Because the Server/workstation is not joined to the domain the type of logon will be 'local logon' Therefore we need to make sure the local logons will be protected even if the machine is moved into a separate location and no longer connected to the network(offline logon).
On the Administration Console go to Shortcuts>Check Policies
First, create a domain-held policy Logon Policy to ensure MFA is required for all users on the StandAlone machine
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Logon |
Holder: | Domain |
Domain: | Enter the virtual domain name |
Name: | Enter a user-friendly name |
Enabled: | True |
Expand Authentication and select MFA is required for all users from the drop down,
Save the new Logon policy.
It is also recommended to exempt at least one local account from MFA (usually the local administrator account) just in case there is an issue that prevents the end user from being able to log on, the administrator will still have access without being challenged.
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Logon |
Holder: | User |
Domain: | Enter the virtual domain name |
User: | Enter the name of the account you wish to exempt (e.g Administrator) |
Name: | Enter a user-friendly name |
Enabled: | True |
Expand Authentication and select MFA is not required for all users from the drop down,
Save the new Logon policy.
Now create the offline policies that will be needed once you remove the machine from the network.
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Computer Logon Client |
Holder: | Domain |
Domain: | Enter the virtual domain name |
Name: | Enter a user-friendly name |
Enabled: | True |
Expand General and check Enable MFA on local computer logon
Scroll down the policy and expand Offline Logon
Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically
Save the new Computer Logon Client policy
Create an additional Computer Client Logon Policy which will exempt the Administrator account from MFA logon.
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Computer Logon Client |
Holder: | User |
Domain: | Enter the virtual domain name |
User: | Enter the name of the account you wish to exempt (e.g Administrator) |
Name: | Enter a user-friendly name |
Enabled: | True |
Expand General. Leave all checkboxes blank.
Scroll down the policy and expand Offline Logon
Leave all checkboxes blank.
Save the new Computer Logon Client policy
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Windows Offline |
Holder: | Domain |
Domain: | Enter the virtual domain name |
Name: | Enter a user-friendly name |
Enabled: | True |
Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically
Save the new Windows Offline policy
Create an additional Windows Offline Policy which will exempt the Administrator account from MFA logon.
Click on on the top right.
Set these Values in the Policy - New Window
Option | Value |
---|---|
Category: | Computer Logon Client |
Holder: | User |
Domain: | Enter the virtual domain name |
User: | Enter the name of the account you wish to exempt (e.g Administrator) |
Name: | Enter a user-friendly name |
Enabled: | True |
Leave all the enforce MFA checkboxes blank.