Because the server or workstation is not joined to the domain, the logon type will be 'local logon'. We therefore need to make sure local logons are protected even if the machine is moved to a separate location and is no longer connected to the network (offline logon).



On the Administration Console go to Shortcuts>Check Policies







Click on  on the top right.

Set these Values in the Policy - New Window

Option      Value
Category:   Computer Logon Client
Holder:     Domain
Domain:     Enter the virtual domain name
Name:       Enter a user-friendly name
Enabled:    True








Expand General and check Enable MFA on local computer logon







Scroll down the policy and expand Offline Logon

Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically






Save the new Computer Logon Client policy


Click on  on the top right.

Set these Values in the Policy - New Window

Option      Value
Category:   Windows Offline
Holder:     Domain
Domain:     Enter the virtual domain name
Name:       Enter a user-friendly name
Enabled:    True

Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically






Save the new Windows Offline policy

It is also recommended to exempt at least one local account from MFA (usually the local administrator account). If an issue prevents the end user from logging on, the administrator will still have access without being challenged.


Click on  on the top right.

Set these Values in the Policy - New Window

Option      Value
Category:   Logon
Holder:     User
Domain:     Enter the virtual domain name
User:       Enter the name of the account you wish to exempt (e.g. Administrator)
Name:       Enter a user-friendly name
Enabled:    True








Expand Authentication and select "MFA is not required for all users" from the drop-down.







Save the new Logon policy.