Offline policies determine whether two-factor authentication (2FA) is required for users who are currently offline from the authentication server.

By default, 2FA is not enforced at offline logon. If 2FA is not enforced, two-factor authentication is not required at all at offline logon.

If 2FA is enforced, users who are required to log on with 2FA while online are also required to log on with 2FA while offline, and users who are not required to log on with 2FA while online are not required to do so while offline.

The offline policy applies only to Windows logon. It defines whether two-factor authentication is required when users attempt to log in to machines that are offline.

Offline logon enables users to protect their desktop and laptop computers with two-factor authentication while the computer is disconnected from their network.

The policy can be found by navigating to "Administration | Policies", then scrolling down to the policy "Offline system policies".


The offline system policy settings can be edited by using the context menu option "Edit".


A new window titled "Policy - Edit" opens, which can be used to view and edit the settings for this policy.




The category for this policy is "Windows Offline" (this property cannot be edited).

The holder of this policy is "System" (this property cannot be edited).

The name assigned by the System Administrator to identify the lockout system policy.

The System Administrator may use this field to annotate this policy.

This option allows the System Administrator to enable or disable this policy.


If this option is enabled, two-factor authentication is enforced on all domain users at offline logon.


If this option is enabled, two-factor authentication is enforced on all local users at offline logon.


If this option is enabled, offline tokens will be downloaded automatically to users' machines.
