Deploy Workstation MFA for Windows across multiple workstations

    You can deploy the MSI installer from the command line or through your organization's preferred deployment method (e.g., SCCM, Intune, CLI, etc.), either with the default configuration intact or with custom configurations.

    Tip: You can deploy your configured installer package to an unlimited number of Windows machines. If desired, you can create separate installer packages for specific groups within your organization (e.g., offices, locations, departments, etc.).

      Review the available properties for custom configuration.

      1. Optional: If you are using an MSI editor (e.g., Windows Orca), review the properties below which you can configure for installing the MSI for Workstation MFA.
        Note: You must enter two values for each property that you customize – one for the changed value and the other for the original value with _OLD added to it.
        | Name | Description | Optional? | Default Value |
        |---|---|---|---|
        | INTEGRATION_KEY | Captured in the new Admin Console – see instructions in previous Step #4 article | No | n/a |
        | INTEGRATION_SECRET | Captured in the new Admin Console – see instructions in previous Step #4 article | No | n/a |
        | PREVENT_OFFLINE_LOGIN | Indicates whether the LastPass Authenticator app should report a failed authentication when the device is offline. Values are True/False. | Yes | True |
        | CP_FILTER_ENABLED | Indicates whether MFA usage is required. When set, all other credential providers are disabled, except for the allowlisted ones. Values are True/False. | Yes | False |
        | CP_FILTER_WHITELIST | A list of CLSIDs (Class IDs of credential providers) that should be allowed to be loaded on the Windows login screen (along with LastPass). The CLSIDs should be in a format that can be parsed with this function. Use a comma (,) to separate values. An explicit empty list is not an empty string but the string value 'empty', because of WiX limitations/upgrade support. | Yes | empty |
        | RDP_ENABLED | Indicates whether RDP autologon is redirected to our credential provider. When set, RDP authentication will be performed with our credential provider automatically. When unset, redirection won't happen and the source provider will be used for authentication (typically the password provider). | Yes | False |

      Deploy the installer.

      1. In Windows Explorer, locate the Command Prompt and open in Admin Mode by selecting Run as administrator.
      2. Choose from the following options:
        Installer Instructions
        Default configurations
        1. Review the baseline installer command (with no additional properties).
          msiexec.exe /i C:\Users\<username>\Desktop\127.msi /quiet /l*v "C:\Users\Local_RDP\Desktop\log.txt"
        2. Deploy the baseline installer via command line.
        Custom configurations
        1. Review the available properties (listed above) to determine the settings you want to configure.
        2. Configure then enter the baseline installer command (updated with your integration key and integration secret, as well as your desired configurations) – see below for an example.
        3. Deploy the MSI installer via command line.
      3. Deploy the installer via command line or your preferred deployment method.

        Example: The following is an example of deploying the Workstation MFA MSI installer with debug logging enabled (learn how to enable and view debug logging), Offline Mode disabled, allowlisting enabled with two additional credential providers set, and RDP enabled:

        msiexec /i C:\Users\<username>\Desktop\127.msi /quiet /l*v "C:\Users\<username>\Desktop\log.txt" ADDLOCAL=wmfa INTEGRATION_KEY=************************************************************************** INTEGRATION_SECRET=********************************************************************** PREVENT_OFFLINE_LOGIN=False CP_FILTER_ENABLED=True CP_FILTER_WHITELIST={60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{8AF662BF-65A0-4D0A-A540-A338A999D36F} RDP_ENABLED=True
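
        The custom-configuration command above, assembled and validated in PowerShell. This is an added example, not LastPass code: the function name `New-WmfaMsiArguments`, the `C:\Deploy` paths and the key/secret placeholders are hypothetical, and the braced CLSID form is assumed from the example command.

```powershell
# Added example, not vendor code. Function and parameter names are hypothetical.
function New-WmfaMsiArguments {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$IntegrationKey,
        [Parameter(Mandatory)][string]$IntegrationSecret,
        [string[]]$AllowedClsids = @(),
        [bool]$PreventOfflineLogin = $true,   # defaults mirror the property table
        [bool]$CpFilterEnabled = $false,
        [bool]$RdpEnabled = $false
    )
    # Assumption: CLSIDs use the braced form shown in the page's example command.
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($clsid in $AllowedClsids) {
        if ($clsid -notmatch $clsidPattern) { throw "Not a braced CLSID: '$clsid'" }
    }
    # An empty allowlist is the literal string 'empty', never an empty string.
    $allowlist = if ($AllowedClsids.Count -gt 0) { $AllowedClsids -join ',' } else { 'empty' }
    @(
        '/i', "`"$MsiPath`"", '/quiet', '/l*v', "`"$LogPath`"", 'ADDLOCAL=wmfa',
        "INTEGRATION_KEY=$IntegrationKey", "INTEGRATION_SECRET=$IntegrationSecret",
        "PREVENT_OFFLINE_LOGIN=$PreventOfflineLogin", "CP_FILTER_ENABLED=$CpFilterEnabled",
        "CP_FILTER_WHITELIST=$allowlist", "RDP_ENABLED=$RdpEnabled"
    )
}

# Constructed sample values; replace the paths and placeholders with your own.
$msi    = 'C:\Deploy\127.msi'
$log    = 'C:\Deploy\log.txt'
$secret = '<integration secret>'
$msiArgs = New-WmfaMsiArguments -MsiPath $msi -LogPath $log `
    -IntegrationKey '<integration key>' -IntegrationSecret $secret `
    -PreventOfflineLogin $false -CpFilterEnabled $true -RdpEnabled $true `
    -AllowedClsids '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}', '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
($msiArgs -join ' ') -replace [regex]::Escape($secret), '***'   # preview, secret masked

if (Test-Path -LiteralPath $msi) {   # install only where the package is present
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    # Verbose MSI logs can record command-line properties; check before sharing the log.
    if ((Get-Content -LiteralPath $log -Raw).Contains($secret)) {
        Write-Warning "Integration secret found in $log; restrict or delete the log."
    }
}
```

        Run it from an elevated PowerShell session; on a machine without the package it only prints the masked command line.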

    Results: Setup is complete! You have successfully deployed the Workstation MFA for Windows to your users.
    What to do next: You can send your end users the following instructions: