UserLock Documentation
UserLock Documentation
You are here: Use cases > Multi-Factor Authentication > How to apply MFA for RemoteApp

How to apply MFA for RemoteApp

From UserLock version 12.1, you can protect RemoteApp sessions with MFA with all available methods: push notifications, OTP codes and USB keys.


The UserLock desktop agent must be installed on the RD Host server.

How to

To enable MFA for these connections, first create a protected account for the user, group or OU that you wish to protect. Then, under multi-factor authentication, select "enable." RemoteApp sessions are considered as Terminal sessions, so under session type "Server", enable the connection types and frequency to prompt users for MFA.


  • In the case of concurrent RemoteApp sessions, only one will be visible in the UserLock console and the MFA will only be asked for the first connection, even if the MFA frequency is set to "At every logon."
  • Enabling MFA for server connections will apply this setting to all servers that have the UserLock desktop agent.
  • When a RemoteApp windows is closed, it can be reopened within 30s without prompt a password.


  • Users cannot enroll in MFA via a RemoteApp session. For general information about enrollment, see this page. For remote users, see this page for ways to enroll them in MFA.
  • It is not possible to use MFA for RemoteApp sessions that require privilege escalation (UAC).