Apply MFA to Windows sessions

Follow this step-by-step guide to plan, deploy, and manage MFA with UserLock. Learn how to choose authentication methods, prepare users, and monitor your rollout effectively.

Published October 15, 2025

Introduction

This guide helps you plan and deploy Multi-Factor Authentication (MFA) with UserLock, focusing on the most common scenario: protecting workstation and server logons.
It also provides recommendations and best practices for a smooth rollout, user adoption, and long-term management.

Note

📘 Before you start:
We recommend reading the Multi-Factor Authentication (MFA) reference page to understand how MFA works in UserLock.

Prerequisites

Before enforcing MFA on workstation and server sessions, verify the following conditions:

  • ✅️ UserLock Desktop Agent installed
    It displays MFA dialogs and communicates with the UserLock service during logon and unlock events. It must be deployed on all workstations and servers you want to protect.

  • ✅️ Agent–Server communication working
    Ensure the required network protocols and ports are open, so agents can contact the UserLock server. See also Communication and required protocols and Enforce firewall requirements.

Note

📘 For a full list of UserLock prerequisites, read the Requirements page.

1. Prepare your deployment

Before activating MFA, check these essentials to ensure a smooth setup:

✅️ Choose the MFA methods to authorize

Define the allowed MFA methods (Push, Authenticator app, tokens, recovery codes) and choose only those that best fit your environment. Limiting the choices simplifies support and reduces user confusion.

✅️ Enable the Skip configuration option

Allow users to postpone their MFA enrollment for a few days. This flexibility prevents lockouts during phased deployments and gives IT time to assist users who are not immediately ready to enroll.

✅️ Enable the Ask for Help option

Let users contact IT directly from the MFA dialogs if they encounter setup or access issues. This reduces helpdesk delays and speeds up troubleshooting.

✅️ Start with a pilot group

Test the configuration with a controlled group (for example IT staff or trusted early adopters) before applying MFA organization-wide. This helps validate settings and avoid a surge in helpdesk requests.

✅️ Inform users before activation

Clear communication ensures better adoption and fewer support tickets. Make sure users understand:

  • Why MFA is being implemented and its security benefits.

  • When users will be prompted for enrollment.

  • How to proceed, linking to MFA enrollment guides.

  • Who to contact if setup fails or the phone is lost.

2. Create and apply an access policy

Once preparation is complete, create the MFA access policy that enforces authentication for your chosen users and session types.

  1. Open the UserLock Console and go to Access Policies ▸ Add Policy.

  2. Follow the general steps described in Configure an access policy until you reach the Policy type selection.

  3. Choose Multi-factor authentication to open the MFA policy form.

  4. Set MFA application to Enabled.

  5. Under Configuration mode, select Distinct setting per session type to define specific rules for Workstation and Server sessions.

  6. Set the Connection type for each relevant session.

  7. Define the frequency (every logon, every N days, only from new IPs, etc.).

  8. Optionally, activate Skip configuration for easier onboarding.

  9. Apply and test the policy with your pilot group.

Note

📘 See the Access Policies – MFA reference page for detailed parameter descriptions.

3. Monitor deployment and support adoption

After activating MFA, regularly monitor user enrollment and MFA activity from the UserLock Console.
Tracking adoption helps you identify issues early and support users effectively.

Find users with or without MFA enrolled

  1. Go to Environment ▸ Users and open the Audited by UserLock tab.

  2. Click Filters.

  3. Under Conditions, select MFA method.

    • To list users without an MFA method enrolled → choose None.

    • To list all users with an MFA method enrolled → choose Is not and then None.

  4. Add additional filters if needed, then click Apply.

  5. Review the MFA configuration column to see which methods each user has enrolled.

Note

💡 To check this regularly, save the filtered view and reopen it anytime.

Track MFA events

UserLock provides a dedicated report with predefined views listing all MFA-related actions, such as successful authentications, failed attempts, skipped enrollments, or help requests.

  1. Go to Reporting ▸ MFA events.

  2. Select the time period (last 7 days by default).

  3. Choose a predefined view to quickly refine the results.

  4. Add additional Filters if needed.

Predefined views (view name, then description):

  • MFA configuration skipped: The user was prompted to enroll in MFA but clicked the Skip button (if enabled in MFA settings). Useful for identifying users who postponed enrollment during rollout.

  • MFA help requests: The user clicked the Ask for Help button while enrolling or validating MFA (if enabled in MFA settings). Helps IT teams quickly identify who needs assistance.

  • MFA cancelled: The user cancelled the MFA challenge before validation. This can indicate confusion, technical problems, or aborted logon attempts.

  • MFA successful: The MFA challenge was successfully validated. Can be used to confirm adoption progress and user compliance.

  • MFA failed: The user failed to validate MFA and could not log in. Critical for detecting authentication issues or suspicious behavior.
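The following is an added example, not UserLock code and not its report export format: it groups constructed MFA event records by the five predefined views above and turns them into the rollout triage buckets an administrator checks (who postponed, who asked for help, who keeps failing). The timestamp,user,event field layout and the sample lines are assumptions.

```python
# Added example (not UserLock code): triage constructed MFA event records by view.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp,user,event. The field layout is assumed.
SAMPLE_EVENTS = """\
2025-10-14T08:02:11,alice,MFA successful
2025-10-14T08:05:40,bob,MFA configuration skipped
2025-10-14T08:06:02,carol,MFA help requests
2025-10-14T09:10:15,dave,MFA failed
2025-10-14T09:10:58,dave,MFA failed
2025-10-14T09:11:30,dave,MFA failed
2025-10-15T08:01:05,bob,MFA configuration skipped
2025-10-15T08:03:22,erin,MFA cancelled
2025-10-15T08:04:00,alice,MFA successful
"""

VIEWS = {"MFA configuration skipped", "MFA help requests", "MFA cancelled",
         "MFA successful", "MFA failed"}

def parse_events(text):
    """Parse CSV-style lines into (timestamp, user, event) tuples, rejecting unknown views."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(",", 2)
        if event not in VIEWS:
            raise ValueError(f"unknown MFA event: {event!r}")
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def count_by_user(events, view):
    """Number of events of one predefined view, per user."""
    counts = defaultdict(int)
    for _, user, event in events:
        if event == view:
            counts[user] += 1
    return dict(counts)

def triage(events, fail_threshold=3):
    """Rollout triage: who postponed, who asked for help, who keeps failing, who validated."""
    return {
        "postponed": sorted(count_by_user(events, "MFA configuration skipped")),
        "needs_help": sorted(count_by_user(events, "MFA help requests")),
        "repeated_failures": sorted(
            u for u, n in count_by_user(events, "MFA failed").items()
            if n >= fail_threshold),
        "validated": sorted(count_by_user(events, "MFA successful")),
    }
```

Calling triage(parse_events(SAMPLE_EVENTS)) on the constructed data lists bob as postponed, carol as needing help and dave as repeatedly failing; the threshold marks the point at which repeated failures deserve a closer look rather than a reminder.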

Assisting stuck users

Some users will inevitably get stuck — for example, if they can’t enroll, lose their device, or replace it.

When Ask for Help is enabled, administrators are instantly notified (popup, email or inside the console) and can view all requests under Activity ▸ MFA help requests.

From this view and all user-related views, they can:

  • Temporarily disable MFA to restore access if the user forgot their device (use the shortest duration possible).

  • Reset MFA configuration if the user must re-enroll on a new device.

These options let IT respond quickly and securely to user issues.

Note

💡 If users struggle to enroll, share the appropriate enrollment guides based on their chosen MFA method.

Follow these recommendations to strengthen your MFA rollout and ensure consistent protection across all environments.

Protect privileged accounts first

Administrator and service accounts have elevated rights and represent the highest security risk if compromised.

  1. Create a dedicated MFA policy for privileged users (by group, OU, or individual account).

  2. Set MFA to be required for every login across all session types.

Note

💡 To avoid being locked out if a policy misconfiguration occurs, create an emergency account (e.g., ULadmin) with full UserLock console permissions and MFA disabled.

Require MFA for remote or external connections

Network intrusions often start with stolen credentials used from outside the organization.
Requiring MFA for all external connections significantly reduces this risk.

  1. Create a permanent MFA policy targeting the Everyone group.

  2. In the Connection type, select From outside.

  3. Define the MFA frequency:

    • Workstation sessions: Every logon

    • Other sessions: Once per IP address (first logon of the day)

This ensures that any attempt to log in from outside the network will always require MFA verification.

Apply MFA to logons without UserLock connection

Modern users often work remotely, at home, on the road, or in public spaces.
Even when disconnected from the corporate network, their devices may still contain sensitive data that must remain protected.

⚠️ By default, if the Desktop Agent cannot contact the UserLock service, no access policy (including MFA) is applied.

To maintain protection in every situation:

  • Configure UserLock Anywhere to let agents securely reach the UserLock service over the Internet when no LAN or VPN connection is available.

  • If possible, allow VPN connection directly from the Windows logon screen so the agent can reconnect before authentication (see help here).

  • For cases where no network connection is available, configure the agent to require MFA:

    1. Go to ⚙️ Server settings ▸ General.

    2. Locate Logons without UserLock connection.

    3. Set it to Ask for MFA or Force MFA, depending on your security needs.

Once enabled, any user already enrolled in MFA and who has logged in at least once while connected to the corporate network will be prompted for MFA even when offline.

Extending MFA protection to other session types

UserLock can also enforce MFA on other types of connections beyond standard workstation and server logons.
Each scenario has its own configuration specifics and requirements:

  • VPN connections — Require MFA for remote VPN connections via the UserLock NPS Agent.

  • Single Sign-On (SSO) — Enforce MFA during federated logins to SaaS and web apps.

  • IIS Applications — Protect web-based logins (e.g., Outlook Web Access, RD Web, etc.).

  • UAC elevation prompts — Request MFA when users perform privileged actions requiring administrator consent.

  • RemoteApp — Apply MFA when users launch or reconnect to published applications.

  • RD Gateway — Secure remote desktop access through gateway servers.