Because the Server/workstation is not joined to the domain the type of logon will be 'local logon'  Therefore we need to make sure the local logons will be protected even if the machine is moved into a separate location and no longer connected to the network(offline logon). 

On the Administration Console go to Shortcuts>Check Policies

First, create a domain-held policy Logon Policy to ensure MFA is required for all users on the StandAlone machine

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Logon

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True

Expand Authentication and select  MFA is required for all users from the drop down,

Save the new Logon policy.

It is also recommended to exempt at least one local account from MFA (usually the local administrator account)  just in case there is an issue that prevents the end user from being able to log on, the administrator will still have access without being challenged.

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Logon

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator) 
Name:Enter a user-friendly name
Enabled:True

Expand Authentication and select  MFA is not required for all users from the drop down,

Save the new Logon policy.

Now create the offline policies that will be needed once you remove the machine from the network.

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True

Expand General and check Enable MFA on local computer logon

Scroll down the policy and expand Offline Logon

Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically

Save the new Computer Logon Client policy

Create an additional Computer Client Logon Policy which will exempt the Administrator account from MFA logon.

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator)
Name:Enter a user-friendly name
Enabled:True

Expand General. Leave all checkboxes blank.

Scroll down the policy and expand Offline Logon

Leave all checkboxes blank.

Save the new Computer Logon Client policy

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Windows Offline

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True

Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically

Save the new Windows Offline policy

Create an additional Windows Offline Policy which will exempt the Administrator account from MFA logon.

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator)
Name:Enter a user-friendly name
Enabled:True

Leave all the enforce MFA checkboxes blank.

  • No labels