Deploying a Windows Logon Agent - Connect IT Community | Kaseya
<main> <article class="userContent"> <p>The <em>Passly Windows Logon Agent</em> adds strong multi-factor authentication to Microsoft Windows client and server operating systems. It provides a simple and consistent logon experience whether users log on at the local desktop or through a terminal session, and it offers identity assurance by requiring users to provide their Passly 2FA passcode during the logon process.</p> <p><strong>Note</strong>: This agent is installed on a per-machine basis.</p> <p><strong>Note</strong>: This agent requires that the Passly username and the Windows username match.<strong><br><br>Supported Operating Systems</strong></p> <ul><li>Windows 8</li> <li>Windows 8.1</li> <li>Windows 10</li> <li>Server 2012</li> <li>Server 2012 R2</li> <li>Server 2016</li> <li>Server 2019</li> </ul><p><strong>Note</strong>: This agent does not support any x86 versions of Windows.</p> <p><strong>To configure a Windows Logon Agent, follow these steps.</strong></p> <p><strong>First create a Policy for this agent.</strong></p> <article><div> <ol><li>Log into your tenant: https://(your company).my.Passly.com</li> <li>Select <strong>Policy Manager</strong>.</li> <li>Select the Add icon (small green + sign in the bottom right corner).<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MBDSQFQI1MZP/blue-png.png" alt="blue.PNG" width="53" height="50" class="embedImage-img importedEmbed-img"></img></li> <li>Name the <strong>Policy</strong>.<br>Example: Windows Logon Agent.<br>Set your Policy Elements &amp; Actions.<br><strong>Note</strong>: This policy must not allow simple passwords; Require 2FA must be used.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/N0KFN6BMSU7X/capture-png.png" alt="Capture.PNG" class="embedImage-img importedEmbed-img"></img><br></li> <li>When you have completed your policy, select Save changes.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/XMYG3SQP72WX/policynew2.png" alt="policynew2.png" class="embedImage-img importedEmbed-img"></img></li> </ol> <h2 data-id="creating-the-windows-logon-agent"><strong>Creating the Windows Logon Agent</strong></h2> <ol><li>Select <strong>Auth Manager</strong>.</li> <li>Select the Add icon (small green + sign in the bottom right corner).<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/MBDSQFQI1MZP/blue-png.png" alt="blue.PNG" width="51" height="48" class="embedImage-img importedEmbed-img"></img></li> <li>Mouse over the Add icon to launch the selector. Select <strong>Add New Agent</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/T1W2PS2UITH0/mceclip0.png" alt="mceclip0.png" width="132" height="110" class="embedImage-img importedEmbed-img"></img></li> <li>Select Windows Logon.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8R7HL6KJ441X/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img></li> <li>Configure the agent.<br>Select <strong>Agent is enabled</strong>.<br>Select the policy you created in Step 4.</li> <li>Select <strong>Windows Logon Configuration</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/1KN8WY2KO053/mceclip0.png" alt="mceclip0.png" width="210" height="169" class="embedImage-img importedEmbed-img"></img><br><strong>Note</strong>: 'Enforce 2FA on RDP Only' is not supported on versions of Windows earlier than Windows 8 and Windows Server 2012.<br><strong>Note</strong>: It is recommended that you set an Override Password for all installs.<br><strong>Note</strong>: You will need to manually create the Passly Override Group.
This is a local security group in the Directory Manager. Members of this group are excluded from 2FA when logging on to a machine that uses this configuration.<br>You can also edit the Windows Logon section of the agent, select Allow Override Group, and choose the group you would like to use.<br><strong>Note</strong>: Enabling "Allow Offline Access" lets the admin set up the ability for the user to log in with no internet connection. This setting must be enabled, and the user must log in once before the machine is taken offline. The maximum number of days is a decision left to the admin deploying the agent.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/YIAUC8TC1OQJ/mceclip1.png" alt="mceclip1.png" width="332" height="129" class="embedImage-img importedEmbed-img"></img><br><strong>Note</strong>: Offline access requires the user to log in at least once with an internet connection to validate the first PUSH. From that point on the user can use OTP offline.<br><strong>Note</strong>: There is an option here to upload an image file. This is the icon for the Windows agent that is seen in the Auth Manager &gt; Agents/Clients UI.
<strong>Customers are not required to change this image.</strong><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/AB5AOQ2WBHEN/capture2-png.png" alt="Capture2.PNG" width="265" height="155" class="embedImage-img importedEmbed-img"></img><br><br></li> <li>Select Add Agent.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/L4ZM555P6C77/3-png.png" alt="3.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select the Agent from the agent list in Auth Manager.</li> <li>Select <strong>Download Installer</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/91PAXK07DUT4/4-png.png" alt="4.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Copy the installer file AAWinLogonCP.msi to the target x64 Windows Server/Desktop/Workstation.<br><strong>Note</strong>: The installer must be on the local machine and must not be run from a shared drive like Lancache.</li> <li>Run the MSI AAWinLogonCP.msi.<br><strong>Note</strong>: If installing on a DC, or where strict UAC controls are enabled, you can run the MSI from an elevated command prompt.</li> <li>Select <strong>Run</strong> if prompted.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/ZIBJAXG6Z2RP/5-png.png" alt="5.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Next</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/F03GOCMFDQ6M/6-png.png" alt="6.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Accept the Terms of Use. Select Next.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/2AEUFWA2ZVDI/7-png.png" alt="7.PNG" class="embedImage-img importedEmbed-img"></img><br><br></li> <li>Logon Agent configuration.
Set the following.<br><strong>Home Realm</strong>: your tenant, (your company).my.Passly.com.<br><strong>Note</strong>: Remove the HTTPS:// from the URL before entering the Home Realm.<br><strong>Note</strong>: If you are installing a Sub-Organisation's agent you will need to use the sub-Org URL.<br>For example, if the tenant is kaseya.my.passly.com and the client org is acme, use acme-kaseya.passly.com as the Home Realm for the Acme agent.<br><strong>ID</strong>: provided on the agent information screen where you downloaded the agent.<br><strong>Key</strong>: provided on the agent information screen where you downloaded the agent.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/2GLUNS1RYPPE/8-png.png" alt="8.PNG" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Next</strong>.</li> <li>Select <strong>Install</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/DEZ9TSUPB7QQ/9-png.png" alt="9.PNG" width="424" height="328" class="embedImage-img importedEmbed-img"></img></li> <li>Select <strong>Finish</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/RSE4JQD2DKI9/10-png.png" alt="10.PNG" width="415" height="328" class="embedImage-img importedEmbed-img"></img></li> </ol> <p><strong>Test the agent</strong></p> <ol><li>Lock the desktop. Enter the user's Windows password.</li> <li>You should receive a Push notification automatically.<br><strong>Note</strong>: PUSH is only possible if the machine has an active internet connection.<br><strong>Note</strong>: If the PUSH fails you will receive a 2FA prompt for the passcode. Open the Authenticator app. Tap your username. This will provide you with your one-time password.</li> </ol></div> </article> </article> </main>
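<p>As an added example (not Kaseya's or Passly's own tooling), the PowerShell pre-flight script below checks the prerequisites this article states (x64 Windows, Windows 8 / Server 2012 or later, installer on a local disk rather than a share) and derives the Home Realm by stripping the scheme from the tenant URL, then launches the MSI wizard elevated. The parameter names, the sample tenant URL and the installer path are assumptions; the wizard still prompts for Home Realm, ID and Key.</p>

```powershell
# Pre-flight checks for a Passly Windows Logon Agent install (added example, not Kaseya's code).
# Assumed inputs: path to the downloaded AAWinLogonCP.msi and the tenant URL as shown in Passly.
param(
    [Parameter(Mandatory)] [string] $MsiPath,    # e.g. C:\Temp\AAWinLogonCP.msi (constructed)
    [Parameter(Mandatory)] [string] $TenantUrl   # e.g. https://acme-kaseya.passly.com (constructed)
)

$problems = @()

# 1. The agent ships only for x64 Windows; refuse on x86.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.OSArchitecture -notlike '64*') {
    $problems += "Unsupported architecture: $($os.OSArchitecture) (x64 required)"
}

# 2. Supported OS starts at Windows 8 / Server 2012, which report kernel version 6.2.
if ([version]$os.Version -lt [version]'6.2') {
    $problems += "Unsupported Windows version $($os.Version); Windows 8 / Server 2012 or later required"
}

# 3. The MSI must run from a local fixed disk, not a UNC share or a mapped network drive.
if (-not (Test-Path -LiteralPath $MsiPath)) {
    $problems += "Installer not found: $MsiPath"
} else {
    $fullPath = (Resolve-Path -LiteralPath $MsiPath).Path
    if ($fullPath.StartsWith('\\')) {
        $problems += "Installer is on a UNC share; copy it to a local drive first"
    } else {
        $deviceId = [System.IO.Path]::GetPathRoot($fullPath).TrimEnd('\')   # e.g. C:
        $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
        if ($disk.DriveType -ne 3) {   # 3 = local fixed disk, 4 = network drive
            $problems += "Drive $deviceId is not a local fixed disk (DriveType $($disk.DriveType))"
        }
    }
}

# 4. Home Realm is the bare host name: drop the scheme and anything after the host.
$homeRealm = ($TenantUrl -replace '^https?://', '') -replace '/.*$', ''
if ($homeRealm -notmatch '^[A-Za-z0-9.-]+$') {
    $problems += "Home Realm '$homeRealm' does not look like a host name"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

Write-Host "Pre-flight OK. Enter this as Home Realm in the wizard: $homeRealm"
# Elevated launch covers the DC / strict-UAC case; the wizard collects Home Realm, ID and Key.
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$fullPath`"" -Verb RunAs -Wait
```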