Because the server/workstation is not joined to the domain, the logon type will be 'local logon'. We therefore need to make sure local logons remain protected even if the machine is moved to a separate location and is no longer connected to the network (offline logon).

First, create a domain-held Logon Policy to ensure MFA is required for all users on the StandAlone machine.
Click on [image] on the top right. Set these values in the Policy - New window:

| Option | Value |
|---|---|
| Category: | |
| Holder: | |
| Domain: | Enter the virtual domain name |
| Name: | Enter a user-friendly name |
| Enabled: | True |

On the Administration Console go to Shortcuts > Check Policies. Expand Authentication and select MFA is required for all users from the drop-down.

Save the new Logon policy.

It is also recommended to exempt at least one local account from MFA (usually the local administrator account). If an issue prevents the end user from logging on, the administrator will still have access without being challenged.

Click on [image] on the top right. Set these values in the Policy - New window:

| Option | Value |
|---|---|
| Category: | |
| Holder: | |
| Domain: | Enter the virtual domain name |
| User: | Enter the name of the account you wish to exempt (e.g. Administrator) |
| Name: | Enter a user-friendly name |
| Enabled: | True |

Expand General Authentication and check Enable MFA on local computer logon. Select MFA is not required for all users from the drop-down.

Save the new Logon policy.
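
Because the exempt account bypasses MFA, it is worth checking on the standalone machine that it exists, is enabled, is a local administrator and has a password set. The PowerShell below is an added example, not part of the original page or the product's tooling; `$ExemptName` is an assumed parameter that should match the User value entered in the exemption policy.

```powershell
# Added example: inventory local accounts so the MFA-exempt account can be
# chosen and checked deliberately. Run in an elevated PowerShell session.
# $ExemptName is an assumption: set it to the User value from the exemption policy.
param([string]$ExemptName = 'Administrator')

# SIDs of local accounts in the built-in Administrators group (S-1-5-32-544).
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object PrincipalSource -eq 'Local' |
    ForEach-Object { $_.SID.Value }

$report = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        BuiltInAdmin    = $_.SID.Value -match '-500$'   # RID 500 = built-in Administrator
        LocalAdmin      = $adminSids -contains $_.SID.Value
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        MfaExempt       = $_.Name -eq $ExemptName
    }
}

$report | Sort-Object MfaExempt -Descending | Format-Table -AutoSize

# Flag conditions that would make the exempt account useless or unprotected.
$exempt = $report | Where-Object MfaExempt
if (-not $exempt) {
    Write-Warning "No local account named '$ExemptName' exists on this machine."
} elseif (-not $exempt.Enabled) {
    Write-Warning "'$ExemptName' is disabled and cannot be used for recovery."
} elseif (-not $exempt.LocalAdmin) {
    Write-Warning "'$ExemptName' is not a local administrator."
} elseif (-not $exempt.PasswordLastSet) {
    Write-Warning "'$ExemptName' has never had a password set."
} else {
    Write-Output "'$ExemptName' is enabled, is a local administrator and has a password set."
}
```

The `LastLogon` column gives a baseline for monitoring: any later logon by the exempt account is one that was not challenged for MFA.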

Scroll down the policy and expand Offline Logon. Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically.

On the Administration Console go to Shortcuts > Check Policies.

...
Click on [image] on the top right. Set these values in the Policy - New window:

| Option | Value |
|---|---|
| Category: | Windows Offline Computer Logon Client |
| Holder: | |
| Domain: | Enter the virtual domain name |
| Name: | Enter a user-friendly name |
| Enabled: | True |

Expand General and check Enable MFA on local computer logon.

Scroll down the policy and expand Offline Logon. Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically.

Save the new Windows Offline Computer Logon Client policy.

It is also recommended to exempt at least one local account from MFA (usually the local administrator account). If an issue prevents the end user from logging on, the administrator will still have access without being challenged.

Click on [image] on the top right. Set these values in the Policy - New window:

| Option | Value |
|---|---|
| Category: | |
| Holder: | |
| Domain: | Enter the virtual domain name |
| User: | Enter the name of the account you wish to exempt (e.g. Administrator) |
| Name: | Enter a user-friendly name |
| Enabled: | True |

Expand Authentication and select MFA is not required for all users from the drop-down. Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically.

Save the new Logon Windows Offline policy.