain in which you want to join a group.

  3. Right-click Default Domain Policy and click Edit.

  4. In the console tree, expand and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  5. In the right pane, double-click Allow log on locally.

  6. Click Add User or Group.

  7. Specify the group that is referenced in the MFA logon tag.

  8. Click OK.

  9. Click OK in the Allow log on locally > Properties dialog box.
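
To confirm on a workstation that the policy has taken effect, the following added PowerShell example (not part of the product documentation) exports the effective user rights with secedit and checks that Allow log on locally is granted only to the expected group. The group name CONTOSO\MFA-Logon and the function names are placeholders chosen for this example.

```powershell
# Added example, not product code. 'CONTOSO\MFA-Logon' is a placeholder group name.
function Get-InteractiveLogonPrincipals {
    param([string[]]$InfLines)
    # "Allow log on locally" is stored as SeInteractiveLogonRight under [Privilege Rights].
    $line = $InfLines | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }          # right not defined in this export
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; translate to DOMAIN\name when possible.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }        # unresolvable SID (deleted or unreachable account)
        } elseif ($entry) {
            $entry                      # already written as an account name
        }
    }
}

function Test-LogonRightRestricted {
    param([string[]]$InfLines, [string[]]$Allowed)
    $actual  = @(Get-InteractiveLogonPrincipals -InfLines $InfLines)
    $extra   = @($actual  | Where-Object { $_ -notin $Allowed })
    $missing = @($Allowed | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Compliant  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        Unexpected = $extra
        Missing    = $missing
    }
}

# Constructed sample: a workstation still granting the right to built-in
# Administrators and Users, so the result is non-compliant.
$sample = '[Privilege Rights]', 'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545'
Test-LogonRightRestricted -InfLines $sample -Allowed 'CONTOSO\MFA-Logon'

# Live check (elevated prompt on the workstation, after the GPO has applied).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Test-LogonRightRestricted -InfLines (Get-Content $inf) -Allowed 'CONTOSO\MFA-Logon'
Remove-Item $inf
```

Entries listed under Unexpected are principals that can still log on locally without being in the MFA logon group; entries under Missing mean the group itself was not applied to that workstation.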