Deploying a Windows Logon Agent

The Passly Windows Logon Agent lets companies add strong multi-factor authentication to Microsoft's Windows client and server operating systems. It provides a simple and consistent logon experience whether users log on at the local desktop or through a terminal session, and it offers identity assurance by requiring users to provide their Passly 2FA passcode during the logon process.

Note: This agent is installed on a per-machine basis.

Note: This agent requires that the Passly username and the Windows username match.

Supported Operating Systems

  • Windows 8
  • Windows 8.1
  • Windows 10
  • Server 2012
  • Server 2012 R2
  • Server 2016
  • Server 2019

Note: This agent does not support any x86 versions of Windows. 

To configure a Windows Logon Agent, please follow these steps.

First, create a Policy for this agent.

  1. Log into your tenant https://(your company)
  2. Select Policy Manager.
  3. Select the Add icon (small green + sign in the bottom right corner). 
  4. Name the Policy.
    Example: Windows Logon Agent.
    Set your Policy Elements & Actions.
    Note: This policy must not allow simple passwords; it must require 2FA.
  5. When you have your policy completed select Save changes.


Creating the Windows Logon Agent

  1. Select Auth Manager.
  2. Select the Add icon (small green + sign in the bottom right corner). 
  3. Mouse over the add icon to launch the selector. Select Add New Agent.
  4. Select Windows Logon.
  5. Configure the agent.
    Select Agent is enabled.
    Select the policy you created in Step 4 of the policy steps above.
  6. Select Windows Logon Configuration.
    Note: 'Enforce 2FA on RDP Only' is not supported on versions of Windows earlier than Windows 8 and Windows Server 2012.
    Note: It is recommended that you set an Override Password for all installs.
    Note: You will need to manually create the Passly Override Group. This is a local security group in the Directory Manager. This group allows users to be excluded from 2FA when logging on to a machine that uses this configuration.
    You can also edit the Windows Logon section of the agent, select Allow Override Group, and choose the group you would like to use.
    Note: Enabling "Allow Offline Access" allows the admin to set up the ability for the user to log in with no internet connection. This setting must be enabled, and the user needs to log in once before the machine is taken offline. The maximum number of days is an arbitrary decision made by the admin deploying the agent.
    Note: Offline access requires the user to log in at least once with an internet connection to validate the first PUSH. From that point on the user can use OTP offline.
    Note: There is an option here to upload an image file. This is the icon for the Windows agent that is seen in the Auth Manager > Agents/Clients UI. Customers are not required to change this image.

  7. Select Add Agent.
  8. Select the Agent from the agent list in Auth Manager.
  9. Select Download Installer.
  10. Copy the installer AAWinLogonCP.msi file to the target x64 Windows Server/Desktop/Workstation.
    Note: The installer must be on the local machine and not run from a shared drive like Lancache.
  11. Run the MSI AAWinLogonCP.msi.
    Note: If installing on a DC, or where strict UAC-style controls are enabled, you can run the MSI from an elevated command prompt.
  12. Select Run if prompted.
  13. Select Next.
  14. Accept the Terms of Use. Select Next.

  15. Logon Agent configuration. Set the following.
    Home Realm: (This is your tenant, (your company).)
    Note: Remove the https:// from the URL before entering the Home Realm.
    Note: If you are installing a Sub-Organisation's agent, you will need to use the sub-Org URL.
    For example, my tenant is and the client org is acme. I use for my Acme agent's Home Realm.
    ID: (This will be provided on the agent information screen where you downloaded the agent).
    Key: (This will be provided on the agent information screen where you downloaded the agent).

  16. Select Next.
  17. Select Install.
  18. Select Finish.
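As an added example (not part of the Passly documentation and not the vendor's own tooling), the PowerShell script below wraps steps 10 and 11 with pre-flight checks that mirror the notes in this article: the agent only supports x64 Windows, the MSI must be run from a local disk rather than a network share, and an elevated session avoids UAC problems on a DC. It then starts msiexec with a verbose log so a failed install leaves evidence to review. The installer path and log location are assumptions chosen for this example; the installer wizard still prompts for Home Realm, ID and Key (step 15) exactly as described above, since the page gives no silent-install properties for this MSI.

```powershell
# Added example: pre-flight checks and a logged install of AAWinLogonCP.msi.
# $InstallerPath is a hypothetical local path; adjust it to wherever you copied the MSI.
param(
    [string]$InstallerPath = 'C:\Temp\AAWinLogonCP.msi'
)

$ErrorActionPreference = 'Stop'

# Check 1: the agent does not support x86 versions of Windows.
if (-not [Environment]::Is64BitOperatingSystem) {
    throw 'This agent requires a 64-bit (x64) version of Windows.'
}

# Check 2: the installer must be on the local machine, not run from a share.
$resolved = (Resolve-Path -LiteralPath $InstallerPath).ProviderPath
if ($resolved -like '\\*') {
    throw "Installer must be copied locally; '$resolved' is a UNC path."
}
$driveLetter = $resolved.Substring(0, 1)
$drive = Get-PSDrive -Name $driveLetter -PSProvider FileSystem
if ($drive.DisplayRoot -like '\\*') {
    # A mapped drive letter backed by a network share still counts as a share.
    throw "Installer is on mapped network drive ${driveLetter}:; copy it to a local disk first."
}

# Check 3: run from an elevated session (recommended on DCs or with strict UAC).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell as Administrator before running the installer.'
}

# Launch the MSI with a verbose log. The wizard still asks for Home Realm, ID and Key.
$log  = Join-Path $env:TEMP 'AAWinLogonCP-install.log'
$args = @('/i', "`"$resolved`"", '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with code $($proc.ExitCode); review $log before retrying."
}
Write-Host "Installer finished (exit code $($proc.ExitCode)). Log: $log"
```

Run it from an elevated PowerShell window on the target machine; if any check fails the script stops before msiexec is launched, and the verbose log path is printed on success so it can be kept with the machine's change record.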


Test the agent

  1. Lock the desktop. Enter the user's Windows Password.
  2. You should receive a Push notification automatically.
    Note: PUSH is only possible if the machine has an active internet connection. 
    Note: If the PUSH fails you will receive a 2FA prompt for the passcode. Open the Authenticator app and tap your username. This will provide you with your one-time password.