Enforce Strong Authentication for Windows PCs & Servers — Online and Offline

Protect Windows logins on Microsoft Entra-joined PCs and servers with true multi-factor authentication (MFA), every time users sign in — even when devices are offline.

By default, Microsoft Entra requires MFA during device join, but not during everyday Windows logins. This leaves a critical security gap: once a device is joined, users can continue signing in with only a password — even offline.

Deepnet MFA for Computer Logon (Modern Authentication) closes that gap.

The Challenge with Entra-Joined Windows Devices

Microsoft Entra provides strong identity security in the cloud, but Windows sign-in behavior introduces limitations:

• MFA is enforced only during device join, not at subsequent logins
• Windows logins often rely solely on passwords
• Conditional Access policies do not apply when devices are offline
• Security teams lack granular control over how often MFA is required
• For organizations that need continuous authentication assurance, this creates unnecessary risk.

The Deepnet Solution

Deepnet MFA for Computer Logon is purpose-built to secure Windows PC and Server logins on Microsoft Entra-joined devices.

It enforces policy-driven MFA at Windows sign-in, regardless of network connectivity, while remaining fully compatible with modern identity platforms.

Key Capabilities

✔ Multiple Authentication Methods

Support a wide range of MFA technologies to suit different security needs:

• OATH OTP hardware tokens
• FIDO2 security keys
• RFID and smart cards
• Grid cards
• Device certificates
• Device fingerprinting
• And more

✔️ Flexible MFA Policies

Define MFA requirements per user or group, including:

• Allowed authentication methods
• Number of authentication steps
• Risk-based policy differentiation

Apply stronger controls where needed — without burdening low-risk users.

✔ Online and Offline MFA Enforcement

• Enforce MFA whether devices are:
• Connected to corporate networks
• On public Wi-Fi
• Completely offline

Users must authenticate securely before Windows access is granted, even without Internet connectivity.

✔ Granular Login Control

Balance security and usability with fine-grained policy options:

• Enforce MFA at every Windows login
• Require MFA once every N hours or days
• Remember trusted devices while maintaining strong protection

✔ Choice of MFA Service

Use the MFA provider that best fits your environment.

The solution supports any MFA service that implements OpenID Connect (OIDC), including:

• Microsoft Entra MFA
• Deepnet DualShield MFA
• Deepnet SafeID Token Service
• Third-party platforms such as Okta and Duo

No vendor lock-in. No architectural compromise.

How It Works

1. Primary Authentication
   Users sign in with their Microsoft Entra ID credentials at the Windows logon screen.
2. Secondary Authentication (MFA)
   Users are prompted for additional verification — such as OTP, FIDO key, or push approval — via the configured MFA service.
3. Secure Windows Access
   Access to the Windows PC or Server is granted only after all authentication requirements are satisfied.

Why Choose Deepnet MFA for Computer Logon?

• Designed specifically for Microsoft Entra-joined Windows environments
• Works seamlessly online and offline
• Supports modern authentication standards
• Integrates with existing MFA investments
• Delivers enterprise-grade security without sacrificing usability

Secure Every Windows Login — Without Exception

Whether your users are in the office, at home, or offline on the road, Deepnet MFA for Computer Logon ensures that every Windows sign-in is protected by strong, policy-driven multi-factor authentication.