
RSA® MFA Agent 2.3 for Microsoft Windows

Group Policy Object Template Guide

Version: 2.3
Date: October 2023
Knowledge Base
RSA Community at https://community.rsa.com contains a knowledge base that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks
RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates ("RSA").
For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks
are trademarks of their respective owners.

License Agreement
© 2023 RSA Security LLC or its affiliates. All rights reserved. This document is for informational purposes only.
RSA MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This information is provided to help
guide your authorized use of products you license; it is not your agreement. Your use of products licensed under
your license agreement is governed by the terms and conditions of that agreement. In the case of any conflict
between this information and your agreement, the terms and conditions of your agreement control.

Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed on the product documentation page on RSA
Community. By using this product, a user of this product agrees to be fully bound by the terms of the license
agreements.

Note on Encryption Technologies


This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of
encryption technologies, and current use, import, and export regulations should be followed when using,
importing, or exporting this product.

Distribution
Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this
publication requires an applicable software license. RSA believes the information in this publication is accurate
as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

October 2023
RSA® MFA Agent 2.3 for Microsoft Windows Group Policy Object Template Guide

Table of Contents

Preface 6

About This Guide 6

Terminology 6

MFA Agent Documentation 7

Related Documentation 7

Support and Service 8

Before You Call Customer Support 8

Chapter 1: Group Policy Object Template 9

RSA Group Policy Object Template 10

RSA Settings 10

Local Authentication Settings 11

Credential Provider Filter Settings 12

Understanding Co-Existence of RSA Windows Agents 12

Chapter 2: Installing Group Policy Object Template 13

Installing the RSA Group Policy Object Template 14

Install the Template on a Windows Computer 14

Install the Template on the Domain Controller 14

Chapter 3: Defining the Policy Settings 15

Accessing the Group Policy Object Template 16

Access the Template on a Domain Controller 16

Access the Template On a Windows Computer 16

Policy Settings 16

Defining RSA Settings 17

Specify the Retry Count 17

Specify the Server Refresh Interval 19

Specify the Authentication Manager Agent Name 20

Specify the RSA Authentication API Key 22

Specify the Cloud Authentication Service Access Policy 23

Specify RSA Timeout 25


Collect System Attributes for Cloud Authentication Service Access Policy 26

Disable RSA Authentication for Unknown User 28

Enable RSA Authentication 29

Enable Load Balancing 30

Set Computers to Unlock with Windows Password 32

Specify Location Collection Timeout 33

Specify the RSA Authentication API REST URL 35

Configure Primary Authentication 36

Defining the Local Authentication Settings 38

Specify Custom Logo to Replace RSA Logo 38

Specify Custom Text to Display Beneath RSA Fields 39

Specify Custom Tile Image to Replace RSA Image 40

Specify Custom Background Image Shown When Collecting RSA Credentials 42

Specify the Number of Offline Authentication Failures 44

Specify Number of Offline Days to Download 46

Specify When Message Displays to Users about Expiring Offline Days 48

Enable Streamlined Authentication from Remote Applications 49

Enable Offline Authentication 51

Prompt for Password After Multifactor Authentication 52

Specify Which Users to Challenge with Additional Authentication 54

Enable Retrieval of Locally Cached Challenge Settings for Additional Authentication 56

Enable Reserve Password 58

Generate Hash Value of Reserve Password 60

Specify Remote Desktop Applications that Do Not Require RSA Authentication 61

Specify Number of Days for Auto Renewal of Certificate 63

Specify Number of Days Before Which to Show Warning for Expiring Certificate 64

Specify Logging Options 66

Specify the User Name Format Sent to the Authentication Service 67

Synchronize User Passwords for Non-Challenged Users 69

Upload Offline Audit logs to Cloud Authentication Service 71

Defining the Passwordless Authentication Settings 73

Specify the Active Directory CA Name 73


Specify the Active Directory CA Hostname 75

Specify the Certificate Template 77

Specify the Certificate Key Length 79

Specify the Certificate Subject 81

Specify the FIDO Relying Party ID 83

Specify the FIDO Custom Help Text for Registration 85

Specify the FIDO Custom Help Text to Set the Security Key PIN 87

Specify the FIDO Custom Help Text to Reset the Blocked Security Key 88

Specify the FIDO Custom Help Text for Invalid Credentials 90

Specify the FIDO Custom Help Text When Passwordless Authentication Cannot be Configured 91

Specify the FIDO Custom Help Text for Registration of Passwordless Authentication 92

Signing In with Windows Password When Passwordless Authentication is Unavailable 94

Signing In with Windows Password When Passwordless Authentication is Not Supported 95

Enable Additional Authentication When Cloud Authentication Service is Unavailable 97

RSA Primary Authentication Challenge Group 99

RSA Primary Authentication Challenge Settings 100

Defining the RSA Credential Provider Filter Settings 102


Preface

About This Guide


This guide describes how to use Group Policy Object (GPO) templates to manage RSA® MFA Agent 2.3 for Microsoft
Windows. It is intended for administrators and other trusted personnel. Do not make this guide available to the general
user population.

Terminology
For simplicity, in the rest of this document, RSA products will be generally referred to by their short names or their
product family name:

Full Product Name                              | Short Product Name           | Family Name
-----------------------------------------------|------------------------------|-----------------------
RSA® MFA Agent for Microsoft Windows           | MFA Agent                    |
RSA® Cloud Authentication service              | Cloud Authentication service | Authentication service
RSA® Authentication Manager                    | Authentication Manager       |
SecurID® Authenticate App for iOS and Android  | Authenticate App             |
SecurID® Authenticator for iOS and Android     | Authenticator App            | Software Authenticator
SecurID® Authenticator for Windows             | Authenticator App            | Software Authenticator
SecurID® Authenticator for MacOS               | Authenticator App            | Software Authenticator

RSA is gradually introducing a new consistent terminology across all products and platforms. The following table
describes this new terminology.

Old Term               | New Term
-----------------------|--------------------------------------------------------------------------------
Company ID             | Organization ID
Account                | Credential
Token                  | Depending on the use, will be replaced by one of the following:
                       | • OTP credential (generic description)
                       | • SecurID OTP credential (full description)
                       | • SecurID software OTP credential (full description for software)
                       | • SecurID hardware OTP credential (full description for hardware)
Software Token         | Depending on the use, will be replaced by one of the following:
                       | • SecurID software OTP credential (complete description)
                       | • SecurID OTP credential (when already in the context of software credentials)
                       | • Software OTP credential (general category description)
View Tokencode         | Depending on the use, will be replaced by one of the following:
                       | • View SecurID OTP
                       | • View Authenticate OTP
Authenticate Tokencode | Authenticate OTP
Emergency Tokencode    | Emergency Access Code
SMS Tokencode          | SMS OTP
Voice Tokencode        | Voice OTP

MFA Agent Documentation

Release Notes. Describes what is new and changed in this release, as well as workarounds for known issues.

Installation and Administration Guide. Describes how to install and configure MFA Agent.

Group Policy Object Template Guide. Describes how to use Group Policy Object templates to configure MFA Agent.

The latest version of all documentation is available on RSA Community at
https://community.rsa.com/community/products/securid/mfa-agent-windows/.

Related Documentation
For more information about products related to MFA Agent, see the following:

• Authentication Manager documentation set. See RSA Authentication Manager Documentation on RSA
  Community.

• Cloud Authentication Service documentation set. See Cloud Authentication Service Documentation on
  RSA Community.

• RSA Ready Partner Program. This program provides information about third-party products that have been
  certified to work with RSA products, such as virtual private network (VPN) and remote access servers (RAS). It
  includes Implementation Guides with step-by-step instructions and other relevant information. For more
  information, see securid-access-integrations.


Support and Service


You can access community and support information on RSA Community at https://community.rsa.com. RSA
Community contains a knowledge base that answers common questions and provides solutions to known problems,
product documentation, community discussions, and case management.

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware and
software products that have been certified to work with RSA products. The website includes Implementation Guides
with step-by-step instructions and other information on how RSA products work with third-party products.

Before You Call Customer Support


Make sure that you have direct access to the computer running MFA Agent.

Please have the following information available when you call:

• The make and model of the machine on which the problem occurs.

• The name and version of the operating system.

• When you use the Cloud Authentication Service, RSA provides you with a unique identifier, called the Customer
  Support ID, which is required when you register with RSA Customer Support. To see your Customer Support ID,
  sign in to the Cloud Administration Console and click My Account > Company Settings.

• If you use the Authentication Manager, we may need the appliance software version. To find it, do the following:

  In the RSA Security Console, click Help > About RSA Security Console > See Software Version
  Information.


Chapter 1: Group Policy Object Template


RSA Group Policy Object Template 10

RSA Settings 10

Local Authentication Settings 11

Credential Provider Filter Settings 12

Understanding Co-Existence of RSA Windows Agents 12


RSA Group Policy Object Template


The RSA Group Policy Object (GPO) template allows you to manage MFA Agent using RSA group policies. The template
is installed as part of the product installer, but it is also available separately as a zip
(RSA_MFA_Agent_2.2_PolicyTemplates.zip). The group policies defined in the template allow you to connect with the
RSA Cloud Authentication Service or Authentication Manager and control how users sign into their Windows computers.

RSA group policies allow you to apply policy settings to the appropriate computers. Typically, you copy the template into
the defined directory on your domain controller and then define the authentication policy settings in the templates. Each
computer within the domain automatically downloads the settings and loads them into the Microsoft Windows registry.
Windows stores them in the Registry Editor keys under
HKEY_LOCAL_MACHINE > Software > Policies > RSA.

Each Windows computer must be part of a domain.

If you change policy settings, the new settings override any previous settings. In domain environments, all computers
wait for specified refresh intervals before updating their settings. When the refresh process ends, the settings
associated with the templates are loaded into the Windows registry.

Note: To ensure that users cannot change the default (or another setting), you must install the template, make any
changes, and enforce the policy on the domain controller. For more information about enforcing a policy, see the
Windows Server documentation.

RSA Settings
The RSA Settings template contains policy settings to define how the MFA Agent connects to RSA, handles load
balancing and failover, and manages user sign-in.

The following policy settings are available:

• Specify the Active Directory certificate authority name.
• Specify server refresh interval for how long the MFA Agent waits between polling attempts.
• Specify the Authentication Manager agent name.
• Specify the RSA Authentication API key.
• Specify the Cloud Authentication Service access policy.
• Specify the RSA timeout period that the MFA Agent waits for a response before an additional authentication
  request times out.
• Collect system attributes (location and IP address) from a computer to be used in a Cloud Authentication Service
  access policy.
• Disable RSA authentication for a user that does not exist in an identity source that is synchronized to the Cloud
  Authentication Service.
• Enable RSA authentication.
• Enable load balancing for authentication requests.
• Set computers to unlock with Windows password.
• Specify how long the Agent tries to collect location data before timing out.
• Specify the RSA Authentication API REST URL.
• Configure primary authentication to challenge users with passwordless authentication.

For more information about configuring the RSA settings, see Defining RSA Settings on page 17.

Local Authentication Settings


The Local Authentication Settings template files allow you to control how the MFA Agent sign-in prompts appear to
users.

The following policy settings are available:

• Specify custom tile image, text, and logo.
• Specify custom background image.
• Specify number of offline authentication failures that are allowed before a user must authenticate online or use
  emergency access.
• Allow the Agent to retrieve the user's challenge setting from a local cache if the agent cannot determine the
  user's group membership from the domain controller.
• Define an RSA challenge group to include or exclude users from challenging for credentials.
• (Cloud Authentication Service) Specify number of offline days to download.
• (Cloud Authentication Service) Specify when message displays to users about expiring offline days.
• Enable streamlined authentication from remote applications (for example, Microsoft Remote Desktop
  Connection), so that users do not need to enter credentials twice when using those applications, unless
  additional authentication is required.
• Enable offline authentication.
• Specify if the Agent prompts users for password after prompting for multifactor authentication, instead of
  prompting before multifactor authentication.
• Enable reserve password.
• Specify remote desktop applications that do not require RSA authentication.
• Specify the user name format Agent sends to the RSA authentication server.
• Specify number of days for auto renewal of certificate.
• Specify number of days before which to show warning for expiring certificate.
• Specify logging options.

For more information about configuring the Local Authentication settings, see Defining the Local Authentication Settings
on page 38.


Credential Provider Filter Settings


The RSA Credential Provider Filter contains policy settings to define how the MFA Agent responds when users sign into
Windows.

The following policy settings are available:

• Exclude the Microsoft Password Credential Provider
• Exclude the Microsoft Picture Password Credential Provider
• Exclude the Microsoft PIN Logon Credential Provider
• Exclude the Microsoft Smart Card Credential Provider
• Exclude the Microsoft WLID (Windows Live ID) Credential Provider
• Exclude the RSA Credential Provider
• Exclude all third-party Credential Providers

For more information about configuring the RSA Credential Provider Filter settings, see Defining the RSA Credential
Provider Filter Settings on page 102.

Understanding Co-Existence of RSA Windows Agents


If you plan on using RSA Authentication Agent 7.4.4 for Microsoft Windows and MFA Agent on the same computer, be
aware of the following:

• Both Agents can exist on the same computer. The order that you install and uninstall (if necessary) the Agents
  does not matter.

• You can configure the GPO Credential Provider Filter settings to display the Agent credential provider tile used
  for authentication. To limit user confusion with the authentication process, RSA recommends only displaying one
  Agent credential provider tile at a time on users' computers.

  For the Agent that you exclude, be sure to disable offline authentication. If you exclude an RSA Authentication
  Agent 7.4.4 credential provider and disable offline authentication, instruct your users to restart their computers,
  so that users do not see the Authentication Agent offline notifications.

  An administrator might choose to display both credential provider tiles on a computer to simplify testing of both
  Agents.

• If you use both Agents on the same computer, understand how the GPO settings are impacted by co-existence:

    • The Agents share the same GPO Credential Provider Filter Settings. A change to the settings of one
      Agent changes the same setting in the other Agent.
    • Most GPO settings, such as local authentication settings, are not shared. Each version of the Agent uses
      its own GPO settings. Some RSA Authentication Agent 7.4.4 features are GPO settings in MFA Agent 2.3.

For a comparison of the features and GPO settings for the two Agents, see "Comparing RSA Authentication and
MFA Agents for Microsoft Windows" in the Installation and Administration Guide.


Chapter 2: Installing Group Policy Object Template

Installing the RSA Group Policy Object Template 14

Install the Template on a Windows Computer 14

Install the Template on the Domain Controller 14


Installing the RSA Group Policy Object Template


Group Policy is a feature of Microsoft Windows. RSA recommends that before you deploy the RSA Group Policy Object
template, you become familiar with Microsoft Windows Group Policy concepts and best practices. For more information,
search the Microsoft Support website at https://support.microsoft.com/en-us.

The RSA GPO template comes with the agent. If you want to apply the policies' settings to multiple computers in a domain,
see Install the Template on the Domain Controller below.

If you do not want to apply the policies' settings to all of the computers in the domain, you can apply the policies to specific
computers. For more information about applying the settings to specific computers, see Install the Template on a Windows
Computer below.

Install the Template on a Windows Computer


If you install MFA Agent on the same computer you want to use to manage your template, you do not need to manually
install the template. The application automatically copies the template files to C:\Windows\PolicyDefinitions during
installation.

You may only need to install the template if you delete it. To install the template, copy the complete contents of the
RSA_MFA_Agent_2.2_PolicyTemplates.zip package, except for the Migration Tool folder, to
C:\Windows\PolicyDefinitions on the computer, preserving the existing subfolder structure.

Install the Template on the Domain Controller


Install the template by copying it to the appropriate local directory or shared network location.

Procedure
Do one of the following to install the template on a Windows Server domain controller:

• Copy the complete contents of the RSA_MFA_Agent_2.2_PolicyTemplates.zip package, except for the
  Migration Tool folder, to C:\Windows\PolicyDefinitions on the domain controller, preserving the existing
  subfolder structure.

• Copy the complete contents of the RSA_MFA_Agent_2.2_PolicyTemplates.zip package, except for the
  Migration Tool folder, to the following shared network location on the domain controller, preserving the
  existing subfolder structure:

  \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions

  where domain_name is the name of the domain containing the servers where the policy settings will apply.
  Create the PolicyDefinitions folder if it does not already exist.

The policies in the RSA GPO template are installed in the default Not Configured state, and additional steps are required
to configure the settings and apply them to a domain policy. For more information, see Defining the Policy Settings on
page 15.
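The shared-location procedure above, scripted in PowerShell as an added example (this is not RSA's tooling). It assumes the package was saved to the path in $ZipPath, that $env:USERDNSDOMAIN names the domain whose policies should carry the settings, and that the zip unpacks to the same layout the guide tells you to copy.

```powershell
# Added example, not RSA's own tooling: copies the RSA GPO template into the
# domain Central Store as the procedure above describes, skipping the
# "Migration Tool" folder and preserving the subfolder layout (the .adml files
# must stay under their language folder, for example en-US).
# Assumptions: $ZipPath is where you saved the package; $DomainName is the
# domain whose policies will carry the settings (defaults to the current one).
param(
    [string]$ZipPath    = 'C:\Temp\RSA_MFA_Agent_2.2_PolicyTemplates.zip',
    [string]$DomainName = $env:USERDNSDOMAIN
)
$ErrorActionPreference = 'Stop'

# Shared location named in the guide: \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions
$centralStore = "\\$DomainName\SYSVOL\$DomainName\Policies\PolicyDefinitions"

# Unpack into a scratch folder so the Migration Tool folder can be filtered out.
$staging = Join-Path $env:TEMP ('rsa_gpo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $staging | Out-Null
Expand-Archive -LiteralPath $ZipPath -DestinationPath $staging

# The guide says to create PolicyDefinitions if it does not already exist.
if (-not (Test-Path -LiteralPath $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}

# Copy every file except those under "Migration Tool", keeping relative paths.
$copied = 0
Get-ChildItem -LiteralPath $staging -Recurse -File |
    Where-Object { $_.FullName -notmatch '\\Migration Tool\\' } |
    ForEach-Object {
        $relative  = $_.FullName.Substring($staging.Length).TrimStart('\')
        $target    = Join-Path $centralStore $relative
        $targetDir = Split-Path -Parent $target
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir | Out-Null
        }
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        $copied++
    }
Remove-Item -LiteralPath $staging -Recurse -Force
Write-Host "Copied $copied file(s) to $centralStore"

# Sanity check: an .admx without a matching .adml in any language folder shows
# up in the Group Policy editor with an error instead of the RSA policy text.
foreach ($admx in Get-ChildItem -LiteralPath $centralStore -Filter *.admx -File) {
    $admlName = [IO.Path]::ChangeExtension($admx.Name, '.adml')
    $adml = Get-ChildItem -LiteralPath $centralStore -Recurse -Filter $admlName -File |
            Select-Object -First 1
    if (-not $adml) { Write-Warning "No $admlName found for $($admx.Name)" }
}
```

Run it from an account that can write to SYSVOL; the policies still arrive in the Not Configured state and must be enabled as described in Chapter 3.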


Chapter 3: Defining the Policy Settings


Accessing the Group Policy Object Template 16

Policy Settings 16

Defining RSA Settings 17

Defining the Local Authentication Settings 38

Defining the Passwordless Authentication Settings 73

Defining the RSA Credential Provider Filter Settings 102


Accessing the Group Policy Object Template


This section describes how to access the template and define settings. It includes instructions for domain controllers and
Windows computers that are not subject to Group Policy. The example procedures include screens from a Windows
Server operating system.

Note: Make sure that you have installed the template. For more information, see Installing Group Policy Object
Template on page 13.

Access the Template on a Domain Controller


This section describes how to access the template to view and define settings.

Procedure
1. Click Start > Administrative Tools > Group Policy Management.
2. If necessary, double-click the domain name in the left-hand frame to expand it.
3. If necessary, double-click Group Policy Objects to expand it.
4. Right-click the policy with the template you need to edit, for example, Default Domain Policy, and click Edit.
5. Double-click Policies from Computer Configuration.
6. Double-click Administrative Templates: Policy definitions (ADMX files).

7. Double-click RSA Desktop.

Access the policy settings by double-clicking the folders.

Access the Template On a Windows Computer


This section describes how to access the template to view and define settings with the Local Group Policy Editor.

Procedure
1. Click Start > Run > gpedit.msc.
2. Double-click Administrative Templates.

3. Double-click RSA Desktop.

Access the policy settings by double-clicking the folders.

Policy Settings
You define the policy settings by selecting one of the following options:

• Not Configured. This is the default setting of an installed policy.
• Enabled. You activate a policy setting by enabling it.
• Disabled. When you select Disabled for a policy, you deactivate the setting that was previously enabled.

Disabled is not the same as Not Configured. Not Configured is the default setting of an installed policy. You must select
Enabled to activate a policy that is Not Configured. Review each policy setting carefully.


For more information on Microsoft Windows Group Policy concepts and best practices, search the Microsoft Support
website at https://support.microsoft.com/en-us.
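An added PowerShell check (not from the guide) for confirming on a domain-joined computer that the policy values reached the HKEY_LOCAL_MACHINE\Software\Policies\RSA key named in Chapter 1 after the refresh interval, and for telling Not Configured apart from Enabled or Disabled. It assumes the usual ADMX behaviour that Not Configured leaves no registry value while Enabled and Disabled write one; the value names in $expected are placeholders, because this page does not document them.

```powershell
# Added example, not part of the RSA guide: shows what the MFA Agent policies
# wrote under HKEY_LOCAL_MACHINE\Software\Policies\RSA on a domain-joined
# computer, and classifies selected policies as Not Configured (no registry
# value present) or set. Assumption: as is usual for ADMX-backed policies,
# Not Configured leaves no value while Enabled and Disabled write one.
# The value names in $expected are PLACEHOLDERS; this page does not document
# them, so take the real names from the template's .admx file.
param(
    [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\RSA',
    [switch]$Refresh      # -Refresh pulls policy now instead of waiting for the refresh interval
)

if ($Refresh) { & gpupdate.exe /target:computer /force | Out-Null }

if (-not (Test-Path -LiteralPath $PolicyRoot)) {
    Write-Warning "$PolicyRoot is absent: no RSA policy has reached this computer yet."
    return
}

# Every value under the RSA policy root, including subkeys, as objects.
$keys = @(Get-Item -LiteralPath $PolicyRoot) + @(Get-ChildItem -LiteralPath $PolicyRoot -Recurse)
$report = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $display = if ($name) { $name } else { '(Default)' }
        [pscustomobject]@{
            Key   = $key.Name
            Value = $display
            Type  = $key.GetValueKind($name)
            Data  = $key.GetValue($name)
        }
    }
}
$report | Format-Table -AutoSize

# Placeholder names with the ranges the guide documents: retry count 1..5
# (default 2) and server refresh interval of at least 5 minutes (default 30).
$expected = @(
    @{ Name = 'PLACEHOLDER_RetryCount';      Min = 1; Max = 5;               Default = 2  },
    @{ Name = 'PLACEHOLDER_RefreshInterval'; Min = 5; Max = [int]::MaxValue; Default = 30 }
)
foreach ($e in $expected) {
    $hit = $report | Where-Object { $_.Value -eq $e.Name } | Select-Object -First 1
    if ($null -eq $hit) {
        "{0}: Not Configured (agent default of {1} applies)" -f $e.Name, $e.Default
    } elseif ([int]$hit.Data -lt $e.Min -or [int]$hit.Data -gt $e.Max) {
        "{0}: {1} is outside the documented range {2}..{3}" -f $e.Name, $hit.Data, $e.Min, $e.Max
    } else {
        "{0}: {1} (from {2})" -f $e.Name, $hit.Data, $hit.Key
    }
}
```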

Defining RSA Settings


The RSA Settings folder contains settings to connect the MFA Agent with RSA and select the access policy that
specifies how users sign into their Windows computers.

Specify the Retry Count


You can specify the number of times that the MFA Agent tries to contact the RSA server if the first attempt is
unsuccessful. If multiple servers are configured, the Agent attempts to contact the next server when the retry count is
reached.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on the previous page.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Specify retry count. A dialog box similar to below opens with a
definition of the policy.


5. Select one of the following:

• Not Configured: In this state, the Agent tries to contact an RSA server twice before attempting to
  contact the next server.
• Enabled: In this state, you can specify the number of retry attempts.
• Disabled: In this state, the Agent does not try to contact the server again if the first attempt is
  unsuccessful. If multiple servers are configured, the Agent attempts to contact the next server.

6. If enabled, specify a number from 1 to 5. The default value is 2.


7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.


Specify the Server Refresh Interval


You can specify the number of minutes that MFA Agent waits between polling attempts to determine whether the MFA
Agent server is available.

The default value is 30 and the minimum value is 5.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Specify server refresh interval. A dialog box similar to below
opens with a definition of the policy.

5. Select one of the following:

• Not Configured: In this state, the Agent waits 30 minutes before trying to determine whether a server
  is available.
• Enabled: In this state, you can specify how long the Agent waits.
• Disabled: In this state, the Agent waits 30 minutes before trying to determine whether a server is
  available.

6. If enabled, specify the number of minutes that the Agent waits between polling attempts.
7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Authentication Manager Agent Name


If you are using the Agent in Authentication Manager REST mode, specify the hostname used to register the Agent with
Authentication Manager. The name is specified in the Security Console Access > Authentication Agents page. For
more information, see Add an Authentication Agent.

The Cloud Authentication Service uses the agent name for Approve and Device Biometric notifications that are sent to
user authenticators. If the policy is Disabled or Not Configured, the notifications display the hostname of the agent
machine.

This policy must be enabled and configured for the Agent to work with Authentication Manager. This policy is optional for
the Cloud Authentication Service.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click RSA Authentication Manager Agent Name. A dialog box
similar to below opens with a definition of the policy.


5. Select one of the following:

• Not Configured. In this state, no users can sign in with the Agent.
• Enabled. This state allows you to specify the Agent hostname and allows users to sign in with RSA. See
  the next step.
• Disabled. In this state, no users can sign in with the Agent.

6. If you selected Enabled, enter the Agent hostname exactly as specified in the Security Console.

7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.


Specify the RSA Authentication API Key


You must specify the RSA Authentication API Key that the Agent sends to the RSA Authentication API to securely
identify authentication requests.

This policy must be enabled and configured for the Agent to work.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click RSA Authentication API Key. A dialog box similar to below
opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, no users can sign in with the Agent.
• Enabled. This state allows you to specify the RSA Authentication API Key and allows users to sign in with
  RSA. See the next step.
• Disabled. In this state, no users can sign in with the Agent.

6. If you selected Enabled, enter the RSA Authentication API Key.

If you are using the Agent to connect to the Cloud Authentication Service, the key is available in the Cloud
Administration Console My Account > Company Settings page. For more information, see Add an RSA
Authentication API Key.

If you are using the Agent to connect to Authentication Manager, the key is available in the Security Console
Setup > System Settings > RSA Authentication API page. For instructions, see Configure the RSA
Authentication API for Authentication Agents.

7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Cloud Authentication Service Access Policy


The Cloud Authentication Service access policy controls which users can sign in with the MFA Agent and how those users
must sign in. The available access policies are displayed in the Cloud Administration Console in the Access > Policies
page. For more information, see Add an Access Policy.

This policy must be enabled and configured for the Agent to work with the Cloud Authentication Service.

Authentication Manager does not use this policy, unless the Cloud Authentication Service is used for authentication.
When Authentication Manager acts as a proxy server to the Cloud Authentication Service, if an access policy is defined
for the MFA Agent:

• Cloud Authentication Service methods are supported.
• Users are prompted for Authenticate OTP if the Cloud Authentication Service or the connection between Authentication Manager and the Cloud Authentication Service is temporarily unavailable or too slow.

In this scenario, if an access policy is not defined for the MFA Agent, you can use any authentication method supported
by Authentication Manager, for example, RSA hardware and software OTPs and on-demand authentication.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Cloud Authentication Service Access Policy. A dialog box
similar to below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, no users can sign in with the Agent.
• Enabled. This state allows you to specify the Cloud Authentication Service access policy to control user sign-ins. See the next step.
• Disabled. In this state, no users can sign in with the Agent.

6. If you selected Enabled, enter the exact name (including case sensitivity) of the access policy as specified in the
Cloud Administration Console.

7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify RSA Timeout


You can specify the number of seconds that the MFA Agent waits for a response from RSA before an additional
authentication request times out.

The default value is 15 seconds. You can adjust this value, from 1-180 seconds, based on your company requirements.

If the authentication request times out, the user is prompted for offline authentication (if available) or the
authentication request is unsuccessful.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Specify RSA timeout. A dialog box similar to below opens with
a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the Agent waits for a response from RSA for 15 seconds before timing out.
• Enabled. In this state, the Agent waits for a response from RSA for the specified number of seconds before timing out.
• Disabled. In this state, the Agent waits for a response from RSA for 15 seconds before timing out.

6. If enabled, specify the timeout in the Seconds field.


7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Collect System Attributes for Cloud Authentication Service Access Policy

You can specify if the Agent collects and sends the following system attributes to the Cloud Authentication Service to
use for conditional authentication as specified in the access policy:

• IP address using the IPv4 standard
• Location (latitude and longitude)

If the access policy contains condition attributes, when a user tries to sign into the computer, the Cloud Authentication
Service can restrict access based on these attributes.

Be aware of the following if you want to collect system attributes:

• If you are collecting the IP address on a computer with multiple IP addresses (for example, the computer has two NICs), the MFA Agent only collects the first IP address.
• The MFA Agent cannot collect location attributes on a computer that is not capable of providing location or has location collection disabled.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Collect system attributes for Cloud Authentication
Service access policy. A dialog box similar to below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the Agent collects and sends system attributes to the Cloud Authentication Service.
• Enabled. In this state, the Agent collects and sends system attributes to the Cloud Authentication Service. If you enable this setting, confirm that Windows location service is also enabled.
• Disabled. In this state, the Agent does not collect and send system attributes to the Cloud Authentication Service.

6. Click Apply, and then click OK to return to the RSA Settings folder.
7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Disable RSA Authentication for Unknown User


If you are using the Cloud Authentication Service during Windows authentication, you can specify if the Agent allows a
user unknown to RSA to sign in with only a Windows password.

Users are unknown to the Cloud Authentication Service when they do not exist in an identity source that is synchronized to
the Cloud Authentication Service.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Disable RSA authentication for unknown user. A dialog
box similar to below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. MFA Agent does not allow unknown users to sign into their computers.
• Enabled. MFA Agent allows a user unknown to the Cloud Authentication Service to sign in with only a Windows password.
• Disabled. MFA Agent does not allow unknown users to sign into their computers.

6. Click Apply, and then click OK to return to the RSA Settings folder.
7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Enable RSA Authentication


You can specify if the Agent requires RSA additional authentication during Windows authentication.

This policy must be enabled for MFA Agent to work.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Enable RSA authentication. A dialog box similar to below
opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, RSA is not used during Windows authentication.
• Enabled. In this state, RSA is used during Windows authentication.
• Disabled. In this state, RSA is not used during Windows authentication.

6. Click Apply, and then click OK to return to the RSA Settings folder.
7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Enable Load Balancing


The MFA Agent automatically balances authentication request loads that are sent to Authentication Manager. Load
balancing and failover settings apply to your connections to Authentication Manager.

If load balancing is not configured, then the MFA Agent uses round robin. The agent uses round robin to send
authentication requests to each server in the sequence, in the order the servers were added in the comma separated
list.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Enable Load Balancing. A dialog box similar to below opens.

5. Select one of the following:

• Not Configured. In this state, the Agent uses round robin for load balancing and failover.
• Enabled. In this state, you can choose between weighted round robin and round robin. Weighted round robin periodically measures the time taken by each server to process an authentication request, and distributes more requests to faster servers and fewer requests to slower servers.
• Disabled. In this state, the Agent does not use load balancing, but instead sends all authentication requests to the first available server in the list.

6. If enabled, select "Weighted round robin" or "Round robin" in the Select the load balancing scheme drop-down list.
7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.
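The following is an added illustration, not RSA's code, of the two schemes this policy offers. It models plain round robin (requests go to each server in the order of the comma-separated list) and weighted round robin (faster servers receive more requests) over a constructed three-server list. The real Agent measures response times itself; in this model the measured latency per server is passed in as a table, and the weight derivation (inverse of latency, scaled so the slowest server has weight 1) and the smooth weighted round-robin selection are this example's choices, not a description of the Agent's internals. Server names are placeholders.

```python
"""Round robin versus weighted round robin over a comma-separated server list.

Added example (not RSA's code). Latencies are caller-supplied sample values;
the agent itself measures them periodically.
"""
from collections.abc import Iterator


def parse_server_list(value: str) -> list[str]:
    """Split the policy's comma-separated server list, keeping the configured order."""
    return [s.strip() for s in value.split(",") if s.strip()]


def round_robin(servers: list[str]) -> Iterator[str]:
    """Plain round robin: each request goes to the next server in configured order."""
    i = 0
    while True:
        yield servers[i % len(servers)]
        i += 1


def weighted_round_robin(servers: list[str], latency_ms: dict[str, float]) -> Iterator[str]:
    """Weighted round robin: lower measured latency means a larger share of requests.

    Weight = slowest latency / this server's latency, rounded, at least 1 (assumption
    of this model). Selection uses smooth weighted round robin so the sequence is
    interleaved rather than sending a burst to the fastest server.
    """
    for s in servers:
        if latency_ms[s] <= 0:
            raise ValueError(f"{s}: latency must be a positive number of milliseconds")
    slowest = max(latency_ms[s] for s in servers)
    weight = {s: max(1, round(slowest / latency_ms[s])) for s in servers}
    total = sum(weight.values())
    current = {s: 0 for s in servers}
    while True:
        for s in servers:
            current[s] += weight[s]
        chosen = max(servers, key=lambda s: current[s])  # ties go to the earlier entry
        current[chosen] -= total
        yield chosen


def first_n(scheduler: Iterator[str], n: int) -> list[str]:
    """The servers the next n requests would be sent to."""
    return [next(scheduler) for _ in range(n)]


def distribute(scheduler: Iterator[str], requests: int) -> dict[str, int]:
    """Count how many of `requests` each server would receive."""
    counts: dict[str, int] = {}
    for s in first_n(scheduler, requests):
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three Authentication Manager servers, one of them 3x faster.
    servers = parse_server_list("am1.example.test, am2.example.test, am3.example.test")
    latency = {"am1.example.test": 10.0, "am2.example.test": 30.0, "am3.example.test": 30.0}
    print("round robin:         ", distribute(round_robin(servers), 10))
    print("weighted round robin:", distribute(weighted_round_robin(servers, latency), 10))
```

With the sample latencies the weighted scheme sends six of ten requests to the fast server and two to each slow one, while plain round robin sends them in strict list order regardless of speed; when all latencies are equal the weighted scheme degenerates to plain round robin.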

Set Computers to Unlock with Windows Password


You can allow the user to unlock the computer with only a Windows password during the time-out period. The time-out
period starts when a user completes RSA Access authentication. You might do this to allow a simpler authentication flow
for users for a certain amount of time.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane, double-click Unlock with Windows Password. A dialog box opens with a definition of the
setting.

5. Do one of the following:

• Not Configured. Users must enter a Windows password and additional authentication to unlock their computers.
• Enabled. Users can unlock their computer with a Windows password during the time-out period. See the next step.
• Disabled. Users must enter a Windows password and additional authentication to unlock their computers.

6. If you select Enabled, do the following:

   a. Specify the number of times users can enter incorrect passwords (defaults to three) before they are prompted for RSA Access authentication. The maximum number of attempts is 10.
   b. Specify the number of minutes (defaults to 75 minutes) when users can unlock their computers by entering Windows passwords. The maximum time-out period is 720 minutes.

7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.
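The following is an added model, not the Agent's code, of the time-out period this policy configures. It encodes the behaviour as stated above: the period starts when the user completes RSA authentication and lasts the configured number of minutes (default 75, maximum 720); inside it a Windows password alone unlocks the computer; after the configured number of incorrect passwords (default 3, maximum 10) the user is prompted for RSA authentication again. Time is a plain minute counter supplied by the caller. Two details are assumptions of this model rather than statements from the guide: that completing RSA authentication during an unlock restarts the period, and that it resets the incorrect-password count.

```python
"""Model of the "Unlock with Windows Password" time-out period.

Added example (not the agent's code). Default and maximum values are those
stated in the guide; restart-on-RSA and counter-reset are labelled assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_BAD_PASSWORDS, MAX_BAD_PASSWORDS = 3, 10
DEFAULT_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 75, 720


def policy_values_are_valid(max_bad_passwords: int, timeout_minutes: int) -> bool:
    """True if both values are within the ranges the GPO dialog accepts."""
    return (1 <= max_bad_passwords <= MAX_BAD_PASSWORDS
            and 1 <= timeout_minutes <= MAX_TIMEOUT_MIN)


@dataclass(frozen=True)
class UnlockPolicy:
    """The values an administrator sets in the policy dialog."""
    enabled: bool = True
    max_bad_passwords: int = DEFAULT_BAD_PASSWORDS
    timeout_minutes: int = DEFAULT_TIMEOUT_MIN

    def __post_init__(self) -> None:
        if not policy_values_are_valid(self.max_bad_passwords, self.timeout_minutes):
            raise ValueError("attempts must be 1-10 and the time-out period 1-720 minutes")


class UnlockSession:
    """Lock-screen state for one signed-in user on one computer."""

    def __init__(self, policy: UnlockPolicy) -> None:
        self.policy = policy
        self.window_ends_at: Optional[int] = None  # minute at which password-only unlock stops
        self.bad_passwords = 0

    def rsa_authentication_completed(self, now_min: int) -> None:
        """The user completed RSA authentication: the time-out period starts now."""
        self.window_ends_at = now_min + self.policy.timeout_minutes
        self.bad_passwords = 0  # assumption: a fresh RSA authentication clears earlier misses

    def unlock_requirement(self, now_min: int) -> str:
        """What the lock screen collects at `now_min`: "windows_password" alone,
        or "windows_password+rsa" (password plus RSA additional authentication)."""
        in_window = self.window_ends_at is not None and now_min < self.window_ends_at
        if (self.policy.enabled and in_window
                and self.bad_passwords < self.policy.max_bad_passwords):
            return "windows_password"
        return "windows_password+rsa"

    def unlock_attempt(self, now_min: int, password_correct: bool, rsa_passed: bool = False) -> bool:
        """One unlock attempt; returns True if the computer unlocks."""
        if self.unlock_requirement(now_min) == "windows_password":
            if password_correct:
                return True
            self.bad_passwords += 1  # counts towards the prompt-for-RSA threshold
            return False
        if password_correct and rsa_passed:
            self.rsa_authentication_completed(now_min)  # assumption: restarts the period
            return True
        return False
```

The model makes the two limits visible together: a user who mistypes the Windows password three times inside the 75-minute period is sent back to full RSA authentication even though the period has not ended, and once the period ends the password alone is never sufficient, whatever the miss count.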

Specify Location Collection Timeout


You can specify the number of seconds that the Agent tries to collect the computer location (latitude and longitude)
before timing out. The default value is five seconds.

If the location collection times out and the Trusted Location attribute is required in the Cloud Authentication Service
access policy, then the user cannot sign into the computer.

Before you begin


Ensure that the policy Collect system attributes for Cloud Authentication Service access policy is enabled. This
policy must be enabled in order for a new timeout value to take effect.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click Specify location collection timeout. A dialog box similar to
below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the Agent tries to collect the location for five seconds before timing out.
• Enabled. In this state, the Agent tries to collect the location for the specified number of seconds before timing out.
• Disabled. In this state, the Agent tries to collect the location for five seconds before timing out.

6. Click Apply, and then click OK to return to the RSA Settings folder.
7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the RSA Authentication API REST URL


The MFA Agent uses the RSA Authentication REST URL for load balancing. This URL connects the MFA Agent with RSA.
You can specify one URL for the Cloud Authentication Service or up to 15 URLs for Authentication Manager.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the RSA Settings folder.

4. In the right pane of the dialog box, double-click RSA Authentication API REST URL. A dialog box similar to
below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, no users can sign in with the Agent.
• Enabled. This state allows you to specify the RSA Authentication API REST URL. See the next step.
• Disabled. In this state, no users can sign in with the Agent.

6. If you selected Enabled, specify the RSA Authentication API REST URL with the following format:

https://hostname:port/

• If you are connecting to the Cloud Authentication Service, the hostname is the Authentication Service Domain specified in the Cloud Administration Console. To view the hostname:
   a. In the Cloud Administration Console, click Platform > Identity Routers.
   b. Click Edit next to one of the identity routers.
   c. Click Registration.
   The Authentication Service Domain field is displayed. The default port is 443.
• If you are connecting to Authentication Manager, the host name is the Fully Qualified Domain Name specified in the Operations Console Administration > Network > Appliance Network Settings page. The default port is 5555. You can enter up to 15 comma-separated URLs.

7. Click Apply, and then click OK to return to the RSA Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.
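The following is an added pre-flight check, not RSA's code, for the value entered in this policy. Because a Group Policy value is pushed to every domain member, it is worth validating the string before it is saved: each entry must have the form https://hostname:port/, the Cloud Authentication Service takes exactly one URL (default port 443), and Authentication Manager takes up to 15 comma-separated URLs (default port 5555). Hostnames in the usage section are constructed placeholders, and the "cloud"/"am" target names are this example's own.

```python
"""Pre-flight check of an RSA Authentication API REST URL policy value.

Added example (not RSA's code). Rules are those stated in this section;
rejecting a plain http scheme and any path, query or userinfo is the
conservative reading of "https://hostname:port/".
"""
from urllib.parse import urlsplit

MAX_AM_URLS = 15
DEFAULT_PORT = {"cloud": 443, "am": 5555}  # target -> default port from the guide


def validate_rest_urls(value: str, target: str) -> list[str]:
    """Return the normalised URL list for `value`, or raise ValueError.

    `target` is "cloud" (Cloud Authentication Service) or "am" (Authentication Manager).
    """
    if target not in DEFAULT_PORT:
        raise ValueError(f"unknown target {target!r}; use 'cloud' or 'am'")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        raise ValueError("no URL given: with this policy empty no user can sign in")
    if target == "cloud" and len(entries) != 1:
        raise ValueError("the Cloud Authentication Service takes exactly one URL")
    if len(entries) > MAX_AM_URLS:
        raise ValueError(f"at most {MAX_AM_URLS} Authentication Manager URLs are allowed")

    normalised = []
    for entry in entries:
        parts = urlsplit(entry)
        if parts.scheme != "https":
            raise ValueError(f"{entry}: scheme must be https")
        if not parts.hostname:
            raise ValueError(f"{entry}: missing hostname")
        if parts.username or parts.password:
            raise ValueError(f"{entry}: credentials do not belong in the URL")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"{entry}: only https://hostname:port/ is accepted")
        port = parts.port if parts.port is not None else DEFAULT_PORT[target]  # raises on a bad port
        normalised.append(f"https://{parts.hostname}:{port}/")
    return normalised


def is_valid_rest_url_value(value: str, target: str) -> bool:
    """Convenience wrapper: True if validate_rest_urls accepts the value."""
    try:
        validate_rest_urls(value, target)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; replace with your own hostnames.
    print(validate_rest_urls("https://am1.example.test:5555/, https://am2.example.test/", "am"))
    print(validate_rest_urls("https://idr.example.test", "cloud"))
    print(is_valid_rest_url_value("http://am1.example.test:5555/", "am"))  # False: not https
```

The normalised output (explicit port, trailing slash) is what you would paste into the policy, so the value that reaches the registry on every client is unambiguous.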

Configure Primary Authentication


You can configure the MFA Agent to use FIDO or Windows password for primary authentication.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings.

4. In the right pane, double-click Configure Primary Authentication. A dialog box opens with a definition of the
setting.

5. Select one of the following:

• Not Configured. Users can sign in using Windows password for primary authentication.
• Enabled. Users can sign in using FIDO for primary authentication.
• Disabled. Users can sign in using Windows password for primary authentication.

6. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Defining the Local Authentication Settings


The Local Authentication Settings folder contains settings that allow you to control how users interact with the
MFA Agent.

Specify Custom Logo to Replace RSA Logo


Specify a custom logo to replace the RSA logo when the user is prompted to enter RSA credentials.

Ensure that the custom image directory and custom image file have proper file permissions. The recommended image
size is 220 x 80 pixels.

Procedure
1. Make sure you have installed the templates. For instructions, see Chapter 2: Installing Group Policy Object
Templates.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify custom logo shown when collecting RSA credentials. A dialog box
opens with a definition of the setting.

5. Select one of the following:

• Not Configured: The RSA Credential Provider does not display a custom logo.
• Enabled: The RSA Credential Provider replaces the RSA logo with the custom logo. If the custom logo is not specified, the RSA logo is displayed.
• Disabled: The RSA Credential Provider does not display a custom logo.

6. If you selected Enabled in step 5, enter the fully-qualified path to the logo file, for example, C:\Program
Files\Common Files\RSA Shared\RSA Credential Provider\myCustomlogo.bmp.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Specify Custom Text to Display Beneath RSA Fields


Specify additional text to display beneath the RSA credential fields.

Procedure
1. Make sure you have installed the templates. For instructions, see Chapter 2: Installing Group Policy Object
Templates.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify custom text shown when collecting RSA credentials. A dialog box
opens with a definition of the setting.

5. Select one of the following:

• Not Configured: The RSA Credential Provider does not display custom text.
• Enabled: The RSA Credential Provider displays the custom text (if specified) beneath the RSA credential fields. If custom text is not specified, the RSA Credential Provider does not display custom text.
• Disabled: The RSA Credential Provider does not display custom text.

6. If you selected Enabled in step 5, enter the text in the Text field.

You can enter up to 128 characters. To have the text display on one line, enter no more than 55 characters. Do
not enter text beyond 128 characters because it will not display.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Specify Custom Tile Image to Replace RSA Image


You can specify a custom image rather than the RSA image in the RSA Credential Provider tile displayed. The Agent uses
the RSA image by default.

Ensure that the custom image directory and custom image file have proper file permissions. The recommended size of
the custom image is 72x72 pixels.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify custom tile image for RSA Credential Provider. A dialog box opens
with a definition of the setting.

5. Select one of the following:

• Not Configured. The RSA Credential Provider uses the RSA image.
• Enabled. The RSA Credential Provider uses the custom image if specified or the RSA image if a custom image is not specified.
• Disabled. The RSA Credential Provider uses the RSA image.

6. If you selected Enabled in step 5, enter the fully-qualified path to the bitmap file, for example, C:\Program
Files\Common Files\RSA Shared\RSA Credential Provider\myCustomBitmap.bmp.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Specify Custom Background Image Shown When Collecting RSA Credentials

You can specify a custom image to show instead of the default RSA Authentication blue color (RGB color code 43, 87,
151) when a user authenticates with RSA Authentication credentials.

Ensure that the custom image directory and custom image file have proper file permissions.

Make sure your users' registered RSA Authenticator devices correctly display your custom image. Be careful about using
logos or pictures. You can configure your custom image, like the default image that RSA provides, as a background
image that stretches across the entire screen on any device.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify custom background image shown when collecting RSA
credentials. A dialog box opens with a definition of the setting.

5. Select one of the following:

• Not Configured. The Agent uses the default RSA Authentication blue color.
• Enabled. The Agent uses the custom image if specified or the default RSA Authentication color if a custom image is not specified.
• Disabled. The Agent uses the default RSA Authentication blue color.

6. If you selected Enabled in step 5, enter the fully-qualified path to the image file, for example, C:\Program
Files\Common Files\RSA Shared\RSA Credential Provider\myCustomBackgroundImage.png.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Number of Offline Authentication Failures


If the MFA Agent connects to the Cloud Authentication Service, you can specify the number of unsuccessful offline
authentication attempts allowed with Authenticate OTP or RSA OTP (hardware OTP credentials managed in the Cloud
Authentication Service) before the method used is locked. By default, this value is 20.

This policy does not apply to Authentication Manager.

After the user has exceeded the maximum number of unsuccessful offline authentication attempts, users must
authenticate online to sign in to their computers. Users can also use the offline Emergency Access Code to sign in to
their computers.

The lockout counter is reset when the user enters the correct PIN plus OTP of the hardware OTP credentials or the correct
Authenticate OTP within the permitted number of attempts. For example, if an offline user enters Authenticate OTP
incorrectly three times and correctly on the fourth attempt, the lockout counter is reset to 0.

The offline authentication lockout counter is separate from the online lockout counter. Consider the following examples:

• A user enters an incorrect Authenticate OTP when online. That attempt does not count towards the 20 attempts for locking offline authentication.
• Both offline authentication in the Agent and Authenticate OTP for the user in the Cloud Authentication Service are locked. An administrator unlocks the user's OTPs in the Cloud Administration Console. Offline authentication remains locked until the user successfully authenticates online or uses Emergency Access Code.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane of the dialog box, double-click Specify number of offline authentication failures. A dialog
box similar to below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the Agent locks the offline authentication method used after 20 unsuccessful attempts.
• Enabled. In this state, you can specify the number of unsuccessful offline authentication attempts allowed with Authenticate OTP or RSA OTP (hardware OTP managed in the Cloud Authentication Service) before the method used is locked.
• Disabled. In this state, the Agent locks the offline authentication method used after 20 unsuccessful attempts.

6. If enabled, specify a number from 1 to 20. The default value is 20.


7. Click Apply, and then click OK to return to the Local Authentication Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.
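The following is an added model, not the Agent's code, of the offline lockout counter this section describes, written so the interactions listed above can be exercised: the offline counter is separate from the online one, a correct OTP within the allowed attempts resets it to 0, reaching the limit locks the offline method, and only a successful online authentication or the Emergency Access Code clears the offline lock (an administrator unlocking the user's OTPs in the Cloud Administration Console does not). The model tracks a single offline method rather than Authenticate OTP and RSA OTP separately, and it assumes that a successful online authentication also resets the offline counter to 0; both are simplifications of this example.

```python
"""Model of the offline authentication lockout counter for this policy.

Added example (not the agent's code). The default of 20 and the 1-20 range are
from the guide; the online side is modelled only far enough to show the two
counters never mix.
"""
from dataclasses import dataclass

DEFAULT_OFFLINE_FAILURE_LIMIT = 20  # policy default; the policy accepts 1 to 20


def policy_value_is_valid(limit: int) -> bool:
    """True if `limit` is a value the policy accepts (1 to 20)."""
    return 1 <= limit <= DEFAULT_OFFLINE_FAILURE_LIMIT


@dataclass
class OfflineLockoutState:
    limit: int = DEFAULT_OFFLINE_FAILURE_LIMIT
    offline_failures: int = 0
    offline_locked: bool = False
    # The online counter is kept by the Cloud Authentication Service; it is
    # tracked here only to show that online failures never touch the offline count.
    online_failures: int = 0

    def __post_init__(self) -> None:
        if not policy_value_is_valid(self.limit):
            raise ValueError("offline failure limit must be between 1 and 20")

    def offline_attempt(self, otp_correct: bool) -> str:
        """One offline Authenticate OTP or RSA OTP attempt; returns the outcome."""
        if self.offline_locked:
            return "locked"  # user must authenticate online or use the Emergency Access Code
        if otp_correct:
            self.offline_failures = 0  # a correct OTP within the allowance resets the counter
            return "success"
        self.offline_failures += 1
        if self.offline_failures >= self.limit:
            self.offline_locked = True
            return "locked"
        return "failure"

    def online_attempt(self, otp_correct: bool) -> str:
        """One online attempt. A failure counts only towards the online lockout;
        a success clears the offline lock (assumption: and resets its counter)."""
        if not otp_correct:
            self.online_failures += 1
            return "failure"
        self.offline_locked = False
        self.offline_failures = 0
        return "success"

    def emergency_access_code(self) -> str:
        """Signing in with the offline Emergency Access Code also clears the offline lock."""
        self.offline_locked = False
        self.offline_failures = 0
        return "success"

    def admin_unlock_online(self) -> None:
        """Administrator unlocks the user's OTPs in the Cloud Administration Console.
        This acts on the online side only; the offline lock stays in place."""
        self.online_failures = 0


def fail_offline(state: OfflineLockoutState, times: int) -> str:
    """Submit `times` wrong offline OTPs and return the last outcome."""
    outcome = "failure"
    for _ in range(times):
        outcome = state.offline_attempt(False)
    return outcome
```

Walking the guide's own scenarios through the model: three wrong offline OTPs followed by a correct one leave the counter at 0; an online miss leaves the offline counter unchanged; and after the twentieth offline miss an administrator's online unlock does nothing for the offline lock, which only an online success or the Emergency Access Code clears.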

Specify Number of Offline Days to Download


If the MFA Agent connects to the Cloud Authentication Service, you can specify the number of offline days that the
Agent downloads for users to perform offline authentication.

This policy is not used when the Agent is connected to Authentication Manager. Instead, the number of offline days is
determined by the Authentication Manager offline authentication policy assigned to the user.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane, double-click Specify number of offline days. A dialog box similar to below opens with a
definition of the setting.

5. Select one of the following:

• Not Configured. The Agent downloads the default number of offline days.
• Enabled. The Agent downloads the specified number of offline days.
• Disabled. The Agent downloads the default number of offline days.

6. If you selected Enabled, specify the number of offline days that the Agent downloads. The Agent downloads the
number of days that you specify and the current day. The number must be between 1-14.

By default, the Agent downloads 14 days plus the current day of offline data (also called offline days) to the
computer.

Note: If you have enabled "Specify when message displays to users about expiring offline days," ensure that
the number of downloaded days is more than the number of days that displays a warning message.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry after the refresh
interval ends in the domain.

Specify When Message Displays to Users about Expiring Offline Days

If the MFA Agent connects to the Cloud Authentication Service, you can specify when a message displays to warn users
that offline days are about to expire. This setting applies to the Cloud Authentication Service.

This policy does not apply to Authentication Manager.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane, double-click Specify when message displays to users about expiring offline days. A
dialog box similar to below opens with a definition of the setting.

5. Select one of the following:

• Not Configured. The Agent does not warn users before offline days expire.
• Enabled. The Agent displays a warning message to users.
• Disabled. The Agent does not warn users before offline days expire.

6. If you selected Enabled, specify the number of remaining offline days at which the Agent displays a warning
message to users to download more offline days. If the Agent has sufficient offline days, a blue icon displays in
the tray.
7. Click Apply, and then click OK to return to the Local Authentication Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry after the refresh
interval ends in the domain.

Enable Streamlined Authentication from Remote Applications


This setting specifies if the Agent accepts credentials received from remote applications (for example, Microsoft Remote
Desktop Connection). If the Agent accepts credentials from remote applications, users do not need to enter credentials
twice when using those applications, unless additional authentication is required.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.

2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.

3. Double-click the Local Authentication Settings.

4. In the right pane, double-click Sign-on with credentials from remote applications. A dialog box opens with
a definition of the setting.


5. Select one of the following:

• Not Configured. The Agent accepts credentials from all remote applications, such as Windows Remote
Desktop Connection.
• Enabled. The Agent accepts credentials from all remote applications, such as Windows Remote Desktop
Connection.
• Disabled. The Agent does not accept credentials from any remote applications.

6. Click Apply, and then click OK to return to the Local Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.


Enable Offline Authentication


You can specify if the Agent allows offline authentication on Windows computers. Offline authentication allows users to
complete authentication when their computers are not connected to the authentication service.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane, double-click Enable offline authentication. A dialog box similar to below opens with a
definition of the setting.


5. Select one of the following:

• Not Configured. In this state, offline authentication is turned on.
• Enabled. In this state, offline authentication is turned on.
• Disabled. In this state, offline authentication is turned off. During the next authentication attempt,
users' day files are deleted and they cannot complete offline authentication.

6. Click Apply, and then click OK to return to the Local Authentication Settings folder.
7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry once the refresh
interval ends in the domain.

Prompt for Password After Multifactor Authentication


You can specify if the Agent prompts users for a Windows password after successful multifactor authentication, instead
of prompting before multifactor authentication. With either order, users are required to successfully authenticate with
both their Windows password and an additional authentication method.

This setting can be used with the Cloud Authentication Service and Authentication Manager. This setting applies
whenever the Agent prompts for multifactor authentication, for example, in User Account Control screens and when
accessing remote desktop applications (if configured).

Note: The GPO policy "Prompt for Password after Multifactor Authentication" is not supported for Windows Server Core
2016 and Windows Server Core 2019.

Procedure
1. Make sure you have installed the templates. For instructions, see Chapter 2: Installing Group Policy Object
Templates.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Prompt for Password After Multifactor Authentication. A dialog box opens
with a definition of the setting.


5. Select one of the following:

• Not Configured. The Agent prompts users for the password and then for multifactor authentication.
• Enabled. The Agent prompts users for multifactor authentication and then for the password.
• Disabled. The Agent prompts users for the password and then for multifactor authentication.

6. Click Apply, and then click OK to return to the Local Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.


Specify Which Users to Challenge with Additional Authentication


The MFA Agent protects resources by challenging users for RSA credentials. You determine the degree of protection by
specifying which users you want the Agent to challenge: a group of users, all users except a specified group, or all
users except local users. If this policy is disabled or not configured (and the GPO setting "Enable RSA Access
authentication" is enabled), all users are challenged.

You create a challenge group using the Microsoft Windows interface. For information about creating a Windows group,
see your Windows documentation. If you do not want to create a new group through the Microsoft Windows options, use
one of the default Windows groups.

If you create a challenge group for users' domain accounts, local authentication protects access to your company’s
domain in addition to protecting access to the local Windows desktop on users’ computers. You can create a challenge
group locally, or you can create a challenge group on the domain server.

After you create a challenge group, you specify how the Agent addresses the group during authentication.

Procedure
1. Make sure that you have installed the templates as described in Installing Group Policy Object Templates.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane of the dialog box, double-click RSA Challenge Group. A dialog box similar to below opens
with a definition of the policy.


5. Select one of the following:

• Not Configured. In this state, all users are challenged.
• Enabled. This state allows you to challenge members of a particular group, everyone except members
of a particular group, or no local users. See the next step.
• Disabled. In this state, all users are challenged.

6. If you select Enabled, select which users you want to challenge.

Which Users to Challenge / How to Configure

Members of a particular group
a. From the Challenge drop-down list, select Users in a group.
b. In the Group name field, enter the name of the group that you want to challenge in the format
<domain name or machine name>\<group name>, or for the current machine, enter .\<group name>.
You must enter a valid group name. If the group name is invalid or does not exist, the Agent challenges all users.

Anyone except members of a particular group
a. From the Challenge drop-down list, select Users except a group.
b. In the Group name field, enter the name of the group that you want to exclude in the format
<domain name or machine name>\<group name>, or for the current machine, enter .\<group name>.
You must enter a valid group name. If the group name is invalid or does not exist, the Agent challenges all users.

No local users (Challenge only domain users)
From the Challenge drop-down list, select Users Except all local users. The Group name field is ignored, and local
users are not challenged.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.
8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Enable Retrieval of Locally Cached Challenge Settings for Additional Authentication

You specify challenge status by using the Microsoft Windows interface to create a challenge group. You can create a
group locally or on your company's domain server. For more information, see Specify Which Users to Challenge with
Additional Authentication on page 54.

When a user attempts to log on to a local Windows desktop using a domain account, the MFA Agent contacts the domain
controller to determine the user's challenge status. If the Agent cannot determine the challenge status (for example, if
the connection to the domain server fails), the Agent challenges the user for RSA credentials. Users who have RSA
credentials can authenticate successfully, but users who are not required to authenticate using RSA are locked out of
their computers.

You can configure the Agent so that when the challenge status is not available from the domain server, the Agent
searches for a cached challenge setting on the user's local computer.

If a locally cached policy setting exists, the Agent uses it to determine whether or not to challenge the user for
RSA Access credentials. If a locally cached setting does not exist, then you can set one of the following:

• Challenge the user for RSA credentials
• Do not challenge the user (allow Windows password)

If this policy is not configured or is disabled, the Agent does not use the local cache to determine group membership. If
the Agent cannot determine group membership, then the user is challenged for RSA credentials.


Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane, double-click Cache Challenge Settings. A dialog box similar to below opens with a definition
of the setting.

5. Select one of the following:

• Not Configured. This state challenges users for their RSA credentials if a user's group membership
cannot be determined. The Agent does not use the local cache to determine group membership.
• Enabled. This state enables the Agent to use the local cache to determine group membership if the
domain controller is unavailable. See the next step.
• Disabled. This state challenges users for their RSA credentials if the user's group membership cannot be
determined. The Agent does not use the local cache to determine group membership.

6. If you select Enabled, do one of the following:

• To require RSA credentials when group membership cannot be determined, select Challenge users.
• To not require RSA credentials, but instead allow the Windows password when group membership cannot
be determined, select Do not challenge user.

Note that with Do not challenge user, a computer that cannot reach the domain controller and has no cached setting
accepts the Windows password alone. Choose it only where that trade-off against lockouts is acceptable.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Enable Reserve Password


A reserve password is an emergency access method that allows an administrator to assist a user who is unable to sign
in, for example, because the user has run out of offline day files. If you set the reserve password option, the user is
prompted to enter a reserve password to sign in if the computer cannot connect to RSA and one of the following applies:

• Offline authentication is not running on the local computer or is disabled.
• Offline authentication is running, but there are no offline days on the local computer.

Only an administrator knows the reserve password. If a user is prompted for a reserve password, the user must contact
the IT help desk for assistance. After the user enters the Windows password, the administrator must enter the reserve
password on the user's computer. If approved, the user can access the computer.

Because the reserve password is a single shared secret that stands in for the user's RSA credentials, treat it as a
break-glass credential: limit who knows it, and rotate it by generating a new hash and updating this policy.

Procedure
1. Make sure that you have installed the templates. For more information, see Installing Group Policy Object
Templates.
2. Access the templates. For more information, see Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane, double-click Enable reserve password. A dialog box similar to below opens with a definition
of the setting.


5. Select one of the following:

• Not Configured. With this setting, authorized users cannot sign in with a reserve password.
• Enabled. With this setting, authorized users can sign in with a reserve password.
• Disabled. With this setting, authorized users cannot sign in with a reserve password.

6. If you select Enabled, generate a hash value of the reserve password using the RSA MFA Agent Reserve
Password Hash Generation utility, and enter the hash value of the reserve password in the Enter the
generated hash value field.

For instructions on generating the hash value, see Generate Hash Value of Reserve Password on the next page.

7. Click Apply. Click OK to return to the Local Authentication Settings folder.


8. Close the Group Policy Management Editor.


If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Generate Hash Value of Reserve Password


You can generate a hash value of the reserve password using a command line interface in interactive or non-interactive
mode.

Before you begin


Download the RSA MFA Agent Reserve Password Hash Generator utility from RSA MFA Agent for Microsoft Windows
Downloads on RSA Community.

Procedure
1. Install the utility:

a. Log on to the computer as an administrator (or a user with administrator privileges).


b. Double-click RSA MFA Agent Reserve Password Hash Generator x64.msi or RSA MFA Agent
Reserve Password Hash Generator x86.msi to start the installation wizard.
c. Click Next.
d. Read the License Agreement or click Print to print it. When ready, select I accept the terms in the
license agreement and click Next.

e. Click Install.

The reserve password utility installs on the local computer. If User Account Control is enabled, Windows
prompts you to allow the installation. Click Allow.

f. Click Finish.

2. To generate the hash value, do one of the following:

• To use interactive mode:
a. In the Start menu, select RSA > RSA MFA Agent Reserve Password Hash Generator.
b. Review the password requirements, then enter the password to hash.

• To use non-interactive mode:
a. Open a command prompt as an administrator.
b. Browse to C:\Program Files\RSA\RSA MFA Agent Reserve Password Hash Generator\
c. Enter the following command:

RSA_MFA_Agent_Reserve_Password_Hash_Generator -p

For example:

echo [reserve password]| RSA_MFA_Agent_Reserve_Password_Hash_Generator -p

Note that there is no space between the password and the pipe character: cmd.exe passes everything after
echo up to the pipe, including any trailing space, to the utility as part of the password. Be aware also that a
password entered this way is retained in the command prompt's history for that session, so prefer interactive
mode on shared computers.

The password must meet the following requirements:

• Between 8 and 128 characters
• At least 1 uppercase alphabetic character
• At least 1 lowercase alphabetic character
• At least 1 numeric character
• 1 special character

To view help, enter the following command:

RSA_MFA_Agent_Reserve_Password_Hash_Generator -h
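The following PowerShell is an added example and is not part of the RSA utility or this guide. It checks a candidate
reserve password against the requirements listed above and then passes it to the hash generator on standard input, so
the password is never typed on the command line or kept in the console history. It assumes the executable is the
documented name with a .exe extension in the documented install folder, and that "special character" means any
non-alphanumeric character; adjust both if your installation differs.

```powershell
# Added example, not RSA's utility or documentation: validate a candidate reserve
# password against the documented rules, then feed it to the hash generator on
# standard input so it is never typed on the command line.
# Assumptions: the executable is the documented name plus ".exe" in the documented
# install folder, and "special character" means any non-alphanumeric character.

$HashGeneratorPath = 'C:\Program Files\RSA\RSA MFA Agent Reserve Password Hash Generator\RSA_MFA_Agent_Reserve_Password_Hash_Generator.exe'

function Test-RsaReservePassword {
    param([Parameter(Mandatory)][string] $Password)
    $problems = @()
    if ($Password.Length -lt 8 -or $Password.Length -gt 128) { $problems += 'must be 8 to 128 characters' }
    if ($Password -cnotmatch '[A-Z]')                      { $problems += 'needs an uppercase letter' }
    if ($Password -cnotmatch '[a-z]')                      { $problems += 'needs a lowercase letter' }
    if ($Password -notmatch  '[0-9]')                      { $problems += 'needs a digit' }
    if ($Password -notmatch  '[^A-Za-z0-9]')               { $problems += 'needs a special character' }
    # Leading or trailing whitespace would be hashed literally (the documented cmd.exe
    # example avoids this by leaving no space before the pipe), so reject it here.
    if ($Password -ne $Password.Trim())                    { $problems += 'has leading or trailing whitespace' }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

function New-RsaReservePasswordHash {
    param(
        [Parameter(Mandatory)][securestring] $Password,
        [string] $GeneratorPath = $HashGeneratorPath
    )
    if (-not (Test-Path -LiteralPath $GeneratorPath)) { throw "Hash generator not found: $GeneratorPath" }
    # Unwrap the secure string only for the moment it is needed.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $check = Test-RsaReservePassword -Password $plain
    if (-not $check.Valid) { throw ('Reserve password rejected: ' + ($check.Problems -join '; ')) }
    # Piping a string to a native program writes it to stdin followed by a newline,
    # which is what "echo <password>| ... -p" does, minus the echo to the console.
    $plain | & $GeneratorPath -p
}

# Usage: the password is entered masked, validated, and hashed; the output is what you
# paste into "Enter the generated hash value" in the Enable reserve password policy.
# $hash = New-RsaReservePasswordHash -Password (Read-Host -AsSecureString -Prompt 'Reserve password')
# $hash
```

Run it in the same elevated PowerShell session you would use for the documented command. Only the hash leaves the
function; the cleartext password exists in the session just long enough to be validated and written to the utility's
standard input.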

Specify Remote Desktop Applications that Do Not Require RSA Authentication
You can define a set of one or more remote desktop applications that do not require RSA authentication.

If you disable or do not configure this policy, the Agent excludes Microsoft Remote Desktop Connection (mstsc.exe or
CredentialUIBroker.exe, depending on the Windows version).

Procedure
1. Confirm that you installed the templates. For instructions, see Chapter 2: Installing Group Policy Object
Templates.
2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.
3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify remote desktop applications that do not require RSA
authentication. A dialog box opens with a definition of the setting.


5. Select one of the following:

• Not Configured. The Agent excludes applications defined in the default list.
• Enabled. The Agent excludes the remote desktop applications defined in Fully-qualified path.
• Disabled. The Agent excludes applications defined in the default list.

6. If you selected Enabled in step 5, enter the remote desktop application(s) you want to exclude from RSA
authentication in Fully-qualified path:

a. Enter the fully-qualified path to the application executable. Do not include extra characters such as
quotation marks or periods.

If you leave this field empty when this policy is enabled, the default list takes effect.

b. Separate multiple applications with commas.

For example, to continue to exclude RDC (the default behavior) and add an exclusion for Microsoft
Remote Desktop Connection Manager, enter the following string on a single line:

C:\windows\system32\mstsc.exe,C:\windows\system32\CredentialUIBroker.exe,C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\rdcman.exe

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.


8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.
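The following PowerShell is an added example, not code from this guide or from RSA. It builds the value for the
Fully-qualified path field from a list of executables while enforcing the rules stated above (fully-qualified paths,
no quotation marks or trailing periods, comma separated) and warns about any path that does not exist on the computer
where it runs. It assumes that the default list consists of the two Remote Desktop Connection binaries named above
under %SystemRoot%\System32; the function name is the example's own.

```powershell
# Added example, not RSA's code: assemble the value for "Specify remote desktop
# applications that do not require RSA authentication" from a list of executables,
# enforcing the documented format (fully qualified paths, no quotation marks or
# trailing periods, comma separated) and warning about paths that do not exist on
# this host. Assumption: the default list is the two Remote Desktop Connection
# binaries the guide names, under %SystemRoot%\System32.

function New-RsaRdpExclusionList {
    param(
        [string[]] $AdditionalApps = @(),
        [switch]   $KeepDefaults          # keep mstsc.exe / CredentialUIBroker.exe in the list
    )
    $defaults = @(
        "$env:SystemRoot\System32\mstsc.exe",
        "$env:SystemRoot\System32\CredentialUIBroker.exe"
    )
    $apps = if ($KeepDefaults) { $defaults + $AdditionalApps } else { $AdditionalApps }
    # An empty field makes the Agent fall back to the default list; do not emit one by accident.
    if ($apps.Count -eq 0) { throw 'Empty list: the Agent would use the default list instead.' }

    $clean = foreach ($app in $apps) {
        $p = $app.Trim().Trim('"')                  # strip quotes the policy must not contain
        if ($p -match '[,"]')      { throw "'$p': commas and quotation marks cannot appear in a path here" }
        if ($p.EndsWith('.'))      { throw "'$p': trailing period" }
        if (-not [System.IO.Path]::IsPathRooted($p)) { throw "'$p': not a fully qualified path" }
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { Write-Warning "'$p' does not exist on this host" }
        $p
    }
    ($clean | Select-Object -Unique) -join ','
}

# Constructed usage: keep the default RDC exclusions and add Remote Desktop Connection Manager.
# Produces the same single-line string as the example in the guide, with System32 resolved
# from %SystemRoot% on this computer.
New-RsaRdpExclusionList -KeepDefaults -AdditionalApps 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\rdcman.exe'
```

Every path in the resulting string is one from which the Agent will sign users in without an RSA challenge, so keep
the list to the applications you actually need and review it when those applications are upgraded or relocated.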

Specify Number of Days for Auto Renewal of Certificate


If the Windows Password Integration feature is enabled in Authentication Manager, this setting controls the automatic
renewal of the certificate that Windows Password Integration requires.

The Agent tries to renew the certificate before it expires, and it must be connected to Authentication Manager for the
renewal to work.

Procedure
1. Confirm that you installed the templates. For instructions, see Chapter 2: Installing Group Policy Object
Templates.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify number of days for auto renewal of certificate. A dialog box opens
with a definition of the setting.


5. Select one of the following:

• Not Configured: The Agent tries to renew the certificate 14 days before certificate expiry.
• Enabled: The Agent tries to renew the certificate the specified number of days before certificate expiry.
• Disabled: The Agent does not renew the certificate. Because the certificate is required for Windows Password
Integration, that feature stops working once the certificate expires.

6. If you selected Enabled, specify the number of days before certificate expiry at which the Agent tries to renew
the certificate.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry after the
refresh interval ends in the domain.

Specify Number of Days Before Which to Show Warning for Expiring Certificate

If the Windows Password Integration feature is enabled in Authentication Manager, this setting controls when the Agent
shows the warning that the certificate is about to expire.

The user must be connected to Authentication Manager and complete one authentication for the certificate to be renewed
before it expires.

Procedure
1. Confirm that you installed the templates. For instructions, see Chapter 2: Installing Group Policy Object Templates.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify number of days before which to show warning for expiring
certificate. A dialog box opens with a definition of the setting.


5. Select one of the following:

• Not Configured: The Agent starts showing the warning 7 days before certificate expiry.
• Enabled: The Agent starts showing the warning the specified number of days before certificate expiry.
• Disabled: The Agent does not show any warning.

6. If you selected Enabled, specify the number of days before certificate expiry at which the Agent starts showing
the warning.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry after the
refresh interval ends in the domain.


Specify Logging Options


You can specify the logging options for each computer that the Agent is installed on.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Specify logging options. A dialog box opens with a definition of the setting.

5. Select one of the following:

• Not Configured. The Agent does not generate log files.
• Enabled. The Agent generates log files.
• Disabled. The Agent does not generate log files.

6. If you selected Enabled in step 5, specify the following:

a. Log Level. Select Info, Warning, Error, or Verbose. The default level is Info.

b. Number of Log Files. Specify the number of log files that the Agent creates before it overwrites the
oldest log file. The default is 5.

c. Size of Log Files. The size of each log file in MB before the Agent creates a new log file. The default is 2.

d. Location. Enter the fully-qualified path where the log files are stored. The default is
C:\ProgramData\Log Files. If you change the location, make sure that the directory's ACL lets the Agent write
but does not let standard users modify or delete the logs.

Note: The directory path must not exceed 200 characters. If the path is empty, invalid, or too long, the
Agent uses the default path.

e. Components to Log. Select the components to log.

e. Components to Log. Select the components to log.

7. Click Apply, and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.

Specify the User Name Format Sent to the Authentication Service


You can specify the format of the user name that the Agent sends to the authentication service during an
authentication. You enable this policy if the user accounts on the authentication service use a name format other than a
user’s sAMAccountName.

This policy applies to all authentications sent to either Authentication Manager or the Cloud Authentication Service.


If the policy is not enabled or the user is not a member of a domain, the Agent sends a user’s sAMAccountName. If the
policy is enabled, the Agent can send names in the following formats:

• Windows NTLM
• User Principal Name
• Email Address

You can also define a set of domains to which the policy is not applied. For users in these domains, the Agent sends the
sAMAccountName.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template on
page 13.
2. Access the templates as described in Accessing the Group Policy Object Template on page 16.
3. Double-click the Local Authentication Settings folder.

4. In the right pane of the dialog box, double-click Specify the user name format sent to the
RSA authentication server. A dialog box similar to below opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the Agent sends only the user name.
• Enabled. In this state, the Agent sends the domain and user name.
• Disabled. In this state, the Agent sends only the user name.

6. If the policy is enabled, select one of the following formats:

• Windows NTLM
• User Principal Name
• Email Address

Note: The Cloud Authentication Service does not support the Windows NTLM user name format.

7. (Optional) If the policy is enabled, you can define a set of domains to which the policy is not applied. For users in
these domains, the Agent sends the sAMAccountName. RSA recommends entering the domain name using both
a DNS- and Windows NTLM-style name.
8. Click Apply, and then click OK to return to the Local Authentication Settings folder.
9. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Synchronize User Passwords for Non-Challenged Users


Specifies the non-challenged users whose domain account password changes are automatically synchronized to the
matching accounts in the RSA Authentication Manager database.

You can create a user group using the Microsoft Windows interface. For information about creating a Windows group,
see your Windows documentation. If you do not want to create a new group through the Microsoft Windows options, use
one of the default Windows groups.

You can synchronize password changes for all non-challenged users, all non-challenged users except those in a
specified group, or only non-challenged users in a specified group.

If this policy is not configured or is disabled, only the domain account password changes of RSA MFA challenged users
are synchronized with the matching accounts in the RSA Authentication Manager database.

Note: Enable this GPO only if the Agent is installed on a domain controller.
Non-challenged users are users who are NOT enabled for the RSA MFA challenge, that is, users excluded from the RSA MFA
challenge by the RSA Challenge Group GPO.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Synchronize User Passwords for Non-Challenged Users. A dialog box
opens with a definition of the setting.


5. Select one of the following:

• Not Configured - The Agent does not synchronize the domain account password changes of non-challenged users.
• Enabled - The Agent synchronizes password changes for all non-challenged users, all non-challenged users except
those in a specified group, or only non-challenged users in a specified group.
• Disabled - The Agent does not synchronize the domain account password changes of non-challenged users.

6. If you select Enabled, select which non-challenged users you want to synchronize.


Which Non-Challenged Users to Synchronize / How to Configure

Members of a particular group
1. From the Synchronize drop-down list, select Users in a group.
2. In the Group name field, enter the name of the group that you want to synchronize in the format
<domain name or machine name>\<group name>, or for the current machine, enter .\<group name>. You must enter a valid
group name. If the group name is invalid or does not exist, the Agent synchronizes only RSA MFA challenged users.

Anyone except members of a particular group
1. From the Synchronize drop-down list, select Users except a group.
2. In the Group name field, enter the name of the group that you want to exclude in the format
<domain name or machine name>\<group name>, or for the current machine, enter .\<group name>. You must enter a valid
group name. If the group name is invalid or does not exist, the Agent synchronizes only RSA MFA challenged users.

No local users
From the Synchronize drop-down list, select Users Except all local users. The Group name field is ignored; the
password changes of local users are not synchronized, and those of all other non-challenged users are.

7. Click Apply and then click OK to return to the Local Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.
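Both this policy and Specify Which Users to Challenge with Additional Authentication take a group name in the
<domain name or machine name>\<group name> or .\<group name> format, and both change behavior silently when the name
does not resolve (all users are challenged, or only challenged users are synchronized). The following PowerShell is an
added example, not code from this guide or from RSA, that resolves the name on the computer the policy targets the way
a practitioner would check it before deploying either policy. The function name and the sample group names are the
example's own; it assumes the WinNT ADSI provider can reach the local machine and, for domain groups, a domain
controller from the computer where it runs.

```powershell
# Added example (not RSA's code): validate the group name you intend to put in the
# "RSA Challenge Group" or "Synchronize User Passwords for Non-Challenged Users"
# policy. Both policies expect <domain or machine>\<group> or .\<group>, and both
# fall back silently when the name does not resolve (challenge everyone, or
# synchronize only challenged users), so check it on the machine the policy targets.

Add-Type -AssemblyName System.DirectoryServices

function Test-RsaGroupName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $GroupName)

    $result = [ordered]@{
        Input = $GroupName; Resolved = $null; Sid = $null
        IsGroup = $false; CurrentUserIsMember = $null; Valid = $false; Reason = ''
    }

    # Exactly one backslash: authority on the left, group on the right.
    if ($GroupName -notmatch '^([^\\]+)\\([^\\]+)$') {
        $result.Reason = 'Expected <domain name or machine name>\<group name> or .\<group name>'
        return [pscustomobject]$result
    }
    $authority, $name = $Matches[1], $Matches[2]

    # The policy accepts "." for the local machine; the Windows APIs used below do not,
    # so substitute the host name before resolving.
    if ($authority -eq '.') { $authority = $env:COMPUTERNAME }
    $result.Resolved = "$authority\$name"

    # 1. Does the name resolve to a SID at all? (Domain names need a reachable DC.)
    try {
        $account = [System.Security.Principal.NTAccount]::new($authority, $name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value
    } catch {
        $result.Reason = "Name does not resolve: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Is it a group rather than a user account? Binding with the ",group" class
    #    suffix fails for anything that is not a group (assumption: the WinNT provider
    #    can reach both local and domain objects from this host).
    $result.IsGroup = [System.DirectoryServices.DirectoryEntry]::Exists("WinNT://$authority/$name,group")
    if (-not $result.IsGroup) {
        $result.Reason = 'Resolves, but not to a group'
        return [pscustomobject]$result
    }

    # 3. Would the account running this script be affected? Membership is taken from
    #    the current token, so run this as the user whose treatment you want to confirm.
    $principal = [System.Security.Principal.WindowsPrincipal]::new(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    $result.CurrentUserIsMember = $principal.IsInRole($sid)

    $result.Valid = $true
    $result.Reason = 'OK'
    [pscustomobject]$result
}

# Constructed sample inputs: the first exists on every Windows host, the second is a
# hypothetical domain group, the third is malformed (no authority prefix).
'.\Administrators', 'CORP\RSA-MFA-Users', 'Administrators' |
    ForEach-Object { Test-RsaGroupName $_ } |
    Format-Table Input, Resolved, IsGroup, CurrentUserIsMember, Valid, Reason -AutoSize
```

A row with Valid = False is a name that, entered as-is, would trigger the fallback described in the tables above.
Run the check from the same kind of computer the GPO will apply to, since a group that resolves from a domain
controller may not resolve from a workstation that cannot reach one.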

Upload Offline Audit logs to Cloud Authentication Service


You can configure MFA Agent to upload offline audit logs to RSA Cloud Authentication Service.

Note: This GPO works only when MFA Agent is connected to RSA Cloud Authentication Service directly or through
Authentication Manager as proxy.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Local Authentication Settings.

4. In the right pane, double-click Upload Offline Audit logs to Cloud Authentication Service. A dialog box
opens with a definition of the setting.


5. Select one of the following:

l Not Configured - The Agent does not upload the offline audit logs to RSA Cloud Authentication Service.

l Enabled - The Agent tries to upload the offline audit logs to RSA Cloud Authentication Service.

l Disabled - The Agent does not upload the offline audit logs to RSA Cloud Authentication Service.

6. Click Apply and then click OK to return to the Local Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry once the refresh interval
ends in the domain.


Defining the Passwordless Authentication Settings


The Passwordless Authentication Settings folder specifies how users sign into their Windows computers by
performing primary authentication.

Specify the Active Directory CA Name


Specify the Active Directory Certificate Authority (CA) name. You can view the CA name in the system where the CA is
configured and in the same domain where the Agent is connected.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Active Directory CA Name. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential Provider.

l Enabled. Allows you to specify the CA name to control users' sign-ins with the Passwordless Credential
Provider.

l Disabled. Users cannot sign in with the Passwordless Credential Provider.

6. If you select Enabled, enter the exact name of the Active Directory CA.

Note: The Active Directory CA name is case-sensitive.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.


8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Active Directory CA Hostname


Specify the Active Directory Certificate Authority (CA) hostname. You can view the CA name in the system where the CA
is configured and in the same domain where the Agent is connected.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Active Directory CA Hostname. A dialog box opens with a definition of the
setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential Provider.

l Enabled. Allows you to specify the CA hostname to control users' sign-ins with the Passwordless Credential
Provider.

l Disabled. Users cannot sign in with the Passwordless Credential Provider.

6. If you select Enabled, enter the exact hostname of the Active Directory CA.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.


If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Certificate Template


You can specify the Smartcard Logon certificate template as specified in the Certificate Authority (CA). You must deploy
an enterprise CA to have the certificate template.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Certificate Template. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential Provider.

l Enabled. Allows you to specify the certificate template to control users' sign-ins with the Passwordless
Credential Provider.

l Disabled. Users cannot sign in with the Passwordless Credential Provider.

6. If you select Enabled, enter the Smartcard Logon certificate template as specified in the Certificate Authority.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.


If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Certificate Key Length


You can specify the certificate key length to request a new certificate. Certificate key length defines the length of the
public and the private key. The key length has an impact on the security of the certificate.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Certificate Key Length. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential Provider.

l Enabled. Allows you to select either 1024 or 2048 Certificate Key Length.

l Disabled. Users cannot sign in with the Passwordless Credential Provider.

6. If you select Enabled, click the drop-down menu from the Key Length field and select 1024 or 2048 as the
Certificate Key Length.

1024 and 2048 are the supported certificate key lengths. A greater key length provides higher security for the
certificate.


7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the Certificate Subject


You can specify the certificate subject using the format CN=Common Name, OU=Organizational Unit, DC=Domain
Component, DC=Domain Component.

You need to configure the certificate subject name if the Subject Name is set to Supply in the request in the
certificate template.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Certificate Subject. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential provider if the Subject Name is
set to Supply in the request in the certificate template.

l Enabled. Allows you to specify the certificate subject to control users' sign-ins with the Passwordless
Credential Provider.

l Disabled. Users cannot sign in with the Passwordless Credential provider if the Subject Name is set to
Supply in the request in the certificate template.

6. If you select Enabled, enter the certificate subject using the following format:

CN=Common Name, OU=Organizational Unit, DC=Domain Component, DC=Domain Component


7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Relying Party ID


You can specify the FIDO Relying Party ID configured in the Cloud Administration Console.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click FIDO Relying Party ID. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users cannot sign in with the Passwordless Credential Provider.

l Enabled. Allows you to specify the FIDO Relying Party ID to control users' sign-ins with the Passwordless
Credential Provider.

l Disabled. Users cannot sign in with the Passwordless Credential Provider.

6. If you select Enabled, enter the FIDO Relying Party ID obtained from the Cloud Administration Console. In the
console, click Platform > Identity Router, select an identity router, click the Registration tab, and copy the
Authentication Service Domain.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.


8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text for Registration


You can specify custom help text to help users register their security key in the Cloud Administration Console.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text for Registration. A dialog box opens
with a definition of the setting.


5. Select one of the following:

l Not Configured. Users get a generic message to register the security key in My Page in the Cloud
Authentication Service.

l Enabled. Allows you to set a custom message describing how to register the security key in My Page in
the Cloud Authentication Service.

l Disabled. Users get a generic message to register the security key in My Page in the Cloud
Authentication Service.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message to register the security key in My Page in the Cloud
Authentication Service.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text to Set the Security Key PIN
You can specify custom help text to help users set their security key PIN.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text to Set the Security Key PIN. A dialog
box opens with a definition of the setting.

5. Select one of the following:


l Not Configured. Users get a generic message to set their security key PIN.

l Enabled. Allows you to set a custom message describing how to set their security key PIN.

l Disabled. Users get a generic message to set their security key PIN.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message to set the security key PIN.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text to Reset the Blocked Security Key
You can specify the custom help text to help users reset and re-register their security keys that have been blocked
because of too many unsuccessful sign-in attempts.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text to Reset the Blocked Security Key. A
dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users get a generic message notifying them that the security key is blocked due to too
many unsuccessful sign-in attempts. They must first reset the security key then re-register the security
key in My Page in the Cloud Authentication Service.

l Enabled. Allows you to set a custom message notifying users that the security key is blocked due to too
many unsuccessful sign-in attempts. The message can describe how to reset the security key, then how
to re-register the security key in My Page in the Cloud Authentication Service.

l Disabled. Users get a generic message notifying them that the security key is blocked due to too many
unsuccessful sign-in attempts. They must first reset the security key, then re-register the security key in
My Page in the Cloud Authentication Service.

Users can reset their security keys using one of the following:

l RSA Key Utility. For more information, see Create or Change PIN.
l The key management utility provided by the security key manufacturer.
l Security key settings in Microsoft Windows Settings application.
l Google Chrome browser.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message notifying them that the security key is blocked due to
too many unsuccessful sign-in attempts.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.


8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text for Invalid Credentials


You can specify the custom help text to help users re-register the security key that contains invalid credentials.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text for Invalid Credentials. A dialog box
opens with a definition of the setting.

5. Select one of the following:

l Not Configured. Users get a generic message notifying them that the security key contains invalid
credentials. They must re-register the security key in My Page in the Cloud Authentication Service.

l Enabled. Allows you to set a custom message notifying users that the security key contains invalid
credentials. The message can describe how to re-register the security key in My Page in the Cloud
Authentication Service.


l Disabled. Users get a generic message notifying them that the security key contains invalid credentials.
They must re-register the security key in My Page in the Cloud Authentication Service.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message notifying them that the security key contains invalid
credentials.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text When Passwordless Authentication Cannot be Configured

You can specify the custom help text to notify users that passwordless authentication cannot be configured and to help
users take appropriate actions.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text When Passwordless Authentication
Cannot be Configured. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users get a generic message notifying them that passwordless authentication cannot
be configured.

l Enabled. Allows you to set a custom message notifying users that passwordless authentication cannot
be configured and describing the appropriate actions users can take.

l Disabled. Users get a generic message notifying them that passwordless authentication cannot be
configured.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message notifying them that passwordless authentication
cannot be configured.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Specify the FIDO Custom Help Text for Registration of Passwordless Authentication

You can specify the custom help text to inform users that registration of passwordless authentication may take a few
minutes.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Specify the FIDO Custom Help Text for Registration of Passwordless
Authentication. A dialog box opens with a definition of the setting.

5. Select one of the following:


l Not Configured. Users get a generic message notifying them that registration of passwordless
authentication may take a few minutes.

l Enabled. Allows you to set a custom message notifying users that registration of passwordless
authentication may take a few minutes.

l Disabled. Users get a generic message notifying them that registration of passwordless authentication
may take a few minutes.

6. If you select Enabled, enter a custom message that does not exceed 180 characters. If the custom message
exceeds the character limit, users get a generic message notifying them that registration of passwordless
authentication may take 1-2 minutes.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Signing In with Windows Password When Passwordless Authentication is Unavailable

You can specify if MFA Agent can use Windows password to allow users to sign in when network or hardware issues
prevent MFA Agent from setting up passwordless authentication.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Signing In with Windows Password When Passwordless Authentication
is Unavailable. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. Users can sign in using Windows password and additional authentication, if
configured, when network or hardware issues prevent MFA Agent from setting up passwordless
authentication.

l Enabled. Users can sign in using Windows password and additional authentication, if configured, when
network or hardware issues prevent MFA Agent from setting up passwordless authentication.

l Disabled. Users cannot sign in when network or hardware issues prevent MFA Agent from setting up
passwordless authentication.

6. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

Signing In with Windows Password When Passwordless Authentication is Not Supported

Windows computers where MFA Agent is installed do not support passwordless authentication if the computers do not
have Trusted Platform Module (TPM) 2.0 chips.

You can specify if MFA Agent can use Windows password to allow users to sign in when passwordless authentication is
not supported.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.


4. In the right pane, double-click Signing In with Windows Password When Passwordless Authentication
is Not Supported. A dialog box opens with a definition of the setting.

5. Select one of the following:

l Not Configured. Users can sign in using Windows password and additional authentication, if
configured, when passwordless authentication is not supported.

l Enabled. Users can sign in using Windows password and additional authentication, if configured, when
passwordless authentication is not supported.

l Disabled. Users cannot sign in when passwordless authentication is not supported.

6. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.


Enable Additional Authentication When Cloud Authentication Service is Unavailable

You can specify if MFA Agent prompts users for additional authentication after successful offline primary authentication.

When users do not have offline day files on their local computers, they can use the reserve password option if it is
enabled. Users cannot successfully authenticate offline when offline day files are absent and the reserve password
option is disabled.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click Enable Additional Authentication When Cloud Authentication Service is
Unavailable. A dialog box opens with a definition of the setting.


5. Select one of the following:

l Not Configured. MFA Agent does not prompt users for additional authentication after successful offline
primary authentication.

l Enabled. MFA Agent prompts users for additional authentication after successful offline primary
authentication.

l Disabled. MFA Agent does not prompt users for additional authentication after successful offline primary
authentication.

6. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

7. Close the Group Policy Management Editor.


If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.

RSA Primary Authentication Challenge Group


You can configure MFA Agent to challenge all users or a specific group of users with passwordless authentication. All
other users are challenged with Windows password and additional authentication according to your configuration.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click RSA Primary Authentication Challenge Group. A dialog box opens with a
definition of the setting.

5. Select one of the following:


l Not Configured. All users are challenged with passwordless authentication.

l Enabled. Allows you to challenge one of the following with passwordless authentication:

n A group of users.

n All users except a specified group of users.

n Include only domain users; exclude local users.

l Disabled. All users are challenged with passwordless authentication.

6. If you select Enabled, choose which users you want to challenge with passwordless authentication.

Users to Challenge | Configuration

Users in a group:

1. From the Challenge drop-down list, select Users in a group.

2. In Group Name enter the name of the group that you want to challenge with passwordless
authentication in the following format:
<domain name or machine name>\<group name>. For example: CORP\RSA Users

Note: If the group name is invalid or does not exist, the Agent challenges all users.

Users except a group:

1. From the Challenge drop-down list, select Users except a group.

2. In Group Name enter the name of the group that you want to exclude from passwordless
authentication in the following format:
<domain name or machine name>\<group name>. For example: CORP\RSA Users

Note: If the group name is invalid or does not exist, the Agent challenges all users.

Users except all local users:

From the Challenge drop-down list, select Users except all local users. You can ignore the group name
as local users are not challenged.

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.
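The following PowerShell is an added example, not part of the RSA guide: it checks the values an administrator is about to type into the challenge-group table above and into the Certificate Subject, Certificate Key Length and FIDO custom help text settings before the policy is applied, since the guide states that an invalid group silently widens the challenge to all users and an over-long message is silently replaced by the generic one. The function names and the mapping of "." to the local computer are this example's own assumptions.

```powershell
# Added example (not RSA's code): pre-flight checks for Passwordless Authentication Settings values.
# Nothing here reads or writes the policy itself; it only validates the values before you enter them.

function Test-MfaChallengeGroup {
    # Guide format: <domain name or machine name>\<group name>, or .\<group name> for this machine.
    # The guide warns that an invalid or non-existent group makes the Agent challenge ALL users,
    # so resolving the name before deploying the policy avoids a silent change of scope.
    param([Parameter(Mandatory)][string]$GroupName)

    if (-not ($GroupName -match '^([^\\]+)\\([^\\]+)$')) {
        return [pscustomobject]@{ Group = $GroupName; Valid = $false; Detail = 'expected DOMAIN\group or .\group' }
    }
    $scope = $Matches[1]
    $name  = $Matches[2]
    if ($scope -eq '.') { $scope = $env:COMPUTERNAME }   # assumption: "." means the local computer

    try {
        # Resolve the account to a SID through the normal Windows lookup (domain or local SAM).
        $account = New-Object System.Security.Principal.NTAccount($scope, $name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Group = $GroupName; Valid = $true; Detail = "resolves to $($sid.Value)" }
    } catch {
        [pscustomobject]@{ Group = $GroupName; Valid = $false; Detail = 'does not resolve; the Agent would challenge all users' }
    }
}

function Test-MfaCertificateSubject {
    # Guide format: CN=Common Name, OU=Organizational Unit, DC=Domain Component, DC=Domain Component.
    # Needed only when the template's Subject Name is set to "Supply in the request".
    param([Parameter(Mandatory)][string]$Subject)

    try {
        # .NET parses the string as an X.500 distinguished name and throws on malformed input.
        $null = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName($Subject)
    } catch {
        return [pscustomobject]@{ Subject = $Subject; Valid = $false; Detail = 'not a well-formed DN' }
    }
    $rdns = $Subject -split '\s*,\s*'
    $dcs  = @($rdns | Select-Object -Skip 2)
    $ok   = ($rdns.Count -ge 4) -and ($rdns[0] -like 'CN=*') -and ($rdns[1] -like 'OU=*') -and
            (@($dcs | Where-Object { $_ -notlike 'DC=*' }).Count -eq 0)
    [pscustomobject]@{ Subject = $Subject; Valid = $ok; Detail = "$($rdns.Count) RDNs, $($dcs.Count) DC components" }
}

function Test-MfaHelpText {
    # Every FIDO custom help text setting accepts at most 180 characters; a longer message is
    # silently replaced by the generic message, so the custom guidance never reaches the user.
    param([Parameter(Mandatory)][string]$Text)
    [pscustomobject]@{ Length = $Text.Length; Valid = ($Text.Length -le 180) }
}

function Test-MfaKeyLength {
    # The Certificate Key Length setting offers 1024 or 2048; the guide notes the longer key is more secure.
    param([Parameter(Mandatory)][int]$Bits)
    [pscustomobject]@{ Bits = $Bits; Valid = ($Bits -in @(1024, 2048)); Preferred = ($Bits -eq 2048) }
}

# Constructed sample inputs (not taken from any real deployment):
Test-MfaChallengeGroup -GroupName 'CORP\RSA Users'       # resolves only on a host joined to such a domain
Test-MfaChallengeGroup -GroupName '.\Administrators'     # local group, resolves on any Windows host
Test-MfaChallengeGroup -GroupName 'RSA Users'            # no DOMAIN\ or .\ prefix -> Valid = $false
Test-MfaCertificateSubject -Subject 'CN=Alice Example, OU=Workstations, DC=corp, DC=example'
Test-MfaHelpText -Text ('Register your key at My Page. ' * 8)   # 240 characters -> Valid = $false
Test-MfaKeyLength -Bits 2048
```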

RSA Primary Authentication Challenge Settings


You can configure MFA Agent to challenge all users or a specific group of users with passwordless authentication. See
RSA Primary Authentication Challenge Group on the previous page. When users sign in, the MFA Agent contacts the
domain controller to determine the users' challenge group. If the Agent cannot determine users’ challenge group from
the domain controller, the Agent challenges users with passwordless authentication. Users with passwordless
credentials can authenticate successfully, while other users are locked out of their computers.

You can allow MFA Agent to retrieve users’ challenge settings from the local cache on users' computer if the Agent
cannot determine users’ challenge group from the domain controller. If the Agent cannot retrieve the users’ challenge
setting from the local cache, you can set one of the following:


l Challenge the user with passwordless authentication.

l Challenge the user with Windows password and additional authentication.

Procedure
1. Make sure you have installed the templates. For instructions, see Installing the RSA Group Policy Object
Template on page 14.

2. Access the templates. For instructions, see Accessing the Group Policy Object Template on page 16.

3. Double-click Passwordless Authentication Settings folder.

4. In the right pane, double-click RSA Primary Authentication Challenge Settings. A dialog box opens with a
definition of the setting.

5. Select one of the following:

• Not Configured. Users are challenged with passwordless authentication if the Agent cannot determine
users' challenge group from the domain controller. The Agent does not use the local cache.

• Enabled. MFA Agent retrieves users' challenge settings from the local cache on the users' computer if the
Agent cannot determine users' challenge group from the domain controller.

• Disabled. Users are challenged with passwordless authentication if the Agent cannot determine users'
challenge group from the domain controller. The Agent does not use the local cache.

6. If you select Enabled, select an option to use when the Agent cannot determine the users' challenge group from
the domain controller and also from the local cache:

• Challenge the user with passwordless authentication

• Challenge the user with Windows password and additional authentication

7. Click Apply, and then click OK to return to the Passwordless Authentication Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval
ends in the domain.
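The challenge-group and fallback behaviour described above depends on two things the administrator should verify before the policy reaches the registry: that the group name is in the <domain name or machine name>\<group name> format and actually exists (otherwise the Agent challenges all users), and that the domain controller can be reached (otherwise the Agent falls back to the local cache or to the configured fallback, and users without passwordless credentials can be locked out). The following PowerShell function is an added example, not code from the RSA guide or from the MFA Agent; it reproduces the resolution the Agent has to perform at sign-in so that the outcome can be checked on a test machine. The group name CORP\RSA Users is the guide's own sample value; the function and field names are the example's own.

```powershell
# Added example (not from the RSA guide): pre-deployment check for a
# "Users except a group" challenge group. It validates the name format,
# checks whether the domain can be reached, resolves the group to a SID
# (which, for a domain group, goes through the domain controller) and
# reports whether the current user would be excluded from the challenge.
# Run in an elevated session: Test-ComputerSecureChannel needs admin rights.

function Test-ChallengeGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName   # e.g. 'CORP\RSA Users'
    )

    # 1. The format the guide requires: <domain or machine>\<group>.
    #    A name that does not parse is the case the guide's note warns about.
    if ($GroupName -match '^(?<authority>[^\\]+)\\(?<group>.+)$') {
        $authority = $Matches.authority
        $group     = $Matches.group
    } else {
        return [pscustomobject]@{
            Group               = $GroupName
            Sid                 = $null
            DomainReachable     = $null
            CurrentUserIsMember = $null
            Outcome             = 'Invalid format: the Agent would challenge all users'
        }
    }

    # 2. Domain controller reachability. When the DC cannot be contacted the
    #    Agent cannot determine the challenge group and falls back as configured.
    $domainReachable = $false
    try { $domainReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

    # 3. Resolve the group to a SID. IdentityNotMappedException means the group
    #    does not exist in that domain or on that machine.
    try {
        $account = New-Object System.Security.Principal.NTAccount($authority, $group)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return [pscustomobject]@{
            Group               = $GroupName
            Sid                 = $null
            DomainReachable     = $domainReachable
            CurrentUserIsMember = $null
            Outcome             = 'Group not found: the Agent would challenge all users'
        }
    } catch {
        return [pscustomobject]@{
            Group               = $GroupName
            Sid                 = $null
            DomainReachable     = $domainReachable
            CurrentUserIsMember = $null
            Outcome             = "Lookup failed ($($_.Exception.Message)): fallback rules apply"
        }
    }

    # 4. Membership of the current user, taken from the logon token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isMember = $identity.Groups -contains $sid

    $outcome = if ($isMember) { 'Member: excluded from the passwordless challenge' }
               else           { 'Not a member: would be challenged with passwordless authentication' }
    if (-not $domainReachable) {
        $outcome += ' (DC unreachable: local cache or configured fallback decides at sign-in)'
    }

    [pscustomobject]@{
        Group               = $GroupName
        Sid                 = $sid.Value
        DomainReachable     = $domainReachable
        CurrentUserIsMember = $isMember
        Outcome             = $outcome
    }
}

# Example run with the guide's sample group name (constructed input):
Test-ChallengeGroup -GroupName 'CORP\RSA Users' | Format-List
```

Run it as the user who will be signing in, on a machine joined to the domain that hosts the group; a result of "Group not found" or "Invalid format" is exactly the condition under which the Agent challenges every user, so fix the group name before applying the policy.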

Defining the RSA Credential Provider Filter Settings


The Credential Provider Filter Options folder contains settings to define how MFA Agent responds when users sign
into Windows.

The credential provider filter settings are part of the RSA_MFA_Agent.admx policy template. With this template, RSA
MFA Agent by default allows users to sign in through the RSA Credential Provider or through other third-party credential
providers that you install and configure.

Procedure
1. Make sure that you have installed the template. For instructions, see Installing Group Policy Object Templates.
2. Access the template. For instructions, see Accessing the Group Policy Object Template on page 16.
3. In the policy editor, navigate to Administrative Templates\RSA Desktop\Credential Provider Filter
Settings, and locate the settings in the right pane of the dialog box.

4. Double-click one of the following settings to exclude (hide) the associated Credential Provider tile from users:

• Exclude the Microsoft Password Credential Provider. Hides the Microsoft Credential Provider tiles
that allow users to sign in with their Windows accounts. If this policy is disabled, the Microsoft Password
Credential Provider is presented at sign-in and in the User Account Control (UAC) dialog.
• Exclude the Microsoft Smart Card Credential Provider. Hides the Credential Provider tiles that
allow users to sign in with their logon certificates on their smart cards.

If this policy is not configured or disabled, the Microsoft Smart Card Credential Provider is presented at
sign-in and in the User Account Control (UAC) dialog.

• Exclude the Microsoft Picture Password Credential Provider. Hides the Credential Provider tiles
that allow users to sign in through the Microsoft Picture Password Credential Provider tile (picture with
patterns). If this policy is disabled, the Picture Password Credential Provider is not excluded. The users
can create pictures to use as their sign-in credentials.
• Exclude the Microsoft PIN Logon Credential Provider. Hides Credential Provider tiles that allow
users to sign in through the Microsoft PIN Credential Provider tile. This is the PIN connected to the local
or Windows Live ID account logon. If this policy is disabled, the Microsoft PIN Credential Provider tile is
not excluded. If users have Windows Live ID accounts, they can create PINs for those accounts.


• Exclude the Microsoft WLID (Windows Live ID) Credential Provider. Hides Credential Provider
tiles that allow users to sign in through the Microsoft Windows Live ID Credential Provider tile used for
Live ID accounts (e-mail addresses and passwords). If this policy is disabled, the Microsoft Windows Live
ID Credential Provider tile is not excluded. Users can create and sign in with Windows Live ID accounts.
• Exclude the RSA Credential Provider. Hides the RSA Credential Provider tile, which allows users to
sign in with RSA. If this policy is disabled or not configured, the RSA Credential Provider tile displays.
• Exclude all Third-Party Credential Providers. Hides any third-party Credential Provider tiles that
allow users to sign in with other sign-in methods. If this policy is not configured or is disabled, no third-
party credential providers are excluded.

5. For each Credential Provider setting, select one of the following:

• Not Configured. The following Microsoft credential providers are unavailable for users at sign-in:
Microsoft Password Credential Provider, Microsoft Picture Password Credential Provider, Microsoft PIN
Credential Provider, and Microsoft Windows Live ID Credential Provider.
• Enabled. The associated Credential Provider tile or tiles are unavailable for users at sign-in.
• Disabled. This deactivates the setting.

6. Click Apply.

7. Do one of the following:

• To access the next Credential Provider setting, click Next Setting. Then repeat steps 4 and 5. (If
necessary, click Previous Setting.)
• Click OK to return to the Credential Provider Filter Settings folder.

8. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings are loaded into the Windows registry once the refresh
interval ends in the domain.
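Each of the filter settings above hides a tile belonging to a credential provider that is registered with Windows. To check what the policy has to work with on a given machine, the following PowerShell script is an added example, not code from the RSA guide or from the MFA Agent. It reads the Windows registration lists for credential providers and credential provider filters (the Authentication key under HKLM is the standard Windows location; the RSA filter is expected to appear in the filters list). It assumes, as an illustration, that the RSA filter hides tiles at sign-in time rather than by editing these keys, so what it reports is the set of registered providers and the OS-level Disabled flag, which is independent of the RSA policy. The function name is the example's own.

```powershell
# Added example (not from the RSA guide): list the credential providers and
# credential provider filters registered on this machine, with the DLL that
# implements each one. Compare the provider names with the tiles the
# Credential Provider Filter Settings are expected to hide.
# Assumption: the RSA filter acts at sign-in; the 'Disabled' value read here
# is the OS-level switch and is not written by the RSA policy.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-RegisteredCredentialProvider {
    [CmdletBinding()]
    param(
        # 'Credential Providers' or 'Credential Provider Filters'
        [ValidateSet('Credential Providers', 'Credential Provider Filters')]
        [string] $Kind = 'Credential Providers'
    )

    Get-ChildItem -Path (Join-Path $base $Kind) -ErrorAction Stop | ForEach-Object {
        $clsid = $_.PSChildName                     # the key name is the COM CLSID
        $props = Get-ItemProperty -Path $_.PSPath   # default value = display name

        # The COM registration tells us which DLL implements the provider;
        # an unexpected DLL here is worth a closer look on a hardened host.
        $dll = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
        }

        [pscustomobject]@{
            Kind     = $Kind
            Name     = $props.'(default)'
            Clsid    = $clsid
            Disabled = [bool]($props.Disabled -eq 1)   # OS-level flag, not the RSA filter
            Dll      = $dll
        }
    }
}

# Providers first, then filters.
Get-RegisteredCredentialProvider -Kind 'Credential Providers' |
    Sort-Object Name | Format-Table Name, Clsid, Disabled, Dll -AutoSize
Get-RegisteredCredentialProvider -Kind 'Credential Provider Filters' |
    Sort-Object Name | Format-Table Name, Clsid, Dll -AutoSize
```

Run it before and after the policy refresh on a test machine: the registration list should not change (the RSA filter hides tiles at sign-in rather than unregistering providers), so a provider that disappears from the list, or a provider DLL that is not the expected one, indicates something other than this policy has changed the sign-in surface.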
