Introduction 

The purpose of the DualShield Domain Controller Agent is to enforce two-factor authentication on all domain member machines whether or not the DualShield Windows Logon client is installed on the machine. Without the DualShield Domain Control Agent, two-factor authentication is only enforceable on the machines on which the DualShield Windows Logon client is installed and operating. With the DualShield Domain Controller Agent installed on domain controllers, then the DualShield Logon client must be installed on all domain member machines except those in the exception list.

Furthermore, if you want to enforce two-factor authentication on non-interactive logons (such as network drive mapping, network resource access etc),  then you must install  the DualShield Domain Controller Agent.